Administering Security

 From our discussion you may concluded by now

that security is achieved through technology.
 You may think that the important activities in
security are picking the right IDPs, configuring
your firewall properly, encrypting your wireless
link, and deciding whether fingerprint readers
are better than retina scanners.
 These are important matters. But not all of
security is addressed by technology.
Administering Security
 Security is a combination of technical,
administrative, and physical controls.
 So far, we have considered technical controls
almost exclusively.
 But stop and think for a moment: What good is a
firewall if there is no power to run it? How effective is
a public key infrastructure if someone can walk off
with the certificate server? And why have elaborate
access control mechanisms if your employee mails a
sensitive document to a competitor?
 The administrative and physical controls may be
less glamorous than the technical ones, but
they are surely as important.
02/15/20 2
25
Administering Security
 prepare and study what will verify our
Planning:
implementation meets security needs of today
and tomorrow.
 Risk Analysis: cost/benefit analysis of controls.
 establish a framework to verify security
Policy:
needs are met.
 what aspects of the computing
Physical Control:
environment have an impact on security?
These four areas are just as important to
achieving security as are the latest firewall
or coding practice.
1. Security Planning
 “The system security plan should be viewed as
documentation of the structured process of planning
adequate, cost-effective security protection for a
system.
 It should reflect input from various managers with
responsibilities concerning the system, including
information owners, the system operator, and the
system security manager.
 Additional information may be included in the basic
plan and the structure and format organized
according to agency needs, so long as the major
sections described in this document are adequately
covered and readily identifiable
Contents of Security Plan

 Policy: the goal of the computer security.

 Current State: describe current status.
 Requirements: how to meet goals. legal,
etc.
 Recommended Controls: map controls to
vulnerabilities identified.
 Accountability: who is responsible
 Timetable: due dates for tasks
 Continuous Attention: keep it up to date.
Inputs to the Security Plan.
Do we protect everything?
 Risk Assessment
 Risk Categorization and Prioritization
 Risk Mitigation
 Resources Available
 Planning
 Implementation
 Testing
 Updates to plan

02/15/20 7
25
Live Chat 5
2. Risk Analysis

 Risk impact - loss associated with an event

 risk probability – likelihood that the event will
occur
 Risk control – degree to which we can change
the outcome
 Risk exposure – risk impact * risk probability
Risk Analysis Risk Assessment

Organization: Date:

Probability Impact
Threat Description High Medium Low High Medium Low

What are the risks?

What is the probability

of occurring?

What is the impact if it

happens?

02/15/20 9
25
Live Chat 5
Risk Analysis
 Assets: what are we trying to protect?
 Threats and Vulnerabilities: potential harmful occurrences
(power loss, hackers, virus, earthquake).
 Vulnerability: a weakness that allows a threat to cause harm.
 Risk = Threat * Vulnerability.
 Risk = Threat * Vulnerability * Impact($).
 Risk Analysis Matrix

Consequences
EVENT: Insignifica Mino Modera Majo Catastrop
nt r te r hic
Almost H H E E E
Likelihood

Certain
Likely M H H E E
Possible L M H E E
Unlikely L L M H E
Rare L L M H H
E-Extreme
H-High
M-Medium
L-Low
Risk Choices

 Accept: if low likelihood and low impact.

 Mitigate: lower risk to acceptable level.
 Transfer: buy insurance.
 Avoid it: drop the project.
Steps of a Risk Analysis

 Identify assets
 Determine vulnerabilities
 Estimate likelihood of exploitation
 Compute expected annual loss
 Survey applicable controls and their costs
 Project annual savings of control
Identify Assets

 Hardware
 Software
 Data
 People
 Procedures (policies, training)
 Documentation
 Supplies
 Infrastructure (building, power, water,
…)
Determine Vulnerabilities

Asset Confidentialit Integrity Availability

y
Hardware

Software

Data

People

procedures
Determine Vulnerabilities

 What are the effects of unintentional errors?

