TEL2813/IS2820 Security Management

TEL2813/IS2820 Security Management

TEL2813/IS2820 Security Management Lecture 1 Jan 10, 2006 Contact James Joshi 706A, IS Building Phone: 412-624-9982 E-mail: [email protected] Web: /~jjoshi/TELCOM2813/Spring2005/

Office Hours: Wednesdays: 1.00 3.00 p.m. or By appointments GSA: will be announced later Course objective The course is aimed at imparting knowledge and skill sets required to assume the overall responsibilities of administration and management of security of an enterprise information system. Course objective After the course, ability to to carry out

detailed analysis of enterprise security by performing various types of analysis vulnerability analysis, penetration testing, audit trail analysis, system and network monitoring, and Configuration management, etc. Carry out the task of security risk management using various practical and theoretical tools. Course objective

After the course, ability to carry out Design detailed enterprise wide security plans and policies, and deploy appropriate safeguards (models, mechanisms and tools) at all the levels due consideration to the life-cycle of the enterprise information systems and networks, legal and social environment Be able to certify products according to IA standards (Common Criteria Evaluations)

Course content Introduction to Security Management Security policies/models/mechanisms Security Management Principles, Models and

Practices Security Planning/ Asset Protection Security Programs and Disaster Recovery Plans Security Analysis and Safeguards Vulnerability analysis (Tools & Tech.) Penetration testing Risk Management Protection Mechanisms and Incident handling

Standards and Security Certification Issues Rainbow Series, Common Criteria Security Certification Process National/International

Security Laws and Ethical Issues Access Control and Authentication architecture Configuration Management Auditing systems audit trail analysis Network defense and countermeasures Intrusion Detection Systems (SNORT) Architectural configurations and survivability

Firewall configurations Virtual private networks Computer and network forensic Privacy Protection Case studies on OS and application software (e.g., SELinux, Unix and Windows Security) Course Material Recommended course material

Management of Information Security, M. E. Whitman, H. J. Mattord Guide to Disaster Recovery, M. Erbschilde Guide to Network Defense and Countermeasures, G. Holden Real Digital Forensics: Computer Security and Incident Response, 1/e; Keith J. Jones, Richard Bejtlich, Curtis W. Rose Computer Security: Art and Science, Matt Bishop (ISBN: 0-201-44099-7), Addison-Wesley 2003 Security in Computing, 2nd Edition, Charles P. Pfleeger, Prentice Hall A list of papers will be provided

Tentative Grading Assignments (50%) Homework/Quiz/Paper review/Class Participation/Seminar attendance 40% One/two presentation 10% Exams 20% Project 30%

Course Policies Your work MUST be your own Homework Zero tolerance for cheating/plagiarism

You get an F for the course if you cheat in anything however small NO DISCUSSION Discussing the problem is encouraged Penalty for late assignments (15% each day) Ensure clarity in your answers no credit will be given for vague answers Homework is primarily the GSAs responsibility Check webpage for everything! You are responsible for checking the webpage for updates Introduction Introduction

Information technology is critical to business and society Computer security is evolving into information security Information security is the responsibility of every member of an organization, but managers play a critical role Introduction Information security involves three distinct communities of interest

Information security managers and professionals Information technology managers and professionals Non-technical business managers and professionals Communities of Interest InfoSec community: IT community:

protect information assets from threats support business objectives by supplying appropriate information technology Business community: policy and resources What Is Security? The quality or state of being secureto be free from danger

Security is achieved using several strategies simultaneously Security and Control Examples Physical security Personal security Operations

security Communications security Network security Controls Physical Controls Technical Controls Administrative

Prevention Detection Recovery Deterrence, Corrective InfoSec Components CIA Triangle The C.I.A. triangle is made up of Confidentiality Integrity

Availability Over time the list of characteristics has expanded, but these three remain central CNSS model is based on CIA NSTISSC Security Model (4011) Key Concepts: Confidentiality Confidentiality

only those with sufficient privileges may access certain information Some threats Confidentiality model Bell-LaPadula No write down & No read up

