Scribd
Upload
83 views25 pages

Security - Chapter 6

The document discusses various aspects of administering computer security, including security planning, risk analysis, security policies, and physical security. Security planning involves defining security policies and assessing risks to develop controls and recommendations. Risk analysis identifies assets, vulnerabilities, likelihood of threats, and potential losses to help select and implement appropriate security controls. Security policies define who can access what resources and how to provide guidelines for users. Physical security controls protect against threats from natural disasters, power loss, unauthorized access, theft, and information interception.

Uploaded by

Workneh Edimealem
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PPT, PDF, TXT or read online on Scribd
83 views25 pages

Security - Chapter 6

The document discusses various aspects of administering computer security, including security planning, risk analysis, security policies, and physical security. Security planning involves defining security policies and assessing risks to develop controls and recommendations. Risk analysis identifies assets, vulnerabilities, likelihood of threats, and potential losses to help select and implement appropriate security controls. Security policies define who can access what resources and how to provide guidelines for users. Physical security controls protect against threats from natural disasters, power loss, unauthorized access, theft, and information interception.

Uploaded by

Workneh Edimealem
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PPT, PDF, TXT or read online on Scribd
You are on page 1/ 25

COMPUTER SECURITY

CHAPTER 6 – ADMINISTERING
SECURITY
ADMINISTERING SECURITY OUTLINES

 Security Planning
 Risk Analysis
 Security Policies
 Physical Security
SECURITY PLANNING
 Policy
 Current state – risk analysis
 Requirements
 Recommended controls
 Accountability
 Timetable
 Continuing attention
SECURITY PLANNING - POLICY
 Who should be allowed access?
 To what system and organizational resources should
access be allowed?
 What types of access should each user be allowed for
each resource?
 What are the organization’s goals on security?
 Where does the responsibility for security lie?
 What is the organization’s commitment to security?
SECURITY PLANNING
 Security Policy – must be an explicit and well-defined security
policy enforced by the system.
 Every subject must be uniquely and convincingly identified.
 Every object must be associated with a label that indicates its
security level.
 The system must maintain complete, secure records of actions that
affect security.
 The computing system must contain mechanisms that enforce
security.
 The mechanisms that implement security must be protected against
unauthorized change.
SECURITY PLANNING TEAM
MEMBERS
 Computer hardware group
 System administrators
 Systems programmers
 Application programmers
 Data entry personnel
 Physical security personnel
 Representative users
SECURITY PLANNING
 Assuring Commitment to a Security Plan
 Business Continuity Plans
 Assess Business Impact
 Develop Strategy
 Develop Plan

 Incident Response Plans


 Advance Planning
 Response Team

 After the Incident is Resolved


RISK ANALYSIS
 Risk impact - loss associated with an event
 risk probability – likelihood that the event will occur
 Risk control – degree to which we can change the outcome
 Risk exposure – risk impact * risk probability
RISK ANALYSIS – RISK REDUCTION
 Avoid the risk
 Transfer the risk
 Assume the risk

 Risk leverage = [(risk exposure before reduction) – (risk


exposure after reduction)] / cost of risk reduction
 Cannot guarantee systems are risk free
 Security plans must address action needed should an
unexpected risk becomes a problem
STEPS OF A RISK ANALYSIS
 Identify assets
 Determine vulnerabilities
 Estimate likelihood of exploitation
 Compute expected annual loss
 Survey applicable controls and their costs
 Project annual savings of control
IDENTIFY ASSETS
 Hardware

 Software

 Data

 People

 Procedures (policies, training)


 Documentation

 Supplies

 Infrastructure (building, power, water,…)


DETERMINE VULNERABILITIES
Asset Confidentiality Integrity Availability

Hardware

Software

Data

People

procedures
DETERMINE VULNERABILITIES

 What are the effects of unintentional errors?


 What are the effects of willfully malicious insiders?
 What are the effects of outsiders?
 What are the effects of natural and physical disasters?
RISK ANALYSIS

 Estimate Likelihood of Exploitation


 Classical probability
 Frequency probability (simulation)
 Subjective probability (Delphi approach)

 Computer Expected Lost (look for hidden costs)


 Legal obligations
 Side effects
 Psychological effects
RISK ANALYSIS
 Survey and Select New Controls
 What Criteria Are Used for Selecting Controls?
 Vulnerability Assessment and Mitigation (VAM)
Methodology

 How Do Controls Affect What They Control?


 Which Controls Are Best?

 Project Savings
 Do costs outweigh benefits of preventing / mitigating
risks
ARGUMENTS FOR RISK ANALYSIS

 Improve awareness
 Relate security mission to management objectives
 Identify assets, vulnerabilities, and controls
 Improve basis for decisions
 Justify expenditures for security
ARGUMENTS AGAINST RISK ANALYSIS
 False sense of precision and confidence
 Hard to perform
 Immutability (filed and forgotten)
 Lack of accuracy
 “Today’s complex Internet networks cannot be made watertight…. A
system administrator has to get everything right all the time; a hacker
only has to find one small hole. A sysadmin has to be lucky all of the
time; a hacker only has to get lucky once. It is easier to destroy than to
create.”
 Robert Graham, lead architect of Internet Security Systems
ORGANIZATIONAL SECURITY POLICIES

 Who can access which resources in what manner?


 Security policy - high-level management document that
informs all users of the goals and constraints on using a
system.
SECURITY POLICIES PURPOSE

 Recognize sensitive information assets


 Clarify security responsibilities
 Promote awareness for existing employees
 Guide new employees
SECURITY POLICIES AUDIENCE

 Users
 Owners
 Beneficiaries
 Balance Among All Parties
CONTENTS
 Purpose

 Protected Resources (what - asset list)

 Nature of the Protection (who and how)


CHARACTERISTICS OF A GOOD SECURITY
POLICY

 Coverage (comprehensive)
 Durability
 Realism
 Usefulness
 Examples
PHYSICAL SECURITY

 Natural Disasters
 Flood
 Fire
 Other

 Power Loss
 UPS; surge suppressors (line conditioners)

 Human Vandals
 Unauthorized Access and Use
 Theft
PHYSICAL SECURITY

 Interception of Sensitive Information


Dumpster Diving - Shredding
 Remanence (slack bits)
 Overwriting Magnetic Data
 DiskWipe
 Degaussing

 Emanation - Tempest
CONTINGENCY PLANNING
 BACKUP!!!!!
 Complete backup
 Revolving backup
 Selective backup
 OFFSITE BACKUP!!!!!
 Networked Storage (SAN)
 Cold site (shell)
 Hot site

You might also like