Research report

profilegunnala
Ch10ManagementandIncidents.pptx

Security in Computing, Fifth Edition

Chapter 10: Management and Incidents

From Security in Computing, Fifth Edition, by Charles P. Pfleeger, et al. (ISBN: 9780134085043). Copyright 2015 by Pearson Education, Inc. All rights reserved.

1

Chapter 10 Objectives

Study the contents of a good security plan

Learn to plan for business continuity and responding to incidents

Outline the steps and best practices of risk analysis

Learn to prepare for natural and human-caused disasters

2

From Security in Computing, Fifth Edition, by Charles P. Pfleeger, et al. (ISBN: 9780134085043). Copyright 2015 by Pearson Education, Inc. All rights reserved.

Contents of a Security Plan

A security plan identifies and organizes the security activities for a computing system.

The plan is both a description of the current situation and a map for improvement.

The plan is both an official record of current security practices and a blueprint for orderly change to improve those practices.

3

From Security in Computing, Fifth Edition, by Charles P. Pfleeger, et al. (ISBN: 9780134085043). Copyright 2015 by Pearson Education, Inc. All rights reserved.

3

Contents of a Security Plan

Policy, indicating the goals of a computer security effort and the willingness of the people involved to work to achieve those goals

Current state, describing the status of security at the time of the plan

Requirements, recommending ways to meet the security goals

Recommended controls, mapping controls to the vulnerabilities identified in the policy and requirements

Accountability, documenting who is responsible for each security activity

Timetable, identifying when different security functions are to be done

Maintenance, specifying a structure for periodically updating the security plan

4

From Security in Computing, Fifth Edition, by Charles P. Pfleeger, et al. (ISBN: 9780134085043). Copyright 2015 by Pearson Education, Inc. All rights reserved.

4

Security Policy

A high-level statement of purpose and intent

Answers three essential questions:

Who should be allowed access?

To what system and organizational resources should access be allowed?

What types of access should each user be allowed for each resource?

Should specify

The organization’s security goals (e.g., define whether reliable service is a higher priority than preventing infiltration)

Where the responsibility for security lies (e.g., the security group or the user)

The organization’s commitment to security (e.g., defines where the security group fits in the corporate structure)

5

From Security in Computing, Fifth Edition, by Charles P. Pfleeger, et al. (ISBN: 9780134085043). Copyright 2015 by Pearson Education, Inc. All rights reserved.

5

Security Policy

Security policies and plans can and often should exist at the level of systems or groups of systems.

An organization-wide security policy can address users and systems only in the context of fairly general roles, which, for many purposes, is not specific enough.

Whereas the organization as a whole may be primarily focused on maintaining confidentiality of data, certain systems in that organization may rightfully focus on maintaining availability as a top priority.

6

From Security in Computing, Fifth Edition, by Charles P. Pfleeger, et al. (ISBN: 9780134085043). Copyright 2015 by Pearson Education, Inc. All rights reserved.

6

Assessment of Current Security Status

A risk analysis—a systemic investigation of the system, its environment, and what might go wrong—forms the basis for describing the current security state

Defines the limits of responsibility for security

Which assets are to be protected

Who is responsible for protecting them

Who is excluded from responsibility

Boundaries of responsibility

7

From Security in Computing, Fifth Edition, by Charles P. Pfleeger, et al. (ISBN: 9780134085043). Copyright 2015 by Pearson Education, Inc. All rights reserved.

We look at risk analysis in more detail later in this chapter.

7

Security Requirements

Security requirements are functional or performance demands placed on a system to ensure a desired level of security

Usually derived from organizational business needs, sometimes including compliance with mandates imposed from outside, such as government standards

Characteristics of good security requirements:

Correctness

Consistency

Completeness

Realism

Need

Verifiability

Traceability

8

From Security in Computing, Fifth Edition, by Charles P. Pfleeger, et al. (ISBN: 9780134085043). Copyright 2015 by Pearson Education, Inc. All rights reserved.

8

Security Requirements

Correctness: Are the requirements understandable? Are they stated without error?

Consistency: Are there any conflicting or ambiguous requirements?

Completeness: Are all possible situations addressed by the requirements?