TCSEC/TNI (Orange, Red Book) Hackers Masqueraders Unauthorized users Unprotected download of files LANS Trojan horses Key Concepts: Integrity

Integrity Integrity is the quality or state of being whole, complete, and uncorrupted Integrity model Biba/low water mark Clark-Wilson

No write up & No read down Separation of duty Lipner Other issues Origin integrity Data integrity Key Concepts: Availability

Availability making information accessible to user access without interference or obstruction Survivability Ensuring availability in presence of attacks Key Concepts: privacy Privacy

Information is to be used only for purposes known to the data owner This does not focus on freedom from observation, but rather that information will be used only in ways known to the owner Key Concepts: Identification Identification

Information systems possess the characteristic of identification when they are able to recognize individual users Identification and authentication are essential to establishing the level of access or authorization that an individual is granted Key Concepts: Authentication & Authorization Authentication Authentication occurs when a control

provides proof that a user possesses the identity that he or she claims Authorization authorization provides assurance that the user has been specifically and explicitly authorized by the proper authority to access the contents of an information asset Key Concepts: Accountability; Assurance Accountability

The characteristic of accountability exists when a control provides assurance that every activity undertaken can be attributed to a named person or automated process Assurance Assurance that all security objectives are met What Is Management?

A process of achieving objectives using a given set of resources To manage the information security process, first understand core principles of management A manager is someone who works with and through other people by coordinating their work activities in order to accomplish organizational goals Managerial Roles Informational role: Collecting,

processing, and using information to achieve the objective Interpersonal role: Interacting with superiors, subordinates, outside stakeholders, and other Decisional role: Selecting from alternative approaches and resolving conflicts, dilemmas, or challenges Differences Between Leadership and Management

The leader influences employees so that they are willing to accomplish objectives He or she is expected to lead by example and demonstrate personal traits that instill a desire in others to follow Leadership provides purpose, direction, and motivation to those that follow A manager administers the resources of the organization, budgets, authorizes expenditure Characteristics of a Leader 1. 2. 3. 4. 5. 6. 7.

Bearing Courage Decisiveness Dependability Endurance Enthusiasm Initiative Used by US military 8. 9. 10. 11. 12. 13. 14. Integrity Judgment Justice

Knowledge Loyalty Tact Unselfishness What Makes a Good Leader? Action plan 1. 2. 3. 4. 5. 6. Know yourself and seek

self-improvement Be technically and tactically proficient Seek responsibility and take responsibility for your actions Make sound and timely decisions Set the example Know your [subordinates] and look out for their wellbeing 7. 8. 9. 10. 11.

Keep your subordinates informed Develop a sense of responsibility in your subordinates Ensure the task is understood, supervised, and accomplished Build the team Employ your team in accordance with its capabilities Leadership quality and types A leader must:

BE a person of strong and honorable character KNOW you, the details of your situation, the standards to which you work, human nature, and your team DO by providing purpose, direction, and motivation to your team Three basic behavioral types of leaders: Autocratic Democratic

Laissez-faire Characteristics of Management Two well-known approaches to management: Traditional management theory using principles of planning, organizing, staffing, directing, and controlling (POSDC) Popular management theory using principles of management into planning, organizing, leading, and controlling (POLC) The PlanningControlling

Link Planning & Organization Planning: process that develops, creates, and implements strategies for the accomplishment of objectives Three levels of planning Strategic Tactical Operational

Organization: structuring of resources to support the accomplishment of objectives Leadership Encourages the implementation of the planning and organizing functions, Includes supervising employee behavior, performance, attendance, and attitude Leadership generally addresses

the direction and motivation of the human resource Control Control: Monitoring progress toward completion Making necessary adjustments to achieve the desired objectives Controlling function determines what must be monitored as well as using specific control tools to gather and evaluate information

Control Tools Four categories: Information Financial Guide use of monetary resources (ROI,CBA,..)

