CIT 443 - PowerPoint PPT Presentation
1
CIT 443
  • FCAPS Security Management

2
Announcements
  • Listserv
  • Readings
  • The Definitive Guide to Security Management
  • Whitehat Web Security Whitepaper

3
Security Management
  • Security management is a concept that deals with
    protection of data in a network system against
    unauthorized access, disclosure, modification, or
    destruction, and protection of the network system
    itself against unauthorized use, modification, or
    denial of service.

4
CIA Model
  • Confidentiality
  • Integrity
  • Availability
  • Provides for the prevention of security
    vulnerabilities, and the detection and remediation
    of breaches in security.

5
Confidentiality
  • The security management tenet that only
    authorized users, processes, or devices can
    access data/information.
  • aka Privacy

6
Integrity
  • Data and/or information is complete, accurate,
    up-to-date, and free from unauthorized/undocumented
    changes
  • It is important to understand the scope of the
    data/information
  • What is the source of the data?
  • Where is the data stored?
  • Who has authorized access to the data?
  • What applications make use of the data?

7
Availability
  • All data, servers, and communications equipment
    must be available when the resources are needed.
  • Goal: Prevent uncontrolled resource outage(s)
    through proactive steps
  • Graceful Service degradation
  • Recovery-Oriented approach

8
Beyond CIA
  • Information security management must
    preserve both availability and utility, integrity
    and authenticity, and confidentiality and
    possession of information. (Parker, 1999)

9
Enforcing Security Management
  • Network Security by Design
  • System Monitoring
  • Security Awareness Training
  • Personnel Background Checks
  • Secure Software Development Practices

10
Information Security Concept Flow
  [Figure: concept flow diagram; the relationships below are reconstructed from the diagram's labels]
  • Owners value Assets and wish to minimize Risk
  • Owners impose Protective Measures to reduce Risk
  • Protective Measures may possess Vulnerabilities;
    Owners may be aware of Vulnerabilities, which may
    be reduced by Protective Measures
  • Threat agents give rise to Threats that exploit
    Vulnerabilities, leading to Risk to Assets
  • Threats increase Risk; Threat agents wish to abuse
    and/or may damage Assets
11
Security Management - Where?
  • Perimeter Security
  • System Security
  • Security Policies

12
Perimeter Security Best Practices
  • Actively monitor ALL TCP ports to detect
    intrusion attempts
  • Block unused TCP ports - minimum requirement for
    perimeter security
  • Exercise a default deny
  • More effective security practice than port
    blocking
  • Easier on router and firewall administrators
  • Configurations and control lists tend to be
    shorter
  • Warning: blocking some TCP ports may disable
    needed services
  • Beware of
  • Rogue modems
  • Trojan e-mail attachments
  • User activity behind the filter point

13
Perimeter Security Best Practices
  • ICMP: Forego legitimate uses of ICMP to block
    some known malicious uses?
  • Block incoming echo request (ping and Windows
    traceroute)
  • Block outgoing echo replies, time exceeded, and
    destination unreachable messages
  • Ingress Filtering
  • Block spoofed addresses - packets coming from
    outside your company sourced from internal
    addresses
  • Block private addresses (RFC 1918) and IANA
    reserved addresses
    http://www.iana.org/assignments/ipv4-address-space
  • Block packets bound for (undocumented) broadcast
    or multicast addresses
  • Block source-routed packets
  • Block packets with IP options set
  • Egress Filtering
  • Block spoofed packets originating from your
    network.
  • Allow packets sourced from your assigned
    addresses to be routed out of your organization

14
What is Source Routing?
  • Defined in RFC791
  • IP option which allows the originator of a packet
    to specify
  • What path that packet will take
  • What path return packets will take
  • Useful when the default route that a connection
    uses fails or is in a sub-optimal state
  • Source routing is often abused by malicious users
    on the Internet
  • Make machine A think it is talking to machine B,
    when it is really talking to a third machine (C)
  • This means that C (the attacker) has control over
    B's IP address for some purposes
  • Resolution: Configure network devices to ignore
    source-routed packets where appropriate
  • For some operating systems, a kernel patch is
    required to make this work correctly (notably
    SunOS 4.1.3)
  • Last Resort - If disabling source routing on all
    your clients is not possible
  • Disable source routing at every router
  • foobar(config-if)# no ip source-route
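The ingress/egress rules from the previous slide and the source-routing check from this one, as an added example that is not part of the original slides: a small Python filter that parses a raw IPv4 header (including LSRR/SSRR options, type codes 131 and 137 per RFC 791) and returns a verdict. The internal prefix 203.0.113.0/24 and the sample packets are constructed for the example.

```python
import ipaddress
import struct

# Constructed internal prefix for the example (assumption, not from the slides).
INTERNAL_NET = ipaddress.ip_network("203.0.113.0/24")
PRIVATE_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
SOURCE_ROUTE_OPTS = {131, 137}   # LSRR and SSRR option type codes (RFC 791)


def parse_ipv4(pkt: bytes):
    """Return (src, dst, [option type codes]) from a raw IPv4 header."""
    ihl = (pkt[0] & 0x0F) * 4
    src = ipaddress.ip_address(pkt[12:16])
    dst = ipaddress.ip_address(pkt[16:20])
    opts, i = [], 20
    while i < ihl:
        kind = pkt[i]
        if kind == 0:            # End of Option List (or zero padding)
            break
        if kind == 1:            # No Operation: single byte, no length
            i += 1
            continue
        opts.append(kind)
        i += max(pkt[i + 1], 2)  # length byte covers type + len + data
    return src, dst, opts


def ingress_verdict(pkt: bytes) -> str:
    """Apply the slide's ingress rules to a packet arriving from outside."""
    src, dst, opts = parse_ipv4(pkt)
    if src in INTERNAL_NET:
        return "drop: spoofed internal source"
    if any(src in net for net in PRIVATE_NETS):
        return "drop: RFC 1918 source"
    if set(opts) & SOURCE_ROUTE_OPTS:
        return "drop: source-routed"
    if opts:
        return "drop: IP options set"
    if dst.is_multicast or dst == INTERNAL_NET.broadcast_address:
        return "drop: broadcast/multicast destination"
    return "accept"


def egress_verdict(pkt: bytes) -> str:
    """Only packets sourced from our assigned addresses may leave."""
    src, _, _ = parse_ipv4(pkt)
    return "accept" if src in INTERNAL_NET else "drop: spoofed source leaving network"


def build_header(src: str, dst: str, options: bytes = b"") -> bytes:
    """Construct a minimal IPv4 header for testing (constructed input, no checksum)."""
    options += b"\x00" * ((-len(options)) % 4)      # pad options to 32-bit words
    ihl = 5 + len(options) // 4
    fixed = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, 20 + len(options),
                        0, 0, 64, 6, 0, ipaddress.ip_address(src).packed,
                        ipaddress.ip_address(dst).packed)
    return fixed + options
```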

15
System Security Considerations
  • Most worms and cyber attacks target
    vulnerabilities in a few common operating system
    services.
  • Attackers are opportunistic
  • Count on organizations not fixing the problems
  • Scan the Internet for vulnerable systems
  • Attack indiscriminately, usually taking the path
    of least resistance
  • Exploit the best-known flaws
  • Utilize the most effective and widely available
    attack tools
  • The spread of worms is tied to exploited
    vulnerabilities

16
SANS - Top Vulnerabilities to Windows Systems (2005)
  • Web Servers & Services
  • Workstation Service
  • Windows Remote Access Services
  • Microsoft SQL Server (MSSQL)
  • Windows Authentication
  • Web Browsers
  • File-Sharing Applications
  • LSAS Exposures
  • Mail Client
  • Instant Messaging

17
SANS - Top Vulnerabilities to UNIX Systems (2005)
  • BIND Domain Name System
  • Web Server
  • Authentication
  • Version Control Systems
  • Mail Transport Service
  • Simple Network Management Protocol (SNMP)
  • Open Secure Sockets Layer (SSL)
  • Mis-Configuration of Enterprise Services (NIS/NFS)
  • Databases
  • Kernel

18
SANS Institute
  • Instead of OS specific vulnerabilities, now
    publishes vulnerabilities by area
  • OS
  • Cross-Platform
  • Network Devices
  • Security Policy Personnel
  • Special Areas

19
Security Management Policy
  • Must meet the needs of the business from both a
    productivity perspective as well as a security
    perspective
  • Requirements generated both internally
    (operational requirements) and externally (legal
    requirements)
  • Ultimately, businesses are responsible for
    protecting their assets

20
System Security Strategy
  • Keep an inventory of all software installed on
    network systems
  • Prevent users from installing software
  • Keep ALL systems patched with the latest updates
    for system software
  • Don't forget to patch system firmware!
  • Manage Risk

21
Risk Management
  • The purpose of risk management is to balance the
    needs of the business to have access to all
    resources against the cost of guaranteeing access
    to those resources via necessary safeguards

22
Risk Management Process
  • Determine Value of Assets
  • Itemize Threats to Assets
  • Estimate Likelihood of Attack
  • Calculate Total Cost of Threats
  • Develop Action Plan
  • Mitigation
  • Insurance
  • Acceptance
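The risk management process above carried through with numbers, as an added example that is not from the slides: asset values, threats, likelihoods and safeguard costs are constructed, and the single/annualized loss expectancy formulas (SLE = asset value x exposure factor, ALE = SLE x annual rate of occurrence) are the standard quantitative model assumed here, not something the slides state.

```python
from dataclasses import dataclass, field


@dataclass
class Threat:
    name: str
    exposure_factor: float   # fraction of asset value lost per occurrence (0..1)
    annual_rate: float       # estimated occurrences per year (likelihood of attack)
    safeguard_cost: float    # yearly cost of the mitigating control (constructed)
    residual_fraction: float # fraction of loss that remains after mitigation
    insurance_premium: float # yearly premium to transfer the loss (constructed)


@dataclass
class Asset:
    name: str
    value: float
    threats: list = field(default_factory=list)


def single_loss_expectancy(asset: Asset, t: Threat) -> float:
    return asset.value * t.exposure_factor


def annualized_loss_expectancy(asset: Asset, t: Threat) -> float:
    return single_loss_expectancy(asset, t) * t.annual_rate


def total_annual_cost(asset: Asset) -> float:
    """Step 4: total cost of the itemized threats, before any action."""
    return sum(annualized_loss_expectancy(asset, t) for t in asset.threats)


def action_plan(asset: Asset, t: Threat) -> str:
    """Step 5: pick the cheapest of mitigation, insurance or acceptance."""
    ale = annualized_loss_expectancy(asset, t)
    options = {
        "mitigation": t.safeguard_cost + ale * t.residual_fraction,  # control + residual loss
        "insurance": t.insurance_premium,
        "acceptance": ale,                                           # live with the expected loss
    }
    return min(options, key=options.get)


# Constructed sample: a public web server worth $200,000 facing two threats.
WEB_SERVER = Asset("public web server", 200_000.0, [
    Threat("defacement via unpatched service", 0.25, 2.0, 30_000.0, 0.10, 60_000.0),
    Threat("hardware failure", 0.50, 0.1, 25_000.0, 0.0, 8_000.0),
])


def plan_for(asset: Asset) -> dict:
    """Map each threat to the chosen action for this asset."""
    return {t.name: action_plan(asset, t) for t in asset.threats}
```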

23
Security Management Policy
  • Multiple levels of policies
  • Granularity
  • Organizational
  • Functional
  • System
  • Incidents/attacks will occur; need to have a
    policy to deal with incident response
  • Document compliance with every policy for every
    user, application, system, piece of equipment,
    etc.

24
Security Management Trends
  • Centralized Automated Solutions
  • Policy-Based Event Notification
  • Asset-Based Event Prioritization
  • Multi-Platform Correlation
  • Advanced Reporting
  • Auditing Systems and Compliance Verification

25
Topics for Further Study
  • Identity Management
  • Security Management with Biometrics
  • Risk Management for IT (CIT 55x)
  • Securing Wireless Networks
  • VoIP Security: Special Considerations
  • Kerberos
  • Security Assertion Markup Language
  • Security Information Management?
  • Network Security Architecture

26
Security Management Network Elements
  • PBX
  • Hubs
  • Routers
  • Switches
  • Servers
  • Workstations
  • Firewalls
  • Wireless Access Points
  • Power Management Systems
  • Network SCADA Systems
  • Temperature Management Systems (HVAC)
  • Home Appliances?
  • Others?

27
References
  • Sullivan, D. (2006). The Definitive Guide to
    Security Management. San Francisco, CA:
    Realtimepublishers.
  • http://www.ccert.edu.cn/education/cissp/hism/003-006.html#Heading1
  • http://www.sans.org/top20/