Realism: Is it possible to implement what the requirements mandate?

Need: Are the requirements unnecessarily restrictive?

Verifiability: Can tests be written to demonstrate conclusively and objectively that the requirements have been met? Can the system or its functionality be measured in some way that will assess the degree to which the requirements are met?

Traceability: Can each requirement be traced to the functions and data related to it so that changes in a requirement can lead to easy reevaluation?

9

From Security in Computing, Fifth Edition, by Charles P. Pfleeger, et al. (ISBN: 9780134085043). Copyright 2015 by Pearson Education, Inc. All rights reserved.

9

Responsibility for Implementation

A section of the security plan will identify which people (roles) are responsible for implementing security requirements

Common roles:

Users of personal computers or other devices may be responsible for the security of their own machines. Alternatively, the security plan may designate one person or group to be coordinator of personal computer security.

Project leaders may be responsible for the security of data and computations.

Managers may be responsible for seeing that the people they supervise implement security measures.

Database administrators may be responsible for the access to and integrity of data in their databases.

Information officers may be responsible for overseeing the creation and use of data; these officers may also be responsible for retention and proper disposal of data.

Personnel staff members may be responsible for security involving employees, for example, screening potential employees for trustworthiness and arranging security training programs.

10

From Security in Computing, Fifth Edition, by Charles P. Pfleeger, et al. (ISBN: 9780134085043). Copyright 2015 by Pearson Education, Inc. All rights reserved.

Timetable and Plan Maintenance

As a security plan cannot be implemented instantly, the plan should include a timetable of how and when the elements in it will be performed

The plan should specify the order in which controls are to be implemented so that the most serious exposures are covered as soon as possible

The plan must be extensible, as new equipment will be acquired, new connectivity requested, and new threats identified

The plan must include procedures for change and growth

The plan must include a schedule for periodic review

11

From Security in Computing, Fifth Edition, by Charles P. Pfleeger, et al. (ISBN: 9780134085043). Copyright 2015 by Pearson Education, Inc. All rights reserved.

Inputs to the Security Plan

12

From Security in Computing, Fifth Edition, by Charles P. Pfleeger, et al. (ISBN: 9780134085043). Copyright 2015 by Pearson Education, Inc. All rights reserved.

This is a conceptual model of how the previous slides fit together.

12

Security Planning Team Members

Security planning touches every aspect of an organization and therefore requires participation well beyond the security group

Common security planning representation:

Computer hardware group

System administrators

Systems programmers

Applications programmers

Data entry personnel

Physical security personnel

Representative users

13

From Security in Computing, Fifth Edition, by Charles P. Pfleeger, et al. (ISBN: 9780134085043). Copyright 2015 by Pearson Education, Inc. All rights reserved.

Assuring Commitment to a Security Plan

A plan that has no organizational* commitment collects dust on a shelf

Three groups of people must contribute to making the plan a success:

The planning team must be sensitive to the needs of each group affected by the plan.

Those affected by the security recommendations must understand what the plan means for the way they will use the system and perform their business activities. In particular, they must see how what they do can affect other users and other systems.

Management must be committed to using and enforcing the security aspects of the system.

14

From Security in Computing, Fifth Edition, by Charles P. Pfleeger, et al. (ISBN: 9780134085043). Copyright 2015 by Pearson Education, Inc. All rights reserved.

Business Continuity Planning

A business continuity plan documents how a business will continue to function during or after a computer security incident

Addresses situations having two characteristics:

Catastrophic situations, in which all or a major part of a computing capability is suddenly unavailable

Long duration, in which the outage is expected to last for so long that business will suffer

15

From Security in Computing, Fifth Edition, by Charles P. Pfleeger, et al. (ISBN: 9780134085043). Copyright 2015 by Pearson Education, Inc. All rights reserved.

The next slide addresses the specific tasks involved in business continuity planning.

15

Continuity Planning Activities

Assess the business impact of a crisis

What are the essential assets?

What could disrupt use of these assets?