Operational Information flows/ communications PERT, Gantt, process flow Behavioral Human resources The Control Process Solving Problems

Step 1: Recognize and Define the Problem Step 2: Gather Facts and Make Assumptions Step 3: Develop Possible Solutions (Brainstorming) Step 4: Analyze and Compare the Possible Solutions (Feasibility analysis) Step 5: Select, Implement, and Evaluate a Solution Feasibility Analyses

Economic feasibility assesses costs and benefits of a solution Technological feasibility assesses an organizations ability to acquire and manage a solution Behavioral feasibility assesses whether members of the organization will support a solution Operational feasibility assesses if an organization can integrate a solution Principles Of Information Security Management

The extended characteristics of information security are known as the six Ps: Planning Policy Programs Protection People Project Management InfoSec Planning

Planning as part of InfoSec management is an extension of the basic planning model discussed earlier Included in the InfoSec planning model are activities necessary to support the design, creation, and implementation of information security strategies as they exist within the IT planning environment InfoSec Planning Types

Several types of InfoSec plans exist: Incident response Business continuity Disaster recovery Policy Personnel Technology rollout Risk management and Security program including education, training and awareness

Policy Policy: set of organizational guidelines that dictates certain behavior within the organization In InfoSec, there are three general categories of policy: General program policy (Enterprise Security Policy) An issue-specific security policy (ISSP)

E.g., email, Intenert use System-specific policies (SSSPs) E.g., Access control list (ACLs) for a device Programs Programs are operations managed as specific entities in the information security domain Example:

A security education training and awareness (SETA) program is one such entity Other programs that may emerge include a physical security program, complete with fire, physical access, gates, guards, and so on Protection Risk management activities, including

risk assessment and control, & Protection mechanisms, technologies & tools Each of these mechanisms represents some aspect of the management of specific controls in the overall security plan People People are the most critical link in the information security program

Human firewall It is imperative that managers continuously recognize the crucial role that people play; includes information security personnel and the security of personnel, as well as aspects of the SETA program Project Management Project management discipline should be present throughout all elements of the information security program Involves

Identifying and controlling the resources applied to the project Measuring progress and adjusting the process as progress is made toward the goal Security Planning Introduction Successful organizations utilize planning Planning involves:

Employees Management Stockholders Other outside stakeholders Physical environment Political and legal environment Competitive environment Technological environment Introduction Strategic planning includes:

Vision statement Mission statement Strategy Coordinated plans for sub units Knowing how the general organizational planning process works helps in the information security planning process Introduction

Planning: Is creating action steps toward goals, and then controlling them Provides direction for the organizations future Top-down method: Organizations leaders choose the direction Planning begins with the general and ends

with the specific Information Security Planning Components Of Planning: Mission Statement Mission statement: Declares the business of the organization and its intended areas of operations Explains what the organization does and for whom

Example: Random Widget Works, Inc. designs and manufactures quality widgets, associated equipment and supplies for use in modern business environments CSSD http://technology.pitt.edu/security.html Components Of Planning: Vision Statement Vision statement:

Expresses what the organization wants to become Should be ambitious Example: Random Widget Works will be the preferred manufacturer of choice for every businesss widget equipment needs, with an RWW widget in every machine they use Components Of Planning: Values By establishing organizational principles in a values statement, an organization makes its conduct standards clear

Example: RWW values commitment, honesty, integrity and social responsibility among its employees, and is committed to providing its services in harmony with its corporate, social, legal and natural environments. The mission, vision, and values statements together provide the foundation for planning Components Of Planning: Strategy

Strategy is the basis for long-term direction Strategic planning: Guides organizational efforts Focuses resources on clearly defined goals strategic planning is a disciplined effort to produce fundamental decisions and actions that shape and guide what an organization is, what it does, and why it does it, with a focus on the future. Strategic Planning Strategic Planning

