Transcript Chapter 3

Guide to Network Defense and Countermeasures
Chapter 3 - Risk Analysis and Security Policy Design

Chapter objectives:
- Get started with basic concepts of risk analysis
- Decide how to minimize risk in your own network
- Explain what makes an effective security policy
- Formulate a network security policy
- Perform ongoing risk analysis
Getting Started with Risk Analysis

The consensus among security professionals is that there is no zero-risk situation.
- The first task when formulating a security policy is to assess the risk faced by employees, the network, and corporate databases
- The goal is not to reduce risk to zero, but to devise ways to manage that risk in a reasonable fashion
- Because threats change all the time along with technology, determining risks and developing a security policy to manage them is an ongoing process rather than a one-time operation
Getting Started with Risk Analysis

Risk analysis is the study of how great the possibility of loss is in a particular situation.
The six concepts that go into creating a risk analysis are:
1. Assets, which are physical (equipment and buildings), data-related (employee and customer records), application software, and personal assets
2. Threats, which are events that can happen, such as weather-related disasters, hacker access, power-related issues, and crime-related risks
Getting Started with Risk Analysis

Six concepts of risk analysis (cont.):
3. Probabilities describe how likely it is that a threat will occur, and depend on geographic, physical, habitual, or other factors; it is a good idea to rank the biggest threats to your organization, with their probabilities described as negligible, very low, low, medium, high, very high, or extreme
4. Vulnerabilities are weaknesses or conditions that a threat can exploit, and that therefore increase risk; a key example is connecting computers to the Internet
Getting Started with Risk Analysis

Six concepts of risk analysis (cont.):
5. Consequences are what happens when a threat is realized: a virus that forces the organization to take its Web site offline for a week, or a fire that destroys computer equipment. Once consequences are identified, each threat's probability rating can be extended with a rating of the significance of its impact. The consequences of getting a system back online after an attack also include cost impact, insurance claims, police reports, shipping or delivery disruption, and the time and effort needed to restore systems to their pre-attack state; ROI calculators can help quantify these items
Getting Started with Risk Analysis

Six concepts of risk analysis (cont.):
6. Safeguards are measures you can take to reduce threats, such as installing firewalls and intrusion detection systems, locking doors, and using passwords and/or encryption. All assets carry an inherent amount of risk; threats and vulnerabilities make that risk larger, whereas countermeasures reduce it. Residual risk is what is left over after countermeasures and defenses are implemented; it never actually reaches zero
Getting Started with Risk Analysis

When the six concepts of risk analysis are addressed and codified, the building blocks are in place to prepare the risk analysis.
- Different types of risk analysis are used to create a security policy and to evaluate how well the policy is performing (so that it can be improved)
- The ultimate goal is not to reduce the risks to zero, but to manage the risk at reasonable levels
- The two most common approaches to risk analysis are Survivable Network Analysis (SNA) and Threat and Risk Assessment (TRA)
Getting Started with Risk Analysis

Survivable Network Analysis (SNA) is a security process developed by the CERT Coordination Center (CERT/CC) at Carnegie Mellon University's Software Engineering Institute.
- SNA starts with the assumption that a computer system will be attacked; it leads you through a four-step process designed to ensure the survivability of a network should an attack occur
- Survivability focuses on the essential services/assets and the critical capabilities of a system; it also depends on resistance (to attack), recognition (of attacks and the damage they cause), and recovery (of essential services)
Getting Started with Risk Analysis

The steps involved in SNA are:
1. System definition, a high-level overview of the organizational requirements of the system
2. Essential capability definition, the identification of the essential services and assets of the system
3. Compromisable capability definition, determined by designing scenarios in which intrusions occur and then tracing each intrusion through the system
4. Survivability analysis, where points of fault (components that are both essential and compromisable) are identified, along with recommendations for correction and for improving resistance, recognition, and recovery
Getting Started with Risk Analysis

Threat and Risk Assessment (TRA):
- TRA approaches risk analysis from the standpoint of the threats and risks that confront an organization's assets and the consequences of those threats and risks should they occur; like SNA, TRA leads you through a four-step process of analysis
- TRA is carried out in different ways by different security organizations around the world, and a variety of rating systems are offered
Getting Started with Risk Analysis

The steps involved in TRA are:
1. Asset definition, where you identify the software, hardware, and information you need to defend
2. Threat assessment, where you identify the kinds of threats that place each asset at risk, including vandalism, fire, natural disasters, and Internet attacks
3. Risk assessment, the evaluation of each asset with respect to existing safeguards, the severity of the threats and risks, and the consequences of the threat or risk actually taking place
4. Recommendations to reduce risk
Getting Started with Risk Analysis

Risk analysis is a group of related activities that typically take the following sequence:
- Initial tiger team sessions: hold meetings and conduct interviews with stakeholders to collect pertinent information and review scope
- Asset valuation: identify the assets to protect and determine their value, with input from managers
- Evaluating vulnerability: investigate the level of threat and vulnerability in relation to asset value
- Calculate risk: assign numeric values to security issues, from low-level through very high
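The following Python is an added worked example, not code from the textbook: it turns the six risk-analysis concepts (assets, threats, probabilities, vulnerabilities, consequences, safeguards) and the "calculate risk" step into a small risk register that scores each asset/threat pair, applies safeguards, reports residual risk, and ranks the result. The numeric value behind each probability label, the 1-10 impact scale, the reduction factor of every safeguard, and the sample assets in build_sample_register() are all assumptions chosen for illustration.

```python
"""Added example (not from the textbook): a small risk register that turns the
six risk-analysis concepts (assets, threats, probabilities, vulnerabilities,
consequences, safeguards) into numbers so the "calculate risk" step can rank
security issues and show residual risk after safeguards.

Assumptions for illustration: the numeric value behind each probability
label, the 1-10 impact scale, every safeguard's reduction factor, and the
sample assets in build_sample_register().
"""
from dataclasses import dataclass, field

# Probability labels from the chapter, mapped to an assumed yearly likelihood.
PROBABILITY = {
    "negligible": 0.01, "very low": 0.05, "low": 0.1, "medium": 0.3,
    "high": 0.5, "very high": 0.7, "extreme": 0.9,
}
# Consequence (impact) rating, on the same 1-10 scale the chapter suggests for ranking assets.
IMPACT = {"minor": 2, "moderate": 5, "major": 8, "severe": 10}


@dataclass
class Safeguard:
    """A countermeasure that shrinks likelihood and/or impact by a factor in (0, 1]."""
    name: str
    probability_factor: float = 1.0   # 0.5 halves the likelihood
    impact_factor: float = 1.0        # 0.5 halves the consequence

    def __post_init__(self):
        for f in (self.probability_factor, self.impact_factor):
            if not 0.0 < f <= 1.0:
                # A factor of 0 would claim the risk is gone; the chapter says it never is.
                raise ValueError(f"{self.name}: reduction factors must be in (0, 1]")


@dataclass
class RiskItem:
    asset: str
    asset_value: int            # 1-10 importance ranking from the asset inventory
    threat: str
    vulnerability: str          # the condition that lets the threat reach the asset
    probability: str            # key into PROBABILITY
    impact: str                 # key into IMPACT
    safeguards: list = field(default_factory=list)

    def inherent_risk(self) -> float:
        """Risk before any safeguard: asset value x likelihood x impact."""
        return self.asset_value * PROBABILITY[self.probability] * IMPACT[self.impact]

    def residual_risk(self) -> float:
        """What is left after every safeguard has applied its reduction."""
        p = PROBABILITY[self.probability]
        i = IMPACT[self.impact]
        for s in self.safeguards:
            p *= s.probability_factor
            i *= s.impact_factor
        return self.asset_value * p * i


def risk_level(score: float) -> str:
    """Map a numeric score (maximum 10 x 0.9 x 10 = 90) back to qualitative bands."""
    if score < 5:
        return "low"
    if score < 20:
        return "medium"
    if score < 50:
        return "high"
    return "very high"


def rank(items):
    """Highest residual risk first: the order in which to spend security effort."""
    return sorted(items, key=lambda r: r.residual_risk(), reverse=True)


def build_sample_register():
    """Constructed sample data, not figures from the chapter."""
    firewall = Safeguard("perimeter firewall", probability_factor=0.4)
    isolate = Safeguard("database isolated from the Internet", probability_factor=0.3)
    antivirus = Safeguard("antivirus on Web server", probability_factor=0.5)
    backups = Safeguard("nightly backups", impact_factor=0.5)
    suppression = Safeguard("fire suppression", impact_factor=0.5)
    return [
        RiskItem("Customer database", 10, "Internet attack on database server",
                 "database reachable from the Internet", "high", "severe",
                 [firewall, isolate]),
        RiskItem("Public Web server", 7, "virus takes Web site offline for a week",
                 "unpatched Web server software", "medium", "major",
                 [antivirus, backups]),
        RiskItem("Server room equipment", 8, "fire destroys computer equipment",
                 "no fire suppression in server room", "very low", "severe",
                 [suppression]),
        RiskItem("Sales workstation", 3, "theft of workstation",
                 "unlocked office", "low", "moderate"),
    ]


if __name__ == "__main__":
    for item in rank(build_sample_register()):
        print(f"{item.asset:24s} inherent={item.inherent_risk():5.1f} "
              f"residual={item.residual_risk():5.1f} ({risk_level(item.residual_risk())})")
```

Two design points matter more than the particular numbers. Safeguards multiply rather than subtract, so stacking countermeasures can never drive a score to zero or below, which keeps the "residual risk is never zero" rule literal. And the ranking is done on residual rather than inherent risk: the customer database still tops the list after its safeguards, but its band drops from "very high" to "medium", which is exactly the information a reassessment needs when deciding where the next safeguard goes.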
Getting Started with Risk Analysis

Risk analysis is not a one-time activity used solely to create a security policy.
- Risk analysis evolves to take into account the changing size and activities of an organization, the progression to larger and more complex computer systems, and new threats from both inside and outside the corporate network
- The initial risk analysis is used to formulate a security policy, which is then enforced and monitored; new threats and intrusion attempts trigger a reassessment of the risks faced
Getting Started with Risk Analysis

An important part of risk analysis is preparing estimates of the financial impact of losses.
- There are a number of different models for estimating the impact; software is often used to help prepare reports that substantiate estimates and provide charts and graphs to support the figures
- Project Risk Analysis by Katmar Software gives an excellent structure with which to list organizational assets, and it allows cost estimates to be built from low, likely, and high cost figures for each item using a variety of statistical models
Deciding How to Minimize Risk

Risk management is the process of identifying, choosing, and setting up countermeasures justified by identified risks.
- The countermeasures described in this process become the statements that go into the security policy
- The risk management issues that need to be considered are: how to secure physical resources (hardware); how to secure network information and databases; how to conduct routine analysis; how to respond to security incidents when they occur
Deciding How to Minimize Risk

Deciding how to secure hardware:
- Consider obvious physical protection, such as environmental controls and locking up hardware
- List all servers, routers, cables, workstations, printers, and all other pieces of hardware; make a topology map that shows device connections, along with an IP allocation register
- Rank resources in order of importance so that security efforts focus first on the most critical resources; the rank can be any number, but a scale of 1 to 10 is suggested
Deciding How to Minimize Risk

Deciding how to secure information:
- Information needs to be protected; the logical assets of a company include documents, spreadsheets, Web pages, email, log files, personnel data, customer data, and financial data
- One means of protecting customer and employee information is to isolate it from the Internet so that hackers cannot reach it
- Other protection mechanisms are data encryption, message filtering, data encapsulation, redundancy, and systematic data backups
Deciding How to Minimize Risk

Deciding how to secure information (cont.):
- Corporate information that is confidential, proprietary, or private must also be protected
- The security policy must cover the corporate information that employees handle and minimize the associated risks by specifying measures such as: never leave laptops or handheld devices unattended; always password-protect corporate information; encrypt all financial data; password-protect all job records and customer information; restrict personnel information to HR staff and/or upper management. Note that a login password alone does not protect the data on a lost or stolen device; the files themselves must be encrypted
Deciding How to Minimize Risk

Deciding how to conduct routine analysis:
- Risk analysis must be done on a routine basis and starts with the following questions: How often will risk analysis be performed? Who will perform it? Do all hardware and software resources need to be reviewed every time?
- The calculations and evaluations associated with risk analysis require subjective assessments of how much a resource is worth and how valuable it is; because of these issues and the often complex nature of the calculations involved, risk analysis software helps remove potential roadblocks
Deciding How to Minimize Risk

Deciding how to handle security incidents:
- Use the security policy to define how to respond to security break-ins; if a break-in report form is required, consider using one of the published forms on the Federal Agency Security Practices (FASP) Web site of the National Institute of Standards and Technology (NIST)
- Address the incident response section of the security policy by describing the need for careful and expeditious handling of an intrusion; include the types of intrusion indicators to watch for, such as IDS alarms, repeated unsuccessful logins, unexplained new user accounts and files, and unexplained system issues
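The policy tells staff what to look out for; the following Python is an added example (not code from the textbook) of turning two of those indicators, repeated unsuccessful logins and unexplained new user accounts, into detection logic run over log lines, with each alert tagged with a severity that an escalation chain could key on. The log lines in SAMPLE_LOG are constructed in Linux syslog/sshd/useradd style; the host name, the addresses (RFC 5737 documentation ranges), the user names, the approved-account list, the thresholds, and the severity labels are all assumptions for illustration.

```python
"""Added example (not from the textbook): detection logic for two of the
intrusion indicators the incident-handling section tells staff to watch for,
repeated unsuccessful logins and unexplained new user accounts, run over log
lines and tagged with a severity that an escalation chain could key on.

The log lines in SAMPLE_LOG are constructed in Linux syslog/sshd/useradd
style; the host name, the addresses (RFC 5737 documentation ranges), the user
names, the approved-account list, the thresholds and the severity labels are
all assumptions for illustration.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

SAMPLE_LOG = """\
Mar 14 02:11:01 fileserver sshd[2210]: Failed password for invalid user admin from 203.0.113.5 port 40122 ssh2
Mar 14 02:11:03 fileserver sshd[2211]: Failed password for invalid user admin from 203.0.113.5 port 40123 ssh2
Mar 14 02:11:04 fileserver sshd[2212]: Failed password for root from 203.0.113.5 port 40124 ssh2
Mar 14 02:11:06 fileserver sshd[2213]: Failed password for root from 203.0.113.5 port 40125 ssh2
Mar 14 02:11:09 fileserver sshd[2214]: Failed password for root from 203.0.113.5 port 40126 ssh2
Mar 14 02:11:12 fileserver sshd[2214]: Accepted password for root from 203.0.113.5 port 40126 ssh2
Mar 14 02:12:40 fileserver useradd[2290]: new user: name=backup2, UID=1001, GID=1001, home=/home/backup2, shell=/bin/bash
Mar 14 08:30:15 fileserver sshd[3105]: Failed password for alice from 198.51.100.20 port 51000 ssh2
Mar 14 08:30:40 fileserver sshd[3106]: Accepted password for alice from 198.51.100.20 port 51001 ssh2
Mar 14 09:00:00 fileserver useradd[3200]: new user: name=jsmith, UID=1002, GID=1002, home=/home/jsmith, shell=/bin/bash
"""

APPROVED_NEW_ACCOUNTS = {"jsmith"}      # accounts created through the change process (assumed)
FAILED_LOGIN_THRESHOLD = 5              # this many failures from one source ...
WINDOW_SECONDS = 60                     # ... inside this sliding window raises an alert
SEVERITY = {                            # assumed mapping for the escalation chain
    "repeated_failed_logins": "medium",
    "success_after_failures": "high",   # the guessing may have worked
    "unexplained_new_account": "high",
}

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[\w.-]+)\[\d+\]: (?P<msg>.*)$")
FAILED_RE = re.compile(r"^Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+")
ACCEPTED_RE = re.compile(r"^Accepted \S+ for (?P<user>\S+) from (?P<ip>\S+) port \d+")
USERADD_RE = re.compile(r"^new user: name=(?P<user>[^,]+),")


def parse_ts(ts: str, year: int = 2024) -> datetime:
    """Syslog timestamps carry no year; assume one so intervals can be measured."""
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")


def _alert(kind: str, subject: str, detail: str) -> dict:
    return {"type": kind, "subject": subject, "detail": detail, "severity": SEVERITY[kind]}


def analyze(log_text: str):
    """Return a list of alert dicts, in the order the triggering lines were seen."""
    alerts = []
    recent_failures = defaultdict(deque)   # source IP -> failure timestamps inside the window
    flagged_sources = set()                # IPs already reported for repeated failures
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                       # not a syslog-style line; ignore it
        ts, msg = parse_ts(m["ts"]), m["msg"]

        f = FAILED_RE.match(msg)
        if f:
            window = recent_failures[f["ip"]]
            window.append(ts)
            while window and (ts - window[0]).total_seconds() > WINDOW_SECONDS:
                window.popleft()           # drop failures older than the window
            if len(window) >= FAILED_LOGIN_THRESHOLD and f["ip"] not in flagged_sources:
                flagged_sources.add(f["ip"])
                alerts.append(_alert("repeated_failed_logins", f["ip"],
                                     f"{len(window)} failed logins within {WINDOW_SECONDS}s"))
            continue

        a = ACCEPTED_RE.match(msg)
        if a and a["ip"] in flagged_sources:
            alerts.append(_alert("success_after_failures", a["ip"],
                                 f"successful login as {a['user']} after repeated failures"))
            continue

        u = USERADD_RE.match(msg)
        if u and u["user"] not in APPROVED_NEW_ACCOUNTS:
            alerts.append(_alert("unexplained_new_account", u["user"],
                                 "account created outside the change process"))
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(f"[{alert['severity']:6s}] {alert['type']}: {alert['subject']} - {alert['detail']}")
```

The sliding window is what separates a brute-force attempt from an ordinary user mistyping a password once (alice never crosses the threshold), and the "success after failures" rule is the one a responder most wants: a successful login from a source that was just guessing is worth a higher severity than the guessing itself. The new-account check is only as good as the approved list, which is why the chapter ties incident handling to a change process the policy documents.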
Deciding How to Minimize Risk

Handling security incidents (cont.):
- If an incident occurs, the security policy should spell out exactly which security staff need to be notified, and where they should assemble
- It is common for an organization to designate a Security Incident Response Team (SIRT), a group of employees designated to take countermeasures when an incident is reported
- Typically, the SIRT contains IT operations and technical support staff, IT application staff, a chief security officer, and other security specialists
Deciding How to Minimize Risk

Describing escalation procedures:
- Escalation procedures are sets of responsibilities, roles, and measures taken to respond to incidents
- To determine how a response may escalate, come up with a system for ranking the severity of an incident; each ranking can be mapped to an escalation chain, a hierarchy of staff members who need to be involved in responding to incidents and making decisions
- To help determine the value of a resource at risk, develop worst-case scenarios that describe the worst possible threat consequences
What Makes a Good Security Policy?

A good security policy is comprehensive and flexible; it is often a group of documents, each with its own specific emphasis.
- The information gathered during the risk analysis phase should go into the security policy, along with a list of the policy goals and a statement of the importance of employees reading and following its guidelines
- This starts an ongoing security cycle that follows the sequence: policy design; implementation; ongoing monitoring; and reassessment
What Makes a Good Security Policy?

Good security policies (cont.):
- The cornerstone of a good policy is the Acceptable Use Policy, which spells out how employees may use organizational resources
- Security policies identify the most important corporate security priorities for managers
- Security policies help administrators by specifying employee security tasks; the Privileged Access Policy covers administrators' network access and use
- Once a policy is in effect, it must be determined how often additional risk analysis should be done
Formulating a Security Policy

The steps involved in creating a policy:
1. Call for the assembly of a group that will meet to formulate the security policy
2. Determine the approach: restrictive or permissive
3. Identify the assets to be protected
4. Determine which network communications to audit and the frequency of review
5. List the security risks that need to be addressed
6. Define acceptable uses of resources and passwords
7. Create the security policy
Formulating a Security Policy

Categories of security policies:
- Acceptable Use defines acceptable, as well as unacceptable, use of organizational resources; it is usually listed first in a security policy because it affects the largest number of employees
- User Account specifically spells out the use of user (employee, contractor, supplier) accounts
- Remote Access spells out exactly what security measures need to be present on remote desktops before users can connect to the corporate network
Formulating a Security Policy

Categories of security policies (cont.):
- Password Protection states password particulars such as minimum length and character types, the number of incorrect login attempts allowed before lockout, and the administrator's ability to audit password strength
- Internet Use covers how employees can access and use the Internet, including e-mail use, software downloads, Web site access, and privacy
- Local Area Network defines and establishes responsibilities for the protection of data that is processed, stored, and transmitted on the LAN
Performing Ongoing Risk Analysis

When performing the routine reassessment of the company and asset risks, consider:
- How frequently risk analysis should be performed as a routine timeframe, and the conditions that warrant a new analysis
- Working with management regarding their approach to determining the costs associated with security and how these costs affect company ROI
- Dealing with the security policy approval process, which can take several weeks to several months
Performing Ongoing Risk Analysis

Performing routine reassessment (cont.):
- The process of amending the security policy; in particular, informing those affected (security policy team, management, employees) of changes to the organization's security configuration
- Responding to security incidents as indicated in the policy's Incident Handling and Escalation Procedures; incident handling defines what to look out for and to what level to escalate; escalation describes how to increase the corporate state of readiness (who responds and in what timeframe) when a threat arises
Performing Ongoing Risk Analysis

Performing routine reassessment (cont.):
- Updating the security policy based on security incidents reported as a result of ongoing security monitoring, and on any new risks the company faces
- The ultimate goal of changing the security policy is to change employee habits so that they behave more responsibly; better protection results in fewer intrusions and disputes and ultimately lets a company focus on its primary mission
Chapter Summary

Risk analysis is key to formulating one of the most essential elements of a corporate network defense configuration: a security policy. Risks need to be calculated and security policies amended on an ongoing basis as the network configuration evolves.
Chapter Summary

Risk analysis covers hardware, software, and informational assets, the threats to them, and the likelihood that those threats occur. Vulnerabilities are described, as well as the related consequences. The first task is to assess network and user levels of risk. Risk analysis should be performed before and after the creation of a security policy, and its goal is to manage risk at reasonable levels on an ongoing basis.
Chapter Summary

Begin by assessing network threats, such as hackers, power outages, and environmental disasters, and determine their probabilities. Use the assembled data to perform a risk analysis with an approach such as SNA or TRA; the risk analysis describes the level of risk faced by each organizational asset, as well as the economic impact if it is lost or damaged. After assessing the level of asset risk, determine the countermeasures that will minimize it: decide how to secure the physical assets, the logical assets, databases, applications, and employee personal assets, and implement the safeguards that reduce the likelihood of each threat. Then come up with a plan for conducting risk analysis on a routine basis and a plan for handling security incidents.
Chapter Summary

Once the risk level of network assets has been determined, develop safeguards that can manage that risk. Determine ways to secure hardware assets, such as environmental controls, locks, or alarms. Laptop data can be protected through passwords and through file encryption. Logical assets such as word processing and other documents can be protected by backups and by isolation from the Internet. Corporate data can be protected by effective use of passwords. The countermeasures described form the basis of the security policy. In addition, risk analysis includes some provision for regular updates and recommends measures to be taken in case security incidents occur.
Chapter Summary

An effective network security policy should give management a way to express the overall security stance of the organization to all employees, and it protects management in case of legal disputes. A good security policy is based on risk assessment, covers acceptable use of system resources, sets priorities for the most critical resources that need to be protected, and specifies the use of network resources by administrators and security staff as well.
Chapter Summary

The actual security policy may not be a single long document; it is often comprised of multiple specific policies. The steps to create a policy are: forming a security policy group; determining the overall security approach; identifying the assets to protect; specifying auditing procedures; listing the security risks and acceptable uses; and writing the specific policies themselves, such as the User Account, Password Protection, and Internet Use policies. Finally, security policies should be updated regularly as intrusions or attempts occur, and to account for personnel changes and equipment acquisition.