Security management

download report

Transcript Security management

Security management
w.lilakiatsakun
Principles of Security
• Referred to as AIC/CIA triad • Availability
• Integrity
• Confidentiality
Availability (1/2)
• The system and networks should provide
adequate capability in order to perform in a
predictable manner with an acceptable level
of performance
– Recover from disruption in a secure and quick
manner
– Single point of failure should be avoided
– Back up measures should be taken
Availability (2/2)
– Redundancy mechanisms should be in place
when necessary
– System should be protected from some
environmental issues like heat, cold, humidity
static electricity and contamination.
– IDS should be used to protect Denial of
Service attack
– Certain firewall and router configuration can
also reduce the threat of DoS attacks
Integrity (1/3)
• Integrity is upheld when the assurance of
•
accuracy and reliability of information and
systems is provided and unauthorized
modification is prevented
Hardware, software and communication
mechanisms must work in a concerted manner
to maintain and process data correctly and
move data to intended destinations without
unexpected alternation
Integrity (2/3)
• The system and network should be
protected from outside interference and
contamination
– Users mistake
– Threats such as virus, back door into a
systems or data
• Strict access control, intrusion detection
and hashing can combat threats
Integrity (3/3)
• Security should streamline the user’ capabilities
and give them only certain choices and
functionality so that error become less common
and less devastating
– System critical files should be restricted from user
view and access
– Applications should provide mechanism that check
for valid and reasonable input values
– Databases should let only authorized individuals
modify data and data in transit should be protected
by encryption or other mechanism
Confidentiality (1/3)
• Confidentiality ensures that the necessary
level of secrecy is enforced at each
junction of data processing and prevents
unauthorized disclosure
• Attacker can thwart confidentiality
mechanism by monitoring, shoulder
surfing, stealing password files and social
engineering
Confidentiality (2/3)
• shoulder surfing is when a person looks over
•
another person ‘s shoulder and watches theirs
keystrokes or views data as it appears on a
computer screen
social engineering is when one person tricks
another person into sharing confidential
information by posing as someone authorized to
have access to that information
Confidentiality (3/3)
• Confidentiality can be provided by
– encrypting data as it is stored and transmitted
– Strict access control
– Data classification
– Training personnel on the proper procedures
Security definition (1/5)
• Vulnerability is a software, hardware or
procedural weakness that may provide an
attacker the open door he is looking for to enter
a computer or network and have unauthorized
access to resources within environment
–
–
–
–
–
Services running on a server
Unpatched application or operating system softwares
Unrestricted modem dial-in access
An open port on a firewall
Physical security that allows anyone to enter a server
room
– Nonforced password management on servers and
workstations
Security definition (2/5)
• Threat is any potential danger to
information or systems
• Threat is somone or somethings (threat
agent) will use a specific vulnerability
against individual or company
Security definition (3/5)
• Risk is the likelihood of a threat agent
taking advantage of the vulnerability and
the corresponding business impact
– If a firewall has several ports open, an
intruder will use one to access the network in
an authorized method
– If users are not educated on processes and
procedures, an employee will make an
unintentional mistake that destroy data
– If on IDS, an attack will go unnoticed until it is
too late
Security definition (4/5)
• Exposure is an instance of being exposed
to losses from a threat agent
• Vulnerability exposes an organization to
possible damages
– If password management is not used and
password rules are not enforced, the
company is exposed to possibility of having
users’ passwords captured and used in
unauthorized manner
Security definition (5/5)
• Countermeasure or safeguard is put into place to
•
mitigate the potential risk
Countermeasure may be a software
configuration, a hardware device or procedure
that eliminates a vulnerability or reduces the
likelihood that a threat agent will be able to
exploit a vulnerability
–
–
–
–
Strong password management
a security guard
Access control mechanism
Security awareness training
Security Management program
(1/3)
• Objectives - To protect the company and
its assets
• A security program should use a Top-down
approach meaning that the initiation,
support and direction come from top
management and work their way through
middle management and then to staff
members
Security Management program
(2/3)
• The security policy works as a blueprint
for the company’s security program and
provides the necessary foundation to build
upon
• The next step is to develop and implement
procedure, standards and guidelines that
support the security policy and identify the
security countermeasures and method
Security Management program
(3/3)
• Once these mentioned items are
developed, the security program increases
in granularity by developing baselines and
configurations for the chosen security
controls and methods
Security administration and
supporting controls
Organizational security model (1/3)
• It is a framework made up of many
entities, protection mechanisms, logical
(technical), administrative, and physical
components, procedures, business
processes and configurations that all work
together in a synergistic way to provide
security level for an environment
Organizational security model (2/3)
Organizational security model (3/3)
• Daily goals or operational goals focus on
•
•
productivity and task-oriented activities to ensure
that the company functions in a smooth and
predictable manner
Midterm goals or tactical goals could be to
integrate all workstations and resources into one
domain so that more central control can be
achieved
Long-term goals or strategic goals could be to
move all the branches from dedicated
communication lines to frame relay, implement
IPsec VPN for all remote users and integrate
wireless technology with necessary measures into
the environment
Security program component
• The most commonly used standard is ISO
