Administering Security

- By Manish Bhatt
Security Plan
A security plan is a document that describes how an organization will address its security
needs. The plan is subject to periodic review and revision as the organization's security
needs change.
Contents of a security plan
1. policy, indicating the goals of a computer security effort and the willingness of
the people involved to work to achieve those goals
2. current state, describing the status of security at the time of the plan
3. requirements, recommending ways to meet the security goals
4. recommended controls, mapping controls to the vulnerabilities identified in the
policy and requirements
5. accountability, describing who is responsible for each security activity
6. timetable, identifying when different security functions are to be done
7. continuing attention, specifying a structure for periodically updating the
security plan
1) Policy
A security plan must state the organization's policy on security.
A security policy is a high-level statement of purpose and intent.
The policy statement should specify the following:
The organization's goals on security. For example, should the system protect
data from leakage to outsiders, protect against loss of data due to physical
disaster, protect the data's integrity, or protect against loss of business when
computing resources fail? What is the higher priority: serving customers or
securing data?
Where the responsibility for security lies. For example, should the
responsibility rest with a small computer security group, with each employee,
or with relevant managers?
The organization's commitment to security. For example, who provides
security support for staff, and where does security fit into the organization's
structure?
2) Current Security Status
The status can be expressed as a listing of organizational assets, the
security threats to the assets, and the controls in place to protect the
assets.
Also defines the limits of responsibility for security.
3) Requirements
Requirements are usually derived from organizational needs.
Requirements explain what should be accomplished, not how.
Must have these characteristics: correctness, consistency, completeness,
realism, need, verifiability, traceability.
May be constrained by budget, schedule, performance, policies,
government regulations and more.
4) Recommended Controls
The security plan must also recommend what controls should be
incorporated into the system to meet the requirements.
5) Responsibility for Implementation
A section of the security plan should identify which people are
responsible for implementing the security requirements.
At the same time, the plan makes explicit who is accountable should
some requirement not be met or some vulnerability not be addressed.
6) Timetable - shows how and when the elements of the plan will be
performed. These dates also give milestones so that management can track
the progress of implementation.
Security Planning Team Members
Computer hardware group
System administrators
Systems programmers
Applications programmers
Data entry personnel
Physical security personnel
Representative users
Business Continuity Plans
Documents how a business will continue to function during a computer
security incident.
An ordinary security plan covers computer security during normal times
and deals with protecting against a wide range of vulnerabilities from the
usual sources.
A business continuity plan deals with situations having two
characteristics:
1) catastrophic situations, in which all or a major part of a computing
capability is suddenly unavailable
2) long duration, in which the outage is expected to last for so long
that business will suffer
The steps in business continuity planning are these:
Assess the business impact of a crisis.
Develop a strategy to control impact.
Develop and implement a plan for the strategy.
Incident Response Plans
Tells the staff how to deal with a security incident.
The goal of incident response is handling the current security
incident, without regard for the business issues.
An incident response plan should
1) define what constitutes an incident
2) identify who is responsible for taking charge of the situation
3) describe the plan of action
Phases of Incident Response Plans
Advance Planning
Triage
Running the incident
Response Team
Response team is the set of people charged with responding to the
incident.
To develop policy and identify a response team, you need to consider
certain matters.
1) Legal Issues
2) Preserving Evidence
3) Records
4) Public Relations
Risk Analysis
A risk is a potential problem that the system or its users may experience.
Characteristics of an event to be considered as a risk:
1. A loss associated with an event.
2. The likelihood that the event will occur.
3. The degree to which we can change the outcome.
Strategies used:
1. Avoiding the risk
2. Transferring the risk
3. Assuming the risk
Risk leverage is the difference in risk exposure divided by the cost of
reducing the risk. In other words, risk leverage is
risk leverage = (risk exposure before reduction - risk exposure after reduction) / cost of risk reduction
If the leverage value of a proposed action is not high enough, then we
look for alternative but less costly actions or more effective reduction
techniques.
Steps of Risk Analysis
1. Identify assets
2. Determine vulnerabilities
3. Estimate likelihood of exploitation
4. Compute expected annual loss
5. Survey applicable controls and their costs
6. Project annual savings of control
1. Identify Assets
The assets can be considered in categories, as listed below.
Hardware: processors, boards, keyboards, monitors, terminals,
microcomputers, workstations, tape drives, printers, disks, disk drives,
cables, connections, communications controllers, and communications
media
Software: source programs, object programs, purchased programs, in-house
programs, utility programs, operating systems, systems programs
(such as compilers), and maintenance diagnostic programs
Data: data used during execution, stored data on various media, printed
data, archival data, update logs, and audit records
People: skills needed to run the computing system or specific programs
Documentation: on programs, hardware, systems, administrative
procedures, and the entire system
Supplies: paper, forms, laser cartridges, magnetic media, and printer fluid
2. Determine Vulnerabilities
Vulnerabilities by asset, grouped under the three security goals (Secrecy, Integrity, Availability):
Hardware - Integrity: overloaded, destroyed, tampered with; Availability: failed, stolen, destroyed, unavailable
Software - Secrecy: stolen, copied, pirated; Integrity: impaired by Trojan horse, modified, tampered with; Availability: deleted, misplaced, usage expired
Data - Secrecy: disclosed, accessed by outsider, inferred; Integrity: damaged (software error, hardware error, user error); Availability: deleted, misplaced, destroyed
People - Availability: quit, retired, terminated, on vacation
Documentation - Availability: lost, stolen, destroyed
Supplies - Availability: lost, stolen, damaged
Attributes Contributing to Vulnerabilities
Design/Architecture: singularity (uniqueness, centrality, homogeneity); separability; logic/implementation errors, fallibility; design sensitivity, fragility, limits, finiteness; unrecoverability
Behavioral: behavioral sensitivity/fragility; malevolence; rigidity; malleability; gullibility, deceivability, naivete; complacency; corruptibility, controllability
General: accessible, detectable, identifiable, transparent, interceptable; hard to manage or control; self-unawareness and unpredictability; predictability
3. Estimate Likelihood of Exploitation
Determining how often each exposure is likely to be exploited.
Ratings of Likelihood
Frequency Rating
More than once a day 10
Once a day 9
Once every three days 8
Once a week 7
Once in two weeks 6
Once a month 5
Once every four months 4
Once a year 3
Once every three years 2
Less than once in three years 1
4. Compute Expected Loss
Determine the likely loss if the exploitation does indeed occur.
5. Survey and Select New Controls
Analysis of the controls to see which ones address the risks we have
identified.
Match each vulnerability with at least one appropriate security
technique.
Valuation of Security Technique
Interpretation of numbers in the table:
2 means that the control mitigates the vulnerability significantly and should be
a prime candidate for addressing it.
1 means that the control mitigates the vulnerability somewhat, but not as well
as one labeled 2, so it should be a secondary candidate for addressing it.
0 means that the vulnerability may have beneficial side effects that enhance
some aspect of security. (Example: homogeneity can facilitate both static and
dynamic resource allocation. It can also facilitate rapid recovery and
reconstitution.)
-1 means that the control worsens the vulnerability somewhat or incurs new
vulnerabilities.
-2 means that the control worsens the vulnerability significantly or incurs new
vulnerabilities.
6. Project Savings
Determine whether the costs outweigh the benefits of preventing or mitigating
the risks.
Item | Amount
Risks: disclosure of company confidential data, computation based on incorrect data |
Cost to reconstruct correct data: $1,000,000 @ 10% likelihood per year | $100,000
Effectiveness of access control software: 60% | -60,000
Cost of access control software | +25,000
Expected annual costs due to loss and controls (100,000 - 60,000 + 25,000) | $65,000
Savings (100,000 - 65,000) | $35,000
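As an added worked example (not part of the original notes), the following Python carries the worksheet above through steps 4 and 6 and also computes the risk leverage defined under Risk Analysis, ranking candidate controls by it. The Risk and Control classes, the function names, and the "awareness posters" alternative are assumptions introduced here; the dollar figures are the ones in the table.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Risk:
    """One worksheet risk: the loss if exploited and its yearly likelihood.
    (Class and field names are assumed, not from the notes.)"""
    name: str
    loss_if_exploited: float   # e.g. cost to reconstruct correct data
    annual_likelihood: float   # probability of exploitation per year, 0..1

    def expected_annual_loss(self) -> float:
        """Step 4: expected annual loss = loss x likelihood."""
        return self.loss_if_exploited * self.annual_likelihood

@dataclass(frozen=True)
class Control:
    """A candidate control: its yearly cost and the share of loss it removes."""
    name: str
    annual_cost: float
    effectiveness: float       # fraction of the expected loss eliminated, 0..1

def expected_annual_cost(risk: Risk, control: Control) -> float:
    """Step 6: residual expected loss plus the control's own cost."""
    ale = risk.expected_annual_loss()
    return ale - control.effectiveness * ale + control.annual_cost

def annual_savings(risk: Risk, control: Control) -> float:
    """Savings = expected loss without the control - expected cost with it."""
    return risk.expected_annual_loss() - expected_annual_cost(risk, control)

def risk_leverage(risk: Risk, control: Control) -> float:
    """(exposure before - exposure after) / cost of reducing the risk.
    A zero-cost control has undefined leverage, so reject it explicitly."""
    if control.annual_cost <= 0:
        raise ValueError("control cost must be positive to compute leverage")
    before = risk.expected_annual_loss()
    after = before * (1.0 - control.effectiveness)
    return (before - after) / control.annual_cost

def rank_controls(risk: Risk, controls: list[Control]) -> list[tuple[str, float, float]]:
    """(name, savings, leverage) per control, highest leverage first. Controls
    that cost more than they save stay in the list with negative savings."""
    rows = [(c.name, annual_savings(risk, c), risk_leverage(risk, c)) for c in controls]
    return sorted(rows, key=lambda row: row[2], reverse=True)

# Figures from the worksheet: $1,000,000 loss at 10% per year, and access
# control software that is 60% effective and costs $25,000 per year.
DATA_RISK = Risk("disclosure / computation on incorrect data", 1_000_000, 0.10)
ACCESS_CONTROL = Control("access control software", 25_000, 0.60)
# Constructed alternative (not from the notes): cheap but barely effective.
AWARENESS_POSTERS = Control("awareness posters (constructed)", 5_000, 0.04)

if __name__ == "__main__":
    print(f"expected annual loss: ${DATA_RISK.expected_annual_loss():,.0f}")
    for name, savings, leverage in rank_controls(DATA_RISK, [ACCESS_CONTROL, AWARENESS_POSTERS]):
        print(f"{name}: savings {savings:+,.0f}, leverage {leverage:.2f}")
```

With the worksheet figures the access control software yields $35,000 of savings and a leverage of 2.4, while the constructed alternative removes less loss than it costs and sorts to the bottom.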
Advantages of Risk Analysis
Improve awareness
Relate security mission to management objectives
Identify assets, vulnerabilities and controls
Improve basis for decisions
Justify expenditures for security
Disadvantages of Risk Analysis
False sense of precision and confidence
Hard to perform
Immutability
Lack of Accuracy
Organizational Security Policies
Purpose
recognizing sensitive information assets
clarifying security responsibilities
promoting awareness for existing employees
guiding new employees
Audience - users, owners, beneficiaries
Contents
A security policy must identify its audiences: the beneficiaries,
users, and owners.
The policy should describe the nature of each audience and their
security goals.
Several other sections are required, including the purpose of the
computing system, the resources needing protection, and the
nature of the protection to be supplied. We discuss each one in
turn.
Goals
1. Promote efficient business operation.
2. Facilitate sharing of information throughout the organization.
3. Safeguard business and personal information.
4. Ensure that accurate information is available to support business
processes.
5. Ensure a safe and productive place to work.
6. Comply with applicable laws and regulations.
Protected resources - protected assets should be listed in the policy.
Nature of Protection - indicate who should have access to the protected
items. It may also indicate how that access will be ensured and how
unauthorized people will be denied access.
Characteristics of Good Security Policy
Coverage - It must either apply to or explicitly exclude all possible
situations.
Durability - grow and adapt well. If written in a flexible way, the
existing policy will be applicable to new situations.
Realism - it must be realistic. It must be possible to implement the
stated security requirements with existing technology.
Usefulness - The policy must be written in language that can be
read, understood, and followed by anyone who must implement it
or is affected by it.
Physical Security
Natural Disasters
Flood
Fire
Power Loss
Solutions: UPS, surge suppressors
Human Vandals
Unauthorized access and use, theft
Interception of Sensitive Information - shredding
Overwriting Magnetic Data - degaussing
Protecting Against Emanation - Tempest
Contingency Planning
Backup
Offsite Backup
Networked Storage
Cold Site or shell - facility with power and cooling available, in which a
computing system can be installed to begin immediate operation.
Hot site - computer facility with an installed and ready-to-run
computing system.
Legal and Ethical Issues in Computing
Protecting Programs and Data
1) Copyrights - designed to protect the expression of ideas.
Applies to a creative work, such as a story, photograph, song, or
pencil sketch.
Intention is to allow regular and free exchange of ideas.
Gives the author exclusive right to make copies of the expression
and sell them in public.
Intellectual Property
Originality of work
Fair use of material - a copyrighted object is subject to fair use.
A purchaser has the right to use the product in the manner for
which it was intended and in a way that does not interfere with
the author's rights.
Requirements for registering a copyright:
Notice - any potential user must be made aware that the work is copyrighted.
Officially filed.
Copyright Infringement
The holder of the copyright must go to court to prove that someone
has infringed on the copyright.
The infringement must be substantial, and it must be copying, not
independent work.
Copyrights for Digital Objects
2) Patents
Protect inventions, tangible objects, or ways to make them, not
works of the mind.
Designed to protect the device or process for carrying out an idea,
not the idea itself.
The distinction between patents and copyrights is that patents were intended to
apply to the results of science, technology, and engineering, whereas copyrights were
meant to cover works in the arts, literature, and written scholarship. A patent can
protect a "new and useful process, machine, manufacture, or composition of matter."
Requirement of Novelty
A patent can be valid only for something that is truly novel or unique, so
there can be only one patent for a given invention.
An object patented must also be nonobvious.
Registering a Patent
Patent Infringement
A patent holder must oppose all infringement.
Failing to sue over a patent infringement, even a small one or one the
patent holder does not know about, can mean losing the patent rights
entirely.
Applicability of Patents to Computer Objects
3) Trade Secrets
The information has value only as a secret, and an infringer is one who divulges the
secret. Once divulged, the information usually cannot be made secret again.
Characteristics of Trade Secrets
1. Must always be kept secret.
2. If someone else happens to discover the secret independently,
there is no infringement and trade secret rights are gone.
Reverse Engineering - one studies a finished object to determine how it is
manufactured or how it works.
Trade secret protection works best when the secret is not apparent in the product.
Applicability to computer objects
Trade secret protection allows distribution of the result of a secret
(the executable program) while still keeping the program design
hidden.
Trade secret protection does not cover copying a product (specifically
a computer program), so it cannot protect against a pirate who sells
copies of someone else's program without permission.
The difficulty with computer programs is that reverse engineering works.
Difficulty of Enforcement - Trade secret protection is of no help when someone infers
a program's design by studying its output or, worse yet, decoding the object
code. Both of these are legitimate (that is, legal) activities, and both cause trade
secret protection to disappear.
Comparing Copyright, Patent, and Trade Secret Protection
Protects - Copyright: expression of idea, not idea itself; Patent: invention, the way something works; Trade secret: a secret, competitive advantage
Protected object made public - Copyright: yes, intention is to promote publication; Patent: design filed at Patent Office; Trade secret: no
Requirement to distribute - Copyright: yes; Patent: no; Trade secret: no
Ease of filing - Copyright: very easy, do-it-yourself; Patent: very complicated, specialist lawyer suggested; Trade secret: no filing
Duration - Copyright: life of human originator plus 70 years, or total of 95 years for a company; Patent: 19 years; Trade secret: indefinite
Legal protection - Copyright: sue if unauthorized copy sold; Patent: sue if invention copied; Trade secret: sue if secret improperly obtained
Protecting Hardware - Hardware can be patented.
Protecting Firmware - Trade secret protection is appropriate for the code
embedded in a chip.
Protecting Object Code Software - copyright protection is appropriate.
Protecting Source Code Software - copyright or trade secret protection.
Protecting Documentation - A program and its documentation must be
copyrighted separately.
Protecting Web Content - the most appropriate protection is copyright.
Protecting Domain Names and URLs - Domain names, URLs, company names,
product names, and commercial symbols are protected by a trademark, which
gives exclusive rights of use to the owner of such identifying marks.
Characteristics of Information
Information as an object
Information is not depletable
Information can be Replicated
Information has a Minimal Marginal Cost
The Value of Information is often Time Dependent
Information is often transferred Intangibly
These characteristics of information affect its legal treatment.
Legal Issues Relating To Information
Example 1 - Information Commerce
Information is unlike most other goods traded, even though it
has value and is the basis of some forms of commerce.
Example 2 - Electronic Publishing
Many newspapers and magazines post a version of their content
on the Internet, as do wire services and television news
organizations.
Example 3 - Protecting Data in a Database
Databases are a particular form of software that has posed significant
problems for legal interpretation.
How does one determine that a set of data came from a particular
database (so that the database owner can claim some compensation)?
Who even owns the data in a database if it is public data, such as names
and addresses?
Example 4 - Electronic Commerce
Suppose the information you order is not suitable for use or never arrives
or arrives damaged or arrives too late to use. How do you prove
conditions of the delivery?
For catalog sales, you often have receipts or some paper form of
acknowledgment of time, date, and location.
But for digital sales, such verification may not exist or can be easily modified.
Protecting Information
Criminal and Civil Law
Criminal Law - the goal is to punish a criminal.
Civil Law - the goal is restitution: to make the victim whole
again by repairing the harm.
Tort Law - A tort is harm not occurring from violation of a statute or from
breach of a contract but instead from being counter to the accumulated
body of precedents.
Contract Law
Differences between Law and Ethics
Law | Ethics
Described by formal, written documents | Described by unwritten principles
Interpreted by courts | Interpreted by each individual
Established by legislatures representing all people | Presented by philosophers, religions, professional groups
Applicable to everyone | Personal choice
Priority determined by courts if two laws conflict | Priority determined by an individual if two principles conflict
Court is final arbiter of "right" | No external arbiter
Enforceable by police and courts | Limited enforcement
Characteristics of Ethics
Ethics and Religion
Two people with different religious backgrounds may develop the
same ethical philosophy, while two exponents of the same religion
might reach opposite ethical conclusions in a particular situation.
We can analyze a situation from an ethical perspective and reach
ethical conclusions without appealing to any particular religion or
religious framework.
Ethical Principles are not universal
Ethics does not provide answers
Ethical Reasoning Principles
Consequence-Based - focuses on the consequences of an action.
Rule-Based