Security Risk Management - PowerPoint PPT Presentation

Slides: 45
Provided by: tonye4

1
Security Risk Management
  • Eduardo Rivadeneira
  • IT pro
  • Microsoft Mexico

2
Session Prerequisites
  • Hands-on experience installing, configuring,
    administering, and planning the deployment of
    Windows 2000 Server or Windows Server 2003
  • Knowledge of Active Directory and Group Policy
    concepts

Level 200
3
Agenda
  • Day 1
  • TechNet Communities Mexico
  • Community Training Mexico
  • Essentials of Security Part 1
  • Day 2
  • Essentials of Security Part 2
  • Security Risk Management Part 1
  • Day 3
  • Security Risk Management Part 2
  • Questions and Answers

4
TechNet Communities Mexico
  • Day 1

5
Communities in Mexico
  • Online
  • http://groups.msn.com/itpromexico
  • In person
  • Mexico City (DF) Community
  • IT Pro Mexico
  • Aida Lara
  • alora_at_hubbell.com.mx
  • Victor Guadarrama Olivares
  • vmgo_at_mvps.org
  • http://itpromexico.com.mx

6
Communities
  • Monterrey Community
  • Carlos Alberto Morales
  • cmorales_at_madisa.com
  • Astrid Rodríguez Garza
  • Vrodriguez_at_mail.risoul.com.mx
  • http://groups.msn.com/itpromonterrey
  • San Quintín, Baja California Community
  • Genaro N. Lopez Norori gnlopez_at_hotmail.com
  • http://groups.msn.com/ITproSanQuintin

7
Communities
  • Guadalajara Community
  • Oscar T. Aceves Dávalos
  • itan040_at_hotmail.com
  • http://groups.msn.com/itprogdl
  • Coatzacoalcos Community
  • Gabriel Castillo
  • jcastillo_at_celanese.com.mx
  • http://groups.msn.com/ITcoatzacoalcos

8
Communities
  • Tijuana
  • Andree Ochoa
  • andreeochoa_at_netscape.net
  • http://groups.msn.com/itprotijuana
  • Puebla
  • Jorge Garcia
  • MasterFx_at_masterfx.net
  • http://groups.msn.com/ITICOPuebla

9
Community Procedures
  • In-person event
  • Send the information for next month's meetings
  • Venue, date, time, event description, event
    location
  • Confirm that the event is registered at
    http://wwww.microsoft.com/mexico/eventos
  • All participants must register for the event via
    the Web and hand in their registration with the
    bar code on the day of the event
  • The instructor must collect the evaluations and
    sign-in sheets and deliver them to the area
    director

10
Essentials of Security
  • Day 1

11
Business Case
  • Business Case
  • Security Risk Management Discipline
  • Defense in Depth
  • Security Incident Response
  • Best Practices
  • 10 Immutable Laws of Security

12
Impact of Security Breaches
13
2003 CSI/FBI Survey
  • The cost of implementing security measures is
    not trivial; however, it is a fraction of the
    cost of mitigating security compromises

14
Benefits of Investing in Security
  • Reduced downtime and costs associated with
    non-availability of systems and applications
  • Reduced labor costs associated with inefficient
    security update deployment
  • Reduced data loss due to viruses or information
    security breaches
  • Increased protection of intellectual property

15
Security Risk Management Discipline
  • Business Case
  • Security Risk Management Discipline
  • Defense in Depth
  • Security Incident Response
  • Best Practices
  • 10 Immutable Laws of Security

16
Security Risk Management Discipline (SRMD)
Processes
  • Assessment
    • Assess and valuate assets
    • Identify security risks and threats
    • Analyze and prioritize security risks
    • Security risk tracking, planning, and scheduling
  • Development and Implementation
    • Develop security remediation
    • Test security remediation
    • Capture security knowledge
  • Operation
    • Reassess assets and security risks
    • Stabilize and deploy new or changed
      countermeasures

17
Assessment: Assess and Valuate Assets
Asset Priorities (Scale of 1 to 10) Example

(For example purposes only, not prescriptive
guidance)
18
Assessment: Identify Security Risks and Threats
STRIDE
19
Assessment: Analyze and Prioritize Security Risks
DREAD
Example Worksheet
  • DREAD
    • Damage
    • Reproducibility
    • Exploitability
    • Affected Users
    • Discoverability
  • Risk Exposure = Asset Priority x Threat Rank

20
Assessment: Security Risk Tracking, Planning, and
Scheduling
Detailed Security Action Plans
Example Worksheets
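The two assessment slides above give the formula (Risk Exposure = Asset Priority x Threat Rank) but not a filled-in worksheet. The following is an added example, not code from the deck or from Microsoft's SRMD guidance: it scores each threat on the five DREAD criteria, tags it with a STRIDE category, multiplies the threat rank by the asset priority, and sorts the rows into the action plan that slide 20 calls for. It assumes that each DREAD criterion is scored 1 to 10 and that the threat rank is the average of the five scores (one common convention; the deck does not say how the rank is derived). The asset priorities, threats and remediation thresholds are constructed sample data, not figures from the presentation.

```python
"""SRMD worksheet: DREAD threat rank, risk exposure and a ranked action plan.

Added example, not from the original deck. Assumptions: DREAD criteria are
scored 1-10 and averaged into the threat rank; all sample data is constructed.
"""
from dataclasses import dataclass

# The six STRIDE threat categories (used here only to label each threat).
STRIDE = {"Spoofing", "Tampering", "Repudiation", "Information disclosure",
          "Denial of service", "Elevation of privilege"}

# The five DREAD criteria, each scored 1 (low) to 10 (high).
DREAD = ("damage", "reproducibility", "exploitability",
         "affected_users", "discoverability")


def _check_score(name, value):
    """Reject anything outside the 1-10 scale the worksheet uses."""
    if not isinstance(value, int) or not 1 <= value <= 10:
        raise ValueError(f"{name} must be an integer from 1 to 10, got {value!r}")
    return value


@dataclass(frozen=True)
class Threat:
    asset: str
    stride: str
    description: str
    damage: int
    reproducibility: int
    exploitability: int
    affected_users: int
    discoverability: int

    def __post_init__(self):
        if self.stride not in STRIDE:
            raise ValueError(f"unknown STRIDE category {self.stride!r}")
        for name in DREAD:
            _check_score(name, getattr(self, name))

    def threat_rank(self) -> float:
        """Average of the five DREAD scores (assumed convention), 1.0 to 10.0."""
        return sum(getattr(self, name) for name in DREAD) / len(DREAD)


def risk_exposure(asset_priority: int, threat: Threat) -> float:
    """Risk Exposure = Asset Priority x Threat Rank (the deck's formula)."""
    return _check_score("asset priority", asset_priority) * threat.threat_rank()


def remediation_band(exposure: float) -> str:
    """Constructed thresholds for the action plan; tune them to your organisation."""
    if exposure >= 50:
        return "mitigate now"
    if exposure >= 20:
        return "schedule remediation"
    return "accept and monitor"


def action_plan(asset_priority: dict, threats: list) -> list:
    """Return worksheet rows sorted by risk exposure, highest first."""
    rows = []
    for t in threats:
        exposure = risk_exposure(asset_priority[t.asset], t)
        rows.append({
            "asset": t.asset,
            "asset_priority": asset_priority[t.asset],
            "stride": t.stride,
            "threat": t.description,
            "threat_rank": round(t.threat_rank(), 2),
            "risk_exposure": round(exposure, 2),
            "action": remediation_band(exposure),
        })
    rows.sort(key=lambda r: r["risk_exposure"], reverse=True)
    return rows


# Constructed sample data (asset priorities on the deck's 1-10 scale).
ASSET_PRIORITY = {"Public web server": 8, "Internal file server": 5, "Lobby kiosk PC": 2}

THREATS = [
    Threat("Public web server", "Elevation of privilege",
           "Unpatched IIS service reachable on an unneeded port",
           damage=8, reproducibility=7, exploitability=7, affected_users=8, discoverability=9),
    Threat("Internal file server", "Tampering",
           "Virus outbreak spread through e-mail attachments",
           damage=6, reproducibility=8, exploitability=6, affected_users=7, discoverability=8),
    Threat("Lobby kiosk PC", "Information disclosure",
           "Theft of the unattended device",
           damage=3, reproducibility=4, exploitability=5, affected_users=1, discoverability=6),
]

if __name__ == "__main__":
    for row in action_plan(ASSET_PRIORITY, THREATS):
        print(f'{row["risk_exposure"]:6.1f}  {row["action"]:22}  {row["asset"]}: {row["threat"]}')
```

With the sample data the web server threat ranks first (exposure 62.4), the file server second (35.0) and the kiosk last (7.6), which is the order the action plan should schedule remediation in; the bands only make that ordering visible to the people who own the schedule.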
21
Development and Implementation
Security Remediation Strategy
Testing Lab
Production Environment
Knowledge Documented for Future Use
22
Operation: Reassess Assets and Security Risks
  • Reassess risks when there is a significant change
    in assets, operation, or structure
  • Assess risks continually

Production Environment
Documented Knowledge
New Web Site
Internet Services
Testing Lab
23
Operation: Stabilize and Deploy New or Changed
Countermeasures
System Administration Team
New or Changed Countermeasures
Security Administration Team
Network Administration Team
24
Defense in Depth
  • Business Case
  • Security Risk Management Discipline
  • Defense in Depth
  • Security Incident Response
  • Best Practices
  • 10 Immutable Laws of Security

25
The Defense-in-Depth Model
  • Using a layered approach
  • Increases an attacker's risk of detection
  • Reduces an attacker's chance of success

  • Policies, Procedures, Awareness: security documents, user education
  • Physical Security: guards, locks, tracking devices
  • Perimeter: firewalls, Network Access Quarantine Control
  • Internal Network: network segments, IPSec, NIDS
  • Host: OS hardening, authentication, patch management, HIDS
  • Application: application hardening, antivirus
  • Data: ACLs, encryption, EFS
26
Description of the Policies, Procedures, and
Awareness Layer
27
Policies, Procedures, and Awareness Layer
Compromise
28
Policies, Procedures, and Awareness Layer
Protection
  • Employee security training helps users
    support the security policy

  • Firewall Configuration Procedure
  • Physical Access Security Policy
  • Device Request Procedure
  • User Information Secrecy Policy
29
Description of the Physical Security Layer
  • All of the assets within an organization's IT
    infrastructure must be physically secured

30
Physical Security Layer Compromise
31
Physical Security Layer Protection
32
Description of the Perimeter Layer
33
Perimeter Layer Compromise
34
Perimeter Layer Protection
35
Description of the Internal Network Layer
36
Internal Network Layer Compromise
37
Internal Network Layer Protection
  • Require mutual authentication
  • Segment the network
  • Encrypt network communications
  • Restrict traffic even when it is segmented
  • Sign network packets
  • Implement IPSec port filters to restrict traffic
    to servers
38
Demonstration 1: Configuring IPSec Port Filtering
  • Your instructor will demonstrate how to:
    • Create and configure an IP Security policy that
      contains IPSec port filters that will be used to
      lock down unnecessary ports on an IIS server
    • View IPSec port filter properties

39
Description of the Host Layer
  • Contains individual computer systems on the
    network
  • Often have specific roles or functions
  • The term host is used to refer to both clients
    and servers

40
Host Layer Compromise
  • Exploit Operating System Weakness
  • Distribute Viruses
41
Host Layer Protection
  • Harden client and server operating systems
  • Disable unnecessary services
  • Monitor and audit access and attempted access
  • Install and maintain antivirus software
  • Use firewalls
  • Keep security patches and service packs up to date
42
Windows XP SP2 Advanced Security Technologies
  • Network protection
  • Memory protection
  • Safer e-mail handling
  • More secure browsing
  • Improved computer maintenance
  • Get more information on Windows XP Service
    Pack 2 at http://www.microsoft.com/sp2preview

43
Demonstration 2: Overview of Windows XP SP2
  • Your instructor will demonstrate the new and
    enhanced security features in Windows XP SP2:
    • Security Center
    • Windows Firewall
    • Internet Explorer

44
Questions
  • http://groups.msn.com/itpromexico
  • Webcast section