Develop a strategy to control impact

Investigate how the key assets can be safeguarded

Develop and implement a plan for the strategy

Define:

Who is in charge when an incident occurs

What to do when an incident occurs

Who does what tasks when an incident occurs

16

From Security in Computing, Fifth Edition, by Charles P. Pfleeger, et al. (ISBN: 9780134085043). Copyright 2015 by Pearson Education, Inc. All rights reserved.

Incident Response Plans

A security incident response plan tells the staff how to deal with a security incident

In contrast to a business continuity plan, the goal of incident response is handling the current security incident without direct regard for the business issues

An incident response plan should

Define what constitutes an incident

Identify who is responsible for taking charge of the situation

Describe the plan of action

17

From Security in Computing, Fifth Edition, by Charles P. Pfleeger, et al. (ISBN: 9780134085043). Copyright 2015 by Pearson Education, Inc. All rights reserved.

Incident Response Teams

The response team is charged with responding to the incident. It may include

Director : The person in charge of the incident, who decides what actions to take

Technicians: People who perform the technical part of the response

Advisors: Legal, human resources, or public relations staff members as appropriate

Matters to consider when identifying a response team:

Legal issues

Preserving evidence

Records

Public relations

18

From Security in Computing, Fifth Edition, by Charles P. Pfleeger, et al. (ISBN: 9780134085043). Copyright 2015 by Pearson Education, Inc. All rights reserved.

CSIRTs

Computer Security Incident Response Teams (CSIRT) are teams trained and authorized to handle security incidents

CSIRTs are closely related to Security Operations Centers (SOC), which perform day-to-day monitoring of a network and may be the first to detect an incident.

Responsibilities of a CSIRT include

Reporting: Receiving reports of suspected incidents and reporting as appropriate to senior management

Detection: Investigation to determine if an incident occurred

Triage: Immediate action to address urgent needs

Response: Coordination of effort to address all aspects in a manner appropriate to severity and time demands

Postmortem: Declaring the incident over and arranging to review the case to improve future response

Education: Preventing harm by advising on good security practices and disseminating lessons learned from past incidents

19

From Security in Computing, Fifth Edition, by Charles P. Pfleeger, et al. (ISBN: 9780134085043). Copyright 2015 by Pearson Education, Inc. All rights reserved.

19

CSIRT Skills

Collect, analyze, and preserve digital forensic evidence

Analyze data to infer trends

Analyze the source, impact, and structure of malicious code

Help manage installations and networks by developing defenses such as signatures

Perform penetration testing and vulnerability analysis

Understand current technologies used in attacks

20

From Security in Computing, Fifth Edition, by Charles P. Pfleeger, et al. (ISBN: 9780134085043). Copyright 2015 by Pearson Education, Inc. All rights reserved.

Risk Analysis

Risk analysis is an organized process for identifying the most significant risks in a computing environment, determining the impact of those risks, and weighing the desirability of applying various controls against those risks

A risk is a potential problem that the system or its users may experience – like the cost of a data breach*

Characteristics of a risk:

Associated loss (also known as a risk impact)

Likelihood of occurring

Degree to which we can change the outcome (risk control)

We can theoretically quantify the effects of a risk, or risk exposure, by multiplying likelihood by risk impact

21

From Security in Computing, Fifth Edition, by Charles P. Pfleeger, et al. (ISBN: 9780134085043). Copyright 2015 by Pearson Education, Inc. All rights reserved.

Note that even though risks have likelihoods associated with them, those likelihoods, in the context of cybersecurity, are generally impossible to measure.

21

Strategies for Dealing with Risk

Avoid the risk by changing requirements for security or other system characteristics

Transfer the risk by allocating the risk to other systems, people, organizations, or assets or by buying insurance to cover any financial loss should the risk become a reality

Assume the risk by accepting it, controlling it with available resources, and preparing to deal with the loss if it occurs

22

From Security in Computing, Fifth Edition, by Charles P. Pfleeger, et al. (ISBN: 9780134085043). Copyright 2015 by Pearson Education, Inc. All rights reserved.

Steps of a Risk Analysis

Identify assets.

Determine vulnerabilities.

Estimate likelihood of exploitation.

Compute expected annual loss.

Survey applicable controls and their costs.

Project annual savings of control.