Organization: Each level of division Develops a general strategy Creates specific strategic plans for major divisions translates those objectives into more specific objectives for the level below In order to execute this broad strategy,

executives must define individual managerial responsibilities Planning for the Organization Strategic Planning Strategic goals are then translated into tasks with specific, measurable, achievable, reasonably high and timebound objectives (SMART) Strategic planning

then begins a transformation from general to specific objectives Planning Levels Planning levels Tactical Planning Shorter focus than strategic planning Usually one to three years Breaks applicable strategic goals into a series of incremental objectives Planning levels

Operational Planning Used by managers and employees to organize the ongoing, day-to-day performance of tasks Includes clearly identified coordination activities across department boundaries such as: Communications requirements Weekly meetings

Summaries Progress reports Typical Strategic Plan Elements Introduction by senior executive (President/CEO) Executive Summary

Mission Statement and Vision Statement Organizational Profile and History Strategic Issues and Core Values Program Goals and Objectives Management/Operations Goals and Objectives Appendices (optional) Strengths, weaknesses, opportunities and threats (SWOT) analyses, surveys, budgets &etc Tips For Planning Create a compelling vision statement that frames the evolving plan, and acts as a magnet for people who want to make a difference

Embrace the use of balanced scorecard approach Deploy a draft high level plan early, and ask for input from stakeholders in the organization Make the evolving plan visible Tips For Planning

Make the process invigorating for everyone Be persistent Make the process continuous Provide meaning Be yourself Lighten up and have some fun Planning For Information Security Implementation The CIO and CISO play important roles

in translating overall strategic planning into tactical and operational information security plans CISO plays a more active role in the development of the planning details than does the CIO CISO Job Description Creates strategic information security plan with a vision for the future of information security at Company X Understands fundamental business activities performed by Company X

Based on this understanding, suggests appropriate information security solutions that uniquely protect these activities Develops action plans, schedules, budgets, status reports and other top management communications intended to improve the status of information security at Company X Planning for InfoSec Once plan has been translated into IT and information security objectives and tactical and operational plans for information security, implementation can begin

Implementation of information security can be accomplished in two ways: Bottom-up OR Top-down Approaches to Security Implementation The Systems Development Life Cycle (SDLC)

SDLC: methodology for the design and implementation of an information system SDLC-based projects may be initiated by events or planned At the end of each phase, a review occurs when reviewers determine if the project should be continued, discontinued, outsourced, or postponed Phases of An SDLC Investigation

Identifies problem to be solved Begins with the objectives, constraints, and scope of the project A preliminary cost/benefit analysis is developed to evaluate the perceived benefits and the appropriate costs for those benefits Analysis Begins with information from the Investigation phase

Assesses the organizations readiness, its current systems status, and its capability to implement and then support the proposed system(s) Analysts determine what the new system is expected to do, and how it will interact with existing systems Logical Design Information obtained from analysis phase is used to create a proposed solution for the problem A system and/or application is selected based on the business need

The logical design is the implementation independent blueprint for the desired solution Physical Design During the physical design phase, the team selects specific technologies The selected components are evaluated further as a make-or-buy decision A final design is chosen that optimally integrates required components Implementation

Develop any software that is not purchased, and create integration capability Customized elements are tested and documented Users are trained and supporting documentation is created Once all components have been tested individually, they are installed and tested as a whole Maintenance

Tasks necessary to support and modify the system for the remainder of its useful life System is tested periodically for compliance with specifications Feasibility of continuance versus discontinuance is evaluated Upgrades, updates, and patches are managed When current system can no longer support the mission of the organization, it is terminated and a new systems development project is undertaken

The Security SDLC May differ in several specifics, but overall methodology is similar to the SDLC SecSDLC process involves: Identification of specific threats and the risks that they represent Subsequent design and implementation of specific controls to counter those threats and assist in the management of the risk those threats pose to the organization

