Chapter 12

Information Security Maintenance. Module 12 – Chapter 12. Based on the Fourth Edition of M. E. Whitman, H. J. Mattord: Principles of Information Security. School of Business, Department of Information Technology

Transcript of Chapter 12

Page 1: Chapter 12

Information Security Maintenance

Module 12 – Chapter 12

Based on the Fourth Edition of M. E. Whitman, H. J. Mattord: Principles of Information Security

School of Business, Department of Information Technology

Page 2: Chapter 12

Introduction Security Management Models The Security Maintenance Model Digital Forensics

The only thing we can predict with certainty is change.

Jayne Spain, Department of Children and Family Learning, State of Minnesota

Module 12 – Chapter 12 Information Security Maintenance 2

Page 3: Chapter 12

Learning Objectives

Discuss the need for ongoing maintenance of the information security program

List the recommended security management models, and define a model for a full maintenance program

Identify the key factors involved in monitoring the external and internal environment, and describe how planning fits into information security maintenance

Define digital forensics, and describe the management of the digital forensics function

Describe the process of acquiring, analyzing, and maintaining potential evidentiary material

Page 4: Chapter 12


Outline

1 Introduction

2 Security Management Models

3 The Security Maintenance Model

4 Digital Forensics


Page 5: Chapter 12

Introduction

Organizations should avoid overconfidence after improving their information security profile

Organizational changes that may occur include:

Acquisition of new assets; emergence of new vulnerabilities; shifts in business priorities; partnerships forming or dissolving; organizational divestiture and acquisition; employee hiring and turnover

If the program does not adjust, it may be necessary to begin the cycle again

It is more expensive to re-engineer the information security profile again and again

Page 6: Chapter 12

Security Management Models

A management model must be adopted to manage and operate the ongoing security program

Models are frameworks that structure the tasks of managing a particular set of activities or business functions

Page 7: Chapter 12

NIST SP 800-100 IS Handbook: A Guide for Managers

Provides managerial guidance for establishing and implementing an information security program

Thirteen areas of information security management

Provides specific monitoring activities for each task

Tasks should be done on an ongoing basis

Not all issues are negative

Page 8: Chapter 12

NIST SP 800-100 IS Handbook: A Guide for Managers

1. Information security governance

Agencies should monitor the status of their programs to ensure that:

Ongoing information security activities provide support to the agency mission

Current policies and procedures are technology-aligned

Controls are accomplishing the intended purpose

2. System development life cycle:

The overall process of developing, implementing, and retiring information systems through a multi-step process

Page 9: Chapter 12

NIST SP 800-100 IS Handbook: A Guide for Managers

3. Awareness and training

A tracking system should capture key information on program activities

Tracking compliance involves assessing the status of the program

The program must continue to evolve

4. Capital planning and investment control

Designed to facilitate and control the expenditure of agency funds

Select-control-evaluate investment life cycle

Page 10: Chapter 12


NIST SP 800-100 IS Handbook: A Guide for Managers

Figure 12-1 Select-Control-Evaluate Investment Life Cycle


Page 11: Chapter 12

NIST SP 800-100 IS Handbook: A Guide for Managers

5. Interconnecting systems

System interconnection: the direct connection of two or more information systems for sharing data and other information resources

Can expose the participating organizations to risk

When properly managed, the added benefits include greater efficiency, centralized access to data, and greater functionality

6. Performance measures

Metrics: tools that support decision making

Six-phase iterative process

Page 12: Chapter 12


NIST SP 800-100 IS Handbook: A Guide for Managers

Figure 12-3 Information Security Metrics Development Process


Page 13: Chapter 12

NIST SP 800-100 IS Handbook: A Guide for Managers

7. Security planning:

One of the most crucial ongoing responsibilities in security management

8. Information technology contingency planning:

Consists of a process for recovery and documentation of procedures

9. Risk management

Ongoing effort

Tasks include performing risk identification, analysis, and management

Page 14: Chapter 12


NIST SP 800-100 IS Handbook: A Guide for Managers

Figure 12-4 Information Security Metrics Program Implementation Process


Page 15: Chapter 12


NIST SP 800-100 IS Handbook: A Guide for Managers

Figure 12-5 The NIST Seven-Step Contingency Planning Process


Page 16: Chapter 12


NIST SP 800-100 IS Handbook: A Guide for Managers

Figure 12-6 Risk Management in the System Security Life Cycle


Page 17: Chapter 12

NIST SP 800-100 IS Handbook: A Guide for Managers

10. Certification, accreditation, and security assessments

An essential component in any security program

The status of security controls is checked regularly

Auditing: the process of reviewing the use of a system for misuse or malfeasance

11. Security services and products acquisition

12. Incident response: incident response life cycle

13. Configuration (or change) management: manages the effects of changes in configurations

Page 18: Chapter 12


NIST SP 800-100 IS Handbook: A Guide for Managers

Figure 12-7 The Information Security Services Life Cycle


Page 19: Chapter 12


NIST SP 800-100 IS Handbook: A Guide for Managers

Figure 12-8 The Incident Response Life Cycle


Page 20: Chapter 12

Quick Quiz

1 True or False: If an organization deals successfully with change and has created procedures and systems that can be adjusted to the environment, the existing security improvement program can continue to work well. Answer: True

2 An effective information security governance program requires ______ review. Answer: constant

3 A(n) ______ is defined as the direct connection of two or more information systems for sharing data and other information resources. Answer: system interconnection


Page 26: Chapter 12

Quick Quiz

4 ______ planning consists of a process for recovery and documentation of procedures for conducting recovery. Answer: Contingency

5 True or False: Information security technical controls are not affected by the same factors as most computer-based technologies. Answer: False

6 True or False: The first clue that an attack is underway often comes from reports by observant users. Answer: True

7 Repairing known vulnerabilities in any of the network or system environments is known as ______. Answer: patching


Page 34: Chapter 12

The Maintenance Model

Designed to focus organizational effort on maintaining systems

Recommended maintenance model based on five subject areas:

1 External monitoring

2 Internal monitoring

3 Planning and risk assessment

4 Vulnerability assessment and remediation

5 Readiness and review

Page 35: Chapter 12

The Security Maintenance Model (cont.)

Figure 12-10 The Maintenance Model

Page 36: Chapter 12

Monitoring the External Environment

Objective: to provide the early awareness of new threats, threat agents, vulnerabilities, and attacks that is needed to mount an effective defense

Entails collecting intelligence from data sources and giving that intelligence context and meaning for use by organizational decision makers

Page 37: Chapter 12

Monitoring the External Environment (cont.)

Figure 12-11 External Monitoring

Page 38: Chapter 12

Monitoring the External Environment (cont.)

Data Sources

Acquiring threat and vulnerability data is not difficult

Turning data into information decision makers can use is the challenge

External intelligence comes from three classes of sources:

1 vendors

2 computer emergency response teams (CERTs)

3 public network sources

Regardless of where or how external monitoring data is collected, it must be analyzed in the context of the organization's security environment to be useful

Page 39: Chapter 12

Monitoring the External Environment (cont.)

Monitoring, Escalation, and Incident Response

The function of the external monitoring process is to monitor activity, report results, and escalate warnings

The monitoring process has three primary deliverables:

1 Specific warning bulletins issued when developing threats and specific attacks pose a measurable risk to the organization

2 Periodic summaries of external information

3 Detailed intelligence on the highest-risk warnings

Page 40: Chapter 12

Monitoring the External Environment (cont.)

Data Collection and Management

Over time, external monitoring processes should capture knowledge about the external environment in appropriate formats

External monitoring collects raw intelligence, filters it for relevance, assigns a relative risk impact, and communicates it to decision makers in time to make a difference
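The pipeline the last two slides describe (collect raw intelligence from vendors, CERTs and public sources; filter it for relevance against the organization's own inventory; assign a relative risk impact; produce the three deliverables of warning bulletins, a periodic summary and detailed intelligence on the highest-risk item), as an added Python example that is not part of the textbook or these slides. The advisories, asset inventory, product names, scoring weights and bulletin threshold are all constructed for illustration; an organization would substitute its own feeds and its own risk scheme.

```python
"""Added example (not from the textbook): a minimal external-monitoring
pipeline. Raw advisories from the three source classes (vendors, CERTs,
public network sources) are filtered against an asset inventory, scored,
and turned into the three deliverables the slides name: specific warning
bulletins, a periodic summary, and detailed intelligence on the highest-
risk item. All advisories, assets, and scoring weights are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Advisory:
    source: str                 # "vendor", "cert", or "public"
    advisory_id: str
    product: str
    affected_versions: frozenset
    severity: int               # 1 (low) .. 10 (critical), as published by the source
    exploited_in_wild: bool = False


@dataclass(frozen=True)
class Asset:
    name: str
    product: str
    version: str
    internet_facing: bool
    criticality: int            # 1 (low) .. 5 (mission critical), from the inventory


# Constructed sample data; product names and advisory IDs are illustrative only.
ADVISORIES = [
    Advisory("vendor", "ADV-0001", "webfront", frozenset({"2.1", "2.2"}), 9, True),
    Advisory("cert", "ADV-0002", "mailrelay", frozenset({"5.0"}), 6),
    Advisory("public", "ADV-0003", "legacy-erp", frozenset({"1.0"}), 8),
    Advisory("public", "ADV-0004", "kiosk-os", frozenset({"7"}), 10),  # not in inventory
]
INVENTORY = [
    Asset("www-1", "webfront", "2.2", True, 5),
    Asset("www-2", "webfront", "2.0", True, 5),        # unaffected version
    Asset("smtp-1", "mailrelay", "5.0", True, 3),
    Asset("erp-1", "legacy-erp", "1.0", False, 4),
]


def relevant_assets(adv, inventory):
    """Filter for relevance: keep only assets running an affected version."""
    return [a for a in inventory
            if a.product == adv.product and a.version in adv.affected_versions]


def risk_impact(adv, assets):
    """Assign a relative risk impact in the organization's own context.
    Constructed scheme: source severity scaled by the most critical exposed
    asset, plus a bonus for Internet exposure and for active exploitation."""
    if not assets:
        return 0
    worst = max(assets, key=lambda a: (a.criticality, a.internet_facing))
    score = adv.severity * worst.criticality
    if worst.internet_facing:
        score += 10
    if adv.exploited_in_wild:
        score += 15
    return score


def external_monitoring(advisories, inventory, bulletin_threshold=30):
    """Return the three deliverables: warning bulletins, a periodic summary,
    and detailed intelligence on the single highest-risk item."""
    scored = []
    for adv in advisories:
        assets = relevant_assets(adv, inventory)
        score = risk_impact(adv, assets)
        if score:                      # irrelevant advisories are dropped here
            scored.append((score, adv, assets))
    scored.sort(key=lambda t: t[0], reverse=True)
    bulletins = [
        {"id": adv.advisory_id, "risk": score, "affected": [a.name for a in assets]}
        for score, adv, assets in scored if score >= bulletin_threshold
    ]
    summary = {
        "received": len(advisories),
        "relevant": len(scored),
        "bulletins": len(bulletins),
        "by_source": {s: sum(1 for a in advisories if a.source == s)
                      for s in ("vendor", "cert", "public")},
    }
    top = scored[0] if scored else None
    detail = None if top is None else {
        "id": top[1].advisory_id, "risk": top[0], "source": top[1].source,
        "exploited_in_wild": top[1].exploited_in_wild,
        "affected": [a.name for a in top[2]],
    }
    return bulletins, summary, detail


if __name__ == "__main__":
    for item in external_monitoring(ADVISORIES, INVENTORY):
        print(item)
```

Note that ADV-0004 has the highest published severity yet never reaches a decision maker, because nothing in the inventory runs the product; that is the "filter for relevance" step doing its job, and it only works if the inventory from the internal-monitoring domain is complete and current.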

Page 41: Chapter 12

Monitoring the External Environment (cont.)

Figure 12-12 Data Flow Diagrams for External Data Collection

Page 42: Chapter 12

Monitoring the Internal Environment

Maintain an informed awareness of the state of the organization's networks, systems, and security defenses

Internal monitoring is accomplished by:

Doing an inventory of network devices and channels, IT infrastructure and applications, and information security infrastructure elements

Leading the IT governance process

Real-time monitoring of IT activity

Monitoring the internal state of the organization's networks and systems

Page 43: Chapter 12


Monitoring the Internal Environment (cont.)

Figure 12-13 Internal Monitoring


Page 44: Chapter 12

Monitoring the Internal Environment (cont.)

Network Characterization and Inventory

Organizations should have a carefully planned and fully populated inventory of network devices, communication channels, and computing devices

Once characteristics are identified, they must be carefully organized and stored using a mechanism (manual or automated) that allows timely retrieval and rapid integration of disparate facts

Page 45: Chapter 12

Monitoring the Internal Environment (cont.)

Making Intrusion Detection and Prevention Systems Work

The most important value of the raw intelligence provided by intrusion detection systems (IDS) is providing indicators of current or imminent vulnerabilities

Log files from IDS engines can be mined for information

Another IDS monitoring element is traffic analysis

Analyzing attack signatures for unsuccessful system attacks can identify weaknesses in various security efforts
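An added example (not from the textbook) of the IDS log mining this slide describes: parse alert lines, aggregate blocked attempts per target and signature, compare what attackers could actually reach against the exposure the firewall policy intends, and surface anything the sensor saw but did not block. The alert lines, their pipe-delimited format and the intended-exposure set are constructed; real IDS products log in their own formats, so the parser is the part to swap out.

```python
"""Added example (not from the textbook): mining IDS alert logs for
maintenance intelligence. The log lines are constructed in a simple
pipe-delimited format, not the output of any real IDS product."""
from collections import Counter

# Constructed alert lines: timestamp|signature|src_ip|dst_ip|dst_port|action
# "blocked" means the IPS dropped the attempt, i.e. an unsuccessful attack.
ALERTS = """\
2024-03-01T02:10:05|SQLI attempt in URI|198.51.100.7|10.0.1.20|443|blocked
2024-03-01T02:10:09|SQLI attempt in URI|198.51.100.7|10.0.1.20|443|blocked
2024-03-01T02:11:40|SSH brute force|203.0.113.9|10.0.1.20|22|blocked
2024-03-01T02:12:01|SSH brute force|203.0.113.9|10.0.1.20|22|blocked
2024-03-01T02:12:33|SSH brute force|203.0.113.9|10.0.1.20|22|blocked
2024-03-01T03:01:17|SMB probe|203.0.113.9|10.0.1.30|445|blocked
2024-03-01T03:05:55|Directory traversal|198.51.100.7|10.0.1.20|443|allowed
malformed line without enough fields
"""

# Services the firewall policy says are reachable from outside (constructed).
# Anything else that shows up at the perimeter sensor is a policy gap.
INTENDED_EXPOSURE = {("10.0.1.20", 443)}


def parse_alerts(text):
    """Parse alert lines, skipping anything without exactly six fields or a
    non-numeric port, so one corrupt line cannot abort the whole analysis."""
    events = []
    for line in text.splitlines():
        parts = line.split("|")
        if len(parts) != 6:
            continue
        ts, sig, src, dst, port, action = parts
        try:
            port = int(port)
        except ValueError:
            continue
        events.append({"ts": ts, "sig": sig, "src": src, "dst": dst,
                       "port": port, "action": action})
    return events


def analyze(events, intended_exposure, sustained_threshold=3):
    """Turn raw alerts into indicators a maintenance team can act on."""
    blocked = [e for e in events if e["action"] == "blocked"]
    # 1. Even unsuccessful attacks reveal which services the outside world can
    #    reach; anything outside the intended exposure is a firewall weakness.
    reachable = {(e["dst"], e["port"]) for e in events}
    exposure_gaps = sorted(reachable - intended_exposure)
    # 2. One signature recurring against one target: the control held this
    #    time, but the target is under sustained attention.
    per_target_sig = Counter((e["dst"], e["sig"]) for e in blocked)
    sustained = sorted(k for k, n in per_target_sig.items() if n >= sustained_threshold)
    # 3. Traffic analysis: which sources generate the most alerts.
    top_sources = Counter(e["src"] for e in events).most_common(2)
    # 4. Anything the sensor saw but did not block needs an analyst's eyes now.
    allowed_attacks = [(e["ts"], e["sig"], e["dst"])
                       for e in events if e["action"] == "allowed"]
    return {
        "exposure_gaps": exposure_gaps,
        "sustained_attacks": sustained,
        "top_sources": top_sources,
        "allowed_attacks": allowed_attacks,
    }


if __name__ == "__main__":
    report = analyze(parse_alerts(ALERTS), INTENDED_EXPOSURE)
    for key, value in report.items():
        print(f"{key}: {value}")
```

On the constructed data the blocked SSH and SMB attempts are the interesting finding, not the blocked SQL injection: ports 22 and 445 should not have been reachable from the Internet at all, so the IPS caught what the firewall should have prevented. That is the "weakness in various security efforts" the slide refers to.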

Page 46: Chapter 12

Monitoring the Internal Environment (cont.)

Detecting Differences

Difference analysis: a procedure that compares the current state of a network segment against a known previous state of the same segment

Differences between the current state and the baseline state that are unexpected could be a sign of trouble and need investigation
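Difference analysis as an added Python example (not from the textbook): two snapshots of one segment, a diff that classifies every change, and a filter that removes changes the change-control process already approved, so that only unexpected differences are left for investigation. The snapshots, the {host: {port: service}} shape and the approved-change record are constructed; they do not follow any particular scanner's output format.

```python
"""Added example (not from the textbook): difference analysis of a network
segment. Two snapshots (baseline and current) and the change-management
record are constructed; the {host: {port: service}} shape is an assumption,
not the format of any particular scanner."""

# Constructed baseline of segment 10.0.2.0/24, taken when it was last reviewed.
BASELINE = {
    "10.0.2.10": {22: "openssh 9.3", 443: "nginx 1.24"},
    "10.0.2.11": {22: "openssh 9.3", 5432: "postgresql 15"},
    "10.0.2.12": {22: "openssh 9.3"},
}
# Constructed current scan of the same segment.
CURRENT = {
    "10.0.2.10": {22: "openssh 9.3", 443: "nginx 1.24", 8080: "tomcat 9.0"},
    "10.0.2.11": {22: "openssh 9.3", 5432: "postgresql 16"},
    "10.0.2.13": {22: "openssh 9.3", 3389: "ms-wbt-server"},
}
# Changes the change-control process approved since the baseline was taken.
# A decommissioned host is recorded as (host, None, None); a port or service
# change as the exact (host, port, service) triple that should now be seen.
APPROVED = {
    ("10.0.2.11", 5432, "postgresql 16"),   # planned database upgrade
    ("10.0.2.12", None, None),              # host decommissioned
}


def diff_segment(baseline, current):
    """Return every difference between the two snapshots as
    (kind, host, port, detail) tuples, where kind is one of new_host,
    missing_host, new_port, closed_port, changed_service."""
    findings = []
    for host in sorted(set(baseline) | set(current)):
        if host not in baseline:
            for port, svc in sorted(current[host].items()):
                findings.append(("new_host", host, port, svc))
            continue
        if host not in current:
            findings.append(("missing_host", host, None, None))
            continue
        old, new = baseline[host], current[host]
        for port in sorted(set(old) | set(new)):
            if port not in old:
                findings.append(("new_port", host, port, new[port]))
            elif port not in new:
                findings.append(("closed_port", host, port, old[port]))
            elif old[port] != new[port]:
                findings.append(("changed_service", host, port, new[port]))
    return findings


def unexpected(findings, approved):
    """Drop differences the change-control record accounts for; what remains
    is the set of unexpected changes that need investigation."""
    return [f for f in findings if (f[1], f[2], f[3]) not in approved]


if __name__ == "__main__":
    for kind, host, port, detail in unexpected(diff_segment(BASELINE, CURRENT), APPROVED):
        print(f"{kind:16} {host:12} {port or '-':>5} {detail or ''}")
```

The approved-change filter is what keeps this useful over time: without it every planned upgrade shows up as an alarm, and the team learns to ignore the report. With it, the constructed run flags exactly three items, an unplanned Tomcat listener on an existing host and an entirely unknown host exposing SSH and RDP, which is the kind of difference that warrants a look.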

Page 47: Chapter 12

Planning and Risk Assessment

Primary objective is to keep a lookout over the entire information security program

Accomplished by identifying and planning ongoing information security activities that further reduce risk

Primary objectives:

Establishing a formal information security program review

Instituting formal project identification, selection, planning, and management processes

Coordinating with IT project teams to introduce risk assessment and review for all IT projects

Integrating a mindset of risk assessment across the organization

Page 48: Chapter 12

Planning and Risk Assessment (cont.)

Figure 12-14 Planning and Risk Assessment

Page 49: Chapter 12

Planning and Risk Assessment (cont.)

Information Security Program Planning and Review

Periodic review of the ongoing IS program, coupled with planning for enhancements and extensions, is recommended

Should examine the IT needs of the future organization and the impact those needs have on information security

The recommended approach takes advantage of the fact that most organizations have annual capital budget planning cycles and manage security projects as part of that process

Page 50: Chapter 12

Planning and Risk Assessment (cont.)

Large projects should be broken into smaller projects for several reasons:

Smaller projects tend to have more manageable impacts on networks and users

Larger projects tend to complicate the change control process in the implementation phase

Shorter planning, development, and implementation schedules reduce uncertainty

Most large projects can easily be broken down into smaller projects, giving more opportunities to change direction and gain flexibility

Page 51: Chapter 12

Planning and Risk Assessment (cont.)

Security Risk Assessments

A key component for driving security program change is the information security operational risk assessment (RA)

An RA identifies and documents the risk that a project, process, or action introduces to the organization and offers suggestions for controls

The information security group coordinates preparation of many types of RA documents

Page 52: Chapter 12

Quick Quiz

1 The objective of the ______ is to provide the early awareness of new and emerging threats, threat agents, vulnerabilities, and attacks that is needed to mount an effective and timely defense. Answer: external monitoring domain

2 The primary goal of the ______ is to maintain an informed awareness of the state of all of the organization's networks, information systems, and information security defenses. Answer: internal monitoring domain

3 The primary objective of the ______ is to keep a lookout over the entire information security program. Answer: planning and risk assessment domain


Page 58: Chapter 12

Vulnerability Assessment and Remediation

Primary goal: identification of specific, documented vulnerabilities and their timely remediation

Accomplished by:

Using vulnerability assessment procedures

Documenting background information and providing tested remediation procedures for vulnerabilities

Tracking vulnerabilities from when they are identified

Communicating vulnerability information to owners of vulnerable systems

Reporting on the status of vulnerabilities

Ensuring the proper level of management is involved
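The tracking half of the list above (tracking each vulnerability from identification, tying it to an owner and a tested remediation procedure, reporting status, and involving the right level of management when remediation slips) as an added Python example that is not from the textbook. The SLA days per severity, the escalation ladder, the owner and asset names and the sample findings are all constructed; an organization would substitute the values from its own vulnerability management policy.

```python
"""Added example (not from the textbook): a vulnerability tracking record
that follows each finding from identification to closure and decides who
needs to hear about it. SLAs, escalation rules, and the sample findings are
constructed; they are not the textbook's or any standard's figures."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Constructed remediation SLAs (days from identification) by severity.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}


@dataclass
class Vulnerability:
    vid: str
    asset: str
    owner: str                  # owner of the vulnerable system
    severity: str               # key into SLA_DAYS
    identified: date
    remediation: str            # tested remediation procedure to apply
    remediated: Optional[date] = None

    def due(self):
        """Remediation deadline implied by the severity SLA."""
        return self.identified + timedelta(days=SLA_DAYS[self.severity])

    def status(self, today):
        if self.remediated is not None:
            return "closed"
        return "overdue" if today > self.due() else "open"

    def escalation(self, today):
        """Who must be involved, from the system owner up through management,
        based on how far past the SLA the finding is (constructed ladder)."""
        if self.status(today) != "overdue":
            return "owner"
        late = (today - self.due()).days
        if late > 30:
            return "ciso"
        if late > 7:
            return "it_manager"
        return "owner+security_team"


def status_report(vulns, today):
    """Summarize status per owner and list every finding needing escalation
    beyond its owner, as (id, asset, severity, level) tuples."""
    by_owner = {}
    escalations = []
    for v in vulns:
        counts = by_owner.setdefault(v.owner, {"open": 0, "overdue": 0, "closed": 0})
        counts[v.status(today)] += 1
        level = v.escalation(today)
        if level != "owner":
            escalations.append((v.vid, v.asset, v.severity, level))
    return by_owner, escalations


# Constructed sample findings and reporting date.
TODAY = date(2024, 4, 1)
FINDINGS = [
    Vulnerability("V-101", "www-1", "web-team", "critical", date(2024, 3, 1),
                  "apply vendor patch 2.2.1; restart service"),
    Vulnerability("V-102", "smtp-1", "infra-team", "high", date(2024, 3, 20),
                  "disable legacy auth in relay config"),
    Vulnerability("V-103", "erp-1", "erp-team", "medium", date(2023, 12, 1),
                  "upgrade to 1.1 after UAT"),
    Vulnerability("V-104", "www-2", "web-team", "high", date(2024, 2, 1),
                  "apply vendor patch 2.0.7", remediated=date(2024, 2, 10)),
]

if __name__ == "__main__":
    owners, escalations = status_report(FINDINGS, TODAY)
    for owner, counts in owners.items():
        print(owner, counts)
    for row in escalations:
        print(*row)
```

The escalation ladder is keyed on time past the deadline rather than on severity alone, so a medium finding that has been ignored for months (V-103 in the constructed data) reaches the CISO before a critical finding that is three weeks late; that is a deliberate choice to make the "proper level of management" depend on how long remediation has stalled, and it is the kind of rule an organization should set explicitly in policy.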

Page 59: Chapter 12


Vulnerability Assessment and Remediation (cont.)

Figure 12-15 Vulnerability Assessment and Remediation


Page 60: Chapter 12

Vulnerability Assessment and Remediation (cont.)

Vulnerability assessment: the process of identifying and documenting specific and provable flaws in the organization’s information asset environment

The five vulnerability assessment processes that follow can serve many organizations as they attempt to balance the intrusiveness of vulnerability assessment with the need for a stable and productive production environment

Page 61: Chapter 12

Vulnerability Assessment and Remediation (cont.)

Penetration Testing:

A level beyond vulnerability testing

Is a set of security tests and evaluations that simulate attacks by a malicious external source (hacker)

Penetration test (pen test): usually performed periodically as part of a full security audit

Can be conducted one of two ways: black box or white box

Page 62: Chapter 12

Vulnerability Assessment and Remediation (cont.)

Internet Vulnerability Assessment

Designed to find and document vulnerabilities present in organization’s public-facing network

Steps in the process include:

Planning, scheduling, and notification

Target selection

Test selection

Scanning

Analysis

Record keeping

Page 63: Chapter 12

Vulnerability Assessment and Remediation (cont.)

Intranet Vulnerability Assessment

Designed to find and document selected vulnerabilities present on the internal network

Attackers are often internal members of organization, affiliates of business partners, or automated attack vectors (such as viruses and worms)

This assessment is usually performed against selected critical internal devices with a known, high value by using selective penetration testing

Steps in process almost identical to steps in Internet vulnerability assessment

Page 64: Chapter 12

Vulnerability Assessment and Remediation (cont.)

Platform Security Validation

Designed to find and document vulnerabilities that may be present because of misconfigured systems in use within organization

These misconfigured systems fail to comply with company policy or standards

Fortunately, automated measurement systems are available to help with the intensive process of validating compliance of platform configuration with policy

Page 65: Chapter 12

Vulnerability Assessment and Remediation (cont.)

Wireless Vulnerability Assessment

Designed to find and document vulnerabilities that may be present in wireless local area networks of organization

Since attackers from this direction are likely to take advantage of any loophole or flaw, assessment is usually performed against all publicly accessible areas using every possible wireless penetration testing approach

Page 66: Chapter 12

Vulnerability Assessment and Remediation (cont.)

Modem Vulnerability Assessment

Designed to find and document any vulnerability present on dial-up modems connected to organization’s networks

Since attackers from this direction take advantage of any loophole or flaw, assessment is usually performed against all telephone numbers owned by the organization

One element of this process, often called war dialing, uses scripted dialing attacks against pool of phone numbers

Page 67: Chapter 12

Vulnerability Assessment and Remediation (cont.)

Documenting Vulnerability

Vulnerability tracking database should provide details as well as a link to the information assets

Low cost and ease of use make relational databases a realistic choice

Vulnerability database is an essential part of effective remediation

Page 68: Chapter 12

Vulnerability Assessment and Remediation (cont.)

Remediating Vulnerability

Objective is to repair flaw causing a vulnerability instance or remove risk associated with vulnerability

As last resort, informed decision makers with proper authority can accept risk

Important to recognize that building relationships with those who control information assets is key to success

Success depends on organization adopting team approach to remediation, in place of cross-organizational push and pull

Page 69: Chapter 12

Vulnerability Assessment and Remediation (cont.)

Acceptance or Transference of Risk

In some instances, risk must simply be acknowledged as part of organization’s business process

Management must be assured that decisions to assume risk on behalf of the organization are made by properly informed decision makers

Information security must make sure the right people make risk assumption decisions with complete knowledge of the impact of the decision

Page 70: Chapter 12

Vulnerability Assessment and Remediation (cont.)

Threat Removal

In some circumstances, threats can be removed without repairing vulnerability

Vulnerability can no longer be exploited, and risk has been removed

Other vulnerabilities may be amenable to other controls that do not require an expensive repair and still remove risk from situation

Page 71: Chapter 12

Vulnerability Assessment and Remediation (cont.)

Vulnerability Repair

Optimum solution in most cases is to repair vulnerability

Applying patch software or implementing a workaround often accomplishes this

In some cases, simply disabling the service removes vulnerability; in other cases, simple remedies are possible

Most common repair is application of a software patch
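
The tracking database from the Documenting Vulnerability slide, together with the remediation outcomes of the slides that follow it (repair, threat removal, acceptance or transference of risk), as one added example that is not code from the slides or the textbook. It uses SQLite, the kind of low-cost relational database the slides recommend: vulnerabilities link to the information asset and its owner, every status change is kept in a history table, a closed vocabulary of outcomes enforces the workflow, risk acceptance is refused unless a named approver is recorded, and the status report lists unresolved items past their due date with the owner who must be notified. Asset names, titles, dates, the SLA periods and the status names are constructed for illustration.

```python
"""Vulnerability tracking database linked to information assets.

Added example, not from the slides or the textbook: a SQLite schema and workflow
for the tracking database the slides call for. Asset names, vulnerability
titles, dates, SLA periods and the status vocabulary are constructed; the
closing outcomes mirror the slides (repair, threat removal, acceptance or
transference of risk).
"""
import sqlite3
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

SCHEMA = """
CREATE TABLE asset (
    id INTEGER PRIMARY KEY, name TEXT NOT NULL UNIQUE, owner TEXT NOT NULL);
CREATE TABLE vulnerability (
    id INTEGER PRIMARY KEY,
    asset_id INTEGER NOT NULL REFERENCES asset(id),  -- the link to the information asset
    title TEXT NOT NULL,
    severity TEXT NOT NULL CHECK (severity IN ('low', 'medium', 'high', 'critical')),
    identified_on TEXT NOT NULL, due_on TEXT NOT NULL,
    status TEXT NOT NULL DEFAULT 'open');
CREATE TABLE status_history (
    id INTEGER PRIMARY KEY,
    vuln_id INTEGER NOT NULL REFERENCES vulnerability(id),
    status TEXT NOT NULL, changed_on TEXT NOT NULL, changed_by TEXT NOT NULL, note TEXT);
"""

CLOSED = ("repaired", "threat_removed", "risk_accepted", "risk_transferred")
TRANSITIONS = {  # constructed workflow: which status may follow which
    "open": {"in_remediation", "threat_removed", "risk_accepted", "risk_transferred"},
    "in_remediation": {"repaired", "threat_removed", "risk_accepted", "risk_transferred"},
}
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}  # constructed remediation deadlines


def can_transition(current: str, new: str) -> bool:
    return new in TRANSITIONS.get(current, set())


def open_db() -> sqlite3.Connection:
    con = sqlite3.connect(":memory:")
    con.execute("PRAGMA foreign_keys = ON")
    con.executescript(SCHEMA)
    return con


def add_asset(con: sqlite3.Connection, name: str, owner: str) -> int:
    return con.execute("INSERT INTO asset(name, owner) VALUES (?, ?)", (name, owner)).lastrowid


def record_vulnerability(con: sqlite3.Connection, asset_id: int, title: str, severity: str,
                         identified_on: date, reporter: str) -> int:
    """Track from the moment of identification, with a due date set by severity."""
    due = identified_on + timedelta(days=SLA_DAYS[severity])
    vid = con.execute(
        "INSERT INTO vulnerability(asset_id, title, severity, identified_on, due_on) VALUES (?, ?, ?, ?, ?)",
        (asset_id, title, severity, identified_on.isoformat(), due.isoformat())).lastrowid
    con.execute("INSERT INTO status_history(vuln_id, status, changed_on, changed_by) VALUES (?, ?, ?, ?)",
                (vid, "open", identified_on.isoformat(), reporter))
    return vid


def update_status(con: sqlite3.Connection, vuln_id: int, new_status: str, on: date, by: str,
                  note: Optional[str] = None, approver: Optional[str] = None) -> None:
    (current,) = con.execute("SELECT status FROM vulnerability WHERE id = ?", (vuln_id,)).fetchone()
    if not can_transition(current, new_status):
        raise ValueError(f"vulnerability {vuln_id}: cannot move from {current} to {new_status}")
    if new_status == "risk_accepted" and not approver:
        # Acceptance is a last resort and must be an informed decision by someone with authority.
        raise ValueError("risk acceptance requires a named, authorised approver")
    if approver:
        note = f"approved by {approver}: {note}"
    con.execute("UPDATE vulnerability SET status = ? WHERE id = ?", (new_status, vuln_id))
    con.execute("INSERT INTO status_history(vuln_id, status, changed_on, changed_by, note) VALUES (?, ?, ?, ?, ?)",
                (vuln_id, new_status, on.isoformat(), by, note))


def status_report(con: sqlite3.Connection, today: date) -> Tuple[Dict[str, int], List[tuple]]:
    """Counts per status, plus unresolved items past their due date with the owner to notify."""
    counts = dict(con.execute("SELECT status, COUNT(*) FROM vulnerability GROUP BY status").fetchall())
    placeholders = ",".join("?" * len(CLOSED))
    overdue = con.execute(
        "SELECT v.id, a.name, a.owner, v.severity, v.due_on FROM vulnerability v "
        f"JOIN asset a ON a.id = v.asset_id WHERE v.status NOT IN ({placeholders}) AND v.due_on < ? "
        "ORDER BY v.due_on", (*CLOSED, today.isoformat())).fetchall()
    return counts, overdue


def demo() -> Tuple[Dict[str, int], List[tuple]]:
    """Constructed walk-through; returns the report as of 2024-03-01."""
    con = open_db()
    web = add_asset(con, "web-01 (constructed)", "web-team")
    db = add_asset(con, "db-01 (constructed)", "dba-team")
    v1 = record_vulnerability(con, web, "outdated TLS library", "high", date(2024, 1, 10), "scanner")
    v2 = record_vulnerability(con, db, "unused listener enabled", "medium", date(2024, 1, 15), "scanner")
    v3 = record_vulnerability(con, web, "legacy admin console", "critical", date(2024, 2, 10), "pentest")
    update_status(con, v1, "in_remediation", date(2024, 1, 12), "web-team")
    update_status(con, v1, "repaired", date(2024, 1, 20), "web-team", "vendor patch applied")
    update_status(con, v2, "threat_removed", date(2024, 1, 16), "dba-team", "listener disabled")
    try:  # an attempt to accept the risk without an approver is refused, so v3 stays open
        update_status(con, v3, "risk_accepted", date(2024, 2, 12), "web-team", "plan to retire console")
    except ValueError:
        pass
    return status_report(con, date(2024, 3, 1))
```

The report from the walk-through shows one repaired item, one closed by threat removal (the service was disabled rather than patched), and one critical item still open and past its seven-day due date, attributed to the web team as its owner; that last line is what the "communicating to owners" and "ensuring the proper level of management is involved" bullets turn into in practice.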

Page 72: Chapter 12

Readiness and Review

Primary goal is to keep information security program functioning as designed and continuously improving

Accomplished by:

Policy review

Program review

Rehearsals

Page 73: Chapter 12

Readiness and Review

Figure 12-16 Readiness and Review

Page 74: Chapter 12

Quick Quiz

1 True or False: The objective of the internal monitoring domain is to provide the early awareness of new and emerging threats, threat agents, vulnerabilities, and attacks that is needed to mount an effective and timely defense. Answer: False

2 The primary goal of the ______ is to maintain an informed awareness of the state of all of the organization’s networks, information systems, and information security defenses.

(a) awareness monitoring domain
(b) information monitoring domain
(c) internal monitoring domain
(d) external monitoring domain

Answer: (c)

Page 78: Chapter 12

Quick Quiz

3 The primary goal of the ______ is to identify specific, documented vulnerabilities and their timely remediation. Answer: vulnerability assessment and remediation domain

4 The primary goal of the ______ is to keep the information security program functioning as designed and to keep it continuously improving over time. Answer: readiness and review domain

5 The ______ process is designed to find and document the vulnerabilities that may be present because of misconfigured systems in use within the organization. Answer: platform security validation (PSV)

Page 84: Chapter 12

Digital Forensics

Digital forensics is used to investigate what happened during attack on assets and how attack occurred

Based on the field of traditional forensics

Involves preservation, identification, extraction, documentation, and interpretation of computer media for evidentiary and/or root cause analysis

Evidentiary material (EM) is any information that could potentially support organization’s legal or policy-based case against suspect

Page 85: Chapter 12

Digital Forensics (cont.)

Used for two key purposes:

1 To investigate allegations of digital malfeasance

2 To perform root cause analysis

Organization chooses one of two approaches:

1 Protect and forget (patch and proceed): defense of data and systems that house, use, and transmit it

2 Apprehend and prosecute (pursue and prosecute): identification and apprehension of responsible individuals, with additional attention on collection and preservation of potential EM that might support administrative or criminal prosecution

Page 86: Chapter 12

Digital Forensics Team

Most organizations:

Cannot sustain a permanent digital forensics team

Collect data and outsource analysis

Information security group personnel should be trained to understand and manage the forensics process to avoid contamination of potential EM

Expertise can be obtained by training

Page 87: Chapter 12

Affidavits and Search Warrants

Affidavit

Sworn testimony that certain facts are in the possession of the investigating officer that they feel warrant the examination of specific items located at a specific place

The facts, the items, and the place must be specified

When an approving authority signs the affidavit, it becomes a search warrant, giving permission to:

Search the EM at the specified location

Seize items to return to the investigator for examination

Page 88: Chapter 12

Digital Forensics Methodology

All investigations follow the same basic methodology:

1 Identify relevant items of evidentiary value (EM)

2 Acquire (seize) the evidence without alteration or damage

3 Take steps to assure that the evidence is at every step verifiably authentic and is unchanged from the time it was seized

4 Analyze the data without risking modification or unauthorized access

5 Report the findings to the proper authority
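
Steps 2 and 3 of the methodology (acquire without alteration; keep the evidence verifiably authentic and unchanged from seizure onward), as an added example that is not code from the slides or the textbook. A constructed byte string stands in for a raw drive and is copied sector by sector, the bit-stream copy the offline acquisition model in the quiz describes; SHA-256 of the whole image proves the copy matches the source and later detects any change, per-sector hashes show where a change occurred, and a hash-chained chain-of-custody log records each hand-off so that an after-the-fact edit of the record is also detectable. Sector size, hash algorithm, examiner names and timestamps are assumptions.

```python
"""Evidence acquisition and integrity verification (methodology steps 2 and 3).

Added example, not from the slides or the textbook. The 'device' is a constructed
byte string standing in for a raw disk; sector size, hash algorithm, names and
timestamps are assumptions.
"""
import hashlib
import json
from typing import Dict, List, Tuple

SECTOR = 512


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def make_sample_device(sectors: int = 8) -> bytes:
    """Constructed 'disk': every sector is labelled with its number and zero-padded."""
    return b"".join(f"sector {n:03d} ".encode().ljust(SECTOR, b"\0") for n in range(sectors))


def acquire_image(device: bytes, sector_size: int = SECTOR) -> Tuple[bytes, List[str]]:
    """Bit-stream, sector-by-sector copy of the device, plus a hash of every sector.
    Per-sector hashes let an examiner show which sector changed, not just that something did."""
    image = bytearray()
    sector_hashes: List[str] = []
    for off in range(0, len(device), sector_size):
        sector = device[off:off + sector_size]  # final sector may be short
        image += sector
        sector_hashes.append(sha256_hex(sector))
    return bytes(image), sector_hashes


def verify_image(image: bytes, expected_hash: str) -> bool:
    """Step 3 check: does the image still hash to the value recorded at seizure?"""
    return sha256_hex(image) == expected_hash


def differing_sectors(image: bytes, sector_hashes: List[str], sector_size: int = SECTOR) -> List[int]:
    """Indices of sectors whose content no longer matches the hash taken at acquisition."""
    return [i for i, off in enumerate(range(0, len(image), sector_size))
            if i >= len(sector_hashes) or sha256_hex(image[off:off + sector_size]) != sector_hashes[i]]


class CustodyLog:
    """Append-only chain-of-custody record; each entry commits to the previous entry's
    hash, so editing or dropping an entry breaks verification from that point on."""

    def __init__(self) -> None:
        self.entries: List[Dict[str, str]] = []

    def append(self, actor: str, action: str, evidence_hash: str, when: str) -> str:
        prev = self.entries[-1]["entry_hash"] if self.entries else "0" * 64
        body = {"actor": actor, "action": action, "evidence_hash": evidence_hash, "when": when, "prev": prev}
        entry = dict(body, entry_hash=sha256_hex(json.dumps(body, sort_keys=True).encode()))
        self.entries.append(entry)
        return entry["entry_hash"]

    def verify(self) -> bool:
        prev = "0" * 64
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "entry_hash"}
            if body["prev"] != prev or sha256_hex(json.dumps(body, sort_keys=True).encode()) != e["entry_hash"]:
                return False
            prev = e["entry_hash"]
        return True


def demo() -> Dict[str, object]:
    """Constructed walk-through: acquire, hand off, then detect a one-byte change in the image."""
    device = make_sample_device()
    image, sector_hashes = acquire_image(device)
    image_hash = sha256_hex(image)
    log = CustodyLog()
    log.append("examiner A", "acquired bit-stream image", image_hash, "2024-03-01T09:00Z")
    log.append("examiner B", "received image for analysis", image_hash, "2024-03-01T11:30Z")
    log_intact = log.verify()
    log.entries[0]["action"] = "acquired logical copy"  # after-the-fact edit of the record
    tampered = bytearray(image)
    tampered[5 * SECTOR + 10] ^= 0xFF  # one byte changed in sector 5
    return {
        "image_matches_device": verify_image(image, sha256_hex(device)),
        "tamper_detected": not verify_image(bytes(tampered), image_hash),
        "tampered_sectors": differing_sectors(bytes(tampered), sector_hashes),
        "log_intact_before_edit": log_intact,
        "log_edit_detected": not log.verify(),
    }
```

Analysis (step 4) is then done on the image, never on the original, and every examiner re-runs verify_image against the hash recorded in the custody log before and after their work; the log itself is what gets presented with the findings in step 5.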

Page 89: Chapter 12

Digital Forensics Methodology

Figure 12-17 The Digital Forensics Process

Page 90: Chapter 12

Evidentiary Procedures

Strong procedures for the handling of potential EM can minimize the probability of an organization’s losing a legal challenge

Organizations should develop specific procedures with guidance, for example:

Who may conduct an investigation and who is authorized in an investigation

What affidavit and search warrant-related issues are required

The methodology to be followed

The final report format

Page 91: Chapter 12

Quick Quiz

1 ______ is the coherent application of methodical investigatory techniques to present evidence of crimes in a court or court-like setting. Answer: Forensics

2 The ______ model of data acquisition is where the investigator removes the power source and then uses a utility or special device to make a bit-stream sector-by-sector copy of the hard drives contained in the system. Answer: offline

3 In information security, most operations focus on ______. Answer: policies

Page 97: Chapter 12

Additional resources

1 Computer Forensics Investigator http://www.jobprofiles.org/govcpolicie1.htm

2 SANS Reading Room – Penetration Testing http://www.sans.org/reading_room/whitepapers/testing/

3 High Tech Crime Institute http://www.hightechcrimeinstitute.com/

4 High Tech Crime Network http://www.htcn.org/