23

From Security in Computing, Fifth Edition, by Charles P. Pfleeger, et al. (ISBN: 9780134085043). Copyright 2015 by Pearson Education, Inc. All rights reserved.

These steps are discussed in more detail in the next slides.

23

Step 1: Identify Assets

Hardware: Processors, boards, keyboards, monitors, terminals, microcomputers, workstations, tape drives, printers, disks, disk drives, cables, connections, communications controllers, and communications media

Software: Source programs, object programs, purchased programs, in-house programs, utility programs, operating systems, systems programs (such as compilers), and maintenance diagnostic programs

Data: Data used during execution, stored data on various media, printed data, archival data, update logs, and audit records

People: Skilled staff needed to run the computing system or specific programs, as well as support personnel such as guards

Documentation: On programs, hardware, systems, administrative procedures, and the entire system

Supplies: Paper, forms, laser cartridges, recordable media, and printer ink, as well as power, heating and cooling, and necessary buildings or shelter

Reputation: Company image

Availability: Ability to do business, ability to resume business rapidly and efficiently after an incident

24

From Security in Computing, Fifth Edition, by Charles P. Pfleeger, et al. (ISBN: 9780134085043). Copyright 2015 by Pearson Education, Inc. All rights reserved.

Step 2: Determine Vulnerabilities

25

From Security in Computing, Fifth Edition, by Charles P. Pfleeger, et al. (ISBN: 9780134085043). Copyright 2015 by Pearson Education, Inc. All rights reserved.

This is an example of a matrix mapping vulnerabilities to assets. In real life, the matrix would be much longer and include much more specific assets. Numerous vulnerability types can apply broadly to a class of assets, however, so broad categories are useful and help identify organization-wide concerns.

In considering the contents of each matrix entry, we can ask some helpful questions:

What are the effects of unintentional errors? Consider typing the wrong command, entering the wrong data, using the wrong data item, discarding the wrong listing, and disposing of output insecurely.

What are the effects of willfully malicious insiders? Consider disgruntled employees, bribery, and curious browsers.

What are the effects of outsiders? Consider network access, remote access, hackers, people walking through the building, people snooping at coffee shops, and people sifting through the trash.

What are the effects of natural and physical disasters? Consider fires, storms, floods, power outages, and component failures.

25

Step 3: Estimate Likelihood of Exploitation

Because it is impossible to know all of a system’s vulnerabilities or all the ways those vulnerabilities can be exploited, is also impossible to accurately assess likelihood of exploitation

Possible approaches to estimation:

Apply frequency probability using observed data for a similar system

Use an analyst familiar with such systems to estimate number of occurrences in a given time period

Use descriptive adjectives or a simple rating system

The Delphi approach

26

From Security in Computing, Fifth Edition, by Charles P. Pfleeger, et al. (ISBN: 9780134085043). Copyright 2015 by Pearson Education, Inc. All rights reserved.

The Delphi approach:

Provide each of several experts with information describing the situation surrounding the event under consideration. For example, the experts may be told about the software and hardware architecture, conditions of use, and expertise of users.

Each expert individually estimates the likelihood of the event. The estimates are collected, reproduced, and distributed to all experts.

The individual estimates are listed anonymously, and the experts are usually given some statistical information, such as mean or median.

The experts are then asked whether they wish to modify their individual estimates in light of values their colleagues have supplied.

If the revised values are reasonably consistent, the process ends with the group’s reaching consensus.

If the values are inconsistent, additional rounds of revision may occur until consensus is reached.

26

Quantitative vs. Qualitative Estimation

27

From Security in Computing, Fifth Edition, by Charles P. Pfleeger, et al. (ISBN: 9780134085043). Copyright 2015 by Pearson Education, Inc. All rights reserved.

27

Step 4: Compute Expected Loss

In addition to the obvious costs, such as the cost to replace a hardware asset, there are hidden costs:

Cost of restoring the system to a previous state

Cost of downtime

Legal fees

Loss of reputation and confidence

Loss of confidentiality

Some hidden costs may be impossible to accurately evaluate, but considering them will nonetheless aid in risk management

28

From Security in Computing, Fifth Edition, by Charles P. Pfleeger, et al. (ISBN: 9780134085043). Copyright 2015 by Pearson Education, Inc. All rights reserved.