Investigation in the SecSDLC Often begins as directive from management specifying the process, outcomes, and goals of the project and its budget Frequently begins with the affirmation or creation of security policies Teams assembled to analyze problems, define scope, specify goals and identify constraints Feasibility analysis determines whether the organization has resources and commitment to conduct a successful security analysis and

design Analysis in the SecSDLC A preliminary analysis of existing security policies or programs is prepared along with known threats and current controls Includes an analysis of relevant legal issues that could affect the design of the security solution Risk management begins in this stage Risk Management

Risk Management: process of identifying, assessing, and evaluating the levels of risk facing the organization Specifically the threats to the information stored and processed by the organization To better understand the analysis phase of the SecSDLC, you should know something about the kinds of threats facing organizations In this context, a threat is an object, person, or other entity that represents a constant danger to an asset

Key Terms Attack: deliberate act that exploits a vulnerability to achieve the compromise of a controlled system Accomplished by a threat agent that damages or steals an organizations information or physical asset Exploit: technique or mechanism used to compromise a system Vulnerability: identified weakness of a

controlled system in which necessary controls are not present or are no longer effective Threats to Information Security Some Common Attacks Malicious code Hoaxes Back doors Password crack

Brute force Dictionary Denial-of-service (DoS) and distributed denial-of-service (DDoS) Spoofing

Man-in-themiddle Spam Mail bombing Sniffer Social engineering Buffer overflow Timing Risk Management Use some method of prioritizing risk posed by each category of threat and its related methods of attack To manage risk, you must identify and

assess the value of your information assets Risk assessment assigns comparative risk rating or score to each specific information asset Risk management identifies vulnerabilities in an organizations information systems and takes carefully reasoned steps to assure the confidentiality, integrity, and availability of all the components in organizations information system Design in the SecSDLC Design phase actually consists of two distinct phases: Logical design phase: team members

create and develop a blueprint for security, and examine and implement key policies Physical design phase: team members evaluate the technology needed to support the security blueprint, generate alternative solutions, and agree upon a final design Security Models Security managers often use established security models to guide the design process Security models provide frameworks for ensuring that all areas of security are addressed

Organizations can adapt or adopt a framework to meet their own information security needs Policy A critical design element of the information security program is the information security policy Management must define three types of security policy: General or security program policy Issue-specific security policies

Systems-specific security policies SETA An integral part of the InfoSec program is Security education and training (SETA) program SETA program consists of three elements: security education, security training, and security awareness Purpose of SETA is to enhance security by:

Improving awareness Developing skills and knowledge Building in-depth knowledge Design Attention turns to the design of the controls and safeguards used to protect information from attacks by threats Three categories of controls:

Managerial Operational Technical Managerial Controls Address design/implementation of the security planning process and security program management Management controls also address:

Risk management Security control reviews Operational Controls Cover management functions and lower level planning including: Disaster recovery Incident response planning Operational controls also address:

Personnel security Physical security Protection of production inputs and outputs Technical Controls Address those tactical and technical issues related to designing and implementing security in the organization

Technologies necessary to protect information are examined and selected Contingency Planning Essential preparedness documents provide contingency planning (CP) to prepare, react and recover from circumstances that threaten the organization: Incident response planning (IRP) Disaster recovery planning (DRP) Business continuity planning (BCP)

Physical Security Physical Securityaddresses the design, implementation, and maintenance of countermeasures that protect the physical resources of an organization Physical resources include: People Hardware

Supporting information system elements Implementation in the SecSDLC Security solutions are acquired, tested, implemented, and tested again Personnel issues are evaluated and specific training and education programs conducted Perhaps most important element of implementation phase is management of project plan:

Planning the project Supervising tasks and action steps within the project Wrapping up the project InfoSec Project Team Should consist of individuals experienced in one or multiple technical and non-technical areas including:

Champion Team leader Security policy developers Risk assessment specialists Security professionals Systems administrators End users Staffing the InfoSec Function Each organization should examine the options for staffing of the information security function 1. 2.

