TEL2813/IS2820 Security Management

1
TEL2813/IS2820 Security Management

• Lecture 1
• Jan 10, 2006

2
Contact

• James Joshi
• 706A, IS Building
• Phone 412-624-9982
• E-mail jjoshi_at_mail.sis.pitt.edu
• Web /jjoshi/TELCOM2813/Spring2005/
• Office Hours Wednesdays 1.00 3.00 p.m. or By
  appointments
• GSA will be announced later

3
Course objective

• The course is aimed at imparting knowledge and
  skill sets required to assume the overall
  responsibilities of administration and management
  of security of an enterprise information system.

4
Course objective

• After the course, ability to to carry out
• detailed analysis of enterprise security by
  performing various types of analysis
• vulnerability analysis, penetration testing,
• audit trail analysis,
• system and network monitoring, and
• Configuration management, etc.
• Carry out the task of security risk management
  using various practical and theoretical tools.

5
Course objective

• After the course, ability to carry out
• Design detailed enterprise wide security plans
  and policies, and deploy appropriate safeguards
  (models, mechanisms and tools) at all the levels
  due consideration to
• the life-cycle of the enterprise information
  systems and networks,
• legal and social environment
• Be able to certify products according to IA
  standards (Common Criteria Evaluations)

6
Course content

• Introduction to Security Management
• Security policies/models/mechanisms
• Security Management Principles, Models and
  Practices
• Security Planning/ Asset Protection
• Security Programs and Disaster Recovery Plans
• Standards and Security Certification Issues
• Rainbow Series, Common Criteria
• Security Certification Process
• National/International Security Laws and Ethical
  Issues

• Security Analysis and Safeguards
• Vulnerability analysis (Tools Tech.)
• Penetration testing
• Risk Management
• Protection Mechanisms and Incident handling
• Access Control and Authentication architecture
• Configuration Management
• Auditing systems audit trail analysis
• Network defense and countermeasures
• Intrusion Detection Systems (SNORT)
• Architectural configurations and survivability
• Firewall configurations
• Virtual private networks
• Computer and network forensic
• Privacy Protection
• Case studies on OS and application software
  (e.g., SELinux, Unix and Windows Security)

7
Course Material

• Recommended course material
• Management of Information Security, M. E.
  Whitman, H. J. Mattord
• Guide to Disaster Recovery, M. Erbschilde
• Guide to Network Defense and Countermeasures, G.
  Holden
• Real Digital Forensics Computer Security and
  Incident Response, 1/e Keith J. Jones, Richard
  Bejtlich, Curtis W. Rose
• Computer Security Art and Science, Matt Bishop
  (ISBN 0-201-44099-7), Addison-Wesley 2003
• Security in Computing, 2nd Edition, Charles P.
  Pfleeger, Prentice Hall
• A list of papers will be provided

8
Tentative Grading

• Assignments (50)
• Homework/Quiz/Paper review/Class
  Participation/Seminar attendance 40
• One/two presentation 10
• Exams 20
• Project 30

9
Course Policies

• Your work MUST be your own
• Zero tolerance for cheating/plagiarism
• You get an F for the course if you cheat in
  anything however small NO DISCUSSION
• Discussing the problem is encouraged
• Homework
• Penalty for late assignments (15 each day)
• Ensure clarity in your answers no credit will
  be given for vague answers
• Homework is primarily the GSAs responsibility
• Check webpage for everything!
• You are responsible for checking the webpage for
  updates

10
Introduction
11
Introduction

• Information technology is critical to business
  and society
• Computer security is evolving into information
  security
• Information security is the responsibility of
  every member of an organization, but managers
  play a critical role

12
Introduction

• Information security involves three distinct
  communities of interest
• Information security managers and professionals
• Information technology managers and professionals
  
• Non-technical business managers and professionals

13
Communities of Interest

• InfoSec community
• protect information assets from threats
• IT community
• support business objectives by supplying
  appropriate information technology
• Business community
• policy and resources

14
What Is Security?

• The quality or state of being secureto be free
  from danger
• Security is achieved using several strategies
  simultaneously

15
Security and Control

• Controls
• Physical Controls
• Technical Controls
• Administrative
• Prevention Detection Recovery
• Deterrence, Corrective

