
Module 7: Security Management

Security management seeks to provide an effective, structured approach to securing the organization's systems and data. Part of the security management process is to balance the cost of securing against the various risks against the cost of the potential losses.

Balancing the Costs
- The cost of implementing and managing a security strategy needs to be weighed against the cost of insecurity
- The price of securing a given asset needs to be weighed against the cost of losing that asset

Security is Everyone's Responsibility

Key Responsibilities
- Chairman and board-level management: formally endorse and actively support the organization's security strategy
- Security manager: be the organization's guide for the development, implementation and periodic review of the security strategy
- Users: follow the procedures set out by the organization's security guidelines

General Areas of Responsibility
- Personal: responsibilities borne by the individual. For example, the individual user should take responsibility for ensuring that they do not inadvertently disclose their password to anyone
- Internal: responsibilities borne by system managers, for example ensuring that incoming e-mail is scanned for viruses
- External: responsibilities borne by third parties. An example is an Internet Service Provider ensuring that the accounts and details of its customers are not accessible to anyone else

High-Level Management Commitment
"The responsibility for the prevention and detection of irregularities and fraud rests with the management, who may obtain reasonable assurance that this responsibility will be discharged by instituting an adequate system of internal control." (Auditing Standards Guideline)

Who Watches the Watchmen?
Most organizations have security professionals who watch the employees. However, it is also necessary to ensure that the security personnel themselves are not behaving unethically or illegally.

Centralized vs. Devolved Security Structure
If there is a single entity in charge of security, it is easy to achieve uniformity, but this central entity may become a performance bottleneck. Conversely, a distributed solution may be more efficient, but added care is needed to guarantee that the different components enforce a consistent policy.

Introduction to the Role of the ISO

Most small organizations will have one person responsible for their information security. This person will typically be employed as the organization's Information Security Officer (ISO).

Larger organizations may have more than one ISO, operating in centralized or decentralized teams.

An ISO's duty is to ensure that information security policies and procedures are established and implemented.

Security Training/Education
- Training is an integral aspect of information security, and a good training programme will help to create a secure computing environment
- Training must encompass all of the users within the organization, including executive management, program, field, IT and other staff
- The ISO should also keep current on all areas of information security
- The ISO should receive information security and appropriate technical training on a regular basis
- Certification of an ISO is highly recommended

Security Administration
- Each agency must formally delegate responsibility and authority for all information security matters
- It is important that one individual be designated as having primary responsibility for the coordination of information security
- It is important that another individual be designated as a back-up ISO

Computer Security Incident Handling
- Computer systems are subject to a wide range of mishaps, from corrupted data files, to viruses, to natural disasters
- Some of these mishaps can be fixed through standard operating procedures
- Recurrence of similar incidents often makes it cost-effective to develop a standing capability for quick discovery of, and response to, such events
- Many problems are better solved with detection and controls, rather than prevention
- Contingency planning and incident handling can be separated as follows: contingency planning addresses events with the potential to interrupt system operations; incident handling can be considered that portion of contingency planning that responds to malicious technical threats

Benefits
- Containing and repairing damage from incidents (without an incident handling capability, certain responses can actually make matters worse)
- Preventing future damage, through the use of threat and vulnerability data
- Enhancing internal communications and organization preparedness
- Enhancing external communications and organization preparedness

Principle of Information Ownership
Information ownership means having a single responsible owner for each item of information. All of the information that is owned or used by a particular organization should have a designated owner, who has the following responsibilities:
- Determine the sensitivity of the data and how critical it is to the organization
- Decide who will be permitted to access the data and the uses to which it can be put
- Take steps to ensure that the relevant controls are used in the storage, handling, distribution and regular usage of the information

Prevention - Breaches Happen
- If my security measures failed right now, what would be at risk?
- How would I even notice that I had a problem?
- What additional compensating controls or security mechanisms would I need to protect myself?
Think about layering in terms of the level of authentication and authorization required for access to any given resource.

Keep it Simple
Incrementalism is good. Too many organizations try to cover all the bases at one time, and only end up paralyzing themselves. Carry out a pilot test on a small area of the company. Once the pilot has been successfully completed, identify the organization's key areas and secure those first. Then progress to other areas of the company.

Module 8: Security Policy

An Introduction to Security Policies
- Security policy: the documentation of the information security decisions. It details the required security practices and procedures of an organization
- Baseline: details the minimum acceptable level of security with regard to the areas listed in the security policy document
- Guidelines and procedures: outline the procedures and practices which should be used to achieve the baseline standard
- Organizational standards: specify the uniform use of specific procedures, technologies and parameters within the organization. These are normally mandatory

Reasons for Information Security Policy
- Assuring that controls are implemented correctly
- Enhancing the training and awareness program
- Guiding product selection and implementation
- Demonstrating management support
- Avoiding/minimizing liability
- Protection of internal data
- Adapting to modern communications environments
- Co-ordinating internal and external groups
- Ensuring consistent and complete security

Requirements for a Good Security Policy
- Drawn up by a core team of security personnel
- Takes into account the needs of the users as well as the philosophy and operating practices of the organization
- Clearly written, and identifies the roles and responsibilities of the individuals within the organization

Elements of an Acceptable Use Policy
- State the responsibilities of a user in terms of protecting information that is stored in their user accounts
- State whether users can make copies of system configuration files for their personal use, or to provide to other people
- State whether users can read or copy files that they have not created, but that they have access to
- State whether users can modify files that they have not created, but which they have access to
- State whether users can make copies of copyrighted software
- State acceptable levels of usage of electronic mail and Internet browsing

Module 9

Baseline Standards
Baseline standards support the security policy. They identify what is considered to be the minimum level of security that is acceptable, with respect to the areas highlighted in the security policy.

Guidelines and Procedures
Guidelines are recommended practice, but not compulsory. A procedure defines how to protect an organization's resources and the mechanisms that can be used to achieve the goals of the security policy.

Organizational Standards
Organizational standards are used to specify the uniform use of specific procedures, technologies and parameters within an organization. Organizational standards are usually compulsory.

Critical Success Factors
- Security policy, objectives and activities that reflect business objectives
- An approach to implementing security that is consistent with the organizational culture
- Visible support and commitment from management
- A good understanding of the security requirements, risk assessment and risk management
- Effective marketing of security to all managers and employees
- Distribution of guidance on information security policy and standards to all employees and contractors
- Providing appropriate training and education
- A comprehensive and balanced system of measurement

Implementing Security

Introduction
The implementation phase has two main components:
- Implement the countermeasures suite
- Educate staff

During the implementation phase, it should be noted that:
- Some of the countermeasures are not applicable to every information system or environment
- Non-monetary factors, such as loss of reputation, should also be taken into account

Educating staff:
- Education and training should be provided for the users
- Members of staff should be informed
- Approval should be obtained from management, and management should be seen to support the policy
- General users should be encouraged to buy in to the policy

Cost vs. Benefits
The implementation cost consists of a number of factors:
- Purchase cost: the up-front cost of purchasing the countermeasure
- Cost of deployment: separate from the cost of purchasing the product
- Cost of maintenance: includes day-to-day running, maintenance, support and training
- Cost of training: training of management, training of support/security personnel, and training of the users

New Systems Development and Maintenance
- For new systems that are being developed, security should be designed into the solution
- Security requirements should be identified and agreed prior to the development of all information systems
- Statements of business requirements for new systems, or enhancements to existing systems, should specify the requirements for controls
- Similar considerations should be applied when evaluating software packages for business applications

Application Systems Considerations
- Appropriate controls and audit trails or activity logs should be designed into application systems, including user-written applications
- Additional controls may be required for systems that process, or have an impact on, sensitive, valuable or critical organizational assets
- Applications should ensure that restrictions are implemented to minimize the risk of processing failures leading to a loss of integrity

Acceptance Criteria
- Performance and computer capacity requirements
- Error recovery, restart procedures and contingency plans
- Preparation and testing of routine operating procedures to defined standards
- An agreed set of security controls should be in place
- Effective manual procedures
- Business continuity arrangements
- Evidence that installation of the new system will not adversely affect existing systems
- Evidence that consideration has been given to the effect the new system has on the overall security of the organization
- Training in the operation or use of new systems

Other Factors
- Maintaining a record of agreed authorization levels
- Identifying all computer software, information, database entities and hardware that require amendment
- Reviewing controls and integrity procedures
- Obtaining formal approval for detailed proposals before work commences
- Mandating that the authorized user accepts changes prior to any implementation
- Ensuring that implementation is carried out so as to minimize business disruption
- Updating system documentation on the completion of each change, and ensuring that old documentation is archived or disposed of

Modification Considerations
- There is a risk that built-in controls and integrity processes could be inadvertently compromised
- The consent of the vendor should be obtained
- Can the required changes be obtained from the vendor as standard program updates?
- The impact if the organization becomes responsible for the future maintenance of the software as a result of the changes

Training the Managers
Management personnel are often reluctant to support projects which they do not understand. If management understand security and its benefits, they are more likely to support the security solution. Examples of issues which should be addressed are:
- What is security? Security is constantly changing as security professionals try to keep up with the hackers; security countermeasures should reflect this and be frequently and securely updated
- What are the security risks to the organization?
- What are the benefits and the disadvantages?
- Case studies of where businesses have experienced losses due to security incidents
- The importance of management commitment
- Details of the organization's specific security implementations or strategy
- User issues with security

Training the Staff
- Staff are typically reluctant to follow rules and regulations, regardless of their nature
- By educating the staff about the risks faced, and the benefits that security will bring, they are likely to be more receptive to the security measures and the procedures or restrictions that they involve
- Typical topics for security training for staff include: What is security? What are the security risks to the organization? What are the benefits and the disadvantages of security? Training on the organization's specific security implementations

Security Framework
- Formal security standards serve as a framework on which to build a secure system
- The fact that a particular operating system or product has been evaluated against a formal standard does not guarantee that it is free from security vulnerabilities
- Most evaluated products, including Windows NT, are not delivered in their evaluated configuration, and some manual configuration will be necessary
- A higher level of assurance can be gained from a full system evaluation of both the operating system and all applications residing on it

Security Assurance & Accreditation
- Assurance is the degree of confidence one has that the security measures, both technical and operational, work as intended to protect the system and the information it processes. Note: assurance is not a guarantee that the measures work as intended, nor a true measure of how secure the system actually is
- Accreditation is a management official's formal acceptance of the adequacy of a system's security
- Assurance is an extremely important element in accreditation
- Note: systems should be accredited before becoming operational, and periodically re-accredited. Typically this occurs after major system changes, or at predefined intervals

Accreditation and Assurance
Assurance addresses whether the technical measures and procedures operate either:
1. According to a set of security requirements and specifications
2. According to general quality principles
Accreditation addresses whether the system's security requirements are correct and well implemented, and whether the level of quality is sufficiently high.

Assurance Methods
- The accrediting official makes the final decision about what level and what types of assurance are needed for a system
- For this decision to be informed, it is derived from a review of security, such as a risk assessment or other study (e.g. certification), as deemed appropriate by the accrediting official
- In selecting assurance methods, the need for assurance should be weighed against its cost
- The accrediting official is not the only arbiter of assurance: certain assurance methods may be required by organizational policy or directive

Two Methods
Organizations use two basic methods to maintain operational assurance:
- A system audit examines whether the system is meeting stated or implied security requirements, including system and organizational policies
- Monitoring: watching daily usage of the system
In general, the more real-time an activity is, the more it falls into the category of monitoring.

Automated Tools
- Automated tools make it feasible to review even large computer systems for a variety of security flaws
- There are two types of automated tool: active tools find vulnerabilities by trying to exploit them; passive tools only examine the system and infer the existence of problems from the state of the system
- Automated tools can be used to help find a variety of threats and vulnerabilities
- These tools are often very successful at finding vulnerabilities, and are sometimes used by hackers to break into systems

Penetration Testing
- Penetration testing can use many methods to attempt a system break-in
- The most useful type of penetration testing uses the methods that might really be used against the system
- For many systems, lax procedures or a lack of internal controls on applications are common vulnerabilities that penetration testing can target
- Another method is social engineering, which involves getting users or administrators to divulge information about systems, including their passwords

Change Control
- Change control provides assurance that the system in operation is the correct version (configuration) of the system, and that any changes to be made are reviewed for security implications
- Change control can be used to help ensure that changes take place in an identifiable and controlled environment, and that they do not unintentionally harm any of the system's properties, including its security
- Changes to the system can have security implications, because they may introduce or remove vulnerabilities. Significant changes may require updating the contingency plan, risk analysis or accreditation

Security Auditing
Auditing has two main functions:
1. Technical auditing: auditing use of the systems, via event logs, intrusion detection systems, etc., for signs of unauthorized access
2. Compliance auditing: auditing current security levels against predefined security standards and organizational policies, to ensure that the standards they define are being adhered to
Note: the presence of an effective auditing policy and implementation is a requirement of many formal security standards and guidelines, including ISO 17799.

What to Audit?
- Knowing what to audit, for both technical and compliance auditing, can be difficult
- A balance has to be struck between having enough information to provide evidence in the event of an incident, and having too much information and perhaps reducing the efficiency of the infrastructure
- Care must be taken to ensure that the data collected will also be admissible in the event of a trial

Who Performs the Audit?
- Internal personnel within the business unit
- External to the business unit. External personnel fall into two categories: a separate team within the organization, or a third party
- The approach that is used will depend on the size of the organization and internal politics

Compliance Auditing
- If an audit is performed against a standard such as ISO 17799, then it will typically be planned and conducted on the results of the risk assessment
- The audit controls will be set out in a statement of applicability
- An audit plan will then be created, covering major controls, or those identified as best practice
- Once the audit has been completed, an audit report will be given to management
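Security Auditing describes technical auditing as reviewing event logs for signs of unauthorized access, and the Event Logging requirements in this module list the fields such a log must carry: user ID, log-on/log-off times, terminal identity, and whether each system or resource access attempt succeeded or was rejected. The following is an added example, not code from the course notes, of a technical-audit pass over records of that kind. The record format (one syslog-like line per event), the sample records, and the thresholds are all assumptions made for the example; it flags a burst of rejected log-ons (the urgent case being a burst followed by a success), every rejected resource access, a timestamp that runs backwards (the clock-setting caveat from the notes), and any record it cannot parse, since an unreadable audit record is itself a finding.

```python
"""Technical-audit pass over authentication/access event records.

Added example for these course notes, not code from them. The record format
is an assumption: one constructed, syslog-like line per event carrying the
fields the notes say an audit log should hold (user ID, date/time, terminal
identity, and whether the attempt succeeded or was rejected). Thresholds are
illustrative; tune them to the system being audited.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (not real data). Line 11 is deliberately
# malformed; line 10 carries a timestamp earlier than line 9.
SAMPLE_LOG = """\
2023-05-04T08:59:58Z LOGON user=alice term=tty1 result=SUCCESS
2023-05-04T09:00:02Z LOGON user=bob term=10.0.0.7 result=REJECTED
2023-05-04T09:00:05Z LOGON user=bob term=10.0.0.7 result=REJECTED
2023-05-04T09:00:09Z LOGON user=bob term=10.0.0.7 result=REJECTED
2023-05-04T09:00:12Z LOGON user=bob term=10.0.0.7 result=REJECTED
2023-05-04T09:00:16Z LOGON user=bob term=10.0.0.7 result=REJECTED
2023-05-04T09:00:20Z LOGON user=bob term=10.0.0.7 result=SUCCESS
2023-05-04T09:15:00Z ACCESS user=alice term=tty1 resource=/payroll/q1.xls result=REJECTED
2023-05-04T17:30:00Z LOGOFF user=alice term=tty1 result=SUCCESS
2023-05-04T09:00:00Z LOGON user=carol term=tty2 result=SUCCESS
this is not a well-formed audit record
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<event>LOGON|LOGOFF|ACCESS) user=(?P<user>\S+) "
    r"term=(?P<term>\S+)(?: resource=(?P<resource>\S+))? "
    r"result=(?P<result>SUCCESS|REJECTED)$"
)


def parse_log(text):
    """Return (events, bad_line_numbers). Unparseable lines are reported,
    not silently dropped: a record the auditor cannot read is itself a
    finding (log corruption, format drift, or tampering)."""
    events, bad = [], []
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        if m is None:
            bad.append(n)
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        ev["line"] = n
        events.append(ev)
    return events, bad


def review(text, reject_threshold=5, window=timedelta(minutes=2)):
    """Run the audit checks and return a list of (kind, detail) findings."""
    events, bad = parse_log(text)
    findings = [("UNPARSEABLE", f"line {n}") for n in bad]

    # Clock check: the notes stress correct clock setting. A record whose
    # timestamp precedes the one before it points at clock skew or an
    # out-of-order (possibly edited) log.
    for prev, ev in zip(events, events[1:]):
        if ev["ts"] < prev["ts"]:
            findings.append(("CLOCK", f"line {ev['line']} is earlier than line {prev['line']}"))

    # Rejected log-ons per (user, terminal): a burst within the window looks
    # like password guessing; a success right after the burst is the urgent case.
    rejects = defaultdict(list)
    for ev in events:
        if ev["event"] == "LOGON" and ev["result"] == "REJECTED":
            rejects[(ev["user"], ev["term"])].append(ev["ts"])
    for (user, term), times in rejects.items():
        times.sort()
        for i in range(len(times)):
            j = i
            while j + 1 < len(times) and times[j + 1] - times[i] <= window:
                j += 1
            if j - i + 1 >= reject_threshold:
                burst_end = times[j]
                followed = any(
                    ev["event"] == "LOGON" and ev["result"] == "SUCCESS"
                    and (ev["user"], ev["term"]) == (user, term)
                    and burst_end <= ev["ts"] <= burst_end + window
                    for ev in events
                )
                detail = f"{user}@{term}: {j - i + 1} rejected log-ons within {window}"
                findings.append(("BRUTE_FORCE", detail + (", then success" if followed else "")))
                break  # one finding per user/terminal pair is enough

    # Every rejected data/resource access attempt is worth a look.
    for ev in events:
        if ev["event"] == "ACCESS" and ev["result"] == "REJECTED":
            findings.append(("ACCESS_DENIED",
                             f"{ev['user']}@{ev['term']} -> {ev['resource']} (line {ev['line']})"))
    return findings


if __name__ == "__main__":
    for kind, detail in review(SAMPLE_LOG):
        print(f"{kind:13s} {detail}")
```

Run against the constructed records it reports one BRUTE_FORCE finding for bob (five rejections in fourteen seconds, then a success), one ACCESS_DENIED for alice's payroll file, one CLOCK anomaly for the carol record, and one UNPARSEABLE line. The threshold and window are the "what to audit" balance in miniature: lower them and the report fills with noise, raise them and a slow guessing attack slips under.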

Audit Reporting
The audit report should contain:
- A summary of the audit findings
- The areas audited
- The ISO 17799 controls audited
- Statements of observed nonconformity
- Observations, if relevant
- Job titles of auditees or the names of departments audited (no names unless necessary)
- Follow-up options

Technical Auditing/Monitoring
Systems should be monitored to detect deviation from the organization's access control policy. Audit trails and similar evidence should be collected and securely stored for:
1. Internal problem analysis
2. Use as evidence in relation to a potential breach of contract or breach of regulatory requirement, or in the event of civil or criminal proceedings, for example under computer misuse or data protection legislation
3. Negotiating for compensation from software and service suppliers
System monitoring also allows the effectiveness of the controls adopted to be checked, and conformity to an access policy model to be verified.

Event Logging
Audit logs recording exceptions and other security-relevant events should be produced and kept for an agreed period, to assist in future investigations and access control monitoring. Audit logs should also include:
- User IDs
- Dates and times for log-on and log-off
- Terminal identity or location, if possible
- Records of successful and rejected system access attempts
- Records of successful and rejected data and other resource access attempts
Note: the correct setting of computer clocks is important to ensure the accuracy of audit logs.

System Audit Considerations
- There should be controls to safeguard operational systems and audit tools during system audits
- Audit tools must also be protected, to maintain their integrity and to prevent misuse
- Audit requirements and activities involving checks on operational systems should be carefully planned and agreed, to minimize the risk of disruption to business processes

Module 11: Security Law and Ethics

Laws
- While an individual may disagree with the intent or meaning of a law, that is no excuse for disobeying it
- In the event that two laws conflict, there is a regulated process in the courts which will determine which law supersedes which
- Certain actions are identified as right and others as wrong by the law and the courts. From a legal standpoint, anything that is not identified as being illegal is legal
- Laws are enforced, and there are means by which wrongs done by unlawful behaviour can be rectified

Ethics
- Two individuals may have different frameworks for making moral judgements. While one person may consider their actions perfectly justifiable, another individual may totally disagree
- Ethical positions can, and often do, come into conflict, and as there is no arbiter of ethical positions, each individual must choose which goal is more important
- There is no enforcement of ethical choices

Introduction to Global Computer Crime Laws
- Law: a rule that is enacted, or customary in a community, and recognized as enjoining or prohibiting certain actions. Laws are typically enforced by the imposition of penalties
- Statute: a written law passed by a legislative body, for example an Act of Parliament or an Act of Congress

The Problem of Defining Computer Crime
- Whilst most other legal areas have well-grounded definitions, many people, including those in the legal profession, do not fully understand computers and concepts such as computer crime
- The fact that updating or changing laws is a slow process, while computing is maturing extremely rapidly, means that the legal system is being left behind
- Combine this with the fact that a computer can perform many roles within a crime, as the subject, object or medium of the crime, and the issue is confused further

Problems of Prosecuting Computer Crime
- Lack of understanding
- Lack of tangible evidence
- Categorizing assets
- The age of the individuals
- Cost of prosecution
- Public image

Computer Misuse Act (UK)
The Computer Misuse Act creates three new offences:
1. Unauthorized access to computer material
2. Unauthorized access with intent to commit or facilitate commission of further offences
3. Unauthorized modification of computer material

Computer Misuse Issues
- Any use of an organization's facilities for non-business or unauthorized purposes, without management approval, should be regarded as improper use of the facilities
- It is essential that all users are aware of the precise scope of their permitted access
- At log-on, a warning message should be presented on the computer screen indicating that the system being entered is private and that unauthorized access is not permitted
- Legal advice should be taken before implementing monitoring procedures

Data Protection Act 1998 (UK)
- Data users must register all computerized personal data with the data protection registrar
- Users must also comply with the eight principles of the Act
- Failure to comply with the principles, if done knowingly or recklessly, may be a crime
- The data protection registrar maintains the register and enforces the principles
The objectives of data protection are:
1. To protect personal privacy
2. To enable the international free flow of personal data

The Eight Principles
Personal data must be:
1. Processed fairly and lawfully
2. Obtained and processed for specified purposes
3. Adequate, relevant and not excessive
4. Accurate and, where necessary, up to date
5. Kept no longer than necessary
6. Processed in accordance with the rights of the data subject
7. Kept appropriately secure
8. Kept within the EEA unless there is adequate protection

Copyrights
- The intention of copyright is to facilitate the regular and free exchange of ideas
- Copyrights protect creative work
- A copyright gives the author the exclusive right to make copies of the expression and sell or distribute them to the public. It does not, however, protect the idea itself
- The copyright says that a particular expression of an idea belongs to the author, and that only the author, or their authorized agents, can sell copies of that expression

Criteria for Copyrighting Work
Work that is to be copyrighted must fulfil the following criteria:
- It must be original: the idea or expression of the idea does not already exist within the public domain
- It must exist on some tangible medium
- The expression of the idea must be distributed

Copyright Law and Computing
Three examples of areas in which copyright protection does not address critical elements that require protection are:
1. A work must be published
2. Copyright protects the expression of the idea, not the idea itself
3. Copyright only protects the distribution of copies

Electronic Privacy
- The right to privacy is often held extremely strongly, both in courts of law and on a personal level, as an ethical issue
- Only in the case of a stronger interest, such as the prosecution of a crime or the protection of the rights of others, can this right to privacy be overruled
- Electronic communications are most often transmitted in a very open manner, which means that they are largely open to intrusion by others
- There are significant ethical issues associated with the degree to which others can intrude into the private communications of others

Introduction to Cryptographic Legislation
- People want to be able to protect their privacy
- Businesses often want similar confidentiality
- Government users want to be able to track criminals and apprehend them after the crime has been committed
- Foreign powers also want to know the military capabilities and strategies of other foreign powers

Cryptography and the Government
- Cryptography is often a powerful tool for protecting confidentiality, but governments have a requirement to be able to break it
- Governments are often unwilling to have people use strong encryption which they cannot break
- The following countries all allow the use of cryptography but control its export: the United States, Britain, Canada and Germany
- One of the problems of controlling the export of cryptography is that in most cases the cryptographic algorithm is public knowledge

Wassenaar Arrangement
- On 3 December 1998, thirty-three nations, including the United States and the United Kingdom, agreed under the Wassenaar Arrangement to set boundaries for the international export of encryption
- While the main aim of the Wassenaar Arrangement is to control the export of arms and dual-use goods, encryption technology is also covered

Ten Commandments of Computer Ethics
1. Thou shalt not use a computer to harm other people
2. Thou shalt not interfere with other people's computer work
3. Thou shalt not snoop around in other people's computer files
4. Thou shalt not use a computer to steal
5. Thou shalt not use a computer to bear false witness
6. Thou shalt not copy or use proprietary software for which you have not paid
7. Thou shalt not use other people's computer resources without authorization or proper compensation
8. Thou shalt not appropriate other people's intellectual output
9. Thou shalt think about the social consequences of the program you are writing or the system you are designing
10. Thou shalt always use a computer in ways that insure consideration and respect for your fellow human beings

Introduction to Investigating Security Incidents
- It is necessary to have adequate evidence to support an action against a person or organization
- Where the action involves the law, either civil or criminal, the evidence presented should conform to the rules for evidence laid down in the relevant law, or in the rules of the specific court in which the case will be heard. In general, these rules cover: admissibility of evidence; weight of evidence; process control evidence

Admissibility of Evidence
- To achieve admissibility of the evidence, organizations should ensure that their information systems comply with any published standard or code of practice for the production of admissible evidence
- To achieve quality and completeness of the evidence, a strong evidence trail is needed. In general, such a strong trail can be established under the following conditions: for paper documents; for information on computer media

Computer Forensics
The DDoS attacks on Yahoo!, eBay, Amazon.com and other popular Web sites illustrate not only how delicate and vulnerable the world's Internet infrastructure is, but how hard it is to gather irrefutable evidence of a computer crime. A recent study by the Electronic Privacy Information Center (EPIC) demonstrates just how serious this problem is: since 1992, the number of computer crime cases sent to federal prosecutors has tripled, while the number of cases prosecuted has remained constant. Of the 419 cases referred to prosecutors, only 83 were prosecuted. The rest were dismissed due to lack of evidence.
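Admissibility of Evidence asks for a strong evidence trail for information held on computer media, and Computer Forensics shows what happens without one: cases dismissed for lack of evidence. The following is an added example, not code from the course notes and not any published standard or code of practice, of the minimum such a trail needs for a file taken from a system: a cryptographic hash taken at acquisition, a custody record for every handover that re-hashes the evidence, and a verification step that compares the file as it exists now against the acquisition hash. The file name, the handler names, the JSON-lines custody log and the choice of SHA-256 are assumptions made for the example; the evidence bytes are constructed and written to a temporary directory so the example runs offline.

```python
"""Evidence trail for information held on computer media.

Added example for these course notes, not code from them and not any
published standard or code of practice. Assumptions: the evidence is a
file (a constructed byte string written to a temporary directory), the
custody log is a JSON-lines file kept apart from the evidence, and SHA-256
is the fingerprint. Every handover re-hashes the evidence, so a copy that
no longer matches the acquisition hash is detected at verification time.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone


def sha256_bytes(data):
    """Hex SHA-256 of an in-memory byte string."""
    return hashlib.sha256(data).hexdigest()


def sha256_file(path, chunk=1 << 20):
    """Hash a file in chunks so large disk images need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def record_custody(log_path, evidence_path, action, handler, note=""):
    """Append one custody entry: who did what, when, to which exact bytes."""
    entry = {
        "time_utc": datetime.now(timezone.utc).isoformat(),
        "evidence": os.path.basename(evidence_path),
        "size": os.path.getsize(evidence_path),
        "sha256": sha256_file(evidence_path),
        "action": action,
        "handler": handler,
        "note": note,
    }
    with open(log_path, "a", encoding="utf-8") as f:
        f.write(json.dumps(entry) + "\n")
    return entry


def verify_chain(log_path, evidence_path):
    """Return (ok, problems). The first entry is the acquisition record;
    every later entry, and the file as it is now, must carry the same hash."""
    with open(log_path, encoding="utf-8") as f:
        entries = [json.loads(line) for line in f if line.strip()]
    if not entries:
        return False, ["no custody entries"]
    base = entries[0]["sha256"]
    problems = []
    for i, e in enumerate(entries[1:], 2):
        if e["sha256"] != base:
            problems.append(f"entry {i} ({e['action']} by {e['handler']}) "
                            f"hash differs from acquisition")
    if sha256_file(evidence_path) != base:
        problems.append("current file hash differs from acquisition hash")
    return not problems, problems


def demo():
    """Construct throwaway evidence, log two handovers, verify, then tamper
    with the file and verify again. Returns both verification results."""
    workdir = tempfile.mkdtemp()
    evidence = os.path.join(workdir, "mailbox.pst")            # assumed name
    custody_log = os.path.join(workdir, "custody.jsonl")
    with open(evidence, "wb") as f:
        f.write(b"constructed sample evidence bytes\n" * 100)  # not real data
    record_custody(custody_log, evidence, "acquired", "analyst A", "constructed acquisition")
    record_custody(custody_log, evidence, "transferred", "analyst B")
    before = verify_chain(custody_log, evidence)
    with open(evidence, "ab") as f:
        f.write(b"altered")                                    # simulated tampering
    after = verify_chain(custody_log, evidence)
    return before, after


if __name__ == "__main__":
    print(demo())
```

The first verification passes; after the appended bytes it fails with a pointer to the acquisition record, which is the point of hashing at acquisition rather than only at presentation. In practice the custody log itself needs protection (signed entries or write-once storage), otherwise an attacker who can alter the evidence can alter the recorded hash to match.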