Step 5: Survey and Select New Controls

Once you understand your assets, vulnerabilities, estimated likelihood of exploitation, and cost of exploitation, you have enough information to select controls

Each vulnerability may have one or more controls associated with it, and each control may work for many assets and multiple vulnerabilities

One approach is to use graph theory to select a minimal set of controls to address all vulnerabilities

29

From Security in Computing, Fifth Edition, by Charles P. Pfleeger, et al. (ISBN: 9780134085043). Copyright 2015 by Pearson Education, Inc. All rights reserved.

Step 6: Project Costs and Savings

This step is meant to determine whether the costs of implementing controls outweigh the expected benefits

The effective cost of a given control is the actual cost of the control (including purchase price, installation and deployment costs, and training costs) minus the expected loss the control is expected to prevent

The cost may be positive if the product is very expensive or introduces new risks to the system, or it may be negative if the expected reduction in risk is greater than the cost of the control

30

From Security in Computing, Fifth Edition, by Charles P. Pfleeger, et al. (ISBN: 9780134085043). Copyright 2015 by Pearson Education, Inc. All rights reserved.

Access Control Software Cost Example

31

From Security in Computing, Fifth Edition, by Charles P. Pfleeger, et al. (ISBN: 9780134085043). Copyright 2015 by Pearson Education, Inc. All rights reserved.

Arguments for Risk Analysis

Improve awareness*

Relate security mission to management objectives

Identify assets, vulnerabilities, and controls

Improve basis for decisions

Justify expenditures for security

32

From Security in Computing, Fifth Edition, by Charles P. Pfleeger, et al. (ISBN: 9780134085043). Copyright 2015 by Pearson Education, Inc. All rights reserved.

Improve awareness: Discussing issues of security can raise the general level of interest and concern among developers and users. Especially when the user population has little expertise in computing, the risk analysis can educate users about the role security plays in protecting functions and data that are essential to user operations and products.

Relate security mission to management objectives: Security is often perceived as a financial drain for no gain. Management does not always see that security helps balance harm and control costs.

Identify assets, vulnerabilities, and controls: Some organizations are unaware of their computing assets, their value to the organization, and the vulnerabilities associated with those assets. A systematic analysis produces a comprehensive list of assets, valuations, and risks.

Improve basis for decisions: A security manager can present an argument such as “I think we need a firewall here” or “I think we should use token-based authentication instead of passwords.” Risk analysis augments the manager’s judgment as a basis for the decision.

Justify expenditures for security: Some security mechanisms appear to be very expensive and without obvious benefit. A risk analysis can help identify instances where it is worth the expense to implement a major security mechanism. Managers can show the much larger risks of not spending for security.

32

Arguments Against Risk Analysis

False sense of precision and confidence

Hard to perform

Immutability

Lack of accuracy

33

From Security in Computing, Fifth Edition, by Charles P. Pfleeger, et al. (ISBN: 9780134085043). Copyright 2015 by Pearson Education, Inc. All rights reserved.

False sense of precision and confidence: The heart of risk analysis is the use of empirical data to generate estimates of risk impact, risk probability, and risk exposure. The danger is that these numbers will give us a false sense of precision, thereby giving rise to an undeserved confidence in the numbers. However, in many cases the numbers themselves are much less important than their relative sizes. Whether an expected loss is $100,000 or $150,000 is relatively unimportant. It is much more significant that the expected loss is far above the $10,000 or $20,000 budget allocated for implementing a particular control. Moreover, anytime a risk analysis generates a large potential loss, the system deserves further scrutiny to see if the root cause of the risk can be addressed.

Hard to perform: Enumerating assets, vulnerabilities, and controls requires creative thinking. Assessing loss frequencies and impact can be difficult and subjective. A large risk analysis must consider many factors. Risk analysis can be restricted to certain assets or vulnerabilities, however.

Immutability: Many software project leaders view processes such as risk analysis as an irritating fact of life—a step to be taken in a hurry so that the developers can get on with the more interesting jobs related to designing, building, and testing the system. For this reason, risk analyses, like contingency plans and five-year plans, have a tendency to be filed and promptly forgotten. But if an organization takes security seriously, it will view the risk analysis as a living document, updating it at least annually or in conjunction with major system upgrades.