• Examples
• Physical security
• Personal security
• Operations security
• Communications security
• Network security

16
InfoSec Components
17
CIA Triangle

• The C.I.A. triangle is made up of
• Confidentiality
• Integrity
• Availability
• Over time the list of characteristics has
  expanded, but these three remain central
• CNSS model is based on CIA

18
NSTISSC Security Model (4011)
19
Key Concepts Confidentiality

• Some threats
• Hackers
• Masqueraders
• Unauthorized users
• Unprotected download of files
• LANS
• Trojan horses

• Confidentiality
• only those with sufficient privileges may access
  certain information
• Confidentiality model
• Bell-LaPadula
• No write down No read up
• TCSEC/TNI (Orange, Red Book)

20
Key Concepts Integrity

• Other issues
• Origin integrity
• Data integrity

• Integrity
• Integrity is the quality or state of being whole,
  complete, and uncorrupted
• Integrity model
• Biba/low water mark
• No write up No read down
• Clark-Wilson
• Separation of duty
• Lipner

21
Key Concepts Availability

• Availability
• making information accessible to user access
  without interference or obstruction
• Survivability
• Ensuring availability in presence of attacks

22
Key Concepts privacy

• Privacy
• Information is to be used only for purposes known
  to the data owner
• This does not focus on freedom from observation,
  but rather that information will be used only in
  ways known to the owner

23
Key Concepts Identification

• Identification
• Information systems possess the characteristic of
  identification when they are able to recognize
  individual users
• Identification and authentication are essential
  to establishing the level of access or
  authorization that an individual is granted

24
Key Concepts Authentication Authorization

• Authentication
• Authentication occurs when a control provides
  proof that a user possesses the identity that he
  or she claims
• Authorization
• authorization provides assurance that the user
  has been specifically and explicitly authorized
  by the proper authority to access the contents of
  an information asset

25
Key Concepts Accountability Assurance

• Accountability
• The characteristic of accountability exists when
  a control provides assurance that every activity
  undertaken can be attributed to a named person or
  automated process
• Assurance
• Assurance that all security objectives are met

26
What Is Management?

• A process of achieving objectives using a given
  set of resources
• To manage the information security process, first
  understand core principles of management
• A manager is
• someone who works with and through other people
  by coordinating their work activities in order to
  accomplish organizational goals

27
Managerial Roles

• Informational role Collecting, processing, and
  using information to achieve the objective
• Interpersonal role Interacting with superiors,
  subordinates, outside stakeholders, and other
• Decisional role Selecting from alternative
  approaches and resolving conflicts, dilemmas, or
  challenges

28
Differences Between Leadership and Management

• The leader influences employees so that they are
  willing to accomplish objectives
• He or she is expected to lead by example and
  demonstrate personal traits that instill a desire
  in others to follow
• Leadership provides purpose, direction, and
  motivation to those that follow
• A manager administers the resources of the
  organization, budgets, authorizes expenditure

29
Characteristics of a Leader

• Bearing
• Courage
• Decisiveness
• Dependability
• Endurance
• Enthusiasm
• Initiative

1. Integrity
2. Judgment
3. Justice
4. Knowledge
5. Loyalty
6. Tact
7. Unselfishness

Used by US military
30
What Makes a Good Leader?Action plan

1. Know yourself and seek self-improvement
2. Be technically and tactically proficient
3. Seek responsibility and take responsibility for
   your actions
4. Make sound and timely decisions
5. Set the example
6. Know your subordinates and look out for their
   well-being

1. Keep your subordinates informed
2. Develop a sense of responsibility in your
   subordinates
3. Ensure the task is understood, supervised, and
   accomplished
4. Build the team
5. Employ your team in accordance with its
   capabilities

31
Leadership quality and types

• A leader must
• BE a person of strong and honorable character
• KNOW you, the details of your situation, the
  standards to which you work, human nature, and
  your team
• DO by providing purpose, direction, and
  motivation to your team
• Three basic behavioral types of leaders
• Autocratic
• Democratic
• Laissez-faire

32
Characteristics of Management

• Two well-known approaches to management
• Traditional management theory using principles of
  planning, organizing, staffing, directing, and
  controlling (POSDC)
• Popular management theory using principles of
  management into planning, organizing, leading,
  and controlling (POLC)

