Security Management Practices

Topics to be covered
• Change control
• Data classification
• Employment policies & practices
• InfoSec policies
• Risk management
• Roles and responsibilities
• Security awareness training
• Security management planning
Change control & management
• Why are change control & change management a security issue?
• Many businesses live or die on data integrity
• Changes can break a security model
• Modifying a system can void its warranty
• A Gartner Group analyst recently stated that a rogue Y2K programmer can cause $1B in potential losses
• Needed because the change requester often does not understand the security implications of their request
• The security administrator must carefully analyze and assess the impact of the change on the system
Change control & management
• Tools
• Checksums
• Digital signatures
• Tripwire
• Effective change control can uncover:
• cases of policy violation by staff; where programs are
installed or changed without following the proper
notification procedures
• Possible hardware failure leading to data corruption
• Viruses, worms, malicious code
Change control & management
• For change control & management to work, you must
have:
• Golden copies of the software, for comparison use
or database generation
• Secure infrastructure. Software must be securely
stored on physically protected media. If an intruder
can get root, and change the golden copies, then
the change control tools will be ineffective.
Change control & management
• Hardware
• Disks, peripherals
• Device drivers
• BIOS
• Application and operating systems software
• Upgrades
• Service packs, patches, fixes
• Changes to the firewall rulebase/proxies
• NLMs (NetWare Loadable Modules)
• Router software
Change control & management
• Policies, procedures and processes
• Develop policies that stabilize the production processing environment by controlling all changes made to it
• Formal change control processes will help to ensure that
only authorized changes are made, that they are made at
the approved time, and that they are made in the approved
manner
• Promptly implement security patches, command scripts, &
similar from vendors, CERT, CIAC, etc.
• Have procedures for roll-back to prior versions in case of
problems, AKA, don’t burn your software bridges
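The tools slide above (checksums, digital signatures, Tripwire) and the golden-copy slide describe the same mechanism: record a trusted fingerprint of every file, keep that record where an intruder cannot rewrite it, and diff against it later. The following is an added example, not code from the slides or from Tripwire, of that mechanism in Python. It hashes a tree of files, protects the stored baseline with an HMAC whose key is assumed to live on separately protected media (the slide's point that a root-level intruder who can rewrite the golden copies defeats the tool), and reports added, modified and removed files. All function names, the sample files and the key are this example's own constructions.

```python
"""Added example: a minimal Tripwire-style integrity baseline (not from the slides)."""
import hashlib
import hmac
import json
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large binaries need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map every file under root (as a relative POSIX path) to its SHA-256 digest."""
    return {
        p.relative_to(root).as_posix(): hash_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def sign_baseline(baseline: dict, key: bytes) -> str:
    """HMAC over a canonical JSON encoding, so key order cannot be used to forge a match."""
    canonical = json.dumps(baseline, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


def baseline_is_authentic(baseline: dict, tag: str, key: bytes) -> bool:
    """Constant-time check that the stored baseline has not been rewritten."""
    return hmac.compare_digest(sign_baseline(baseline, key), tag)


def compare(baseline: dict, current: dict) -> dict:
    """Classify each path as added, removed or modified relative to the baseline."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
    }


def demo() -> dict:
    """Baseline a constructed file tree, make rogue changes, and report what is detected."""
    key = b"example-key-assumed-to-live-off-box"  # assumption: stored on protected media
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "bin" / "login").write_bytes(b"original login binary")
        (root / "etc").mkdir()
        (root / "etc" / "rules.conf").write_text("allow tcp/443\n")

        baseline = build_baseline(root)
        tag = sign_baseline(baseline, key)

        # Constructed rogue changes: trojaned binary, new unauthorised file, deleted config.
        (root / "bin" / "login").write_bytes(b"trojaned login binary")
        (root / "bin" / "unexpected").write_bytes(b"program installed without notification")
        (root / "etc" / "rules.conf").unlink()

        # An intruder who edits the stored baseline to match the trojan, but lacks the key.
        forged = {**baseline, "bin/login": hash_file(root / "bin" / "login")}

        report = compare(baseline, build_baseline(root))
        report["baseline_authentic"] = baseline_is_authentic(baseline, tag, key)
        report["forged_baseline_authentic"] = baseline_is_authentic(forged, tag, key)
        return report


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Note that the HMAC only proves the baseline file itself was not altered; it does not stop a root intruder from replacing the checker or the hash library, which is why the slide insists on physically protected golden copies rather than on-box storage alone.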
Data classification
• Classification is part of a mandatory access control
model to ensure that sensitive data is properly
controlled and secured
• DoD multi-level security policy has 4 classifications:
• Top Secret
• Secret
• Confidential
• Unclassified
• Other levels in use are:
• Eyes only
• Officers only
• Company confidential
• Public
Data classification benefits
• Data confidentiality, integrity & availability are
improved since appropriate controls are used
throughout the enterprise
• Protection mechanisms are maximized
• A process exists to review the values of company
business data
• Decision quality is increased since the quality of the
data upon which the decision is being made has been
improved
Data classification
• Top Secret - applies to the most sensitive business information
which is intended strictly for use within the organization.
Unauthorized disclosure could seriously and adversely impact
the company, stockholders, business partners, and/or its
customers
• Secret - Applies to less sensitive business information which is
intended for use within a company. Unauthorized disclosure
could adversely impact the company, its stockholders, its
business partners, and/or its customers
• Confidential - Applies to personal information which is
intended for use within the company. Unauthorized disclosure
could adversely impact the company and/or its employees
• Unclassified - Applies to all other information which does not
clearly fit into any of the above three classifications.
Unauthorized disclosure isn’t expected to seriously or
adversely impact the company
MAC data classification
• In MAC systems, every subject and object in a
system has a sensitivity label and a set of
categories:
• classification [category]
• Top Secret [CEO, CFO, Board Members]
• Confidential [Internal employees, auditors]
• The function of categories is that even someone with the highest classification isn't automatically cleared to see all information at that level. This supports the concept of need to know
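The label check the slide describes is a lattice comparison: a subject's label dominates an object's label only when its level is at least as high and its category set contains every category on the object. The following is an added example in Python, not code from the slides, that parses the slide's "classification [category]" notation, orders the four DoD levels as listed earlier, and applies the Bell-LaPadula read and write rules to it. The subjects (a CFO holding only the CFO category, an auditor, an unclassified clerk) are assumed for illustration.

```python
"""Added example: label dominance with categories (need to know), not from the slides."""
from dataclasses import dataclass, field

# The four DoD levels from the slides, ordered least to most sensitive.
LEVELS = {"Unclassified": 0, "Confidential": 1, "Secret": 2, "Top Secret": 3}


@dataclass(frozen=True)
class Label:
    """Sensitivity label: a classification level plus a set of categories."""
    level: str
    categories: frozenset = field(default_factory=frozenset)

    def __post_init__(self):
        if self.level not in LEVELS:
            raise ValueError(f"unknown classification level: {self.level!r}")

    def dominates(self, other: "Label") -> bool:
        """Lattice ordering: level at least as high AND a superset of other's categories."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.categories >= other.categories)


def parse_label(text: str) -> Label:
    """Parse the slide notation, e.g. 'Top Secret [CEO, CFO, Board Members]'."""
    level, bracket, rest = text.partition("[")
    cats = [c.strip() for c in rest.rstrip("] ").split(",") if c.strip()] if bracket else []
    return Label(level.strip(), frozenset(cats))


def can_read(subject: Label, obj: Label) -> bool:
    """Simple security property ('no read up'): the subject must dominate the object."""
    return subject.dominates(obj)


def can_write(subject: Label, obj: Label) -> bool:
    """*-property ('no write down'): the object must dominate the subject, so a highly
    cleared subject cannot copy data into a lower-labelled object."""
    return obj.dominates(subject)


def demo() -> dict:
    """Access decisions for the slides' two example labels and some assumed subjects."""
    board_report = parse_label("Top Secret [CEO, CFO, Board Members]")
    audit_notes = parse_label("Confidential [Internal employees, auditors]")
    cfo = parse_label("Top Secret [CFO]")                        # highest level, one category
    board = parse_label("Top Secret [CEO, CFO, Board Members]")  # all three categories
    auditor = parse_label("Secret [Internal employees, auditors]")
    clerk = parse_label("Unclassified")                          # no categories at all
    return {
        "cfo_reads_board_report": can_read(cfo, board_report),          # False: no need to know
        "board_reads_board_report": can_read(board, board_report),      # True
        "auditor_reads_audit_notes": can_read(auditor, audit_notes),    # True
        "auditor_reads_board_report": can_read(auditor, board_report),  # False
        "clerk_reads_audit_notes": can_read(clerk, audit_notes),        # False: read up
        "board_writes_audit_notes": can_write(board, audit_notes),      # False: write down
        "clerk_writes_audit_notes": can_write(clerk, audit_notes),      # True: write up
    }


if __name__ == "__main__":
    for decision, allowed in demo().items():
        print(f"{decision:32s} {'ALLOW' if allowed else 'DENY'}")
```

The first decision is the slide's point: Top Secret clearance alone does not open the board report, because the subject lacks two of its categories.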
Misc. data classification issues
• In a commercial setting, responsibility for assigning data
classification labels is on the person who created or updated
the information
• With the exception of general business correspondence, all
externally-provided information which is not public in nature
must have a data classification system label.
• All tape reels, floppy disks and other computer storage media
containing secret, confidential, or private information must be
externally labeled with the appropriate sensitivity
classification
• Holders of sensitive information must take appropriate steps
to ensure that these materials are not available to unauthorized
persons.
Data classification
• Roles & responsibilities
• Information owner
• Information custodian
• Application owner
• User manager
• Security administrator
• Security analyst
• Change control analyst
• Data analyst
• Solution provider
• End user
Employment policies & practices
• Background checks/security clearances
• Checking public records provides critical
information needed to make the best hiring
decision.
• Conducting these often simple checks verifies the
information provided on the application is current
and true, and gives the employer an immediate
measurement of an applicant’s integrity.
Background checks
What can a background check potentially protect against?
• lawsuits from terminated employees
• lawsuits from 3rd-parties or customers for negligent hiring
• unqualified employees
• lost business and profits
• time wasted recruiting, hiring and training
• theft, embezzlement or property damage
• money lost (to recruiters' fees, signing bonus)
• negligent hiring lawsuit
• decrease in employee morale
• workplace violence, or sexual harassment suits
Background checks
• Who should be checked? Employee background checks should be performed for all sensitive positions. Information security staff in sensitive positions include those responsible for:
• firewall administration
• e-commerce management
• Kerberos administration
• SecurID & password usage
• PKI and certificate management
• router administration
Background checks
• What can be checked for an applicant:
• Credit Report
• SSN searches
• Workers Compensation Reports
• Criminal Records
• Motor Vehicle Report
• Education Verification & Credential Confirmation
• Reference Checks
• Prior Employer Verification
Military security clearance
• Among the most meticulous background checks are those requiring a DoD security clearance. After reviewing the 30-page Defense Industrial Personnel Security Clearance Review, one gets a new understanding of painstaking review. A defense security clearance is generally only requested for individuals in the following categories whose employment involves access to sensitive government assets:
• Members of the military;
• Civilian employees working for the Department of Defense or other
government agencies;
• Employees of government contractors.
Military security clearance
A DoD review, more correctly known as a personnel security investigation, comprises the following:
• a search of investigative files and other records held
by federal agencies, including the FBI and, if
appropriate, overseas countries
• a financial check
• field interviews of references (in writing, by
telephone, or in person), to include coworkers,
employers, personal friends, educators, neighbors,
and other individuals, as appropriate
• a personal interview with the applicant conducted by
an Investigator
Employment agreement
• Non-compete
• Non-disclosure
• Restrictions on dissemination of corporate information, e.g., to the press, analysts, law enforcement
Hiring & termination
• Policies and procedures should come down from HR
• Should address:
• how to handle an employee's departure
• shutting down accounts
• forwarding e-mail and voice-mail
• lock and combination changes
• system password changes
Separation of duties
• The principle of separation of duties is that an organization should carefully separate duties, so that people involved in checking for inappropriate use are not also capable of making such inappropriate use
• No person should be responsible for completing a task involving sensitive, valuable or critical information from beginning to end. Likewise, a single person must not be responsible for approving their own work
Separation of duties
• Separate:
• development/production
• security/audit
• accounts payable/accounts receivable
• encryption key management/changing of keys
• Split knowledge
• Encryption keys are separated into two
components, each of which does not reveal the
other
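The split-knowledge bullet above is the classic key-component scheme used in key ceremonies: the key is the XOR of several components, each held by a different custodian, and any subset short of all of them is statistically indistinguishable from random. The following is an added example in Python, not code from the slides, that splits a key into n components, reconstructs it only when every custodian is present, and checks each entered component against a short check value so a typo is caught before a wrong key is loaded. The check-value construction (six hex characters of SHA-256) is this example's own simplification; hardware security modules commonly derive their key check values differently.

```python
"""Added example: split knowledge via XOR key components (not from the slides)."""
import hashlib
import secrets


def check_value(component: bytes) -> str:
    """Short check value (first 6 hex chars of SHA-256), used only to confirm a custodian
    entered their component correctly; it does not reveal the component."""
    return hashlib.sha256(component).hexdigest()[:6]


def xor_bytes(a: bytes, b: bytes) -> bytes:
    if len(a) != len(b):
        raise ValueError("components must all be the same length as the key")
    return bytes(x ^ y for x, y in zip(a, b))


def split_key(key: bytes, custodians: int) -> list:
    """Split key into `custodians` components whose XOR equals the key.

    The first n-1 components are uniformly random; the last is chosen so that the XOR
    of all n is the key.  Any n-1 components together are still uniformly random, so
    no group short of all custodians learns anything about the key."""
    if custodians < 2:
        raise ValueError("split knowledge needs at least two custodians")
    components = [secrets.token_bytes(len(key)) for _ in range(custodians - 1)]
    last = key
    for c in components:
        last = xor_bytes(last, c)
    components.append(last)
    return components


def combine_key(components: list) -> bytes:
    """XOR all components back together; correct only when every custodian is present."""
    if not components:
        raise ValueError("no components supplied")
    key = components[0]
    for c in components[1:]:
        key = xor_bytes(key, c)
    return key


def key_ceremony(entered: list, expected_check_values: list) -> bytes:
    """Reconstruct the key from components typed in by each custodian, verifying each
    entry against its recorded check value first."""
    if len(entered) != len(expected_check_values):
        raise ValueError("every custodian must be present")
    for i, (component, expected) in enumerate(zip(entered, expected_check_values)):
        if check_value(component) != expected:
            raise ValueError(f"custodian {i + 1} entered an incorrect component")
    return combine_key(entered)


if __name__ == "__main__":
    master = secrets.token_bytes(32)                  # constructed sample key
    parts = split_key(master, 3)
    kcvs = [check_value(p) for p in parts]
    print("any two parts alone reconstruct the key:", combine_key(parts[:2]) == master)
    print("all three parts reconstruct the key:   ", key_ceremony(parts, kcvs) == master)
```

Pairing this with the separation-of-duties bullet: the custodians who hold components should not also be the people who administer the system the key protects, otherwise one role could collect the components and re-assemble the key alone.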
Information security policies
• Policy is perhaps the most crucial element in a
corporate information security infrastructure
• Marcus Ranum defines a firewall as “the
implementation of your Internet security policy. If
you haven’t got a security policy, you haven’t got a
firewall. Instead, you’ve got a thing that’s sort of
doing something, but you don’t know what it’s trying
to do because no one has told you what it should do”
• Corporate computing is a complex operation.
Effective policies can rectify many of the weaknesses
and faults
Information security policies
• Benefits:
• Ensure systems are used in the manner intended
• Ensure users understand their roles &
responsibilities
• Control legal liability
Information security policies
• Components of an effective policy:
• Title
• Purpose
• Authorizing individual
• Author/sponsor
• Reference to other policies
• Scope
• Measurement expectations
• Exception process
• Accountability
• Effective/expiration dates
• Definitions
Information security policies
• How to ensure that policies are understood:
• Jargon free/non-technical language
• Rather than, “when creating software authentication codes, users must endeavor to use codes that do not facilitate nor submit the company to vulnerabilities in the event that external operatives break such codes”, use “passwords that are guessable should not be used”.
• Focused
• Job position independent
• No procedures, techniques or methods
• Policy is the approach. The specific details & implementations should
be in another document
• Responsibility for adherence
• Users must understand the magnitude & significance of the policy. “I
thought this policy didn’t apply to me” should never be heard.
Information security policies
• How should policies be disseminated?
• New hires should get hard copies at orientation
• Rehires should go through orientation
• Hard copies
• Web/corporate intranet
• Brochures
• Videos
• Posters
• e-mail/voice-mail
Risk management
• Security risks begin the moment the power is turned on. The only way to deal with those risks is via risk management
• Risks can be identified & reduced, but never
eliminated
• No matter how secure you make a system, it can
always be broken into given sufficient resources,
time, motivation and money
• People are usually cheaper & easier to compromise than advanced technological safeguards
Qualitative and quantitative
• There are two different risk management approaches: qualitative and quantitative
• Quantitative (quasi-objective) risk management attempts to establish and maintain an independent set of risk metrics & statistics, expressing asset value and expected loss in monetary terms
• Qualitative risk management relies on relative ratings (e.g., high/medium/low) and expert judgement rather than objective measurements
Qualitative vs. quantitative
• Qualitative - Pros
• Calculations are simple and readily understood and executed
• Not necessary to determine quantitative threat frequency & impact data
• Not necessary to estimate the cost of recommended risk mitigation
measures & calculate cost/benefit
• A general indication of significant areas of risk that should be
addressed is provided
• Qualitative - Cons
• Risk assessment & results are essentially subjective in both process &
metrics. Use of independently objective metrics is eschewed.
• No effort is made to develop an objective monetary basis for the value
of targeted information assets
• No basis is provided for cost/benefit analysis of risk mitigation
measures. Only subjective indication of a problem
• It is not possible to track risk management performance objectively
when all measures are subjective
Qualitative vs. quantitative
• Quantitative - Pros
• Assessment & results are based substantially on independently
objective processes & metrics. Thus, meaningful statistical analysis is
supported
• The value of information (availability, confidentiality & integrity) as
expressed in monetary terms with supporting rationale, is better
understood. Thus, the basis for expected loss is better understood.
• A credible basis for cost/benefit assessment of risk mitigation measures
is provided. Thus, information security budget decision-making is
supported
• Quantitative - Cons
• Calculations are complex. If they are not understood or effectively explained, management may mistrust results that look to them like the output of a black box
• A substantial amount of information about the target information & its
IT environment must be gathered
• There is not yet a standard, independently developed & maintained threat population & frequency knowledge base. Thus, users must rely on the credibility of the vendors who develop & support the automated tools, or perform the research themselves.
Risk management nomenclature
• Annualized loss expectancy (ALE)
• Single loss expectancy (SLE) x annualized rate of occurrence = ALE
• Annualized rate of occurrence (ARO)
• On an annualized basis, the frequency with which a threat is expected to occur
• Exposure factor (EF)
• A measure of the magnitude of loss or impact on the value of an asset, expressed as the fraction of the asset's value lost in a single occurrence (asset value x EF = SLE)
• Probability
• Chance or likelihood, in a finite sample, that an event will occur or that a specific loss value may be attained should the event occur
• Threat
• An event, the occurrence of which could have an undesired impact
• Safeguard
• Risk-reducing measure that acts to detect, prevent or minimize loss associated with the occurrence of a specified threat or category of threats
• Vulnerability
• The absence or weakness of a risk-reducing safeguard
Risk assessment
• Since you can’t protect yourself if you do not know
what you are protecting against, a risk assessment
must be performed
• A risk assessment answers 3 fundamental questions:
• Identify assets - What am I trying to protect?
• Identify threats - What do I need to protect against?
• Calculate risks - How much time, effort & money am I willing to expend to obtain adequate protection?
• After risks are determined, you can then develop the
policies & procedures needed to reduce the risks
Identifying assets
• Tangibles
• Computers, communications equipment, wiring
• Data
• Software
• Audit records, books, documents
• Intangibles
• Privacy
• Employee safety & health
• Passwords
• Image & reputation
• Availability
• Employee morale
Identifying threats
• Earthquake, flood, hurricane, lightning
• Structural failure, asbestos
• Utility loss, e.g., water, power, telecommunications
• Theft of hardware, software, data
• Terrorists, both political and information
• Software bugs, viruses, malicious code, spam, mail bombs
• Strikes, labor & union problems
• Hackers, internal/external
• Inflammatory usenet, Internet & web postings
• Employee illness, death
• Outbreak, epidemic, pandemic
Calculating (quantifying) risks
• This is the hard part. Insurance & historical
records may help, but your actuary is your best
friend.
• How much damage did Kevin Mitnick do? Estimates
range from $500,000 to $120,000,000
• Review the risks
• Lists should be regularly updated
• Small changes in operations or corporate structure can
have significant risk implications
• Changes such as location, vendor, M&A, etc., must be factored into the risk assessment
Cost/benefit analysis
• Cost of a loss
• Often hard to determine accurately
• Cost of prevention
• Long term/short term
• Adding up the numbers
• Output of an Excel spreadsheet listing assets, risks &
possible losses
• For each loss, know its probability, predicted loss &
amount of money needed to defend against the loss
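The nomenclature slide (SLE, ARO, ALE, exposure factor) and the cost/benefit slide above together describe one calculation: the annual loss a threat is expected to cause, and whether a safeguard removes more of that loss than it costs per year. The following is an added example in Python, not code or figures from the slides, that carries those formulas through for one asset and ranks candidate safeguards by their annual net value (ALE before, minus ALE after, minus the safeguard's annual cost). The asset value, exposure factors, rates and safeguard names are constructed sample figures.

```python
"""Added example: SLE/ARO/ALE and safeguard cost/benefit (not from the slides)."""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Risk:
    """One threat against one asset, in the slides' quantitative terms."""
    asset: str
    threat: str
    asset_value: float       # AV: monetary value of the asset
    exposure_factor: float   # EF: fraction of AV lost in a single occurrence, 0..1
    aro: float               # ARO: expected occurrences per year

    def sle(self) -> float:
        """Single loss expectancy = AV x EF."""
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annualized loss expectancy = SLE x ARO."""
        return self.sle() * self.aro


@dataclass(frozen=True)
class Safeguard:
    name: str
    annual_cost: float       # purchase amortised over its life plus yearly operating cost
    exposure_factor: float   # EF once the safeguard is in place
    aro: float               # ARO once the safeguard is in place


def residual_risk(risk: Risk, sg: Safeguard) -> Risk:
    """The same asset and threat with the safeguard's reduced EF and ARO."""
    return replace(risk, exposure_factor=sg.exposure_factor, aro=sg.aro)


def safeguard_value(risk: Risk, sg: Safeguard) -> float:
    """Annual net value: ALE before - ALE after - annual cost.
    Positive means the safeguard pays for itself; negative means it costs more than it saves."""
    return risk.ale() - residual_risk(risk, sg).ale() - sg.annual_cost


def rank_safeguards(risk: Risk, candidates: list) -> list:
    """(name, annual net value) pairs, best first, for the spreadsheet the slide mentions."""
    scored = [(sg.name, safeguard_value(risk, sg)) for sg in candidates]
    return sorted(scored, key=lambda item: item[1], reverse=True)


# Constructed sample figures, not data from the slides.
CUSTOMER_DB = Risk("customer database", "theft of data",
                   asset_value=1_000_000, exposure_factor=0.30, aro=0.10)

CANDIDATES = [
    Safeguard("encrypt database at rest", annual_cost=8_000, exposure_factor=0.05, aro=0.10),
    Safeguard("security awareness training", annual_cost=3_000, exposure_factor=0.30, aro=0.06),
    Safeguard("enterprise DLP suite", annual_cost=40_000, exposure_factor=0.10, aro=0.05),
]


def demo() -> dict:
    return {
        "sle": CUSTOMER_DB.sle(),
        "ale": CUSTOMER_DB.ale(),
        "ranking": rank_safeguards(CUSTOMER_DB, CANDIDATES),
    }


if __name__ == "__main__":
    result = demo()
    print(f"SLE = {result['sle']:,.0f}   ALE = {result['ale']:,.0f}")
    for name, value in result["ranking"]:
        print(f"{name:30s} net annual value {value:>10,.0f}")
```

The DLP line illustrates the "adding up the numbers" bullet: it reduces the ALE as much as encryption does, but its annual cost exceeds the loss it prevents, so on these figures it is the wrong purchase even though it is the most capable control.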
Security awareness
• Must be driven from the top-down
• Must be comprehensive, all the way down to the
floppy & hard copies
• Education
• Hard copies
• Web-based
• Training & education
Security management planning
• But most importantly, to be successful in selling
security you must know your company’s or client’s
business
• Know what is important
• Each industry has differing priorities
Security management planning
Identify costs
• Initial investment
• Ongoing costs
Identify benefits
• Help Desk reduction
• Common data locations
• Reduced Remote Access costs
• Improved Business Partner access
• Enhanced public perception
• Ernst & Young Cyberprocess Certification
Security management planning
Identify potential losses if security is not properly implemented
• Trade secrets
• Confidential information
• Personal e-mail
• Adverse publicity
• Viruses, worms, malicious Java and ActiveX applications
• Denial of service
• Hard drive reformats, router reconfigurations
• M&A
• Financials
• Hacked web pages
• Breach of Human Resources information
Security management planning
Management Procrastination
Four primary reasons why the decision maker typically
procrastinates in deciding whether to allocate funds or
commence the initiative:
• Unable to understand or quantify security threats and technical
vulnerabilities. This results in buying decision paralysis.
• Unable to measure (through quantitative or qualitative analysis)
the severity and probability of risk.
• Begins the analysis with a preconceived notion that the cost of
controls will be excessive or the security technology does not
exist.
• Believes that the security solution will interfere with the
performance or appearance of the business product