Documenti di Didattica
Documenti di Professioni
Documenti di Cultura
Administering Security ***IMP*** Exam Question on this Topic Security planning Risk analysis Physical security
Security Planning
Points to remember while writing the answer 1) 2) 3) 4) 5) Definition Diagram Main points in Security Plan Contains of Security Plan Security Plan Team Member
Answer) A security plan is a document that describes how an organization will address its security needs.
A good security plan is an official record of current security practices, plus a blueprint for orderly change to improve those practices. By following the plan, developers and users can measure the effect of proposed changes, leading eventually to further improvements. The impact of the security plan is important, too. A carefully written plan, supported by management, notifies employees that security is important to management (and therefore to everyone). Thus, the security plan has to have the appropriate content and produce the desired effects. We focus on three aspects of writing a security plan: What it should contain? Who writes it? How to obtain support for it?
1. Policy
A security plan must state the organization's policy on security. A security policy is a high-level statement of purpose and intent. Initially, you might think that all policies would be the same: to prevent security breaches. But in fact the policy is one of the most difficult sections to write well The policy statement must answer three essential questions: 1) Who should be allowed access? 2) To what system and organizational resources should access be allowed? 3) What types of access should each user be allowed for each resource?
The organization's goals on security. For example, Should the system protect data from leakage to outsiders, protect against loss of data due to physical disaster, protect the data's integrity, or protect against loss of business when computing resources fail? What is the higher priority: serving customers or securing data? Where the responsibility for security lies. For example, Should the responsibility rest with a small computer security group, with each employee, or with relevant managers? The organization's commitment to security. For example, Who provides security support for staff, and where does security fit into the organization's structure?
3. Requirements
The heart of the security plan is its set of security requirements: functional or performance demands placed on a system to ensure a desired level of security. The requirements are usually derived from organizational needs. Sometimes these needs include the need to conform to specific security requirements imposed from outside, Government agency Commercial standard.
We must distinguish the requirements from constraints and controls. Constraint is an aspect of the security policy that constrains, circumscribes, or directs the implementation of the requirements. Control is an action, device, procedure, or technique that removes or reduces vulnerability. These distinctions are important because the requirements explain what should be accomplished, not how. That is, the requirements should always leave the implementation details to the designers, whenever possible. For example, Rather than writing a requirement that certain data records should require passwords for access (an implementation decision), a security planner should state only that access to the data records should be restricted (and note to whom the access should be restricted). This more flexible requirement allows the designers to decide among several other access controls (such as access control lists) and to balance the security requirements with other system requirements, such as performance and reliability. We should make characteristics: sure that the requirements have these
Correctness: Are the requirements understandable? Are they stated without error? Consistency: Are there any conflicting or ambiguous requirements? Completeness: requirements? Are all possible situations addressed by the
Need: Are the requirements unnecessarily restrictive? Verifiability: Can tests be written to demonstrate conclusively and objectively that the requirements have been met? Can the system or its functionality be measured in some way that will assess the degree to which the requirements are met? Traceability: Can each requirement be traced to the functions and data related to it so that changes in a requirement can lead to easy reevaluation?
4. Recommended Controls
What all control that we studied so far come under this topic
Information officers may be responsible for overseeing the creation and use of data; these officers may also be responsible for retention and proper disposal of data. Personnel staff members may be responsible for security involving employees, for example, screening potential employees for trustworthiness and arranging security training programs.
6. Timetable
The security plan includes a timetable that shows how and when the elements of the plan will be performed. These dates also give milestones so that management can track the progress of implementation. The plan should specify the order in which the controls are to be implemented so that the most serious exposures are covered as soon as possible. A timetable also gives milestones by which to judge the progress of the security program.
7. Continuing Attention
The inventory of objects and the list of controls should periodically updated, and risk analysis performed a new. The security plan should set times for these periodic reviews, based either on calendar time (such as, review the plan every nine months) or on the nature of system changes (such as, review the plan after every major system release).
Risk Analysis
Points in risk analysis
1) 2) 3) 4) 5) 6) 7)
Risk Impact Problem Risk Control Risk Exposure Strategies for Risk reduction Risk Leverage Step in risk analysis
Answer) A risk is a potential problem that the system or its users may experience. We distinguish a risk from other project events by looking for three things, 1. A loss associated with an event. The event must generate a negative effect: compromised security, lost time, diminished quality, lost money, lost control, lost understanding, and so on. This loss is called he risk impact. 2. The likelihood that the event will occur. The probability of occurrence associated with each risk is measured from 0 (impossible) to 1 (certain). When the risk probability is 1, we say we have a problem. 3. The degree to which we can change the outcome. We must determine what, if anything, we can do to avoid the impact or at least reduce its effects. Risk control involves a set of actions to reduce or eliminate the risk. Many of the security controls we describe in this book are examples of risk control. For example, If the likelihood of virus attack is 0.3 and the cost to clean up the affected files is $10,000, then the risk exposure is $3,000. So we can use a calculation like this one to decide that a virus checker is worth an investment of $100, since it will prevent a much larger potential loss. Clearly, risk probabilities can change over time, so it is important to track them and plan for events accordingly. RISK EXPOSURE :- ( risk impact X risk probability) Risk is inevitable in life: Crossing the street is risky but that does not keep us from doing it. We can identify, limit, avoid, or transfer risk but we can seldom eliminate it.
We have three strategies for dealing with risk: 1. avoiding the risk, by changing requirements for security or other system characteristics 2. transferring the risk, by allocating the risk to other systems, people, organizations, or assets; or by buying insurance to cover any financial loss should the risk become a reality 3. assuming the risk, by accepting it, controlling it with available resources, and preparing to deal with the loss if it occurs Thus, costs are associated not only with the risk's potential impact but also with reducing it.