33
The PlanningControlling Link
34
Planning Organization

• Planning process that develops, creates, and
  implements strategies for the accomplishment of
  objectives
• Three levels of planning
• Strategic
• Tactical
• Operational
• Organization structuring of resources to support
  the accomplishment of objectives

35
Leadership

• Encourages the implementation of
• the planning and organizing functions,
• Includes supervising employee behavior,
  performance, attendance, and attitude
• Leadership generally addresses the direction and
  motivation of the human resource

36
Control

• Control
• Monitoring progress toward completion
• Making necessary adjustments to achieve the
  desired objectives
• Controlling function determines what must be
  monitored as well as using specific control tools
  to gather and evaluate information

37
Control Tools

• Four categories
• Information
• Information flows/ communications
• Financial
• Guide use of monetary resources (ROI,CBA,..)
• Operational
• PERT, Gantt, process flow
• Behavioral
• Human resources

38
The Control Process
39
Solving Problems

• Step 1 Recognize and Define the Problem
• Step 2 Gather Facts and Make Assumptions
• Step 3 Develop Possible Solutions
  (Brainstorming)
• Step 4 Analyze and Compare the Possible
  Solutions (Feasibility analysis)
• Step 5 Select, Implement, and Evaluate a Solution

40
Feasibility Analyses

• Economic feasibility assesses costs and benefits
  of a solution
• Technological feasibility assesses an
  organizations ability to acquire and manage a
  solution
• Behavioral feasibility assesses whether members
  of the organization will support a solution
• Operational feasibility assesses if an
  organization can integrate a solution

41
Principles Of Information Security Management

• The extended characteristics of information
  security are known as the six Ps
• Planning
• Policy
• Programs
• Protection
• People
• Project Management

42
InfoSec Planning

• Planning as part of InfoSec management
• is an extension of the basic planning model
  discussed earlier
• Included in the InfoSec planning model are
• activities necessary to support the design,
  creation, and implementation of information
  security strategies as they exist within the IT
  planning environment

43
InfoSec Planning Types

• Several types of InfoSec plans exist
• Incident response
• Business continuity
• Disaster recovery
• Policy
• Personnel
• Technology rollout
• Risk management and
• Security program including education, training
  and awareness

44
Policy

• Policy set of organizational guidelines that
  dictates certain behavior within the organization
• In InfoSec, there are three general categories of
  policy
• General program policy (Enterprise Security
  Policy)
• An issue-specific security policy (ISSP)
• E.g., email, Intenert use
• System-specific policies (SSSPs)
• E.g., Access control list (ACLs) for a device

45
Programs

• Programs are operations managed as
• specific entities in the information security
  domain
• Example
• A security education training and awareness
  (SETA) program is one such entity
• Other programs that may emerge include
• a physical security program, complete with fire,
  physical access, gates, guards, and so on

46
Protection

• Risk management activities, including
• risk assessment and control,
• Protection mechanisms, technologies tools
• Each of these mechanisms represents some aspect
  of the management of specific controls in the
  overall security plan

47
People

• People are the most critical link in the
  information security program
• Human firewall
• It is imperative that managers continuously
  recognize the crucial role that people play
  includes
• information security personnel and the security
  of personnel, as well as aspects of the SETA
  program

48
Project Management

• Project management discipline should be present
  throughout all elements of the information
  security program
• Involves
• Identifying and controlling the resources applied
  to the project
• Measuring progress and adjusting the process as
  progress is made toward the goal

49
(No Transcript)
50
Security Planning
51
Introduction

• Successful organizations utilize planning
• Planning involves
• Employees
• Management
• Stockholders
• Other outside stakeholders
• Physical environment
• Political and legal environment
• Competitive environment
• Technological environment

52
Introduction

• Strategic planning includes
• Vision statement
• Mission statement
• Strategy
• Coordinated plans for sub units
• Knowing how the general organizational planning
  process works helps in the information security
  planning process

53
Introduction

• Planning
• Is creating action steps toward goals, and then
  controlling them
• Provides direction for the organizations future
• Top-down method
• Organizations leaders choose the direction
• Planning begins with the general and ends with
  the specific