17799 (BS7799)
– Part 1 is an implementation guide with
guidelines on how to build a comprehensive
information security infrastructure (ISO 27002)
– Part2 is an auditing guide based on
requirement that must be met for an
organization to be compliant with ISO 17799
(Currently - ISO 27001)
ISO27002 (1/2)
• The content sections are:
– Structure
– Risk Assessment and Treatment
– Security Policy
– Organization of Information Security
– Asset Management
– Human Resources Security
ISO27002 (2/2)
•
•
•
•
•
•
•
Physical Security
Communications and Ops Management
Access Control
Information Systems Acquisition, Development,
Maintenance
Information Security Incident management
Business Continuity
Compliance
ISO 27001
• The content sections of the standard are:
– Management Responsibility
– Internal Audits
– ISMS Improvement
– Annex A - Control objectives and controls
– Annex B - OECD principles and this international
standard
– Annex C - Correspondence between ISO 9001,
ISO 14001 and this standard
Security policy (1/4)
• A security policy is an overall general
statement that dictates what role security
plays within an organization
• A security policy can be an organization
security policy, issue-specific policy or
system-specific policy
Security policy (2/4)
• Organization security policy address relative
•
laws, regulations and liability issues and how
they are to be satisfied
Organization security policy has several
characteristics such as
– Business objectives should drive the policy ‘s creation,
implementation and enforcement
– It should be developed and used to integrated
security into all business function and process
– It should be derived from and support all legislation
and regulation applicable to the company
Security policy (3/4)
• Issue-specific policy, also called functional
implementing policy addresses specific
security issues that management feels
need more attention
• For example - Email security policy
– policy states that employees cannot use
email to share confidential information
Security policy (4/4)
• System-specific policy presents the management
•
•
•
•
‘s decision that are specific to the actual
computers, networks, application and data.
Example
This type of policy may provide an approved
software list for a workstation.
How computers are to be lock downed
How printers, scanners are to be used
Type of policies
• Regulatory – ensure that the organization is following
standard set by specific industry regulations
– Financial institutions, health care facilities
• Advisory – strongly advise employees regarding which
types of behaviors and activities should and should not
take place within organization
– How to handle financial transactions or process confidential
information
• Informative – inform employees of certain topics , it is
not an enforceable policy
– How the company interact with partners, company ‘s goal or
mission
Definitions (1)
• Standards refers to mandatory activities, actions,
•
rules, or regulations
Standards could be internal and external
mandated (regulations and government laws)
– Organization security standards may specify how
hardware and software products are to be used
– Expected user behavior
• These rules are usually compulsory within
company and needed to be enforced
Definitions (2)
• A baseline refers to a point n time that is
used as a comparison for future changes
• Baselines are used to define minimum
level of protection that is required
• In security, specific baselines can be
defined per system type which indicates
the necessary setting and the level of
protection required
Definitions (3)
• Guidelines are recommended actions and
operational guides to users, IT ‘ staff, operations
staffs and others when a specific a standard does
not apply
– A policy state that access to confidential data must be
audited
– A supporting guideline could further explain that audit
should contain sufficient information to allow for
reconciliation with prior reviews
– A supporting procedure would outline the necessary
steps to configure, implement and maintain this type of
auditing
Definitions (4)
• Procedures are detailed step by step tasks
that should be performed to achieve a
certain goal
• How to install operating systems,
configure security mechanisms, implement
access control list
Network security policy:
best practices
Ref: document ID 13601
www.cisco.com
Process
• Preparation
– Create usage policy statement
– Conduct a risk analysis
– Establish a security team structure
• Prevention
– Approving security changes
– Monitoring security of your network
• Response
– Security violation
– Restoration
– Review
Preparation: Create usage policy
statement (1)
• Outline user’s roles and responsibilities with
regard to security
• General policy : cover all network system and
data within your company, by providing :
– Understanding of the security policy, its purpose
– Guidelines for improving their security practices
– Definitions of their security responsibilities
– Identify specific action that could result in
punitive
Preparation: Create usage policy
statement (2)
• Partner acceptable use statement : it provides
– Partner with an understanding of the information
that is available to them
– The expected disposition of that information
– The conduct of the employee of your company
– Clearly explain any specific acts that have been
identified as security attacks and the punitive
action
Preparation: Create usage policy
statement (3)
• Administrator acceptable use statement: to explain
– The procedures for user account administration
– Policy enforcement
– Privilege review
• It should be clearly presented specific policies
•
concerning user passwords and handling data
Check the policy with the partner acceptable use and
user acceptable use statement to ensure uniformity
• Make sure that admin requirement listed in policy are
reflected in training plan and performance evaluation
Preparation: Conduct a risk
analysis (1)
• A risk analysis should identify the risk to
– Network , resources and data
• To identify portion of your network, assign a threat
•
rating to each portion and apply appropriate level
of security
Each network resources can be assigned as 3 risk
level
– Low risk:
• system or data that if compromised would not disrupt the
business or cause legal or financial ramification, not provide
further access to other system
• The targeted system or data can be easily restored
Preparation: Conduct a risk analysis
(2)
– Medium risk
• system or data that if compromised would cause a
