The Importance of Proper Controls
5
Network Controls
• Developing a secure network means developing mechanisms that reduce or eliminate the threats to network security, called controls.
• There are three types of controls:
– Preventative controls - mitigate or stop a person from acting or an event from occurring (e.g., passwords).
– Detective controls - reveal or discover unwanted events (e.g., auditing software).
– Corrective controls - rectify an unwanted event or a trespass (e.g., reinitiating a network circuit).
6
The Risk Management Process
• Identify IT Risks
• Assess IT Risks
• Identify IT Controls
• Document IT Controls
• Monitor IT Risks and Controls
7
Risk Assessment
• Risk assessment is the process of making a network more secure, by comparing each security threat with the control designed to reduce it (where are controls needed?).
• Cost Benefit Assessment (which controls are appropriate based on cost reward tradeoff?)
• Vulnerability Assessment (how effective are the controls? are they working properly?)
8
Risk Assessment
• One way to do this is by developing a control spreadsheet.
• Network assets are listed down the side.
• Threats are listed across the top of the spreadsheet.
• The cells of the spreadsheet list the controls that are currently in use to address each threat.
9
Valuation of Asset
• Assets: People, Data, Hardware, Software, Facilities, (Procedures)
• Valuation Methods
– Criticality to the organization’s success
– Revenue generated
– Profitability
– Cost to replace
– Cost to protect
– Embarrassment/Liability
10
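Threats (columns), in two groups:
– Disruption, Destruction, Disaster: Fire, Flood, Power Loss, Circuit Failure, Virus
– Unauthorized Access: External Intruder, Internal Intruder, Eavesdrop

| Assets | Fire | Flood | Power Loss | Circuit Failure | Virus | External Intruder | Internal Intruder | Eavesdrop |
| (92) Mail Server | 1, 2 | 1, 3 | 4 | 5, 6 | 7, 8 | 9, 10, 11 | 9, 10 | |
| (90) Web Server | 1, 2 | 1, 3 | 4 | 5, 6 | 7, 8 | 9, 10, 11 | 9, 10 | |
| (90) DNS Server | 1, 2 | 1, 3 | 4 | 5, 6 | 7, 8 | 9, 10, 11 | 9, 10 | |
| (50) Computers on 6th floor | 1, 2 | 1, 3 | | | 7, 8 | 10, 11 | 10 | |
| (50) 6th floor LAN circuits | 1, 2 | 1, 3 | | | | | | |
| (80) Building A Backbone | 1, 2 | 1, 3 | | 6 | | | | |
| (70) Router in Building A | 1, 2 | 1, 3 | | | | 9 | 9 | |
| (30) Network Software | | | | | 7, 8 | 9, 10, 11 | 9, 10 | |
| (100) Client Database | | | | | 7, 8 | 9, 10, 11 | 9, 10 | |
| (100) Financial Database | | | | | 7, 8 | 9, 10, 11 | 9, 10 | |
| (70) Network Technical staff | 1 | 1 | | | | | | |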
Sample control spreadsheet
11
Figure 10-6 (cont.) Sample control spreadsheet list of controls
Controls
1. Disaster Recovery Plan
2. Halon fire system in server room. Sprinklers in rest of building
3. Not on or below ground level
4. Uninterruptible Power Supply (UPS) on all major network servers
5. Contract guarantees from inter-exchange carriers
6. Extra backbone fiber cable laid in different conduits
7. Virus checking software present on the network
8. Extensive user training on viruses and reminders in monthly newsletter
9. Strong password software
10. Extensive user training on password security and reminders in monthly newsletter
11. Application Layer firewall
12
Evaluate the Network’s Security
• The last step in designing a control spreadsheet is evaluating the adequacy of the controls and the degree of risk associated with each threat.
• Based on this, priorities can be decided on for dealing with threats to network security.
• The assessment can be done by the network manager, but it is better done by a team of experts chosen for their in-depth knowledge about the network and environment being reviewed.
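The evaluation step described above can be run directly against the sample control spreadsheet. The following is an added example, not part of the original slides: it encodes the spreadsheet as data and reports empty cells, cells that depend on a single control, and threats with no control anywhere. It assumes the number in parentheses is an asset importance score and that an empty cell means no control is listed; the function names are hypothetical.

```python
# Added example: the slide's sample control spreadsheet encoded as data.
# ASSUMPTIONS (not stated on the slides): the number in parentheses is an asset
# importance score, and an empty cell means "no control listed" for that threat
# (on a real review it may instead mean the threat does not apply to the asset).
THREATS = ["Fire", "Flood", "Power Loss", "Circuit Failure", "Virus",
           "External Intruder", "Internal Intruder", "Eavesdrop"]
PHYS = {"Fire": [1, 2], "Flood": [1, 3]}
LOGICAL = {"Virus": [7, 8], "External Intruder": [9, 10, 11], "Internal Intruder": [9, 10]}
SERVER = {**PHYS, "Power Loss": [4], "Circuit Failure": [5, 6], **LOGICAL}

SHEET = {  # asset -> (score, {threat: [control numbers]})
    "Mail Server": (92, SERVER),
    "Web Server": (90, SERVER),
    "DNS Server": (90, SERVER),
    "Computers on 6th floor": (50, {**PHYS, "Virus": [7, 8],
                                    "External Intruder": [10, 11], "Internal Intruder": [10]}),
    "6th floor LAN circuits": (50, PHYS),
    "Building A Backbone": (80, {**PHYS, "Circuit Failure": [6]}),
    "Router in Building A": (70, {**PHYS, "External Intruder": [9], "Internal Intruder": [9]}),
    "Network Software": (30, LOGICAL),
    "Client Database": (100, LOGICAL),
    "Financial Database": (100, LOGICAL),
    "Network Technical staff": (70, {"Fire": [1], "Flood": [1]}),
}

def cells(sheet):
    """Yield (score, asset, threat, controls) for every cell of the spreadsheet."""
    for asset, (score, row) in sheet.items():
        for threat in THREATS:
            yield score, asset, threat, row.get(threat, [])

def gaps(sheet):
    """Empty cells, highest-scored asset first: candidates for a new control."""
    found = [(s, a, t) for s, a, t, c in cells(sheet) if not c]
    return sorted(found, key=lambda g: -g[0])  # stable: keeps sheet order within a score

def thin_cells(sheet):
    """Cells that depend on exactly one control, so one failure leaves no cover."""
    return [(s, a, t, c[0]) for s, a, t, c in cells(sheet) if len(c) == 1]

def uncovered_threats(sheet):
    """Threats that no asset has any control for."""
    covered = {t for _, _, t, c in cells(sheet) if c}
    return [t for t in THREATS if t not in covered]

if __name__ == "__main__":
    print("Threats with no control anywhere:", uncovered_threats(SHEET))
    for score, asset, threat in gaps(SHEET)[:5]:
        print(f"gap  ({score}) {asset}: {threat}")
    for score, asset, threat, ctl in thin_cells(SHEET):
        print(f"thin ({score}) {asset}: {threat} relies only on control {ctl}")
```

Each reported gap still needs the review team's judgment on whether the threat applies to that asset before it is treated as a missing control.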