3. 4. Decide how to position and name the security function Plan for proper staffing of information security function Understand impact of information security across every role in IT Integrate solid information security concepts into personnel management practices of the organization InfoSec Professionals It takes a wide range of professionals to support a diverse information security program:

Chief Information Officer (CIO) Chief Information Security Officer (CISO) Security Managers Security Technicians Data Owners Data Custodians Data Users Certifications Many organizations seek professional

certification so that they can more easily identify the proficiency of job applicants: CISSP SSCP GIAC SCP ICSA Security + CISM Maintenance and Change in the SecSDLC

Once information security program is implemented, it must be properly operated, managed, and kept up to date by means of established procedures If the program is not adjusting adequately to the changes in the internal or external environment, it may be necessary to begin the cycle again Maintenance Model

While a systems management model is designed to manage and operate systems, a maintenance model is intended to focus organizational effort on system maintenance: External monitoring Internal monitoring Planning and risk assessment Vulnerability assessment and remediation Readiness and review Vulnerability assessment

ISO Management Model One issue planned in the SecSDLC is the systems management model ISO network management model - five areas: Fault management Configuration and name management Accounting management Performance management Security management

Security Management Model Fault Management involves identifying and addressing faults Configuration and Change Management involve administration of components involved in the security program and administration of changes Accounting and Auditing Management involves chargeback accounting and systems monitoring

Performance Management determines if security systems are effectively doing the job for which they were implemented Security Program Management Once an information security program is functional, it must be operated and managed In order to assist in the actual management of information security programs, a formal management standard can provide some insight into the processes and procedures needed This could be based on the

BS7799/ISO17799 model or the NIST models described earlier

Recently Viewed Presentations

  • Example: Data Mining for the NBA

    Example: Data Mining for the NBA

    Data and Applications Security Developments and Directions Guest Lecture Dr. Kevin Hamlen Given in February 2012
  • MERCURY - Elon University

    MERCURY - Elon University

    Atmosphere. Existing atmosphere from solar winds trapped by magnetic field. Very little atmosphere on Mercury. Weak Magnetic Field. Hot temperatures due to proximity to Sun. With low escape velocity and high temperatures gases easily escape atmosphere
  • Our Leadership Model & Framework Our Leadership Model

    Our Leadership Model & Framework Our Leadership Model

    Modification of the WRHA Nursing Leadership Framework (2006) based on Simpson, Skelton-Green, Scott, and O'Brien-Pallas (2002). ... Completion to be Tracked in our New LMS. Simplification of Language - Especially for those who Lead in Place. ... PowerPoint Presentation
  • COPPER PATINA - ode.state.or.us

    COPPER PATINA - ode.state.or.us

    Accommodations Required Content for STC and TA Training Last updated: 08/20/09
  • The Tale of Perseus - PC\|MAC

    The Tale of Perseus - PC\|MAC

    The cult statue, begun in 447 BCE and dedicated in 438 BCE, would remain the great city's symbol for a thousand years until, in Late Antiquity, it disappeared from the historical record, possibly taken to Constantinople and there later destroyed.
  • Finding the mean from a frequency g. the

    Finding the mean from a frequency g. the

    Finding the mean from a frequency table. E.g. the following table shows the mean height of 30 students in our class. Find the mean height
  • AP World History

    AP World History

    Athens. Athens is known for having the first democracy in the world. democracy is a form of government in which people can vote . Athens had a direct democracy, which means that all citizens (adult males born in Athens) were...
  • Comparing Daniel & Revelation - Foundations for Freedom

    Comparing Daniel & Revelation - Foundations for Freedom

    The Visons Continue. After this I looked, and behold, a door standing open in heaven!And the first voice, which I had heard speaking to me like a trumpet, said, "Come up here, and I will show you what must take...