Wednesday, September 23, 2009

Security Management Practices

Security Management includes risk management, information security policies, procedures, standards, guidelines, baselines, information classification, security organization, and security education.

Security Management Responsibilities: Who is in charge and why?
Analogy: Building a house
The Top-Down Approach to security is ideal. It means that the initiation, support, and direction come from top management and work their way down through middle management and then to staff members.

Bottom-Up Approach to security is the exact opposite. It refers to a situation in which the IT department tries to develop a security program without getting proper management support and direction.



Security Administration and Supporting Controls

  • Administrative controls - developing and publishing of policies, standards, procedures, and guidelines; the screening of personnel; training and implementing change control procedures.
  • Technical controls (logical controls) - implementing and maintaining access control mechanisms, password and resource management, identification and authentication methods, security devices and configuration of infrastructure.
  • Physical controls - controlling individual access into a facility, locking systems, removing unnecessary drives from computers, etc.
Fundamental Principles of security

The main three principles in all programs are:

  1. Availability - "ensures reliability and timely access to data and resources to authorized individuals"
  2. Integrity - "upheld when the assurance of accuracy and reliability of information and systems is provided, and unauthorized modification is prevented."
  3. Confidentiality - "ensures that the necessary level of secrecy is enforced at each junction of data processing and prevents unauthorized disclosure."
Terms
Shoulder surfing - when a person looks over another person's shoulder and watches their keystrokes or views data as it appears on the screen.
Social engineering - when one person tricks another person into sharing confidential information by posing as someone authorized to have access to that information.

Security Definitions
A big part of this chapter is the vocabulary: vulnerability, risk, and exposure. These words are often used to mean the same thing; however, each is distinct, though related to the others.
A vulnerability is a software, hardware, or procedural weakness that may provide an attacker an open door into a computer or network.
A threat is any potential danger to information or systems.
A risk is the likelihood of a threat agent taking advantage of a vulnerability and the corresponding business impact.
An exposure is an instance of being exposed to losses from a threat agent.

ISO 17799 Domains
  • Information security policy for the organization
  • Creation of information security infrastructure
  • Asset classification and control
  • Personnel security
  • Physical and environmental security
  • Communications and operations management
  • Access control
  • System development and maintenance
  • Business continuity management
  • Compliance
The text goes into further detail about Information Risk Management: protecting against physical damage, human interaction, equipment malfunction, inside and outside attacks, misuse of data, loss of data, and application error. Risk analysis has four main goals:
  1. Identify assets and their values
  2. Identify vulnerabilities and threats
  3. Quantify the probability and business impact of these potential threats
  4. Provide an economic balance between the impact of the threat and the cost of the countermeasure
Risk analysis provides a cost/benefit comparison, which compares the annualized cost of safeguards to the potential cost of loss.
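An added worked example (not from the original notes) of that cost/benefit comparison using the standard quantitative risk analysis formulas, SLE = asset value × exposure factor and ALE = SLE × annualized rate of occurrence; the asset value, exposure factors, occurrence rates and safeguard costs below are constructed figures, and the safeguard names are hypothetical.

```python
from dataclasses import dataclass


@dataclass
class Safeguard:
    name: str
    annual_cost: float   # annualized cost to buy, run and maintain it
    residual_ef: float   # exposure factor (fraction of asset value lost per incident) once deployed
    residual_aro: float  # annualized rate of occurrence once deployed


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE = asset value * exposure factor: the loss from a single incident."""
    return asset_value * exposure_factor


def annualized_loss_expectancy(asset_value: float, exposure_factor: float, aro: float) -> float:
    """ALE = SLE * ARO: the expected loss per year from this threat."""
    return single_loss_expectancy(asset_value, exposure_factor) * aro


def safeguard_value(asset_value: float, ef: float, aro: float, sg: Safeguard) -> float:
    """Value of a safeguard = ALE before - ALE after - annual cost of the safeguard.
    Positive: it saves more than it costs. Negative: it costs more than it saves."""
    ale_before = annualized_loss_expectancy(asset_value, ef, aro)
    ale_after = annualized_loss_expectancy(asset_value, sg.residual_ef, sg.residual_aro)
    return ale_before - ale_after - sg.annual_cost


def rank_safeguards(asset_value, ef, aro, safeguards):
    """Return (name, value) pairs, best economic balance first (goal 4 of risk analysis)."""
    scored = [(sg.name, safeguard_value(asset_value, ef, aro, sg)) for sg in safeguards]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


# Constructed scenario (not from the notes): a customer database valued at $500,000,
# where one compromise wipes out 40% of that value (EF) about once every two years (ARO 0.5).
ASSET_VALUE = 500_000
EF = 0.4
ARO = 0.5
CANDIDATES = [
    Safeguard("encryption plus quarterly access review", 30_000, residual_ef=0.1, residual_aro=0.25),
    Safeguard("fully outsourced 24x7 monitoring", 120_000, residual_ef=0.05, residual_aro=0.1),
]

if __name__ == "__main__":
    print(f"SLE ${single_loss_expectancy(ASSET_VALUE, EF):,.0f}  ALE ${annualized_loss_expectancy(ASSET_VALUE, EF, ARO):,.0f}")
    for name, value in rank_safeguards(ASSET_VALUE, EF, ARO, CANDIDATES):
        print(f"{name}: ${value:,.0f} per year ({'worth it' if value > 0 else 'costs more than it saves'})")
```

With these figures the cheaper safeguard nets about $57,500 a year, while the expensive one reduces the loss further but still costs $22,500 a year more than it saves, which is exactly the economic balance goal 4 asks for.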
Quantitative vs. Qualitative Risk Analysis
Delphi Methods

Defining Policies, Standards, Baselines, Guidelines, and Procedures.
A security policy is an overall general statement produced by senior management that dictates what role security plays within the organization. Standards refer to mandatory activities, actions, rules, or regulations. A baseline can refer to a point in time that is used as a comparison for future changes or it can be defined as the minimum level of protection that is required. Guidelines are recommended actions and operational guides to users, IT staff, operations staff, and others when a specific standard does not apply. Procedures are detailed step-by-step tasks that should be performed to achieve a certain goal.

Private Business vs. Military Classifications
Commercial Business
  • Confidential
  • Private
  • Sensitive
  • Public
Military
  • Top Secret
  • Secret
  • Confidential
  • Sensitive but unclassified
  • Unclassified
Layers of Responsibility
Data Owner
Data Custodian
System Owner
Security Administrator
Security Analyst
Application Owner
Supervisor
Change Control Analyst
Data Analyst
Process Owner
Solution Provider
User
Product Line Manager


Security Trends

How Security Became an Issue

About 25 years ago the only computers were mainframes. They had closed environments with little threat of security breaches or vulnerabilities being exploited. Only a handful of people working in a "glass house" even knew how to operate the computer.
As networks were connected, it was done so only to accomplish specific tasks. As companies became more dependent on mainframes more functional applications were being developed. As PCs became more powerful, some jobs were given to the individual while all the large processing still took place on the mainframes.
It made no sense for each computer to hold information that was needed by all the other computers. As a result, servers were invented to hold the programs and data in a centralized location.
There were no barriers or protection from malicious users. Thus, information security was born.

Information Warfare
National:
Militaries used to train their soldiers only to shoot, fight in combat, and practice evasive maneuvers. Now they also need to know how to use the technological tools that power vehicles, weapons systems, and communication systems. Disrupting communication or listening in on classified conversations can lead to sure victory or imminent defeat.
For example, during the Persian Gulf War it was reported that hackers from the Netherlands penetrated American military sites and extracted information about the exact location of troops, weapons details, and the movement of American ships. They offered to sell it to Saddam Hussein. Luckily he rejected the offer, thinking it was a trick.

Corporate:
Organizations have trade secrets and other intellectual property. Several companies have had their databases attacked and lost their customers' personal information, including credit card numbers. Many companies are now insured in case of a natural disaster or a major security breach.

Government:
President Clinton, on July 15, 1996, approved the establishment of the President's Commission on Critical Infrastructure Protection (PCCIP). The role of this commission was to investigate attacks, how future attacks could be made, how they could affect the infrastructure, and to assess our vulnerabilities to such attacks.
In 2002 President Bush created the Office of Homeland Security. Departments of information technology and cybersecurity were included.


Internet and Web Activities
The internet was established so that universities and government organizations could communicate quickly and share information. As more and more sites connected to each other, the internet led to the development of the World Wide Web. The internet provides the hardware, platforms, and communication mechanisms, whereas the Web provides the software that sits on top of the internet.
With the introduction of HTML, companies started to utilize the internet and bring their services to the web. Attackers had easy access if databases were directly connected to web servers with no protection mechanisms. This led to the two-tier architecture, which consists of a server farm that sits behind a firewall and in front of the database.
The two-tier architecture is fine for environments that do not house very sensitive data, but for companies that hold bank or credit card information a three-tier system is far more secure. A three-tier architecture has a front-end server farm, middle servers running middleware software, and back-end databases, separated by two distinct and uniquely configured firewalls.

A Layered Approach: As advised by the text
  • Configure application, file, and registry access control lists (ACLs) to provide more granularity to users' and groups' file permissions
  • Configure the system default user rights (in a Windows environment) to give certain types of users certain types of rights
  • Consider the physical security of the environment and the computers, and apply restraints where required
  • Place users into groups that have implicit permissions necessary to perform their duties and no more
  • Draft and enforce a strict logon credential policy so that not all users are logging on as the same user
  • Implement monitoring and auditing of file access and actions to identify any suspicious activity.

Tuesday, September 1, 2009

(ISC)²

The International Information Systems Security Certification Consortium, Inc., or (ISC)2, is the organization through which one becomes a CISSP. Their website is http://www.isc2.org/

The credential requirements for becoming a CISSP are as follows, quoted directly from isc2.org.

The Certification That Inspires Utmost Confidence

If you plan to build a career in information security – one of today’s most visible professions – and if you have at least five full years of experience in information security, then the CISSP® credential should be your next career goal.

The CISSP was the first credential in the field of information security, accredited by the ANSI (American National Standards Institute) to ISO (International Standards Organization) Standard 17024:2003. CISSP certification is not only an objective measure of excellence, but a globally recognized standard of achievement.


Because I do not have the necessary five years of experience, I will aim to ultimately achieve the CISSP certification; however, in the meantime, (ISC)2 offers what is called an Associate of (ISC)2 credential, as described below.

The Associate of (ISC)² status is available to qualified candidates who:

  • Subscribe to the (ISC)² Code of Ethics
  • Pass the CISSP® or SSCP® certification exams based on the (ISC)² CBK®, our taxonomy of information security topics.

Information security is an immensely rewarding career with unlimited possibilities, with a career partner like (ISC)².