54
Information Security Planning
55
Components Of PlanningMission Statement

• Mission statement
• Declares the business of the organization and its
  intended areas of operations
• Explains what the organization does and for whom
• Example
• Random Widget Works, Inc. designs and
  manufactures quality widgets, associated
  equipment and supplies for use in modern business
  environments

CSSD http//technology.pitt.edu/security.html
56
Components Of PlanningVision Statement

• Vision statement
• Expresses what the organization wants to become
• Should be ambitious
• Example
• Random Widget Works will be the preferred
  manufacturer of choice for every businesss
  widget equipment needs, with an RWW widget in
  every machine they use

57
Components Of PlanningValues

• By establishing organizational principles in a
  values statement, an organization makes its
  conduct standards clear
• Example
• RWW values commitment, honesty, integrity and
  social responsibility among its employees, and is
  committed to providing its services in harmony
  with its corporate, social, legal and natural
  environments.
• The mission, vision, and values statements
  together provide the foundation for planning

58
Components Of PlanningStrategy

• Strategy is the basis for long-term direction
• Strategic planning
• Guides organizational efforts
• Focuses resources on clearly defined goals
• strategic planning is a disciplined effort to
  produce fundamental decisions and actions that
  shape and guide what an organization is, what it
  does, and why it does it, with a focus on the
  future.

59
Strategic Planning
60
Strategic Planning

• Organization
• Develops a general strategy
• Creates specific strategic plans for major
  divisions
• Each level of division
• translates those objectives into more specific
  objectives for the level below
• In order to execute this broad strategy,
• executives must define individual managerial
  responsibilities

61
Planning for the Organization
62
Strategic Planning

• Strategic goals are then translated
• into tasks with specific, measurable, achievable,
  reasonably high and time-bound objectives (SMART)
• Strategic planning
• then begins a transformation from general to
  specific objectives

63
Planning Levels
64
Planning levels

• Tactical Planning
• Shorter focus than strategic planning
• Usually one to three years
• Breaks applicable strategic goals into a series
  of incremental objectives

65
Planning levels

• Operational Planning
• Used by managers and employees to organize the
  ongoing, day-to-day performance of tasks
• Includes clearly identified coordination
  activities across department boundaries such as
• Communications requirements
• Weekly meetings
• Summaries
• Progress reports

66
Typical Strategic Plan Elements

• Introduction by senior executive (President/CEO)
• Executive Summary
• Mission Statement and Vision Statement
• Organizational Profile and History
• Strategic Issues and Core Values
• Program Goals and Objectives
• Management/Operations Goals and Objectives
• Appendices (optional)
• Strengths, weaknesses, opportunities and threats
  (SWOT) analyses, surveys, budgets etc

67
Tips For Planning

• Create a compelling vision statement that frames
  the evolving plan, and acts as a magnet for
  people who want to make a difference
• Embrace the use of balanced scorecard approach
• Deploy a draft high level plan early, and ask for
  input from stakeholders in the organization
• Make the evolving plan visible

68
Tips For Planning

• Make the process invigorating for everyone
• Be persistent
• Make the process continuous
• Provide meaning
• Be yourself
• Lighten up and have some fun

69
Planning For Information Security Implementation

• The CIO and CISO play important roles
• in translating overall strategic planning into
  tactical and operational information security
  plans
• CISO plays a more active role
• in the development of the planning details than
  does the CIO

70
CISO Job Description

• Creates strategic information security plan with
  a vision for the future of information security
  at Company X
• Understands fundamental business activities
  performed by Company X
• Based on this understanding, suggests appropriate
  information security solutions that uniquely
  protect these activities
• Develops action plans, schedules, budgets, status
  reports and other top management communications
  intended to improve the status of information
  security at Company X

71
Planning for InfoSec

• Once plan has been translated into IT and
  information security objectives and tactical and
  operational plans for information security,
  implementation can begin
• Implementation of information security can be
  accomplished in two ways
• Bottom-up
• OR
• Top-down

72
Approaches to Security Implementation
73
The Systems Development Life Cycle (SDLC)

• SDLC methodology for the design and
  implementation of an information system
• SDLC-based projects may be initiated by events or
  planned
• At the end of each phase, a review occurs when
  reviewers determine if the project should be
  continued, discontinued, outsourced, or postponed