 What are the effects of willfully malicious insiders?
 What are the effects of outsiders?
 What are the effects of natural and physical
disasters?
Risk Analysis

 Estimate Likelihood of Exploitation

 Classical probability
 Frequency probability (simulation)
 Subjective probability (Delphi approach)
 Computer Expected Loss (look for hidden
costs)
 Legal obligations
 Side effects
 Psychological effects
Risk Analysis

 Survey and Select New Controls

 What Criteria Are Used for Selecting
Controls?
 Vulnerability Assessment and Mitigation (VAM)
Methodology
 How Do Controls Affect What They Control?
 Which Controls Are Best?
 Project Savings
 Do costs outweigh benefits of preventing /
mitigating risks
Arguments For Risk
Analysis
Improve Awareness
 increase level of interest.
 Relate Security Mission to Management Objectives
 Security costs money.
 Need people to understand security balances harm and the costs
of controls.
 Identify Assets, Vulnerabilities & Controls.
Arguments For Risk
Analysis
 Improve basis for decisions
 Risk analysis augments the manager’s judgment as
a basis for the decision.
 Justify Expenditures for Security
 Balance costs versus risks to identify the business
case for a control.
Arguments Against Risk
Analysis
 False Sense of Precision and Confidence

Uses empirical data to

generate estimates of risk
impact, risk probability
and risk exposure.
 Hard to Perform

Assessment is subjective
and time consuming.
Arguments Against Risk
Analysis
 Immutability

 Risk analysis is often quickly

forgotten.
 Analysis
must be a living
document and not a one time
event.
 Lack of accuracy

 Hard to estimate risks.

 May be gaps due to our limited
knowledge of the system.
3. Organizational Security
Policies
 Who can access which resources in what manner?
 Security policy - high-level management
document that informs all users of the goals and
constraints on using a system.
Security Policies
functions/ Purpose
 Recognize sensitive information assets
 Clarify security responsibilities
 Promote awareness for existing employees
 Guide new employees
Security Policies Audience

 Users
 Owners
 Beneficiaries
 Balance Among All Parties
Contents

 Purpose

 Protected Resources (what - asset list)

 Nature of the Protection (who and how)

 4. Physical Security
how do you protect your self against the
following:
 Natural Disasters
 Earthquake, hurricane, flood, fire, storms, etc.

 Environmental
 Electrical

black outs, spikes, surges, sag,

fault.
 air conditioning, humidity controls.

 Electromagnetic Interference (EMI)

 Theft
 Internal, external
Physical Security
 Shredding: shred documents.
 Overwrite magnetic media or shred
it.
 Degaussing: use magnetic field to
destroy.
 TEMPEST: protect against
electromagnetic signal emission.
Certify emission free
Enclose device or modify emanations.
Business Continuity Plan
(BCP)
Long Term Strategic
Business Oriented Plan
for Continued Operation.
BCP Goal
 Ensure that business continues to operate before,
during and after a disaster
 Ensure critical services can be delivered in the wake
of a disruption and after it is over.
Disaster Recovery Plan

 Short term plan for dealing with specific IT

oriented disruptions.
 Tactical.
 Mitigate the impact of a disaster.
 Recover critical IT systems.
 Part of the Business Continuity Plan.
Contingency Planning
 Redundant Site: exact production duplicate.
 Hot $ite:
 fully configured site with all necessary hardware and critical
applications.
 Warm Site:
 Some aspects of hot site, rely on backup data to reconstitute
systems after a disruption.
 Cold Site (shell): alternative location.
Contingency Planning

 Mobile Site: Datacenter in a box

 Reciprocal Agreement
 Bi-directional agreement between two organizations
to share space if a disaster occurs.
 Backups
 Geographically distributed.
• For more go through:
– Security in Computing, Fourth Edition
• Chapter Eight

02/15/20 33
25