
Administering Security





Planning: prepare and study what will verify our implementation meets security needs of today and tomorrow.
Risk Analysis: cost/benefit analysis of controls.
Policy: establish a framework to verify security needs are met.
Physical Control: what aspects of the computing environment have an impact on security?


“ The system security plan should be viewed as documentation of the structured process of planning adequate, cost-effective security protection for a system. It should reflect input from various managers with responsibilities concerning the system, including information owners, the system operator, and the system security manager. Additional information may be included in the basic plan and the structure and format organized according to agency needs, so long as the major sections described in this document are adequately covered and readily identifiable ” (SANS).








Policy: the goal of the computer security.
Current State: describe current status.
Requirements: how to meet goals. legal, etc.
Recommended Controls: map controls to vulnerabilities identified.
Accountability: who is responsible
Timetable: due dates for tasks
Continuous Attention: keep it up to date.

Table 8-1 The Six “ Requirements ” of the TSEC
Security Policy There must be an explicit and well-defined security policy enforced by the system.
Identification Every subject must be uniquely and convincingly identified.
Identification is necessary so that subject/object access can be checked
Marking Every object must be associated with a label that indicates its security level. The association must be done so that the label is available for comparison each time an access to the object is required.
Accountability The system must maintain complete, secure records of actions that affect security. Such actions include introducing new users to the system, assigning or changing the security level of a subject or an object, and denying access attempts.
Assurance The computing system must contain mechanisms that enforce security, and it must be possible to evaluate the effectiveness of these mechanisms.
Continuous protection
The mechanisms that implement security must be protected against unauthorized change.

Figure 8-1 Inputs to the Security Plan.









Risk Assessment
Risk Categorization and Prioritization
Risk Mitigation
Resources Available
Planning
Implementation
Testing
Updates to plan
Live Chat 5 4/16/2020 7

Threat Description
Risk Assessment
Organization:
High
Probability
Medium Low
Date:
High
Impact
Medium Low
What are the risks?
What is the probability of occurring?
What is the impact if it happens?
4/16/2020 Live Chat 5 8





Assets: what are we trying to protect?
Threats and Vulnerabilities: potential harmful occurrences (power loss, hackers, virus, earthquake).
◦ Vulnerability: a weakness that allows a threat to cause harm.
Risk = Threat * Vulnerability.
Risk = Threat * Vulnerability * Impact($).

Consequences
EVENT:
Almost Certain
Likely
Possible
Unlikely
Rare
Insignificant Minor Moderate Major Catastrophic
H H E E E
M
L
L
L
H
M
L
L
H
H
M
M
E
E
H
H
E
E
E
H
E-Extreme
H-High
M-Medium
L-Low









Annualized Loss Expectancy (ALE):
◦ annual cost of a loss due to a risk. Help to mitigate risk.
Asset Value (AV): value of asset you are protecting
Exposure Factor (EF): percentage of value an asset lost due to an incident.
Single Loss Expectancy(SLE): cost of a single loss. (AV x EF).
Annual Rate of Occurrence (ARE): number of losses per year.
Annualized Loss Expectancy: yearly cost due to a risk.
◦ SLE x ARO
Total Cost of Ownership (TCO): total cost of a mitigating safeguard.
Return On Investment (ROI): amount of $$$ saved by implementing a safeguard.





Accept: if low likelihood and low impact.
Mitigate: lower risk to acceptable level.
Transfer: buy insurance.
Avoid it: drop the project.

Figure 8-2 Vulnerabilities Suggested by
Attributes and Objects.

Figure 8-3 Vulnerabilities Enabling a Trojan Horse Attack .
Six attributes might enable a Trojan horse attack

Figure 8-4 Mapping Control Techniques to Vulnerabilities.
Example:Vulnerability E primarily controlled by Technique 2.

Figure 8-5 Matrix of Vulnerabilities and Controls.
Attributes leading to vulnerabilities on left, controls on top.

Figure 8-6 Valuation of Security Techniques.

Figure 8-7 Relevance of Certain Security Techniques to Roles and Attack Components.

Figure 8-8 Risk Calculation for Regression Testing.




Improve Awareness
◦ increase level of interest.
Relate Security Mission to Management
Objectives
◦ Security costs money.
◦ Need people to understand security balances harm and the costs of controls.
Identify Assets, Vulnerabilities & Controls.



Improve basis for decisions
◦ Risk analysis augments the manager ’ s judgment as a basis for the decision.
Justify Expenditures for Security
◦ Balance costs versus risks to identify the business case for a control.



False Sense of Precision and Confidence
◦ Uses empirical data to generate estimates of risk impact, risk probability and risk exposure.
Hard to Perform
◦ Assessment is subjective and time consuming.



Immutability
◦ Risk analysis is often quickly forgotten.
◦ Analysis must be a living document and not a one time event.
Lack of accuracy
◦ Hard to estimate risks.
◦ May be gaps due to our limited knowledge of the system.




Natural Disasters
◦ Earthquake, hurricane, flood, fire, storms, etc.
Environmental
◦ Electrical
 Brown/black outs, spikes, surges, sag, fault.
◦ HVAC, air conditioning, humidity controls.
◦ Electromagnetic Interference (EMI)
Theft
◦ Internal, external





◦ Certify emission free
◦ Enclose device or modify emanations.



◦ Ensure that business continues to operate before, during and after a disaster
◦ Ensure critical services can be delivered in the wake of a disruption and after it is over.





Short term plan for dealing with specific
IT oriented disruptions.
Tactical.
Mitigate the impact of a disaster.
◦ Recover critical IT systems.
Part of the Business Continuity Plan.





Redundant Site: exact production duplicate.
Hot $ite:
◦ fully configured site with all necessary hardware and critical applications.
Warm Site:
◦ Some aspects of hot site, rely on backup data to reconstitute systems after a disruption.
Cold Site (shell): alternative location.




Mobile Site: Datacenter in a box
Reciprocal Agreement
◦ Bi-directional agreement between two organizations to share space if a disaster occurs.
Backups
◦ Geographically distributed.
◦ Environmentally controlled.