74
Phases of An SDLC
75
Investigation

• Identifies problem to be solved
• Begins with the objectives, constraints, and
  scope of the project
• A preliminary cost/benefit analysis is developed
  to evaluate the perceived benefits and the
  appropriate costs for those benefits

76
Analysis

• Begins with information from the Investigation
  phase
• Assesses the organizations readiness, its
  current systems status, and its capability to
  implement and then support the proposed system(s)
• Analysts determine what the new system is
  expected to do, and how it will interact with
  existing systems

77
Logical Design

• Information obtained from analysis phase is used
  to create a proposed solution for the problem
• A system and/or application is selected based on
  the business need
• The logical design is the implementation
  independent blueprint for the desired solution

78
Physical Design

• During the physical design phase, the team
  selects specific technologies
• The selected components are evaluated further as
  a make-or-buy decision
• A final design is chosen that optimally
  integrates required components

79
Implementation

• Develop any software that is not purchased, and
  create integration capability
• Customized elements are tested and documented
• Users are trained and supporting documentation is
  created
• Once all components have been tested
  individually, they are installed and tested as a
  whole

80
Maintenance

• Tasks necessary to support and modify the system
  for the remainder of its useful life
• System is tested periodically for compliance with
  specifications
• Feasibility of continuance versus discontinuance
  is evaluated
• Upgrades, updates, and patches are managed
• When current system can no longer support the
  mission of the organization, it is terminated and
  a new systems development project is undertaken

81
The Security SDLC

• May differ in several specifics, but overall
  methodology is similar to the SDLC
• SecSDLC process involves
• Identification of specific threats and the risks
  that they represent
• Subsequent design and implementation of specific
  controls to counter those threats and assist in
  the management of the risk those threats pose to
  the organization

82
Investigation in the SecSDLC

• Often begins as directive from management
  specifying the process, outcomes, and goals of
  the project and its budget
• Frequently begins with the affirmation or
  creation of security policies
• Teams assembled to analyze problems, define
  scope, specify goals and identify constraints
• Feasibility analysis determines whether the
  organization has resources and commitment to
  conduct a successful security analysis and design

83
Analysis in the SecSDLC

• A preliminary analysis of existing security
  policies or programs is prepared along with known
  threats and current controls
• Includes an analysis of relevant legal issues
  that could affect the design of the security
  solution
• Risk management begins in this stage

84
Risk Management

• Risk Management process of identifying,
  assessing, and evaluating the levels of risk
  facing the organization
• Specifically the threats to the information
  stored and processed by the organization
• To better understand the analysis phase of the
  SecSDLC, you should know something about the
  kinds of threats facing organizations
• In this context, a threat is an object, person,
  or other entity that represents a constant danger
  to an asset

85
Key Terms

• Attack deliberate act that exploits a
  vulnerability to achieve the compromise of a
  controlled system
• Accomplished by a threat agent that damages or
  steals an organizations information or physical
  asset
• Exploit technique or mechanism used to
  compromise a system
• Vulnerability identified weakness of a
  controlled system in which necessary controls are
  not present or are no longer effective

86
Threats to Information Security
87
Some Common Attacks

• Malicious code
• Hoaxes
• Back doors
• Password crack
• Brute force
• Dictionary
• Denial-of-service (DoS) and distributed
  denial-of-service (DDoS)

• Spoofing
• Man-in-the-middle
• Spam
• Mail bombing
• Sniffer
• Social engineering
• Buffer overflow
• Timing

88
Risk Management

• Use some method of prioritizing risk posed by
  each category of threat and its related methods
  of attack
• To manage risk, you must identify and assess the
  value of your information assets
• Risk assessment assigns comparative risk rating
  or score to each specific information asset
• Risk management identifies vulnerabilities in an
  organizations information systems and takes
  carefully reasoned steps to assure the
  confidentiality, integrity, and availability of
  all the components in organizations information
  system

89
Design in the SecSDLC

• Design phase actually consists of two distinct
  phases
• Logical design phase team members create and
  develop a blueprint for security, and examine and
  implement key policies
• Physical design phase team members evaluate the
  technology needed to support the security
  blueprint, generate alternative solutions, and
  agree upon a final design

90
Security Models

• Security managers often use established security
  models to guide the design process
• Security models provide frameworks for ensuring
  that all areas of security are addressed
• Organizations can adapt or adopt a framework to
  meet their own information security needs

