Administering Security


Transcript of Administering Security

  • Administering Security

    - By Manish Bhatt

  • Security Plan

    A security plan is a document that describes how an organization will address its security needs. The plan is subject to periodic review and revision as the organization's security needs change.

    Contents of a security plan

    1. policy, indicating the goals of a computer security effort and the willingness of the people involved to work to achieve those goals

    2. current state, describing the status of security at the time of the plan

    3. requirements, recommending ways to meet the security goals

    4. recommended controls, mapping controls to the vulnerabilities identified in the policy and requirements

    5. accountability, describing who is responsible for each security activity

    6. timetable, identifying when different security functions are to be done

    7. continuing attention, specifying a structure for periodically updating the security plan

  • 1) Policy

    A security plan must state the organization's policy on security.

    A security policy is a high-level statement of purpose and intent.

    The policy statement should specify the following:

    The organization's goals on security. For example, should the system protect

    data from leakage to outsiders, protect against loss of data due to physical

    disaster, protect the data's integrity, or protect against loss of business when

    computing resources fail? What is the higher priority: serving customers or

    securing data?

    Where the responsibility for security lies. For example, should the

    responsibility rest with a small computer security group, with each employee,

    or with relevant managers?

    The organization's commitment to security. For example, who provides

    security support for staff, and where does security fit into the organization's

    structure?

  • 2) Current Security Status

    The status can be expressed as a listing of organizational assets, the

    security threats to the assets, and the controls in place to protect the

    assets.

    Also defines the limits of responsibility for security.

    3) Requirements

    Requirements are usually derived from organizational needs.

    Requirements explain what should be accomplished, not how.

    Requirements must have these characteristics: correctness, consistency, completeness, realism, need, verifiability, traceability.

    May be constrained by budget, schedule, performance, policies, government regulations and more.

  • 4) Recommended Controls

    The security plan must also recommend what controls should be

    incorporated into the system to meet the requirements.

    5) Responsibility for Implementation

    A section of the security plan should identify which people are

    responsible for implementing the security requirements.

    At the same time, the plan makes explicit who is accountable should

    some requirement not be met or some vulnerability not be addressed.

    6) Timetable - shows how and when the elements of the plan will be performed. These dates also give milestones so that management can track the progress of implementation.

  • Security Planning Team Members

    Computer hardware group

    System administrators

    Systems programmers

    Applications programmers

    Data entry personnel

    Physical security personnel

    Representative users

  • Business Continuity Plans

    Documents how a business will continue to function during a computer security incident.

    An ordinary security plan covers computer security during normal times and deals with protecting against a wide range of vulnerabilities from the usual sources.

    A business continuity plan deals with situations having two characteristics:

    1) catastrophic situations, in which all or a major part of a computing

    capability is suddenly unavailable

    2) long duration, in which the outage is expected to last for so long

    that business will suffer

  • The steps in business continuity planning are these:

    Assess the business impact of a crisis.

    Develop a strategy to control impact.

    Develop and implement a plan for the strategy

  • Incident Response Plans

    Tells the staff how to deal with a security incident.

    The goal of incident response is handling the current security incident, without regard for the business issues.

    An incident response plan should

    1) define what constitutes an incident

    2) identify who is responsible for taking charge of the situation

    3) describe the plan of action

  • Phases of Incident Response Plans

    Advance Planning

    Triage

    Running the incident

  • Response Team

    Response team is the set of people charged with responding to the

    incident.

    To develop policy and identify a response team, you need to consider certain matters.

    1) Legal Issues

    2) Preserving Evidence

    3) Records

    4) Public Relations

  • Risk Analysis

    A risk is a potential problem that the system or its users may experience.

    Characteristics of an event to be considered as a risk:

    1. A loss associated with an event.

    2. The likelihood that the event will occur.

    3. The degree to which we can change the outcome.

    Strategies used :

    1. Avoiding the risk

    2. Transferring the risk

    3. Assuming the risk

  • Risk leverage is the difference in risk exposure divided by the cost of reducing the risk. In other words,

    risk leverage = (risk exposure before reduction - risk exposure after reduction) / (cost of risk reduction)

    If the leverage value of a proposed action is not high enough, we look for alternative, less costly actions or for more effective reduction techniques.

  • Steps of Risk Analysis

    1. Identify assets

    2. Determine vulnerabilities

    3. Estimate likelihood of exploitation

    4. Compute expected annual loss

    5. Survey applicable controls and their costs

    6. Project annual savings of control

  • 1. Identify Assets

    The assets can be considered in categories, as listed below.

    Hardware: processors, boards, keyboards, monitors, terminals, microcomputers, workstations, tape drives, printers, disks, disk drives, cables, connections, communications controllers, and communications media

    Software: source programs, object programs, purchased programs, in-house programs, utility programs, operating systems, systems programs (such as compilers), and maintenance diagnostic programs

    Data: data used during execution, stored data on various media, printed data, archival data, update logs, and audit records

    People: skills needed to run the computing system or specific programs

    Documentation: on programs, hardware, systems, administrative procedures, and the entire system

    Supplies: paper, forms, laser cartridges, magnetic media, and printer fluid

  • 2. Determine Vulnerabilities

    Vulnerabilities by asset and by security property (secrecy, integrity, availability):

    Hardware
      Integrity: overloaded, destroyed, tampered with
      Availability: failed, stolen, destroyed, unavailable

    Software
      Secrecy: stolen, copied, pirated
      Integrity: impaired by Trojan horse, modified, tampered with
      Availability: deleted, misplaced, usage expired

    Data
      Secrecy: disclosed, accessed by outsider, inferred
      Integrity: damaged (software error, hardware error, user error)
      Availability: deleted, misplaced, destroyed

    People
      Availability: quit, retired, terminated, on vacation

    Documentation
      Availability: lost, stolen, destroyed

    Supplies
      Availability: lost, stolen, damaged

  • Attributes Contributing to Vulnerabilities

    Design/Architecture
      Singularity: uniqueness, centrality, homogeneity
      Separability
      Logic/implementation errors, fallibility
      Design sensitivity, fragility, limits, finiteness
      Unrecoverability

    Behavioral
      Behavioral sensitivity/fragility
      Malevolence
      Rigidity
      Malleability
      Gullibility, deceivability, naivete
      Complacency
      Corruptibility, controllability

    General
      Accessible, detectable, identifiable, transparent, interceptable
      Hard to manage or control
      Self-unawareness and unpredictability
      Predictability

  • 3. Estimate Likelihood of Exploitation

    Determining how often each exposure is likely to be exploited.

    Ratings of Likelihood

    Frequency                          Rating
    More than once a day               10
    Once a day                          9
    Once every three days               8
    Once a week                         7
    Once in two weeks                   6
    Once a month                        5
    Once every four months              4
    Once a year                         3
    Once every three years              2
    Less than once in three years       1

  • 4. Compute Expected Loss

    Determine the likely loss if the exploitation does indeed occur.

    5. Survey and Select New Controls

    Analysis of the controls to see which ones address the risks we have

    identified.

    Match each vulnerability with at least one appropriate security

    technique.

  • Valuation of Security Technique

  • Interpretation of the numbers in the table (each cell rates one control against one vulnerability):

    +2 means that the control mitigates the vulnerability significantly and should be a prime candidate for addressing it.

    +1 means that the control mitigates the vulnerability somewhat, but not as well as one labeled +2, so it should be a secondary candidate for addressing it.

    0 means that the control has no effect on the vulnerability. (Note that an attribute that contributes to a vulnerability may also have beneficial side effects that enhance some aspect of security: homogeneity, for example, can facilitate both static and dynamic resource allocation, and it can also facilitate rapid recovery and reconstitution.)

    -1 means that the control worsens the vulnerability somewhat or incurs new vulnerabilities.

    -2 means that the control worsens the vulnerability significantly or incurs new vulnerabilities.

  • 6. Project Savings

    Determine whether the costs outweigh the benefits of preventing or mitigating the risks.

    Item                                                                    Amount
    Risks: disclosure of company confidential data, computation based on
      incorrect data
    Cost to reconstruct correct data: $1,000,000 @ 10% likelihood per year  $100,000
    Effectiveness of access control software: 60%                           -60,000
    Cost of access control software                                         +25,000
    Expected annual costs due to loss and controls
      (100,000 - 60,000 + 25,000)                                           $65,000
    Savings (100,000 - 65,000)                                              $35,000
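The arithmetic behind steps 3 to 6 (expected annual loss, control cost, projected savings and risk leverage) is easier to reuse as code than as a table. The following is an added example, not part of the original slides: the first risk and control reproduce the slide's figures ($1,000,000 reconstruction cost at 10% per year, 60%-effective access control software costing $25,000), while the second risk and the other two controls are constructed with assumed figures to show how several controls are ranked by leverage.

```python
"""Risk-analysis arithmetic for steps 3 to 6 (added example, not from the
original slides).  Figures for the second risk and the two extra controls
are assumed, chosen only to illustrate ranking by risk leverage."""
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class Risk:
    name: str
    loss_if_exploited: float   # dollars lost per occurrence (step 4 input)
    annual_likelihood: float   # expected occurrences per year; 0.10 == 10%/year

    def expected_annual_loss(self) -> float:
        """Step 4: annualised loss = single-occurrence loss x yearly likelihood."""
        return self.loss_if_exploited * self.annual_likelihood


@dataclass
class Control:
    name: str
    annual_cost: float
    # Step 5: fraction of each named risk's expected loss this control removes.
    # A risk missing from the dict is untouched by the control.
    effectiveness: Dict[str, float] = field(default_factory=dict)

    def exposure_after(self, risks: List[Risk]) -> float:
        """Residual expected annual loss once this control is in place."""
        return sum(r.expected_annual_loss() * (1.0 - self.effectiveness.get(r.name, 0.0))
                   for r in risks)


def exposure_before(risks: List[Risk]) -> float:
    """Total expected annual loss with no new control."""
    return sum(r.expected_annual_loss() for r in risks)


def project_savings(risks: List[Risk], control: Control) -> Dict[str, float]:
    """Step 6: expected annual cost with the control, the saving it yields, and
    risk leverage = (exposure before - exposure after) / cost of the control."""
    before = exposure_before(risks)
    after = control.exposure_after(risks)
    expected_cost = after + control.annual_cost      # residual loss plus control cost
    return {
        "before": before,
        "after": after,
        "expected_cost": expected_cost,
        "savings": before - expected_cost,
        "leverage": (before - after) / control.annual_cost,
    }


def rank_controls(risks: List[Risk], controls: List[Control],
                  min_leverage: float = 1.0) -> List[str]:
    """Names of the controls whose leverage clears min_leverage, best first.
    Leverage below 1 means the control costs more than the exposure it removes,
    so the slide's advice applies: look for a cheaper or more effective option."""
    scored = [(project_savings(risks, c)["leverage"], c.name) for c in controls]
    return [name for lev, name in sorted(scored, reverse=True) if lev >= min_leverage]


# The slide's own figures.
DISCLOSURE = Risk("disclosure of confidential data", 1_000_000, 0.10)
ACCESS_CONTROL = Control("access control software", 25_000,
                         {"disclosure of confidential data": 0.60})

# Constructed additions with assumed figures (not from the slides).
OUTAGE = Risk("prolonged outage", 250_000, 0.50)            # once every two years
OFFSITE_BACKUP = Control("offsite backup", 15_000, {"prolonged outage": 0.80})
TOKEN_ROLLOUT = Control("hardware token rollout", 90_000,
                        {"disclosure of confidential data": 0.70})


if __name__ == "__main__":
    slide = project_savings([DISCLOSURE], ACCESS_CONTROL)
    print(f"expected annual cost ${slide['expected_cost']:,.0f}, "
          f"savings ${slide['savings']:,.0f}, leverage {slide['leverage']:.2f}")
    print(rank_controls([DISCLOSURE, OUTAGE],
                        [ACCESS_CONTROL, OFFSITE_BACKUP, TOKEN_ROLLOUT]))
```

Run stand-alone, the slide case comes out as the table above: $65,000 expected annual cost, $35,000 saving, leverage 2.4. In the constructed case the hardware-token rollout removes more loss than the access control software but has leverage below 1, so `rank_controls` drops it, which is exactly the "not high enough" situation the risk-leverage slide describes.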

  • Advantages of Risk Analysis

    Improve awareness

    Relate security mission to management objectives

    Identify assets, vulnerabilities and controls

    Improve basis for decisions

    Justify expenditures for security

  • Disadvantages of Risk Analysis

    False sense of precision and confidence

    Hard to perform

    Immutability

    Lack of Accuracy

  • Organizational Security Policies

    Purpose

    recognizing sensitive information assets

    clarifying security responsibilities

    promoting awareness for existing employees

    Guiding new employees

    Audience Users, owners, beneficiaries

  • Contents

    A security policy must identify its audiences: the beneficiaries,

    users, and owners.

    The policy should describe the nature of each audience and their

    security goals.

    Several other sections are required, including the purpose of the

    computing system, the resources needing protection, and the

    nature of the protection to be supplied. We discuss each one in

    turn.

  • Goals

    1. Promote efficient business operation.

    2. Facilitate sharing of information throughout the organization.

    3. Safeguard business and personal information.

    4. Ensure that accurate information is available to support business

    processes.

    5. Ensure a safe and productive place to work.

    6. Comply with applicable laws and regulations.

    Protected resources - protected assets should be listed in the policy.

    Nature of Protection - indicate who should have access to the protected items. It may also indicate how that access will be ensured and how unauthorized people will be denied access.

  • Characteristics of Good Security Policy

    Coverage - It must either apply to or explicitly exclude all possible situations.

    Durability - grow and adapt well. If written in a flexible way, the existing policy will be applicable to new situations.

    Realism - must be realistic. It must be possible to implement the stated security requirements with existing technology.

    Usefulness - The policy must be written in language that can be

    read, understood, and followed by anyone who must implement it

    or is affected by it.

  • Physical Security

    Natural Disasters

    Flood

    Fire

    Power Loss

    Solutions: UPS, surge suppressors

    Human Vandals

    Unauthorized access and use, theft

    Interception of Sensitive Information - shredding

  • Overwriting Magnetic Data - degaussing

    Protecting Against Emanation - Tempest

    Contingency Planning

    Backup

    Offsite Backup

    Networked Storage

    Cold Site or shell - facility with power and cooling available, in which a

    computing system can be installed to begin immediate operation.

    Hot site - computer facility with an installed and ready-to-run computing system.

  • Legal And Ethical Issues In Computing

  • Protecting Programs and Data

    1) Copyrights

    Designed to protect the expression of ideas. Applies to a creative work, such as a story, photograph, song, or pencil sketch. The intention is to allow regular and free exchange of ideas. A copyright gives the author the exclusive right to make copies of the expression and sell them in public.

    Intellectual property; originality of work.

    Fair use of material: a copyrighted object is subject to fair use. A purchaser has the right to use the product in the manner for which it was intended and in a way that does not interfere with the author's rights.

    Requirements for registering a copyright: notice (any potential user must be made aware that the work is copyrighted) and official filing.

  • Copyright Infringement

    The holder of the copyright must go to court to prove that someone

    has infringed on the copyright.

    The infringement must be substantial, and it must be copying, not

    independent work.

    Copyrights for Digital Objects

  • 2) Patents

    Protect inventions, tangible objects, or ways to make them, not

    works of the mind.

    Designed to protect the device or process for carrying out an idea,

    not the idea itself.

    The distinction between patents and copyrights is that patents were intended to apply to the results of science, technology, and engineering, whereas copyrights were meant to cover works in the arts, literature, and written scholarship. A patent can protect a "new and useful process, machine, manufacture, or composition of matter."

  • Requirement of Novelty

    A patent can be valid only for something that is truly novel or unique, so

    there can be only one patent for a given invention.

    An object patented must also be nonobvious.

    Registering a Patent

    Patent Infringement

    A patent holder must oppose all infringement.

    Failing to sue over a patent infringement, even a small one or one the patent holder does not know about, can mean losing the patent rights entirely.

    Applicability of Patents to Computer Objects

  • 3) Trade Secrets

    The information has value only as a secret, and an infringer is one who divulges the secret. Once divulged, the information usually cannot be made secret again.

    Characteristics of Trade Secrets

    1. Must always be kept secret.

    2. If someone else happens to discover the secret independently,

    there is no infringement and trade secret rights are gone.

    Reverse Engineering - one studies a finished object to determine how it is manufactured or how it works.

    Trade secret protection works best when the secret is not apparent in the product.

  • Applicability to computer objects

    Trade secret protection allows distribution of the result of a secret

    (the executable program) while still keeping the program design

    hidden.

    Trade secret protection does not cover copying a product (specifically

    a computer program), so it cannot protect against a pirate who sells

    copies of someone else's program without permission.

    The difficulty with computer programs is that reverse engineering works.

    Difficulty of Enforcement - Trade secret protection is of no help when someone infers a program's design by studying its output or, worse yet, decoding the object code. Both of these are legitimate (that is, legal) activities, and both cause trade secret protection to disappear.

  • Comparing Copyright, Patent, and Trade Secret Protection

    Protects
      Copyright: expression of idea, not idea itself
      Patent: invention, the way something works
      Trade secret: a secret, competitive advantage

    Protected object made public
      Copyright: yes; intention is to promote publication
      Patent: design filed at Patent Office
      Trade secret: no

    Requirement to distribute
      Copyright: yes
      Patent: no
      Trade secret: no

    Ease of filing
      Copyright: very easy, do-it-yourself
      Patent: very complicated; specialist lawyer suggested
      Trade secret: no filing

    Duration
      Copyright: life of human originator plus 70 years, or total of 95 years for a company
      Patent: 20 years from the filing date (U.S. utility patent)
      Trade secret: indefinite

    Legal protection
      Copyright: sue if unauthorized copy sold
      Patent: sue if invention copied
      Trade secret: sue if secret improperly obtained

  • Protecting Hardware - Hardware can be patented.

    Protecting Firmware - Trade secret protection is appropriate for the code embedded in a chip.

    Protecting Object Code Software - Copyright protection is appropriate.

    Protecting Source Code Software - Copyright or trade secret protection.

    Protecting Documentation - A program and its documentation must be copyrighted separately.

    Protecting Web Content - The most appropriate protection is copyright.

    Protecting Domain Names and URLs - Domain names, URLs, company names, product names, and commercial symbols are protected by a trademark, which gives exclusive rights of use to the owner of such identifying marks.

  • Characteristics of Information

    Information as an object

    Information is not depletable

    Information can be Replicated

    Information has a Minimal Marginal Cost

    The Value of Information is often Time Dependent

    Information is often transferred Intangibly

    These characteristics of information affect its legal treatment.

  • Legal Issues Relating To Information

    Example 1- Information Commerce

    Information is unlike most other goods traded, even though it

    has value and is the basis of some forms of commerce.

    Example 2- Electronic Publishing

    Many newspapers and magazines post a version of their content

    on the Internet, as do wire services and television news

    organizations.

  • Example 3- Protecting Data in a Database

    Databases are a particular form of software that has posed significant problems for legal interpretation. How does one determine that a set of data came from a particular database (so that the database owner can claim some compensation)? Who even owns the data in a database if it is public data, such as names and addresses?

    Example 4- Electronic Commerce

    Suppose the information you order is not suitable for use, or never arrives, or arrives damaged, or arrives too late to use. How do you prove the conditions of the delivery? For catalog sales, you often have receipts or some paper form of acknowledgment of time, date, and location. But for digital sales, such verification may not exist or can be easily modified.

  • Protecting Information

    Criminal and Civil Law

    Criminal Law - Goal is to punish a criminal.

    Civil Law - Goal is restitution: to make the victim whole again by repairing the harm.

    Tort Law - A tort is harm not occurring from violation of a statute or from breach of a contract but instead from being counter to the accumulated body of precedents.

    Contract Law

  • Differences between Law and Ethics

    Law                                                   Ethics
    Described by formal, written documents                Described by unwritten principles
    Interpreted by courts                                 Interpreted by each individual
    Established by legislatures representing all people   Presented by philosophers, religions, professional groups
    Applicable to everyone                                Personal choice
    Priority determined by courts if two laws conflict    Priority determined by an individual if two principles conflict
    Court is final arbiter of "right"                     No external arbiter
    Enforceable by police and courts                      Limited enforcement

  • Characteristics of Ethics

    Ethics and Religion

    Two people with different religious backgrounds may develop the

    same ethical philosophy, while two exponents of the same religion

    might reach opposite ethical conclusions in a particular situation.

    We can analyze a situation from an ethical perspective and reach ethical conclusions without appealing to any particular religion or religious framework.

    Ethical Principles are not universal

    Ethics does not provide answers

  • Ethical Reasoning Principles

    Consequence-Based - focuses on the consequences of an action.

    Rule-Based