EE579S Computer Security

EE579U
Information Systems Security and Management
9: Security Management
Professor Richard A. Stanley
Spring 2004
© 2000-2004, Richard A. Stanley
EE579U/9 #1
Overview of Today’s Class
• Review of last class
• Security Management
Last class…
• Gathering forensic information from
computers is difficult and time-consuming
• You must preserve the chain of custody of
evidence or your efforts are in vain
• Tools exist to help with the hard stuff
• Crawl to conclusions—it is easy to become
enamored of the first theory to pop up
What Must be Managed?
• Security requirements
• Security design
• Security implementation
• Security response(s)
Requirements Management
• Formal methodologies exist
– Waterfall
– Spiral
– …etc.
• You may not be free to choose the one you
like (e.g. many US Govt. procurements
require use of the waterfall model)
Waterfall Model View
[Diagram: Requirements (validate, refine) → Specification (validate) → Implement/Unit test (verify) → Code → Build → Integration/System test (verify) → Field → Operations & Maintenance]
Spiral Model
http://www.cc.gatech.edu/classes/cs3302_98_winter/1-08-mgt/sld012.htm
What Now?
• Security design should get the key security
points into the design documents
• The next problem is to ensure they survive
the actual system engineering
• This is not an easy task
– Relevance
– ROI
– Organizational support
A thought
• Security management is not a goal, it is a
process
• It requires a thorough understanding of all
the key security technologies that you have
studied, plus keen management ability
• This is an uncommon mix of abilities
• You are constantly in the position of saying
“NO,” so it is hard to “trade favors”
Return on Investment
• Common method of measuring business
investment worth
• ROI = Average annual profit / Project cost
• With security-related expenses, the
denominator is almost always known
• How do we calculate the numerator?
– And will we be believed?
One View of the Topic
• Access control
• Telecomm and network security
• Security management practices
• Applications and systems development security
• Cryptography
• Security architecture and models
• Operations security
• Business continuity/disaster recovery planning
• Law, investigation, and ethics
Micki Krause. Information Security Management Handbook, Fourth Edition, Volume I
Access Control
• Making sure only authorized users can
access systems
• Ensuring the authorized users can do only
what they should do once on the system
• This spans all levels of the system, from
development to day-to-day operation
Telecommunications and
Network Security
• This is the current “glamour” sector
• Network security seen by many as the
problem to solve
– As we have seen, it is one of many
• Significant technical content here
– Hard to stay current
– Harder still to keep an eye on all the
practitioners
Security Management Practices
• Awareness
• Policy
• Risk Management
– Vulnerability assessment
– Quantified where possible
– Insurance?
Applications and Systems
Development Security
• Build it in, don’t bolt it on
• Easy to say, hard to do
– What happens when not all software is produced
under your control?
– How to evaluate security in outsourced
products and services?
• Methodologies can get in the way of reality
Cryptography
• Basis of most modern authentication
systems
• Technical knowledge in this field absolutely
essential for sound security management
• Choices made here haunt the system forever
– Key management
– Key security
– System use policies
Security Architecture and Models
• Bigger than the computer box we choose
• Security architectures of the equipment and
the organization should be congruent
• Models help to evaluate the “goodness” of
our security approach, just as in engineering
• Simply selecting an architecture doesn’t
solve the problems
– It may not even highlight them!
Operations Security
• Simply put, how do we keep the system
operating safely on a day-to-day basis?
• Keeping hackers and malicious code at bay
are part of this effort
• Personnel security, physical security, and
other areas are implemented here
• This area gets little respect or funding, but
is absolutely critical to success
Business Continuity & Disaster
Recovery Planning
• This will be our topic next week
• Simply put, it covers how to keep the
business running in the event of a disaster
and how to plan for recovery in that event
• ALL reasonably probable disasters must be
considered
Law, Investigation, and Ethics
• We’ve spent a lot of time here
• This is usually seen as the end of the
security management process—if done
right, it can be a continuing process of
cooperation that helps to ensure success
• It may not be possible to force ethical
adjustment, but you can enforce the
corporation’s ethics on the workforce
Policy Management
• Policy establishment
– Building and maintaining policies to keep
current with law and regulation
• Communicating the policy
– Get the users to read and use it!
• Measure and enforce policy compliance
– Are they using it? How to know?
Administration Management
• Administering and securing complex
modern software suites, such as Active
Directory
• Adding and deleting users in a timely
fashion
• Keeping user privileges current
• Enabling user self-service
– Reduces admin load, may reduce security
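The joiner/leaver and privilege bullets above can be checked mechanically. The following added example (mine, not the lecture's, and not an Active Directory tool) reconciles a constructed HR roster against a constructed directory export and reports four kinds of lapse: accounts still enabled after termination, accounts with no owner in HR, group memberships outside what a department is entitled to, and active employees who still have no account. The roster, the export format, the group names and the entitlement map are all assumptions.

```python
"""Joiner/leaver/privilege reconciliation over constructed data.

Added example (not from the lecture): the HR roster, the directory
export and the department-to-group entitlement map are hypothetical.
A real run would feed reconcile() an export of user objects and their
group memberships; nothing here talks to a directory.
"""
from datetime import date

# Constructed HR roster: employee id -> (status, department, termination date or None)
HR_ROSTER = {
    "E100": ("active", "finance", None),
    "E101": ("active", "engineering", None),
    "E102": ("terminated", "finance", date(2004, 2, 15)),
    "E103": ("active", "helpdesk", None),
}

# Constructed directory export: one record per account (hypothetical names)
DIRECTORY = [
    {"account": "jdoe", "employee_id": "E100", "enabled": True, "groups": {"Finance-Users"}},
    {"account": "asmith", "employee_id": "E101", "enabled": True, "groups": {"Eng-Users", "Domain Admins"}},
    {"account": "bjones", "employee_id": "E102", "enabled": True, "groups": {"Finance-Users"}},
    {"account": "svc_backup", "employee_id": None, "enabled": True, "groups": {"Backup Operators"}},
    {"account": "tlee", "employee_id": "E999", "enabled": True, "groups": {"Helpdesk"}},
]

# Groups a department is entitled to; anything beyond this is privilege drift (assumed map).
ENTITLEMENTS = {
    "finance": {"Finance-Users"},
    "engineering": {"Eng-Users"},
    "helpdesk": {"Helpdesk"},
}

# Accounts that legitimately have no employee must be on an explicit, owned list.
KNOWN_SERVICE_ACCOUNTS = {"svc_backup"}


def reconcile(roster, directory, entitlements, service_accounts, today):
    """Return a list of (subject, kind, detail) findings.

    kind is one of: 'leaver'  (terminated employee, account still enabled)
                    'orphan'  (account with no HR owner and not a known service account)
                    'drift'   (group membership outside the department's entitlement)
                    'joiner'  (active employee with no account yet)
    """
    findings = []
    seen = set()
    for acct in directory:
        name, eid = acct["account"], acct["employee_id"]
        if eid is None:
            if name not in service_accounts:
                findings.append((name, "orphan", "no employee id and not a registered service account"))
            continue
        seen.add(eid)
        if eid not in roster:
            findings.append((name, "orphan", f"employee {eid} unknown to HR"))
            continue
        status, dept, end = roster[eid]
        if status == "terminated" and acct["enabled"]:
            age = (today - end).days
            findings.append((name, "leaver", f"still enabled {age} days after termination"))
        extra = acct["groups"] - entitlements.get(dept, set())
        if extra:
            findings.append((name, "drift", f"groups not entitled for {dept}: {sorted(extra)}"))
    # Joiners: active employees HR knows about but the directory does not.
    for eid, (status, dept, _) in roster.items():
        if status == "active" and eid not in seen:
            findings.append((eid, "joiner", f"active {dept} employee has no account"))
    return findings


def default_findings():
    """Run the reconciliation over the constructed data as of 2004-03-01."""
    return reconcile(HR_ROSTER, DIRECTORY, ENTITLEMENTS, KNOWN_SERVICE_ACCOUNTS, date(2004, 3, 1))


if __name__ == "__main__":
    for subject, kind, detail in default_findings():
        print(f"{kind:7} {subject:12} {detail}")
```

The leaver finding is the one that matters most for "timely fashion": the age in days is the number to put on a scorecard, because an account that outlives its owner by a day is a process hiccup and one that outlives its owner by a quarter is an open door.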
Vulnerability Management
• Audit for policy exceptions
• Monitor for vulnerabilities
• Minimize manual processes
• Provide scorecards for performance
• Tighten security on platforms by using best
practices
Incident Management
• Identify security problems promptly
– Reduce false positives and noise
• Analyze events
• Prevent/detect intrusions
• Correlate information to get the “big
picture”
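The promptness, noise-reduction and correlation bullets above are what a detection rule actually has to do. The following added example (mine, not from the lecture) runs a small correlation over constructed sshd-style log lines: the log format, host names, addresses and thresholds are assumptions. The point it makes is that one failed login on one host is noise, while the same source failing across several hosts inside a short window, and then succeeding, is a finding worth an analyst's time.

```python
"""Event correlation over constructed authentication log lines.

Added example (not from the lecture): parses raw lines, aggregates
failures per source address, suppresses isolated failures with a
threshold, and raises severity when a flagged source later succeeds.
The line format and the thresholds are assumptions, not a product's.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (hypothetical hosts, users and addresses).
SAMPLE_LOG = """\
2004-03-01T09:00:01 web1 sshd: Failed password for admin from 198.51.100.7
2004-03-01T09:00:03 web1 sshd: Failed password for root from 198.51.100.7
2004-03-01T09:00:05 db1 sshd: Failed password for admin from 198.51.100.7
2004-03-01T09:00:09 db1 sshd: Failed password for oracle from 198.51.100.7
2004-03-01T09:00:12 app1 sshd: Failed password for admin from 198.51.100.7
2004-03-01T09:00:20 app1 sshd: Accepted password for admin from 198.51.100.7
2004-03-01T09:05:00 web1 sshd: Failed password for alice from 192.0.2.10
2004-03-01T09:05:30 web1 sshd: Accepted password for alice from 192.0.2.10
2004-03-01T10:00:00 db1 sshd: Failed password for bob from 192.0.2.11
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd: (?P<result>Failed|Accepted) password "
    r"for (?P<user>\S+) from (?P<src>\S+)$"
)


def parse_events(text):
    """Turn raw lines into dicts; lines that do not match the format are dropped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.fromisoformat(ev["ts"])
            events.append(ev)
    return events


def correlate(events, window=timedelta(minutes=5), min_failures=4, min_hosts=2):
    """Return findings keyed by source address.

    A source is flagged only if it produced at least min_failures failed
    logins against at least min_hosts distinct hosts inside window, so a
    lone typo on one host never reaches the analyst.  If the same source
    then gets an 'Accepted' inside the window, severity is raised to high.
    """
    by_src = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_src[ev["src"]].append(ev)

    findings = {}
    for src, evs in by_src.items():
        failures = [e for e in evs if e["result"] == "Failed"]
        for i, first in enumerate(failures):
            in_win = [e for e in failures[i:] if e["ts"] - first["ts"] <= window]
            hosts = {e["host"] for e in in_win}
            if len(in_win) >= min_failures and len(hosts) >= min_hosts:
                end = first["ts"] + window
                success = [e for e in evs
                           if e["result"] == "Accepted" and first["ts"] <= e["ts"] <= end]
                findings[src] = {
                    "failures": len(in_win),
                    "hosts": sorted(hosts),
                    "users": sorted({e["user"] for e in in_win}),
                    "success_after_failures": bool(success),
                    "severity": "high" if success else "medium",
                }
                break  # one finding per source is enough for the analyst
    return findings


if __name__ == "__main__":
    for src, finding in correlate(parse_events(SAMPLE_LOG)).items():
        print(src, finding)
```

On the sample, only 198.51.100.7 is reported, and it is reported once at high severity; alice's single mistyped password and bob's lone failure are exactly the noise the thresholds exist to drop.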
People: The Forgotten Dimension
• Technology can’t fix the problem, even
though it helped to create it
• “Human Firewall Manifesto”
• Vetting and monitoring people is not only
difficult, it runs through many laws and
regulations
• Distributed organizations present special
issues, particularly across national borders
Financial Issues
• Management exists largely to help the
company turn a profit
• Security managers must understand basic
financial accounting terms and forms
– Balance sheet
– Income statement (a.k.a. profit & loss)
– Cash flow statement
– Project evaluation techniques
Balance Sheet
Sample Income Statement
Cash Flow Statement
• Exists to show how the company is using its
cash
• “Cash is king” because companies with
plenty of cash can often survive bad times
• Works just like your checkbook register
• Much harder to “fiddle” than the Balance
Sheet or Income Statement
Project Evaluation Techniques
• ROI
• Payback period
• Discounted cash flow
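The three techniques above, and the numerator question raised earlier on the Return on Investment slide, can be worked through on a hypothetical project. The following added example (mine, not the lecture's) uses constructed figures: a 100,000 up-front cost and a claimed 30,000 net annual benefit for four years. It computes ROI with the lecture's definition (average annual profit / project cost), the payback period, and NPV by discounted cash flow at two discount rates, and then turns the numerator question around by asking what annual benefit the project would need just to break even.

```python
"""Project evaluation figures for a hypothetical security project.

Added example (not from the lecture): the cost and benefit figures are
constructed.  roi() follows the lecture's definition; payback_years()
and npv() are the other two techniques the slide names.  The annual
benefit is the contested number, so it is simply an input here, and
breakeven_benefit() shows what it would have to be.
"""


def roi(cost, annual_benefits):
    """Simple (undiscounted) ROI = average annual profit / project cost.

    Average annual profit is taken as total net benefit less the project
    cost, spread evenly over the project's life (accounting interpretation,
    an assumption about how the lecture's 'profit' is measured).
    """
    years = len(annual_benefits)
    avg_profit = (sum(annual_benefits) - cost) / years
    return avg_profit / cost


def payback_years(cost, annual_benefits):
    """Years until cumulative benefit covers the cost.

    Fractional inside the crossing year (benefit assumed to accrue evenly);
    None if the cost is never recovered within the project's life.
    """
    cumulative = 0.0
    for year, b in enumerate(annual_benefits, start=1):
        if cumulative + b >= cost:
            return (year - 1) + (cost - cumulative) / b
        cumulative += b
    return None


def npv(cost, annual_benefits, rate):
    """Discounted cash flow: cost paid now, each benefit received at year end."""
    return -cost + sum(b / (1 + rate) ** t for t, b in enumerate(annual_benefits, start=1))


def breakeven_benefit(cost, years, rate):
    """Level annual benefit at which NPV is exactly zero (cost / annuity factor)."""
    annuity = sum(1 / (1 + rate) ** t for t in range(1, years + 1))
    return cost / annuity


if __name__ == "__main__":
    COST = 100_000.0             # constructed up-front project cost
    BENEFITS = [30_000.0] * 4    # constructed claimed net benefit per year
    print(f"ROI             {roi(COST, BENEFITS):.1%}")
    print(f"Payback         {payback_years(COST, BENEFITS):.2f} years")
    for r in (0.05, 0.10):
        print(f"NPV @ {r:.0%}       {npv(COST, BENEFITS, r):>10,.0f}")
    print(f"Breakeven @ 10% {breakeven_benefit(COST, len(BENEFITS), 0.10):,.0f} per year")
```

On these figures the undiscounted ROI is positive and payback arrives inside the project's life, yet the NPV at 10% is negative while at 5% it is positive. That is the practical content of "will we be believed?": both the claimed annual benefit and the discount rate management actually applies have to be defended before the ROI figure is quoted, because the same project is a go or a no-go depending on them.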
Help?
• Lot of vendors—be careful here
• Government help aplenty
– www.nsa.gov
– www.issm.doe.gov
– www.gao.gov
GAO View in One Quarter
• “A new homeland security emphasis
is under way, but remains
incomplete.”
• “The federal government’s efforts to
improve homeland security will
require a results-oriented approach
to ensure mission accountability and
sustainability over time.”
GAO Highlights, “Homeland Security: Management Challenges Facing Federal Leadership,” GAO-03-260, December 2002.
Case Studies
• Mine
• Yours
Summary
• Security management is the “glue” that
binds the entire security effort together.
• Absent proper and adequate management, it
doesn't matter how well the other bits and
pieces work
• This is probably the hardest part of all,
because it remains difficult to compute the
ROI
Homework
• From your personal experience or research,
identify a security management issue that
you believe was not optimally handled.
Identify the security lapses that resulted or
might have resulted. How would you have
managed this problem? How would you
structure the security management
organization and process to avoid
recurrence of this or a similar problem?