If the leverage value of a proposed action is not high enough, then we look for alternative but less costly actions or more effective reduction techniques.
their
Before we can identify vulnerabilities, we must first decide what we need to protect. Thus, the first step of a risk analysis is to identify the assets of the computing system. The assets can be considered in categories, as listed below.
1) Hardware: processors, boards, keyboards, monitors, terminals, microcomputers, workstations, tape drives, printers, disks, disk drives, cables, connections, communications controllers, and communications media 2) Software: source programs, object programs, purchased programs, in-house programs, utility programs, operating systems, systems programs (such as compilers), and maintenance diagnostic programs 3) Data: data used during execution, stored data on various media, printed data, archival data, update logs, and audit records 4) People: skills needed to run the computing system or specific programs 5) Documentation: on programs, hardware, systems, administrative procedures, and the entire system 6) Supplies: paper, forms, laser cartridges, magnetic media, and printer fluid
Assets and Attacks. Asset Hardware Secrecy Integrity Availability overloaded failed stolen destroyed tampered destroyed with unavailable stolen pirated disclosed accessed outsider inferred copied impaired by Trojan deleted horse modified misplaced usage tampered with expired damaged - software deleted by error - hardware misplaced error - user error destroyed quit retired terminated on vacation lost stolen destroyed lost stolen damaged
Software
Data
People
Documentatio n Supplies
Ratings of Likelihood. Frequency Once a day Once every three days Once a week Once in two weeks Once a month Once every four months Once a year Once every three years Rating 9 8 7 6 5 4 3 2
1) What are the legal obligations for preserving the confidentiality or integrity of a given data item? 2) What business requirements and agreements cover the situation? Does the organization have to pay a penalty if it cannot provide a service? 3) Could release of a data item cause harm to a person or organization? Would there be the possibility of legal action if harm were done? 4) Could unauthorized access to a data item cause the loss of future business opportunity? Might it give a competitor an unfair advantage? What would be the estimated loss in revenue? 5) What is the psychological effect of lack of computer service? Embarrassment? Loss of credibility? Loss of business? How many customers would be affected? What is their value as customers? 6) What is the value of access to data or programs? Could this computation be deferred? Could this computation be performed elsewhere? How much would it cost to have a third party do the computing elsewhere? 7) What is the value to someone else of having access to data or programs? How much would a competitor be willing to pay for access? 8) What other problems would arise from loss of data? Could the data be replaced or reconstructed? With what amount of work?
For example, consider the risk of losing data. This loss could be addressed by several of the controls we have discussed in previous chapters: periodic backups, redundant data storage, access controls to prevent unauthorized deletion, physical security to keep someone from stealing a disk, or program development standards to limit the effect of programs on the data. We must determine the effectiveness of each control in a given situation; for instance, using physical security in a building already equipped with guards and limited access may be more effective than sophisticated software-based controls.
For example, Suppose a department has determined that some users have gained unauthorized access to the computing system. It is feared that the intruders might intercept or even modify sensitive data on the system. One approach to addressing this problem is to install a more secure data access control program. Even though the cost of the access control software is high ($25,000), its cost is easily justified when compared to its value, as shown in Table. Because the entire cost of the package is charged in the first year, even greater benefits are expected for subsequent years.
Table 8-7. Justification of Access Control Software. Item Amount Risks: disclosure of company confidential data, computation based on incorrect data Cost to reconstruct correct data: $1,000,000 @ 10% $100,00 likelihood per year 0 Effectiveness of access control software: 60% Cost of access control software -60,000 +25,000
Expected annual costs due to loss and controls (100,000 $65,000 60,000 + 25,000) Savings (100,000 65,000) $35,000
Another company uses a common carrier to link to a network for certain computing applications. The company has identified the risks of unauthorized access to data and computing facilities through the network. These risks can be eliminated by replacement of remote network access with the requirement to access the system only from a machine operated on the company premises. The machine is not owned; a new one would have to be acquired. The economics of this example are not promising, as shown in Table
Table . Cost/Benefit Analysis for Replacing Network Access. Item Risk: unauthorized access and use Access to unauthorized data and programs $100,000 @ 2% $2,000 likelihood per year Unauthorized use of computing facilities $10,000 @ 40% 4,000 likelihood per year Expected annual loss (2,000 + 4,000) Effectiveness of network control: 100% Control cost: Hardware (50,000 amortized over 5 years) Software (20,000 amortized over 5 years) Support personnel (each year) Annual cost Expected annual loss (6,000 6,000 + 54,000) Savings (6,000 54,000) +10,000 +4,000 +40,000 54,000 $54,000 $48,000 6,000 -6,000 Amount
Physical Security
Physical security is the term used to describe protection needed outside the computer system. Typical physical security controls include guards, locks, and fences to deter direct attacks. In addition, there are other kinds of protection against less direct disasters, such as floods and power outages; these, too, are part of physical security. But many threats to security involve human or natural disasters, events that should also be addressed in the security plan. For this reason, we consider how to cope with the non-technical things that can go wrong. There are two pieces to the process of dealing with non-technical problems: preventing things that can be prevented and recovering from the things that cannot be prevented. Points for this Answer 1) Definition 2) Natural Disasters Flood Fire Other Natural Disasters 3) Power Loss Uninterruptible Power Supply Surge suppressor 4) Human Vandals Unauthorized access and Use Theft 5) Control 1) Backup Complete Backup Revolving Backup Selective backup 2) Offsite Backup 3) Network Storage Cold site Hot site