moderate disruption in the business or minor legal
or financial ramification, provide further access to
other system
• The targeted system or data requires a moderate
effort to restore
• The restoration process is disruptive to the system
Preparation: Conduct a risk
analysis (3)
– High risk
• system or data that if compromised would cause an
extreme disruption in the business or major legal or
financial ramification,
• Threaten the health and safety of a person
• provide further access to other system
• The targeted system or data requires a significant effort
to restore
• The restoration process is disruptive to the business or
the other systems
Preparation: Conduct a risk
analysis (3)
• Identify the type of users as 5 most common
types:
– Administrators : internal users responsible for
network resources
– Privileged: internal users with a need for greater
access
– Users: internal users with a general access
– Partners: external users with a need to access
some resources
– Others: external users or customer
Preparation: Establish team
structure
• Create a cross functional security led by a Security
•
Manager with participants from each of your
company’s operational area
The security team has 3 areas of responsibilities
– Policy development : establishing and reviewing security
policies for the company
– Practice: conduct the risk analysis, the approval of security
change requests, review security alerts from both vendor
and the CERT (Community Emergency Response Team)
and turn the policy to implementations
– Response: to do the troubleshooting and fixing of such a
violation, each team member should know in detail the
security features provided by the equipment
Prevention: Approving security
changes (1)
• Recommendation on reviewing the following
types of changes:
– Any changes to the firewall configuration
– Any change to access control list (ACL)
– Any change to Simple Network Management
Protocol (SNMP) configuration
– Any change or update in software that differs from
the approved software revision level list
Prevention: Approving security
changes (2)
• Recommended guidelines
– Change passwords to network devices on a routine
basis
– Restrict access to network devices to an approved
list of personnel
– Ensure that the current software revision levels of
network equipment and server environments are
in compliance with the security configuration
requirement
Prevention: Monitoring security
of your network (1)
• Similar to network monitoring except it focuses on
•
detecting changes in the network that indicating a
security violation
In the Risk analysis matrix
– the firewall is considered as high risk network device –
monitor it in real time
• From the Approving security changes
– Any changes to the firewall should be monitored
– It means SNMP agent should monitor such things as
failed login attempts, unusual traffic, changes to the
firewall, access granted to the firewall and connection set
up through the firewall
Prevention: Monitoring security
of your network (2)
• Following this example, create a monitoring
policy for each area identified in your risk
analysis
– Low-risk equipment : monitoring weekly
– Medium-risk equipment : monitoring daily
– High-risk equipment : monitoring hourly
• Lastly, security policy should address how to
notify the security team of security violations
such as email, SMS
Response:
Security violation (1)
• First action after detection of an intrusion is the
notification of the security team
– Define a procedure in security policy that is available 24
hours a day, 7 days a week
• Next define the level of the authority given to the
security team to make changes, possible corrective
actions are
– Implementing changes to prevent further access to the
violation
– Isolating the violated systems
– Contacting the carrier or ISP in an attempt to trace the
attack
Response:
Security violation (2)
– Using recording devices to gather evidence
– Disconnecting violated systems or the source of
the violation
– Contacting the police or other government
agencies
– Shutting down violated system
– Restoring system according to a prioritized list
– Notify internal managerial and legal personnel
Response:
Security violation (3)
• Lastly, collecting and maintaining information during
security attack
– To determine the extent to which systems have been
compromised
– To prosecute external violations
• To determine the extent of the violation
– Record the event by obtaining sniffer traces of the
network, copies of log files, active user accounts and
network connections
– Limit further compromise by disabling account,
disconnecting the network equipment from the network
and disconnecting from the internet
Response:
Security violation (4)
– Back up the compromised system to aid in a
detailed analysis of the damage and method of
attack
– Look for other signs of compromise.
• Often when system is compromised there are other
systems or accounts involved
– Maintain and review security device log files and
network monitoring log files and the often
provide clues to the method of attack
Response: Restoration
• Define in the security policy how to conduct
secure and make available normal backup
• As each system has its own means and
procedures for backing up the security policy
should act as a meta-policy
– detailing for each system security condition that
require restoration from backup
• If approval is required before restoration can
be done include the process for obtaining
approval as well
Response: Review (1)
• It is the final effort in creating and maintaining
a security policy
• 3 things to be reviewed
– Policy / Posture / Practice
• Security policy should be a living document
– Reviewing against known best practices
– Check the CERT website for useful tips, practices
security improvement and alert
Response: Review (2)
• Review network posture in comparison with
the desired security posture
– Outside firm that specializes in security can
attempt to penetrate the network and test not
only the posture of the network but the security
response of organization as well
– For high-availability networks, recommend
conducting such a test annually
Response: Review (3)
• Finally, practice is defined as a test of the
support staff to insure that they have clear
understanding of what to do during a
security violation
– Often the test is unannounced and done
conjunction with the network posture test
– It show the gaps in procedure and training of
personnel so that corrective action can be
taken