Introduction
- Creation of an information security program begins with policies
- Then pick one or several models
- Then select or create a detailed blueprint
  - Includes the three types of contingency plans

Definition
- Policy
  - A plan or course of action used by an organization to convey instructions from management to those who perform duties

- The initial step is to determine who gets access
- How much should you trust resources or people?
- Possible trust models
  - Trust everyone all of the time
  - Trust no one at any time
  - Trust some people some of the time

- Objectives
  - Reduced risk
  - Assurance of operational continuity, information integrity, and confidentiality
  - Compliance with laws and regulations
- Least expensive means of control
- Often overlooked and difficult to implement
  - Legal considerations

- Exercise: assume you are the manager of xxx software company, and the network administrator reports to you that employee y was caught visiting porn sites during work time. What would you do about it?
In a recent court case, an employee won a $175,000 settlement because she accidentally viewed what she considered to be a pornographic Web site while on the job. How did she get away with holding her employer accountable? Was the questionable site located on a company-owned Web server?

The company had a corporate policy stating that "pornographic sites will be blocked, and they cannot be accessed from the corporate network." The company was filtering out access to sites that contained what is considered to be questionable subject matter.

The court ruled that the company was liable for breach of contract because it did not block all so-called questionable sites. By instituting a policy stating that it would filter out these sites, the company was "accepting responsibility for the successful execution of this activity" and was therefore accountable. The damage award, as well as reimbursement for the employee's "distress," was based on this finding.

- For policies to be effective, they must be
  - Properly disseminated
  - Read
  - Understood
  - Agreed to
- Policies must
  - Be implementable and enforceable
  - Be concise and easy to understand
  - Balance protection with productivity
- Policies should
  - State the reasons why the policy is needed
  - Describe what is covered by the policy
  - Define contacts and responsibilities
  - Discuss how violations will be handled
  - Be flexible

Policy Management
- Policies must be managed, as they constantly change
- To remain viable, security policies must have
  - An individual responsible for reviews
  - A schedule of reviews
  - A method for making recommendations for reviews
  - A specific policy issuance and revision date

(Figure: policy hierarchy. Policies at the top, then Standards, then Practices, Procedures, and Guidelines)
Enterprise Information Security Policy (EISP)
- Sets strategic direction, scope, and tone for all security efforts within the organization
- Executive-level document
  - Usually drafted by or with the CIO of the organization
- Also known as Security Program Policy (SPP) or general security policy
- EISP documents should provide
  - An overview of the corporate philosophy on security
  - Information about the information security organization and information security roles
  - Responsibilities for security shared by all members of the organization
  - Responsibilities for security unique to each role within the organization
- EISP components
  - Statement of Purpose: what the policy is for
  - Information Technology Security Elements: defines information security
  - Need for Information Technology Security: justifies the importance of information security in the organization
  - Information Technology Security Responsibilities and Roles: defines the organizational structure
  - References to Information Technology standards and guidelines
- The term "policy" is used at several levels
  - Policy can be senior management's directives to create an information security program, establish its goals, and assign responsibilities
  - The term policy is also used to refer to the specific security rules for particular systems
  - Additionally, policy may refer to entirely different matters, such as the specific managerial decisions setting an organization's e-mail privacy policy or fax security policy

Sample EISP statements (Company X)
- Protection of Information: information must be protected in a manner commensurate with its sensitivity, value, and criticality
- Use of Information: Company X information must be used only for business purposes expressly authorized by management
- Information Handling, Access, and Usage: information is a vital asset, and all accesses to, uses of, and processing of Company X information must be consistent with policies and standards
- Data and Program Damage Disclaimers: Company X disclaims any responsibility for loss of or damage to data or software that results from its efforts to protect the confidentiality, integrity, and availability of the information handled by computers and communications systems
- Legal Conflicts: Company X information security policies were drafted to meet or exceed the protections found in existing laws and regulations, and any Company X information security policy believed to be in conflict with existing laws or regulations must be promptly reported to Information Security management
- Violation of Law: Company X management must seriously consider prosecution for all known violations of the law
- Revocation of Access Privileges: Company X reserves the right to revoke a user's information technology privileges at any time
- Industry-Specific Information Security Standards: Company X information systems must employ industry-specific information security standards
- Use of Information Security Policies and Procedures: all Company X information security documentation, including but not limited to policies, standards, and procedures, must be classified as "Internal Use Only" unless expressly created for external business processes or partners
- Security Controls Enforceability: all information systems security controls must be enforceable prior to being adopted as part of standard operating procedure
- Exceptions to Policies: exceptions to information security policies exist in rare instances where a risk assessment examining the implications of being out of compliance has been performed, where a standard risk acceptance form has been prepared by the data owner or management, and where this form has been approved by both Information Security management and Internal Audit management
- Policy Non-Enforcement: management's non-enforcement of any policy requirement does not constitute its consent
Issue-Specific Security Policy (ISSP)
- The ISSP
  - Addresses specific areas of technology
  - Requires frequent updates
  - Contains a statement of the organization's position on the specific issue
- Three approaches to creating and managing ISSPs
  - Create a number of independent ISSP documents
  - Create a single comprehensive ISSP document
  - Create a modular ISSP document
- ISSP topics could include
  - E-mail
  - Use of the Internet and World Wide Web
  - Specific minimum configurations of computers to defend against worms and viruses
  - Prohibitions against hacking or testing the organization's security controls
  - Home use of company-owned computer equipment
  - Use of personal equipment on company networks
  - Use of telecommunications technologies
  - Use of photocopy equipment
Issue-Specific Security Policy (ISSP) components
- Statement of Purpose
  - Scope and Applicability
  - Definition of Technology Addressed
  - Responsibilities
- Authorized Access and Usage of Equipment
  - User Access
  - Fair and Responsible Use
  - Protection of Privacy
- Prohibited Usage of Equipment
  - Disruptive Use or Misuse
  - Criminal Use
  - Offensive or Harassing Materials
  - Copyrighted, Licensed or other Intellectual Property
  - Other Restrictions
Systems-Specific Policy (SysSP)
- Directions to system administrators on implementing managerial policy
- Each type of equipment has its own type of policies
- Two general methods of implementing such technical controls
  - Access control lists
  - Configuration rules
Access Control Lists (ACLs)
- Include user access lists, matrices, and capability tables that govern rights and privileges
- Can control access to
  - File storage systems
  - Object brokers or other network communications devices
- Capability table: user profiles
- Specifications are frequently complex matrices
- Level of detail and specificity (often called granularity) may vary from system to system
  - ACLs enable administrators to restrict access according to user, computer, time, duration, or even a particular file
Issue-Specific Security Policy (ISSP) components (continued)
- Systems Management
  - Management of Stored Materials
  - Employer Monitoring
  - Virus Protection
  - Physical Security
  - Encryption
- Violations of Policy
  - Procedures for Reporting Violations
  - Penalties for Violations
- Policy Review and Modification
  - Scheduled Review of Policy and Procedures for Modification
- Limitations of Liability
  - Statements of Liability or Disclaimers
- In general, ACLs regulate
  - Who can use the system
  - What authorized users can access
  - When authorized users can access the system
  - Where authorized users can access the system from
  - How authorized users can access the system
  - Restricting what users can access, e.g. printers, files, communications, and applications
- Administrators set user privileges, such as
  - Read
  - Write
  - Create
  - Modify
  - Delete
  - Compare
  - Copy
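As an added illustration of the who/what/when/where/how constraints above (example code written for this page, not code from the lecture or from any product; the users, groups, hosts and object names are invented), the following ACL evaluates a request against every attribute and denies by default, and derives a per-user capability table from the same entries:

```python
"""Added example, not from the lecture: an ACL that restricts access by who
(user or group), what (object), how (right), where (source host) and when
(time of day), with default deny, and the capability table derived from it.
Objects, users, groups and hosts are invented for the example."""
from dataclasses import dataclass


@dataclass(frozen=True)
class AclEntry:
    subject: str                    # user name or group name
    rights: frozenset               # rights granted, e.g. {"read", "write"}
    hosts: frozenset = frozenset()  # permitted source hosts; empty = any host
    start: str = "00:00"            # earliest time of day ("HH:MM") the entry applies
    end: str = "23:59"              # latest time of day the entry applies


class Acl:
    """Object -> list of entries.  A request is granted only if some entry
    matches every attribute of the request; otherwise it is denied."""

    def __init__(self):
        self._entries = {}

    def grant(self, obj, entry):
        self._entries.setdefault(obj, []).append(entry)

    def check(self, user, groups, obj, right, host, now):
        """now is a zero-padded "HH:MM" string so it compares lexically."""
        for e in self._entries.get(obj, []):
            if e.subject != user and e.subject not in groups:
                continue                               # who
            if e.hosts and host not in e.hosts:
                continue                               # where
            if not (e.start <= now <= e.end):
                continue                               # when
            if right in e.rights:
                return True                            # what / how
        return False                                   # default deny

    def capability_table(self, user, groups):
        """Invert the ACL into one user's capability table: the rights held
        on each object (host and time conditions are not shown here)."""
        caps = {}
        for obj, entries in self._entries.items():
            for e in entries:
                if e.subject == user or e.subject in groups:
                    caps.setdefault(obj, set()).update(e.rights)
        return caps


def build_sample_acl():
    """Constructed policy: HR staff may read payroll from anywhere; alice may
    also write it, but only from her HR workstation during office hours;
    everyone on staff may read or copy the handbook."""
    acl = Acl()
    acl.grant("/payroll/2024.xlsx", AclEntry("hr", frozenset({"read"})))
    acl.grant("/payroll/2024.xlsx",
              AclEntry("alice", frozenset({"read", "write"}),
                       hosts=frozenset({"hr-ws-01"}), start="08:00", end="18:00"))
    acl.grant("/public/handbook.pdf", AclEntry("staff", frozenset({"read", "copy"})))
    return acl


if __name__ == "__main__":
    acl = build_sample_acl()
    for args in [("alice", {"hr", "staff"}, "/payroll/2024.xlsx", "write", "hr-ws-01", "10:00"),
                 ("alice", {"hr", "staff"}, "/payroll/2024.xlsx", "write", "hr-ws-01", "22:00"),
                 ("bob", {"staff"}, "/payroll/2024.xlsx", "read", "hr-ws-01", "10:00")]:
        print(args[0], args[3], args[2], "from", args[4], "at", args[5], "->",
              "granted" if acl.check(*args) else "denied")
    print(acl.capability_table("alice", {"hr", "staff"}))
```

Note that the capability table is lossy: alice's "write" appears in it, but the ACL only honours it from one host during office hours, which is why the evaluation has to be done against the entries, not the summary.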
Policy hierarchy
- Enterprise-wide/corporate policy
- Division-wide policy
- Local policy
- Issue-specific policy
- Security procedures and checklists

- Exercise: using what you have learned about viruses, worms, Trojan horses, and policy development, create an issue-specific policy for malicious code protection; assume you are creating this policy for Utica College.
Configuration Rules
- Configuration rules are specific configuration codes entered into security systems to guide the execution of the system when information is passing through it
- Rule policies are more specific to system operation
- Many security systems require specific configuration scripts telling the system what actions to perform on each set of information processed
  - IDS, firewalls, proxy servers
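The following is an added example of such a rule set for a firewall (written for this page; not code from the lecture, and not the syntax of any real product, although first-match evaluation with a default deny is how most packet filters behave). The networks, ports and rule names are invented. It shows the check a practitioner wants before loading a rule set: a rule fully covered by an earlier rule can never fire, and when the dead rule is a deny, the policy has a hole that nothing will report.

```python
"""Added example, not from the lecture: a first-match firewall rule set of
the kind the slide calls configuration rules, with a check for rules that can
never fire.  Networks, ports and the rule syntax are invented; real firewalls
differ in syntax but most share first-match semantics and a default deny."""
import ipaddress
from dataclasses import dataclass

ANY_PORT = (0, 65535)


@dataclass(frozen=True)
class Rule:
    action: str               # "allow" or "deny"
    proto: str                # "tcp", "udp" or "any"
    src: str                  # source network, CIDR notation
    dst: str                  # destination network, CIDR notation
    dport: tuple = ANY_PORT   # inclusive destination port range


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    dport: int


def _proto_ok(rule_proto, proto):
    return rule_proto == "any" or rule_proto == proto


def matches(rule, pkt):
    return (_proto_ok(rule.proto, pkt.proto)
            and ipaddress.ip_address(pkt.src) in ipaddress.ip_network(rule.src)
            and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(rule.dst)
            and rule.dport[0] <= pkt.dport <= rule.dport[1])


def evaluate(rules, pkt):
    """The first matching rule decides.  No match means the implicit default
    deny.  Returns (action, index of the deciding rule or None)."""
    for i, rule in enumerate(rules):
        if matches(rule, pkt):
            return rule.action, i
    return "deny", None


def _covers(a, b):
    """True if rule a matches every packet that rule b could match."""
    return (_proto_ok(a.proto, b.proto)
            and ipaddress.ip_network(b.src).subnet_of(ipaddress.ip_network(a.src))
            and ipaddress.ip_network(b.dst).subnet_of(ipaddress.ip_network(a.dst))
            and a.dport[0] <= b.dport[0] and b.dport[1] <= a.dport[1])


def shadowed(rules):
    """Indices of rules completely covered by an earlier rule.  Such a rule is
    dead; when it is a deny, the policy silently has a hole."""
    return [j for j in range(len(rules))
            if any(_covers(rules[i], rules[j]) for i in range(j))]


# Constructed rule set with the ordering mistake: the broad allow for the web
# tier comes first, so the deny meant to fence off one host never fires.
MISORDERED = [
    Rule("allow", "tcp", "0.0.0.0/0", "10.0.0.0/24", (443, 443)),
    Rule("deny", "tcp", "0.0.0.0/0", "10.0.0.5/32", (443, 443)),
    Rule("allow", "tcp", "10.0.1.0/24", "10.0.0.0/24", (22, 22)),
]
# Same rules, specific deny first, as the policy intended.
CORRECTED = [MISORDERED[1], MISORDERED[0], MISORDERED[2]]


if __name__ == "__main__":
    probe = Packet("tcp", "203.0.113.8", "10.0.0.5", 443)
    print("misordered:", evaluate(MISORDERED, probe), "shadowed:", shadowed(MISORDERED))
    print("corrected: ", evaluate(CORRECTED, probe), "shadowed:", shadowed(CORRECTED))
```

The rule text is identical in both lists; only the order differs, which is why a configuration rule set has to be reviewed as an ordered program and not as a set of statements.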
- To create or maintain a secure environment
  1. Design a working security plan
  2. Implement a management model to execute and maintain the plan
     - May begin with creation or validation of a security framework
     - Followed by an information security blueprint
The Information Security Blueprint
- Basis for the whole information security program
- More detailed version of the security framework
- Should specify the tasks to be accomplished and the order in which they are to be realized
- Should be scalable, upgradeable, and comprehensive
- One common approach
  - Adapt or adopt a published model (benchmarking)
- Published models
  - ISO 17799/BS 7799
  - NIST security models
    - NIST SP 800-18
  - IETF security architecture
  - Visa International security model
What Is Contingency Planning?
- The overall planning for unexpected events is called contingency planning (CP)
- It is how organizational planners position their organizations to prepare for, detect, react to, and recover from events that threaten the security of information resources and assets
- Main goal
  - Restoration to normal modes of operation
  - With minimum cost and disruption to normal business activities
CP Components
- Incident response planning (IRP) focuses on the immediate response
- Disaster recovery planning (DRP) focuses on restoring operations at the primary site after a disaster occurs
- Business continuity planning (BCP) facilitates the establishment of operations at an alternate site
- To ensure continuity across all CP processes during the planning process, contingency planners should
  - Identify the mission- or business-critical functions
  - Identify the resources that support critical functions
  - Anticipate potential contingencies or disasters
  - Select contingency planning strategies
  - Implement the selected strategy
  - Test and revise contingency plans

Major Tasks in Contingency Planning

CP Operations
- Four teams are involved in contingency planning and contingency operations
  - CP team
  - Incident response (IR) team
  - Disaster recovery (DR) team
  - Business continuity (BC) team
Business Impact Analysis (BIA)
- BIA
  - Provides information about systems and threats and detailed scenarios for each potential attack
  - Unlike risk management, which identifies threats, vulnerabilities, and attacks in order to determine controls, the BIA assumes that controls have been bypassed or are ineffective and that the attack was successful
- The CP team conducts the BIA in the following stages
  - Threat/attack identification
  - Business unit analysis
  - Attack success scenarios
  - Potential damage assessment
  - Subordinate plan classification

Threat/Attack Identification and Prioritization
- The risk management process has already identified and prioritized threats
- Update the threat list and add one additional piece of information: the attack profile
  - Attack profile: detailed description of the activities that occur during an attack
- An attack profile records
  - Attack name/description
  - Threat
  - Known or possible vulnerabilities
  - Likely precursor activities or indicators
  - Likely attack activities
  - Information asset at risk
  - Damage or loss to information assets likely
  - Immediate actions indicated when this attack is under way

Business Unit Analysis
- The second major BIA task is the analysis and prioritization of business functions within the organization

Attack Success Scenario Development
- Next, create a series of scenarios depicting the impact of a successful attack on each functional area
- Attack profiles should include scenarios depicting a typical attack, including
  - Methodology
  - Indicators
  - Broad consequences
- More details are then added, including alternate outcomes: best, worst, and most likely

Potential Damage Assessment
- Estimate the cost of the best, worst, and most likely outcomes by preparing an attack scenario end case
- This allows identification of what must be done to recover from each possible case
Backups
- Very important for all three types of planning
- Normally backup to tape
  - Where should these tapes be stored?
- Make it easy to back up
- Always back up!
- Rotation strategies (each has benefits and drawbacks)
  - Six-tape rotation
  - Grandfather-father-son
  - Towers of Hanoi
- Backup types
  - Full backup
  - Incremental backup
  - Differential backup
- Electronic vaulting
- Remote journaling
- Database shadowing
Incident Planning
- Critical to a successful response to a security incident
- Allows the organization to plan and practice
  - Example: CD Universe
- Allows the participants to have a consistent level of knowledge and expectation when the incident occurs
  - What is to be done?
  - Who will be doing it?

Incident Response Planning
- Incident response planning covers the identification of, classification of, and response to an incident
- Attacks are classified as incidents if they
  - Are directed against information assets
  - Have a realistic chance of success
  - Could threaten the confidentiality, integrity, or availability of information resources
- Incident response (IR) is more reactive than proactive
  - Exception: planning must occur prior to the incident to prepare IR teams to react to an incident
- The plan should also include
  - Which processes have what level of priority
  - The circumstances that indicate an incident and determine the direction of the response
  - In some cases, you may want to disconnect from the network
  - In some cases, you may want to collect more information
    - Should document procedures involving remote systems and connections to partners and public networks
  - The individual who will be authorized to disconnect
  - The notification process
Incident Detection/Determination
- Seems simple
- However: "Is the event that has been detected really an incident?"
- It might be just
  - Symptoms of an impending hardware failure
  - A simple error caused by a user or an administrator
- Should have a clear definition of when to invoke the plan, or when the appropriate people who can invoke the plan need to be notified
  - Define what constitutes a security incident
  - Different for different organizations

Incident Determination
- What does a system administrator know about the system?
  - How the system should behave
- Indicators: unusual behavior that, when detected, requires more investigation
  - Possible indicators
  - Probable indicators
  - Definite indicators

Possible Indicators
- Unusual things that might indicate that a security incident is under way
  - Unfamiliar files
  - Unknown programs or processes
  - Consumption of resources
  - System crashes

Probable Indicators
- Things that could not occur on the system without someone actually instigating them
  - Activities at unexpected times
  - Presence of new accounts
  - Reported attack
  - Notification from an IDS

Definite Indicators
- A security incident is surely under way
  - Use of dormant accounts
  - Changes to logs
  - Presence of hacker tools
  - Notification by a partner
  - Notification by a hacker
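As an added example of turning the three indicator classes into detection logic (written for this page, not code from the lecture), the script below triages a handful of constructed log lines. The log format, the 90-day dormancy threshold, the 08:00-17:59 business-hours window, the load threshold and the account inventory are all assumptions made for the example; the point is that one line can raise indicators at more than one level, and that the highest level seen is what decides whether the plan is invoked.

```python
"""Added example, not from the lecture: triage of constructed log lines into
the possible/probable/definite indicator classes.  The thresholds, the
account inventory and the log format are assumptions for this example."""
import re
from datetime import datetime, timedelta

LEVELS = {"possible": 1, "probable": 2, "definite": 3}
BUSINESS_HOURS = range(8, 18)       # assumed: 08:00-17:59 local time
DORMANT_AFTER = timedelta(days=90)  # assumed: no login for 90 days = dormant
LOAD_THRESHOLD = 20.0               # assumed: load above this = resource consumption

# Constructed account inventory: user -> last known login before this batch.
ACCOUNTS = {
    "alice": datetime(2024, 3, 1, 9, 15),
    "svc_legacy": datetime(2023, 10, 1, 14, 0),
}

# Constructed log lines in an assumed "<timestamp> <source>: <message>" format.
SAMPLE_LOG = """\
2024-03-02T02:14:05 sshd: Accepted password for svc_legacy from 203.0.113.9
2024-03-02T09:30:11 useradd: new user: name=tmpadmin, UID=1007
2024-03-02T10:02:45 sshd: Accepted publickey for alice from 10.0.0.23
2024-03-02T03:40:00 monitor: load average 37.2 on db01
2024-03-02T11:00:00 sshd: Failed password for alice from 10.0.0.23
"""

LINE_RE = re.compile(r"^(\S+) (\S+): (.*)$")
LOGIN_RE = re.compile(r"Accepted \S+ for (\S+) from (\S+)")
NEWUSER_RE = re.compile(r"new user: name=(\w+)")
LOAD_RE = re.compile(r"load average ([\d.]+)")


def classify_line(line, accounts=ACCOUNTS):
    """Return a list of (level, reason) indicators raised by one log line."""
    m = LINE_RE.match(line)
    if not m:
        return []
    ts = datetime.fromisoformat(m.group(1))
    msg = m.group(3)
    found = []
    login = LOGIN_RE.search(msg)
    if login:
        user = login.group(1)
        last = accounts.get(user)
        if last is not None and ts - last > DORMANT_AFTER:
            found.append(("definite", f"use of dormant account {user}"))   # definite indicator
        if ts.hour not in BUSINESS_HOURS:
            found.append(("probable", f"login by {user} at unexpected time {ts:%H:%M}"))
    newuser = NEWUSER_RE.search(msg)
    if newuser:
        found.append(("probable", f"new account {newuser.group(1)} created"))
    load = LOAD_RE.search(msg)
    if load and float(load.group(1)) > LOAD_THRESHOLD:
        found.append(("possible", f"resource consumption: load {load.group(1)}"))
    return found


def triage(log_text, accounts=ACCOUNTS):
    """Classify every line; return (findings, highest level seen).  The
    highest level, 0 when nothing fired, is what decides whether the IR
    plan is invoked or the event is handed to the help desk."""
    findings = []
    for line in log_text.splitlines():
        findings.extend(classify_line(line, accounts))
    top = max((LEVELS[level] for level, _ in findings), default=0)
    return findings, top


if __name__ == "__main__":
    findings, top = triage(SAMPLE_LOG)
    for level, reason in findings:
        print(f"{level:9s} {reason}")
    print("highest level:", top)
```

The failed-password line deliberately raises nothing: a single failure is normal noise, and classifying it would turn the triage into an alarm generator, which is the "is it really an incident?" problem the slide warns about.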
Occurrences of Actual Incidents
- Loss of availability
- Loss of integrity
- Loss of confidentiality
- Violation of policy
- Violation of law
Incident Response Plan
- Incident detection/determination
- Incident notification
- Incident documentation
- Incident containment
- Assessing the damage
- Incident recovery
- Reflection
Incident Notification
- Who is most likely to be the first person to notice a security incident?
  - Users
    - May not be reported as a security incident
  - Help desk and system operations: the best place for originating notification
- Incident notification
  - The notification procedure should be pre-arranged
  - An alert roster should be decided
  - Notification should be made out-of-band

Incident Notification - Internal
- Initial notification
  - Automated threats spread very fast
  - Should have rapid internal notification
  - Acting incident security manager
- Response team
  - Alert message: explicit
  - Documentation should start now
- Management
  - After the incident is confirmed and the severity determined
  - Should be before the news media

Incident Notification - External
- Computer security incident organizations
- Affected partners
- News media
- Law enforcement

Law Enforcement Involvement
- When an incident violates civil or criminal law, it is the organization's responsibility to notify the proper authorities
- Selecting the appropriate law enforcement agency
  - Federal
  - State
  - Local
- Some questions are best answered by the organization's legal department

Benefits and Drawbacks of Law Enforcement Involvement
- Involving law enforcement agencies has advantages
  - Agencies may be better equipped at processing evidence
  - The organization on its own may be less effective at getting suspects convicted
  - Law enforcement agencies are prepared to handle the warrants and subpoenas needed
  - Law enforcement is skilled at obtaining witness statements and other information collection
- Involving law enforcement agencies has disadvantages
  - Once a law enforcement agency takes over the case, the organization loses complete control over the chain of events
  - The organization may not hear about the case for weeks or months
  - Equipment vital to the organization's business may be tagged as evidence
Incident Containment
- The goal is to stop the incident or minimize its impact
- Incident containment strategy
  - Stopping the spread
    - The Internet Worm infected about ten percent of the 60,000 systems linked to the Internet within hours of its release
  - Determine the affected systems
  - Deny access
  - Eliminate rogue processes
  - Regain control
  - Scrub the system
  - Rebuild the system

Assess the Damage
- Several sources of information on damage
  - System logs
  - Intrusion detection logs
  - Configuration logs and documents
  - Documentation from the incident response
  - Results of a detailed assessment of systems and data storage
- Computer evidence must be carefully collected, documented, and maintained to be acceptable in formal proceedings
  - Computer forensics
- Individuals who assess damage need special training

Incident Recovery
- Repair the vulnerability
- Improve the safeguard
- Update detection
- Restore data if necessary
- Restore services
- Monitor for additional signs of attack
- Restore confidence

Documentation and Reflection
- AAR (After Action Review): detailed examination of the events that occurred
- All team members
  - Review their actions during the incident
  - Identify areas where the IR plan worked, didn't work, or should improve
Automated Response
- New systems can respond to an incident threat autonomously
- The downsides of current automated response systems may outweigh the benefits
Trap and Trace
- Honey pots
- Honey nets
- Honey pots are designed to
  - Divert the attacker from accessing critical systems
  - Collect information about the attacker's activity
  - Encourage the attacker to stay on the system long enough for administrators to document the event and, perhaps, respond

Honey Pots, Honey Nets, and Padded Cell Systems (continued)
- Padded cell: a hardened honey pot
- In addition to attracting attackers with tempting data, a padded cell operates in tandem with a traditional IDS
- When the IDS detects attackers, it seamlessly transfers them to a special simulated environment where they can cause no

Honey Pots, Honey Nets, and Padded Cell Systems (continued)
- Advantages
  - Attackers can be diverted to targets they cannot damage
  - Administrators have time to decide how to respond to the attacker
  - Attackers' actions can be easily and more extensively monitored, and the records can be used to refine threat models and improve system protections
  - Honey pots may be effective at catching insiders who are snooping around a network
- Disadvantages
  - The legal implications of using such devices are not well defined
  - Honey pots and padded cells have not yet been shown to be generally useful security technologies
  - An expert attacker, once diverted into a decoy system, may become angry
  - Administrators and security managers will need a high level of expertise to use these systems

Trap and Trace Systems
- Legal drawbacks to trap and trace
  - Enticement: the process of attracting attention to a system by placing tantalizing bits of information in key locations
  - Entrapment: the action of luring an individual into committing a crime in order to get a conviction
  - Enticement is legal and ethical, whereas entrapment is not
Data Backup
- Three types of backup
  - Full backup
  - Incremental backup
  - Differential backup
- Common practice
  - Full backup during the weekend, and incremental or differential backups on weekdays
- Full backup + incremental backups vs. full backup + differential backups
  - Incremental backups copy only what changed since the previous backup of any kind, so they are small, but a restore needs the full backup plus every incremental taken since it
  - Differential backups copy everything changed since the last full backup, so they grow through the week, but a restore needs only the full backup plus the latest differential
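The trade-off between the two weekday strategies, carried through for one simulated week as an added example (written for this page, not code from the lecture; the file names and the set of files changed each day are constructed). The simulation records what each day's backup copies, which media a restore depends on, and what happens when one medium from mid-week is unreadable:

```python
"""Added example, not from the lecture: one simulated week of backups under
the two weekday strategies, measuring what each backup copies and which
media a restore depends on.  File names and daily change sets are constructed."""

# Constructed workload: files changed on each weekday after the Sunday full.
WEEK_CHANGES = {
    "Sun": None,            # full backup day
    "Mon": {"a", "b"},
    "Tue": {"b", "c"},
    "Wed": {"d"},
    "Thu": {"a", "e"},
    "Fri": {"b"},
}
ALL_FILES = {"a", "b", "c", "d", "e", "f", "g", "h"}
DAYS = list(WEEK_CHANGES)


def plan(strategy):
    """Return {day: {file: day of the version captured}} for each backup."""
    if strategy not in ("incremental", "differential"):
        raise ValueError(strategy)
    backups = {}
    since_full = {}
    for day, changed in WEEK_CHANGES.items():
        if changed is None:
            backups[day] = {f: day for f in ALL_FILES}   # full: everything
            since_full = {}
        elif strategy == "incremental":
            backups[day] = {f: day for f in changed}     # only since the previous backup
        else:
            since_full.update({f: day for f in changed})
            backups[day] = dict(since_full)              # everything since the full
    return backups


def restore_chain(strategy, day):
    """Media needed to rebuild the file system as of `day`, oldest first."""
    idx = DAYS.index(day)
    if strategy == "incremental":
        return DAYS[: idx + 1]                           # full plus every incremental
    return ["Sun"] if day == "Sun" else ["Sun", day]     # full plus latest differential


def restore(strategy, day, lost=frozenset()):
    """Apply the chain in order; `lost` is the set of unreadable media.
    Returns {file: day of the version restored}."""
    backups = plan(strategy)
    state = {}
    for d in restore_chain(strategy, day):
        if d in lost:
            raise RuntimeError(f"{strategy} restore of {day} needs the {d} media")
        state.update(backups[d])                         # later media override earlier
    return state


def media_volume(strategy):
    """Total number of file copies written over the week."""
    return sum(len(b) for b in plan(strategy).values())


if __name__ == "__main__":
    for s in ("incremental", "differential"):
        print(s, "writes", media_volume(s), "file copies; Friday restore needs",
              restore_chain(s, "Fri"))
    print("Friday state:", restore("differential", "Fri"))
```

Both strategies rebuild the identical Friday state, so the choice is purely the slide's trade-off: fewer copies written per week against a longer and more fragile restore chain.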
Rotation Strategies
- Father-son (grandfather-father-son)
  - A set of four backup media sets for Monday through Thursday
  - Another group of 5 for weekly backups
  - A final group of 3 for monthly backups
- Tower of Hanoi
  - The 1st set is used for every other backup, starting on day 1 (1, 3, 5, etc.)
  - The 2nd set is used for every 4th backup, starting on day 2 (2, 6, 10, etc.)
  - The 3rd set is used for every 8th backup, starting on day 4 (4, 12, 20, etc.)
  - The 4th set is used for every 16th backup, starting on day 8 (8, 24, 40, etc.)
  - The final set is used for every 16th backup, starting on day 16 (16, 32, 48, etc.)
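The Tower of Hanoi schedule above follows a rule that can be computed rather than tabulated, and computing it makes the benefit and drawback asked for earlier concrete. The following is an added example written for this page (not code from the lecture); it assumes the five-set configuration on the slide, with the final set taking every backup that would otherwise need a sixth or later set, and day numbering starting at 1:

```python
"""Added example, not from the lecture: the Tower of Hanoi rotation on the
slide computed for any day, plus a simulation of how far back each media set
lets you restore.  Assumes five sets and day numbering from 1."""


def hanoi_set(day, n_sets=5):
    """Media set (1-based) written on backup number `day`.
    Set k is used every 2**k-th backup starting at day 2**(k-1), which is the
    same as saying k is one more than the number of factors of two in `day`.
    Days needing a set beyond n_sets go to the last set, so the final two
    sets alternate on the same 2**(n_sets-1) period (16 for five sets)."""
    if day < 1:
        raise ValueError("day numbering starts at 1")
    k = 1
    while day % 2 == 0:
        day //= 2
        k += 1
    return min(k, n_sets)


def schedule(n_days, n_sets=5):
    """The set used on each of the first n_days backups."""
    return [hanoi_set(d, n_sets) for d in range(1, n_days + 1)]


def restore_points(n_days, n_sets=5):
    """After n_days backups, the day whose data each set currently holds,
    or None for a set that has never been written.  The minimum over the
    sets is the oldest state that can still be restored."""
    held = {s: None for s in range(1, n_sets + 1)}
    for d in range(1, n_days + 1):
        held[hanoi_set(d, n_sets)] = d   # the set's previous contents are overwritten
    return held


def oldest_restore_point(n_days, n_sets=5):
    written = [d for d in restore_points(n_days, n_sets).values() if d is not None]
    return min(written)


if __name__ == "__main__":
    print("first 16 days:", schedule(16))
    print("after 31 days each set holds day:", restore_points(31))
    print("oldest restorable day after 31 backups:", oldest_restore_point(31))
```

After 31 daily backups the five sets hold days 31, 30, 28, 24 and 16: a month of history from five media, which is the benefit. The drawback is visible in the same output: set 1 is rewritten every other day, so it wears out first and its loss always costs the most recent or second most recent backup.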
Disaster Recovery
- Disaster recovery planning (DRP) is the preparation for and recovery from a disaster, whether natural or man-made
- In general, an incident is a disaster when
  - The organization is unable to contain or control the impact of an incident, OR
  - The level of damage or destruction from the incident is so severe that the organization is unable to quickly recover
- Key role of DRP: defining how to reestablish operations at the location where the organization is usually located
Disaster or not?
- A hacker gets into the network and deletes files from a server.
- A fire breaks out in the storeroom and sets off sprinklers on that floor. Some computers are damaged, but the fire is contained before it moves out of the area.
- A tornado hits a local power company, and the company will be without power for three to five days.
- Employees go on strike, and the company could be without critical workers for weeks.
- A disgruntled employee takes a critical server home, sneaking it out after hours.
Disaster Classifications
- A DRP can classify disasters in a number of ways
- Most common method: separate natural disasters from man-made disasters
- Another way: by speed of development
  - Rapid-onset disasters
  - Slow-onset disasters

Planning for Disaster
- Scenario development and impact analysis are used to categorize the level of threat of each potential disaster
- The DRP must be tested regularly
- Key points in the DRP
  - Clear delegation of roles and responsibilities
  - Execution of the alert roster and notification of key personnel
  - Clear establishment of priorities
  - Documentation of the disaster
  - Action steps to mitigate the impact
  - Alternative implementations for various system components
Crisis Management
- Which component is most important in a disaster?
  - Human safety
- The crisis management team manages the event
  - Supporting personnel and their loved ones during the crisis
  - Determining the event's impact on normal business operations
  - When necessary, making a disaster declaration
  - Keeping the public informed about the event
  - Communicating with outside parties
- Two key tasks of the crisis management team
  - Verifying personnel status
  - Activating the alert roster

Responding to the Disaster
- Actual events often outstrip even the best of plans
- To be prepared, the DRP should be flexible
- If the physical facilities are intact, begin restoration there
- If the organization's facilities are unusable, take alternative actions
- When the disaster prevents operations at the primary site, the BCP takes over from the DRP and reestablishes critical functions at an alternate site
Disaster Recovery and Business Continuity Planning: Sample Disaster Recovery Plan
1. Name of agency
2. Date of completion or update of the plan and test date
3. Agency staff to be called in the event of a disaster
4. Emergency services to be called (if needed) in the event of a disaster
5. Locations of in-house emergency equipment and supplies
6. Sources of off-site equipment and supplies
7. Salvage priority list
8. Agency disaster recovery procedures
9. Follow-up assessment
Business Continuity Planning (BCP)
- BCP
  - Ensures critical business functions can continue in a disaster
  - Most properly managed by the CEO of the organization
  - Activated and executed concurrently with the DRP when needed
  - Reestablishes critical functions at an alternate site (the DRP focuses on reestablishment at the primary site)
  - Relies on identification of critical business functions and the resources to support them
- Several continuity strategies for business continuity
  - The determining factor is usually cost
- Four exclusive-use options
  - Hot sites
  - Warm sites
  - Cold sites
  - Mobile sites
- Shared-use options
  - Timeshare
  - Service bureaus
  - Mutual assistance agreements (MAA)
Exclusive Use Options
- Hot sites
  - Fully configured computer facility with all services
- Warm sites
  - Like a hot site, but software applications are not kept fully prepared
- Cold sites
  - Only rudimentary services and facilities
- Mobile sites
  - Non-mainstream alternatives to the previous three

Shared Use Options
- Timeshares
  - Like an exclusive-use site, but leased
- Service bureaus
  - Agency that provides physical facilities
- Mutual agreements
  - Contract between two organizations to assist each other
  - Problems
    - Difficult to enforce
    - Locations
    - Confidentiality

Database Recovery
- To get any BCP site running quickly, the organization must be able to recover data
- Options
  - Electronic vaulting
  - Remote journaling
  - Database mirroring

Software Escrow Agreement
- A unique tool used to protect a company against the failure of a software developer to provide adequate support for its product, or the possibility that the developer will go out of business
- Usually considered for small software companies

Testing Contingency Plans
- Once problems are identified during the testing process, improvements can be made, and the resulting plan can be relied on in times of need
- There are five testing strategies that can be used to test contingency plans
  - Checklist test
  - Structured walkthrough
  - Simulation
  - Parallel testing
  - Full interruption

A Single Contingency Plan Format
Continuous Improvement
- Iteration results in improvement
- A formal implementation of this methodology is a process known as continuous process improvement (CPI)
- Each time the plan is rehearsed, it should be improved
- Constant evaluation and improvement leads to an improved outcome