Lack of accuracy: Risk analysis is not always accurate, for many reasons. First, we may not be able to calculate the risk probability with any accuracy, especially when we have no past history of similar situations. Second, even if we know the likelihood, we cannot always estimate the risk impact very well. The risk management literature is replete with papers about describing the scenario, showing that presenting the same situation in two different ways to two equivalent groups of people can yield two radically different estimates of impact. And third, we may not be able to anticipate all the possible risks. For example, bridge builders did not know about the risks introduced by torque from high winds until the Tacoma Narrows Bridge twisted in the wind and collapsed. After studying the colossal failure of this bridge and discovering the cause, engineers made mandatory the inclusion of torque in their simulation parameters. Similarly, we may not know enough about software, security, or the context in which the system is to be used, so there may be gaps in our risk analysis that cause it to be inaccurate.

33

Natural Disasters

Examples:

Flood

Fire

Earthquake

Mitigations:

Develop contingency plans so that people know how to react in emergencies and business can continue

Insure physical assets—computers, buildings, devices, supplies—against harm

Preserve sensitive data by maintaining copies in physically separated locations

Prevent power loss using uninterruptable power supplies and surge suppressors

34

From Security in Computing, Fifth Edition, by Charles P. Pfleeger, et al. (ISBN: 9780134085043). Copyright 2015 by Pearson Education, Inc. All rights reserved.

Interception of Sensitive Information

Mitigations:

Shred paper copies of sensitive information

Overwrite magnetic data several times using software designed for that purpose

Degauss magnetic media

Protect against RF emanation by trapping signals or adding spurious ones

35

From Security in Computing, Fifth Edition, by Charles P. Pfleeger, et al. (ISBN: 9780134085043). Copyright 2015 by Pearson Education, Inc. All rights reserved.

Contingency Planning

Backups

Offsite backup

Cloud backup

Failover

Cold site

Hot site

36

From Security in Computing, Fifth Edition, by Charles P. Pfleeger, et al. (ISBN: 9780134085043). Copyright 2015 by Pearson Education, Inc. All rights reserved.

Summary

A security plan is both an official record of current security practices and a blueprint for orderly change to improve those practices

Business contingency and incident response planning help establish an orderly, carefully considered response to emergencies and other security incidents

Risk analysis is a complex and imperfect process but forces an organization to carefully consider important assets, vulnerabilities, risks, and control options

Prepare for disasters by contingency planning, insuring assets, backing up data, and deploying failover sites

37

From Security in Computing, Fifth Edition, by Charles P. Pfleeger, et al. (ISBN: 9780134085043). Copyright 2015 by Pearson Education, Inc. All rights reserved.

37

image2.emf

image3.png

image4.png

Pros

Cons

Quantitative

Chapter 1 Assessment and results based on independently objective processes and metrics. Meaningful statistical analysis is supported

Chapter 2 Value of information assets and expected loss expressed in monetary terms. Supporting rationale easily understood

Chapter 3 Provides credible basis for cost/benefit assessment of risk mitigation. Supports information security budget decision-making

Chapter 4 Calculations are complex. Management may mistrust the results of calculations and hence analysis

Chapter 5 Must gather substantial information about the target IT environment

Chapter 6 No standard independently developed and maintained threat population and frequency knowledge base. Users must rely on the credibility of the in-house or external threat likelihood assessment

Qualitative

Chapter 7 Simple calculations, readily understood and executed

Chapter 8 Not necessary to quantify threat frequency and impact data

Chapter 9 Not necessary to estimate cost of recommended risk mitigation measures and calculate cost/benefit

Chapter 10 A general indication of significant areas of risk that should be addressed is provided

Chapter 11 Results are subjective. Use of independently objective metrics is eschewed

Chapter 12 No effort to develop an objective monetary basis for the value of targeted information assets

Chapter 13 Provides no measurable basis for cost/benefit analysis of risk mitigation. Difficult to compare risk to control cost

Chapter 14 Not possible to track risk management performance objectively when all measures are subjective

image5.png