CPSC 6126 Computer Security

Chapter 8 – Administering Security
• Security Planning
• Risk Analysis
• Security Policies
• Physical Security

Security Planning
• Policy
• Current state – risk analysis
• Requirements
• Recommended controls
• Accountability
• Timetable
• Continuing attention

Security Planning - Policy
• Who should be allowed access?
• To what system and organizational resources should access be allowed?
• What types of access should each user be allowed for each resource?

Security Planning - Policy
• What are the organization’s goals on security?
• Where does the responsibility for security lie?
• What is the organization’s commitment to security?

OCTAVE Methodology
http://www.cert.org/octave/
• Identify enterprise knowledge.
• Identify operational area knowledge.
• Identify staff knowledge.
• Establish security requirements.
• Map high-priority information assets to information infrastructure.
• Perform an infrastructure vulnerability evaluation.
• Conduct a multidimensional risk analysis.
• Develop a protection strategy.
Security Planning – Requirements of the TCSEC
• Security policy – there must be an explicit and well-defined security policy enforced by the system.
• Every subject must be uniquely and convincingly identified.
• Every object must be associated with a label that indicates its security level.
• The system must maintain complete, secure records of actions that affect security.
• The computing system must contain mechanisms that enforce security.
• The mechanisms that implement security must be protected against unauthorized change.
Security Planning Team Members
• Computer hardware group
• System administrators
• Systems programmers
• Application programmers
• Data entry personnel
• Physical security personnel
• Representative users

Security Planning
Assuring Commitment to a Security Plan
Business Continuity Plans
• Assess Business Impact
• Develop Strategy
• Develop Plan

Incident Response Plans
• Advance Planning
• Response Team
• After the Incident is Resolved
Risk Analysis
• Risk impact – loss associated with an event
• Risk probability – likelihood that the event will occur
• Risk control – degree to which we can change the outcome
• Risk exposure – risk impact * risk probability

Risk Analysis – risk reduction
• Avoid the risk
• Transfer the risk
• Assume the risk

Risk leverage = [(risk exposure before reduction) – (risk exposure after reduction)] / cost of risk reduction
• Cannot guarantee systems are risk free
• Security plans must address the action needed should an unexpected risk become a problem
Steps of a Risk Analysis
• Identify assets
• Determine vulnerabilities
• Estimate likelihood of exploitation
• Compute expected annual loss
• Survey applicable controls and their costs
• Project annual savings of control

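The exposure, expected annual loss and leverage arithmetic from the risk analysis slides above, carried through the steps of a risk analysis for a constructed asset list in Python. This is an added example, not part of the course material; every asset, threat, dollar figure and probability in it is made up.

```python
from dataclasses import dataclass

@dataclass
class Risk:
    asset: str
    threat: str
    impact: float       # loss per occurrence in dollars (constructed value)
    probability: float  # expected occurrences per year (constructed value)
    def exposure(self) -> float:
        # Risk exposure = risk impact * risk probability (the expected annual loss)
        return self.impact * self.probability

@dataclass
class Control:
    name: str
    cost: float             # annual cost of the control (constructed value)
    mitigates: str          # the threat this control reduces
    new_probability: float  # occurrences per year once the control is in place

def risk_leverage(before: float, after: float, cost: float) -> float:
    # Risk leverage = [(exposure before reduction) - (exposure after reduction)] / cost
    if cost <= 0:
        raise ValueError("cost of risk reduction must be positive")
    return (before - after) / cost

def evaluate_controls(risks: list[Risk], controls: list[Control]) -> dict[str, tuple[float, float]]:
    """Map each control to (projected annual savings net of its cost, risk leverage)."""
    results = {}
    for c in controls:
        affected = [r for r in risks if r.threat == c.mitigates]
        before = sum(r.exposure() for r in affected)
        after = sum(r.impact * c.new_probability for r in affected)
        results[c.name] = (before - after - c.cost, risk_leverage(before, after, c.cost))
    return results

def worthwhile(results: dict[str, tuple[float, float]]) -> list[str]:
    # Leverage above 1 means each dollar spent removes more than a dollar of exposure;
    # a control below that line is a candidate for "assume the risk" instead
    return [name for name, (_, lev) in results.items() if lev > 1]

RISKS = [  # constructed sample inventory, hypothetical figures only
    Risk("customer database", "disk failure", 50_000, 0.10),
    Risk("web server", "power loss", 20_000, 0.50),
    Risk("customer database", "power loss", 50_000, 0.50),
]
CONTROLS = [  # constructed candidate controls, hypothetical figures only
    Control("offsite backup", 2_000, "disk failure", 0.01),
    Control("UPS", 4_000, "power loss", 0.05),
    Control("second data center", 50_000, "power loss", 0.01),
]
```

Calling evaluate_controls(RISKS, CONTROLS) gives the offsite backup a leverage of 2.25 and the UPS 7.875, while the second data center reduces exposure by far more in dollars but at a leverage of 0.686, so it fails the cost/benefit test that the "Project Savings" step asks for.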
Identify Assets
• Hardware
• Software
• Data
• People
• Procedures (policies, training)
• Documentation
• Supplies
• Infrastructure (building, power, water, …)
Determine Vulnerabilities
Asset        Confidentiality   Integrity   Availability
Hardware
Software
Data
People
Procedures
Determine Vulnerabilities
• What are the effects of unintentional errors?
• What are the effects of willfully malicious insiders?
• What are the effects of outsiders?
• What are the effects of natural and physical disasters?
Risk Analysis

Estimate Likelihood of Exploitation
• Classical probability
• Frequency probability (simulation)
• Subjective probability (Delphi approach)

Compute Expected Loss (look for hidden costs)
• Legal obligations
• Side effects
• Psychological effects
Risk Analysis

Survey and Select New Controls
• What Criteria Are Used for Selecting Controls?
Vulnerability Assessment and Mitigation (VAM) Methodology
• How Do Controls Affect What They Control?
• Which Controls Are Best?

Project Savings
• Do the costs outweigh the benefits of preventing / mitigating risks?
Arguments for Risk Analysis
• Improve awareness
• Relate security mission to management objectives
• Identify assets, vulnerabilities, and controls
• Improve basis for decisions
• Justify expenditures for security

Arguments against Risk Analysis
• False sense of precision and confidence
• Hard to perform
• Immutability (filed and forgotten)
• Lack of accuracy

“Today’s complex Internet networks cannot be made watertight…. A system administrator has to get everything right all the time; a hacker only has to find one small hole. A sysadmin has to be lucky all of the time; a hacker only has to get lucky once. It is easier to destroy than to create.”
– Robert Graham, lead architect of Internet Security Systems
Organizational Security Policies
• Who can access which resources in what manner?
• Security policy – high-level management document that informs all users of the goals and constraints on using a system.

Security Policies Purpose
• Recognize sensitive information assets
• Clarify security responsibilities
• Promote awareness for existing employees
• Guide new employees

Security Policies Audience
• Users
• Owners
• Beneficiaries
• Balance Among All Parties

Contents
• Purpose
• Protected Resources (what – asset list)
• Nature of the Protection (who and how)

Characteristics of a Good Security Policy
• Coverage (comprehensive)
• Durability
• Realism
• Usefulness
• Examples

Physical Security

Natural Disasters
• Flood
• Fire
• Other

Power Loss
• UPS; surge suppressors (line conditioners)

Human Vandals
• Unauthorized Access and Use
• Theft
Physical Security

Interception of Sensitive Information
• Dumpster Diving
  – Shredding
• Remanence (slack bits)
  – Overwriting Magnetic Data
  – DiskWipe
  – Degaussing
• Emanation – Tempest
Contingency Planning

BACKUP!!!!!
• Complete backup
• Revolving backup
• Selective backup

OFFSITE BACKUP!!!!!
• Networked Storage (SAN)
• Cold site (shell)
• Hot site
