Security Risk Tracking, Planning, and Scheduling

Security Risk Management
Eduardo Rivadeneira
IT Pro
Microsoft Mexico
Session Prerequisites
Hands-on experience installing, configuring, administering, and planning the deployment of Windows 2000 Server or Windows Server 2003
Knowledge of Active Directory and Group Policy concepts
Level 200
Agenda
Day 1
 TechNet Communities Mexico
 Communities Training Mexico
 Essentials of Security Part 1
Day 2
 Essentials of Security Part 2
 Security Risk Management Part 1
Day 3
 Security Risk Management Part 2
 Questions and Answers
TechNet Communities Mexico
Day 1
Communities in Mexico
Online
 http://groups.msn.com/itpromexico
In person
DF Community (Mexico City)
 IT Pro Mexico
 Aida Lara
alora@hubbell.com.mx
 Victor Guadarrama Olivares
vmgo@mvps.org
 http://itpromexico.com.mx
Communities
Monterrey Community
 Carlos Alberto Morales
cmorales@madisa.com
 Astrid Rodríguez Garza
Vrodriguez@mail.risoul.com.mx
http://groups.msn.com/itpromonterrey
San Quintín, Baja California Community
 Genaro N. Lopez Norori gnlopez@hotmail.com
 http://groups.msn.com/ITproSanQuintin
Communities
Guadalajara Community
 Oscar T. Aceves Dávalos
 itan040@hotmail.com
 http://groups.msn.com/itprogdl
Coatzacoalcos Community
 Gabriel Castillo
 jcastillo@celanese.com.mx
 http://groups.msn.com/ITcoatzacoalcos
Communities
Tijuana
 Andree Ochoa
 andreeochoa@netscape.net
 http://groups.msn.com/itprotijuana
Puebla
 Jorge Garcia
 MasterFx@masterfx.net
 http://groups.msn.com/ITICOPuebla
Community Procedures
In-person events
1. Send the information for the next month's meetings: venue, date, time, event description, and event location
2. Confirm that the event has been registered at http://wwww.microsoft.com/mexico/eventos
3. All participants must register for the event via the Web and hand in their registration with the bar code on the day of the event
4. The instructor must collect the evaluations and registration sheets and deliver them to the area director
Essentials of Security
Day 1
Business Case
Business Case
Security Risk Management Discipline
Defense in Depth
Security Incident Response
Best Practices
10 Immutable Laws of Security
Impact of Security Breaches
 Loss of revenue
 Damage to reputation
 Damage to investor confidence
 Loss or compromise of data
 Damage to customer confidence
 Interruption of business processes
 Legal consequences
2003 CSI/FBI Survey
The cost of implementing security measures is not trivial; however, it is a fraction of the cost of mitigating security compromises.
Benefits of Investing in Security
Reduced downtime and costs associated with non-availability of systems and applications
Reduced labor costs associated with inefficient security update deployment
Reduced data loss due to viruses or information security breaches
Increased protection of intellectual property
Security Risk Management Discipline
Security Risk Management Discipline (SRMD)
Processes
Assessment
 Assess and valuate assets
 Identify security risks and threats
 Analyze and prioritize security risks
 Security risk tracking, planning, and scheduling
Development and Implementation
 Develop security remediation
 Test security remediation
 Capture security knowledge
Operation
 Reassess assets and security risks
 Stabilize and deploy new or changed countermeasures
Assessment: Assess and Valuate Assets
Asset Priorities (Scale of 1 to 10) – Example*
* For example purposes only – not prescriptive guidance
Assessment: Identify Security Risks and Threats – STRIDE
Types of threats, with examples:
Spoofing: forge e-mail messages; replay authentication packets
Tampering: alter data during transmission; change data in files
Repudiation: delete a critical file and deny it; purchase a product and later deny it
Information disclosure: expose information in error messages; expose code on Web sites
Denial of service: flood a network with SYN packets; flood a network with forged ICMP packets
Elevation of privilege: exploit buffer overruns to gain system privileges; obtain administrator privileges illegitimately
Assessment: Analyze and Prioritize Security Risks – DREAD
DREAD rates each threat on:
 Damage
 Reproducibility
 Exploitability
 Affected Users
 Discoverability
Risk Exposure = Asset Priority x Threat Rank
(Example worksheet shown on slide)
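The scoring step above is easier to see on a worked worksheet. The following PowerShell script is an added example, not part of the original deck: it rates a few of the deck's STRIDE threats with DREAD, computes Risk Exposure = Asset Priority x Threat Rank, and sorts the result into the order the action plans should follow. It assumes each DREAD factor is rated 1 to 10 and that Threat Rank is their average (the deck does not state its scale); the asset names, priorities, ratings, and the High/Medium/Low thresholds in Get-RiskBand are constructed sample values, not prescriptive guidance.

```powershell
# Added example (not from the original deck): DREAD worksheet that turns
# STRIDE threats into a prioritized risk list using
#   Risk Exposure = Asset Priority x Threat Rank
# Assumptions: each DREAD factor is rated 1-10 and Threat Rank is their
# average; asset priorities, ratings and band thresholds are constructed.

$DreadFactors = 'Damage', 'Reproducibility', 'Exploitability', 'AffectedUsers', 'Discoverability'

function Get-ThreatRank {
    # Threat Rank = average of the five DREAD ratings, rounded to one decimal.
    # Rejects a row that is missing a factor or uses an out-of-scale value,
    # so a half-filled worksheet cannot silently produce a low score.
    param([hashtable]$Dread)
    $sum = 0
    foreach ($factor in $DreadFactors) {
        $score = $Dread[$factor]
        if ($null -eq $score -or $score -lt 1 -or $score -gt 10) {
            throw "DREAD factor '$factor' is missing or outside the 1-10 scale"
        }
        $sum += $score
    }
    return [math]::Round($sum / $DreadFactors.Count, 1)
}

function Get-RiskBand {
    # Constructed triage thresholds (assumption) used to schedule the
    # detailed security action plans: High first, Low last.
    param([double]$Exposure)
    if ($Exposure -ge 60) { return 'High' }
    if ($Exposure -ge 40) { return 'Medium' }
    return 'Low'
}

# Constructed asset priorities on the deck's 1-10 scale.
$AssetPriority = @{
    'Payroll database'  = 10
    'Public Web server' = 7
    'Mail relay'        = 5
}

# Constructed worksheet rows: STRIDE category, example threat taken from the
# deck's STRIDE slide, affected asset, and the five DREAD ratings.
$Worksheet = @(
    @{ Category = 'Elevation of privilege'; Threat = 'Exploit buffer overrun to gain system privileges'
       Asset = 'Public Web server'
       Dread = @{ Damage = 9; Reproducibility = 8; Exploitability = 7; AffectedUsers = 8; Discoverability = 9 } }
    @{ Category = 'Tampering'; Threat = 'Change data in files'
       Asset = 'Payroll database'
       Dread = @{ Damage = 10; Reproducibility = 4; Exploitability = 3; AffectedUsers = 9; Discoverability = 4 } }
    @{ Category = 'Spoofing'; Threat = 'Forge e-mail messages'
       Asset = 'Mail relay'
       Dread = @{ Damage = 4; Reproducibility = 9; Exploitability = 8; AffectedUsers = 6; Discoverability = 8 } }
    @{ Category = 'Denial of service'; Threat = 'Flood a network with SYN packets'
       Asset = 'Public Web server'
       Dread = @{ Damage = 5; Reproducibility = 10; Exploitability = 9; AffectedUsers = 10; Discoverability = 10 } }
)

function Get-RankedRisks {
    # Score every worksheet row and return the rows highest exposure first.
    $rows = foreach ($row in $Worksheet) {
        if (-not $AssetPriority.ContainsKey($row.Asset)) {
            throw "No asset priority recorded for '$($row.Asset)'"
        }
        $rank     = Get-ThreatRank -Dread $row.Dread
        $exposure = $AssetPriority[$row.Asset] * $rank
        [pscustomobject]@{
            Band          = Get-RiskBand -Exposure $exposure
            RiskExposure  = $exposure
            AssetPriority = $AssetPriority[$row.Asset]
            ThreatRank    = $rank
            Category      = $row.Category
            Asset         = $row.Asset
            Threat        = $row.Threat
        }
    }
    return $rows | Sort-Object RiskExposure -Descending
}

Get-RankedRisks | Format-Table -AutoSize
```

With the sample values the SYN flood against the Web server (7 x 8.8 = 61.6) and the payroll tampering threat (10 x 6.0 = 60) land in the High band, the buffer overrun on the Web server (7 x 8.2 = 57.4) is Medium, and forged mail through the relay (5 x 7.0 = 35) is Low. Note how asset priority changes the outcome: the payroll threat has the lowest Threat Rank of the four yet still ranks near the top because the asset it touches is the most valuable, which is exactly the effect the multiplication is meant to capture.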
Assessment: Security Risk Tracking, Planning, and Scheduling
Example worksheets: Detailed Security Action Plans
Development and Implementation
Security Remediation Strategy
Detailed Security Action Plans cover:
 Configuration management
 Patch management
 System monitoring
 System auditing
 Operational policies
 Operational procedures
Remediations are tested in the testing lab before they reach the production environment, and the resulting knowledge is documented for future use.
Operation: Reassess Assets and Security Risks
Reassess risks when there is a significant change in assets, operation, or structure
Assess risks continually
(Diagram: production environment with Internet services, a new Web site introduced through the testing lab, and documented knowledge)
Operation: Stabilize and Deploy New or Changed Countermeasures
(Diagram: the system administration, security administration, and network administration teams deploy new or changed countermeasures into the production environment)
Defense in Depth
The Defense-in-Depth Model
Using a layered approach:
 Increases an attacker's risk of detection
 Reduces an attacker's chance of success
Layers, from innermost to outermost:
 Data: ACLs, encryption, EFS
 Application: application hardening, antivirus
 Host: OS hardening, authentication, patch management, HIDS
 Internal Network: network segments, IPSec, NIDS
 Perimeter: firewalls, Network Access Quarantine Control
 Physical Security: guards, locks, tracking devices
 Policies, Procedures, & Awareness: security documents, user education
Description of the Policies, Procedures, and Awareness Layer
(Cartoon: employees acting without policy guidance)
 "Hey, I need to configure a firewall. Which ports should I block?"
 "They have blocked my favorite Web site. Lucky I have a modem."
 "I think I will wedge the computer room door open. Much easier."
 "I think I will use my first name as a password."
Policies, Procedures, and Awareness Layer Compromise
(Cartoon: social-engineering replies to the same employees)
 "Say, I run a network too. How do you configure your firewalls?"
 "Hey, nice modem. What's the number of that line?"
 "Hi, do you know where the computer room is?"
 "I can never think of a good password. What do you use?"
Policies, Procedures, and Awareness Layer Protection
Employee security training helps users support the security policy
Description of the Physical Security Layer
All of the assets within an organization's IT infrastructure must be physically secured
Physical Security Layer Compromise
 View, change, or remove files
 Damage hardware
 Remove hardware
 Install malicious code
Physical Security Layer Protection
Lock doors and install alarms
Employ security personnel
Enforce access procedures
Monitor access
Limit data input devices
Use remote access tools to enhance security
Description of the Perimeter Layer
Network perimeters can include connections to:
 The Internet
 Branch offices
 Business partners
 Remote users
 Wireless networks
 Internet applications
(Diagram: main office LAN connected to the Internet, Internet services, a business partner LAN, a branch office, a remote user, and a wireless network)
Perimeter Layer Compromise
Network perimeter compromise may result in a successful:
 Attack on the corporate network
 Attack on remote users
 Attack from business partners
 Attack from a branch office
 Attack on Internet services
 Attack from the Internet
(Same diagram: main office LAN, Internet, Internet services, business partner LAN, branch office, remote user, wireless network)
Perimeter Layer Protection
Network perimeter protection includes:
 Firewalls
 Blocking communication ports
 Port and IP address translation
 Virtual private networks (VPNs)
 Tunneling protocols
 VPN quarantine
(Same diagram: main office LAN, Internet, Internet services, business partner LAN, branch office, remote user, wireless network)
Description of the Internal Network Layer
(Diagram: internal network with Sales, Marketing, Finance, and Human Resources segments plus a wireless network)
Internal Network Layer Compromise
 Unauthorized access to systems
 Unexpected communication ports
 Unauthorized access to wireless networks
 Sniff packets from the network
 Access all network traffic
Internal Network Layer Protection
Require mutual authentication
Segment the network
Encrypt network communications
Restrict traffic even when it is segmented
Sign network packets
Implement IPSec port filters to restrict traffic to servers
Demonstration 1: Configuring IPSec Port Filtering
Your instructor will demonstrate how to:
 Create and configure an IP Security policy that contains IPSec port filters that will be used to lock down unnecessary ports on an IIS server
 View IPSec port filter properties
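The demonstration is done in the IP Security Policy Management console; the same policy can be built from the command line with the netsh ipsec static context on Windows Server 2003. The script below is an added example and not the instructor's demo script. It assumes a Windows Server 2003 IIS server whose only role is to serve HTTP and HTTPS, that administrators reach it over Remote Desktop from a constructed management subnet 10.0.50.0/24, and that it is run in an elevated PowerShell session on that server (every policy, filter-list, action and rule name is invented here). It builds the classic "block everything, then permit the role's ports" policy that Demonstration 1 describes, assigns it, and then shows the resulting filter properties.

```powershell
# Added example (not the deck's demo script): lock down an IIS server with
# IPSec static port filters via netsh on Windows Server 2003.
# Assumptions: the server only needs TCP 80/443 from anywhere and RDP
# (TCP 3389) from the constructed admin subnet 10.0.50.0/24. Every name
# below is invented; names contain no spaces so the netsh arguments need
# no quoting when typed from PowerShell.

$policy = 'IISLockdown'

# 1. Policy container.
netsh ipsec static add policy name=$policy description=Block_all_but_web_and_admin

# 2. Filter list for the catch-all: every packet to or from this host, any
#    protocol. mirrored=yes makes the filter match both directions, so this
#    blocks unsolicited outbound traffic too (IPSec filters are stateless).
netsh ipsec static add filterlist name=AllTraffic
netsh ipsec static add filter filterlist=AllTraffic srcaddr=any dstaddr=me protocol=ANY mirrored=yes

# 3. Filter list for the role's ports. srcport=0 means "any source port".
netsh ipsec static add filterlist name=WebTraffic
netsh ipsec static add filter filterlist=WebTraffic srcaddr=any dstaddr=me protocol=TCP srcport=0 dstport=80 mirrored=yes
netsh ipsec static add filter filterlist=WebTraffic srcaddr=any dstaddr=me protocol=TCP srcport=0 dstport=443 mirrored=yes

# 4. Filter list for remote administration, restricted to the admin subnet.
#    Without a permit like this the catch-all block cuts off RDP as well.
netsh ipsec static add filterlist name=AdminTraffic
netsh ipsec static add filter filterlist=AdminTraffic srcaddr=10.0.50.0 srcmask=255.255.255.0 dstaddr=me protocol=TCP srcport=0 dstport=3389 mirrored=yes

# 5. Filter actions: plain block and plain permit (no IPSec negotiation).
netsh ipsec static add filteraction name=BlockAction action=block
netsh ipsec static add filteraction name=PermitAction action=permit

# 6. Rules tying lists to actions. IPSec evaluates the most specific
#    matching filter first, so the port-level permits win over the catch-all.
netsh ipsec static add rule name=BlockEverything policy=$policy filterlist=AllTraffic filteraction=BlockAction
netsh ipsec static add rule name=PermitWeb policy=$policy filterlist=WebTraffic filteraction=PermitAction
netsh ipsec static add rule name=PermitAdmin policy=$policy filterlist=AdminTraffic filteraction=PermitAction

# 7. Assign (activate) the policy, then view the filter properties,
#    which is the second part of the demonstration.
netsh ipsec static set policy name=$policy assign=yes
netsh ipsec static show policy name=$policy level=verbose
netsh ipsec static show filterlist name=AllTraffic level=verbose
```

Each netsh line prints "Ok." on success. Two practical checks before doing this on a production server: run it in the testing lab first, because a policy with the catch-all block and a missing permit locks you out of remote management; and remember that on Windows Server 2003 only IKE (UDP 500) is exempt from IPSec filtering by default, so a domain-joined server needs additional permit filters for DNS, Kerberos, LDAP and the other traffic it exchanges with its domain controllers before the catch-all rule is assigned. To back the change out, use netsh ipsec static set policy name=IISLockdown assign=no.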
Description of the Host Layer
Contains individual computer systems on the network
Often have specific roles or functions
The term "host" is used to refer to both clients and servers
Host Layer Compromise
 Exploit unsecured operating system configuration
 Distribute viruses
 Exploit operating system weakness
 Unmonitored access
Host Layer Protection
Harden client and server operating systems
Disable unnecessary services
Monitor and audit access and attempted access
Install and maintain antivirus software
Use firewalls
Keep security patches and service packs up to date
Windows XP SP2 Advanced Security Technologies
Network protection
Memory protection
Safer e-mail handling
More secure browsing
Improved computer maintenance
Get more information on Windows XP Service Pack 2 at http://www.microsoft.com/sp2preview
Demonstration 2: Overview of Windows XP SP2
Your instructor will demonstrate the new
and enhanced security features in
Windows XP SP2:
 Security Center
 Windows Firewall
 Internet Explorer
Questions
http://groups.msn.com/itpromexico
 Webcast section