91
Policy

• A critical design element of the information
  security program is the information security
  policy
• Management must define three types of security
  policy
• General or security program policy
• Issue-specific security policies
• Systems-specific security policies

92
SETA

• An integral part of the InfoSec program is
• Security education and training (SETA) program
• SETA program consists of three elements
• security education, security training, and
  security awareness
• Purpose of SETA is to enhance security by
• Improving awareness
• Developing skills and knowledge
• Building in-depth knowledge

93
Design

• Attention turns to the design of the controls and
  safeguards used to protect information from
  attacks by threats
• Three categories of controls
• Managerial
• Operational
• Technical

94
Managerial Controls

• Address design/implementation of the
• security planning process and
• security program management
• Management controls also address
• Risk management
• Security control reviews

95
Operational Controls

• Cover management functions and lower level
  planning including
• Disaster recovery
• Incident response planning
• Operational controls also address
• Personnel security
• Physical security
• Protection of production inputs and outputs

96
Technical Controls

• Address those tactical and technical issues
  related to
• designing and implementing security in the
  organization
• Technologies necessary to protect information are
  examined and selected

97
Contingency Planning

• Essential preparedness documents provide
  contingency planning (CP) to prepare, react and
  recover from circumstances that threaten the
  organization
• Incident response planning (IRP)
• Disaster recovery planning (DRP)
• Business continuity planning (BCP)

98
Physical Security

• Physical Securityaddresses
• the design, implementation, and maintenance of
  countermeasures that protect the physical
  resources of an organization
• Physical resources include
• People
• Hardware
• Supporting information system elements

99
Implementation in the SecSDLC

• Security solutions are acquired, tested,
  implemented, and tested again
• Personnel issues are evaluated and specific
  training and education programs conducted
• Perhaps most important element of implementation
  phase is management of project plan
• Planning the project
• Supervising tasks and action steps within the
  project
• Wrapping up the project

100
InfoSec Project Team

• Should consist of individuals experienced in one
  or multiple technical and non-technical areas
  including
• Champion
• Team leader
• Security policy developers
• Risk assessment specialists
• Security professionals
• Systems administrators
• End users

101
Staffing the InfoSec Function

• Each organization should examine the options for
  staffing of the information security function
• Decide how to position and name the security
  function
• Plan for proper staffing of information security
  function
• Understand impact of information security across
  every role in IT
• Integrate solid information security concepts
  into personnel management practices of the
  organization

102
InfoSec Professionals

• It takes a wide range of professionals to support
  a diverse information security program
• Chief Information Officer (CIO)
• Chief Information Security Officer (CISO)
• Security Managers
• Security Technicians
• Data Owners
• Data Custodians
• Data Users

103
Certifications

• Many organizations seek professional
  certification so that they can more easily
  identify the proficiency of job applicants
• CISSP
• SSCP
• GIAC
• SCP
• ICSA
• Security
• CISM

104
Maintenance and Change in the SecSDLC

• Once information security program is implemented,
  
• it must be properly operated, managed, and kept
  up to date by means of established procedures
• If the program is not adjusting adequately to the
  changes in the internal or external environment,
  it may be necessary to begin the cycle again

105
Maintenance Model

• While a systems management model is designed to
  manage and operate systems, a maintenance model
  is intended to focus organizational effort on
  system maintenance
• External monitoring
• Internal monitoring
• Planning and risk assessment
• Vulnerability assessment and remediation
• Readiness and review
• Vulnerability assessment

106
(No Transcript)
107
ISO Management Model

• One issue planned in the SecSDLC is the systems
  management model
• ISO network management model - five areas
• Fault management
• Configuration and name management
• Accounting management
• Performance management
• Security management

108
Security Management Model

• Fault Management involves identifying and
  addressing faults
• Configuration and Change Management involve
  administration of components involved in the
  security program and administration of changes
• Accounting and Auditing Management involves
  chargeback accounting and systems monitoring
• Performance Management determines if security
  systems are effectively doing the job for which
  they were implemented

109
Security Program Management

• Once an information security program is
  functional, it must be operated and managed
• In order to assist in the actual management of
  information security programs, a formal
  management standard can provide some insight into
  the processes and procedures needed
• This could be based on the BS7799/ISO17799 model
  or the NIST models described earlier