Security - Chapter 6
CHAPTER 6 – ADMINISTERING SECURITY
ADMINISTERING SECURITY OUTLINES
Security Planning
Risk Analysis
Security Policies
Physical Security
SECURITY PLANNING
Policy
Current state – risk analysis
Requirements
Recommended controls
Accountability
Timetable
Continuing attention
SECURITY PLANNING - POLICY
Who should be allowed access?
To what system and organizational resources should access be allowed?
What types of access should each user be allowed for each resource?
What are the organization’s goals on security?
Where does the responsibility for security lie?
What is the organization’s commitment to security?
SECURITY PLANNING
Security policy – there must be an explicit and well-defined security policy enforced by the system.
Every subject must be uniquely and convincingly identified.
Every object must be associated with a label that indicates its security level.
The system must maintain complete, secure records of actions that affect security.
The computing system must contain mechanisms that enforce security.
The mechanisms that implement security must be protected against unauthorized change.
SECURITY PLANNING TEAM MEMBERS
Computer hardware group
System administrators
Systems programmers
Application programmers
Data entry personnel
Physical security personnel
Representative users
SECURITY PLANNING
Assuring Commitment to a Security Plan
Business Continuity Plans
Assess Business Impact
Develop Strategy
Develop Plan
Software
Data
People
Supplies
Hardware
Software
Data
People
Procedures
DETERMINE VULNERABILITIES
Project Savings
Do costs outweigh benefits of preventing / mitigating risks?
ARGUMENTS FOR RISK ANALYSIS
Improve awareness
Relate security mission to management objectives
Identify assets, vulnerabilities, and controls
Improve basis for decisions
Justify expenditures for security
ARGUMENTS AGAINST RISK ANALYSIS
False sense of precision and confidence
Hard to perform
Immutability (filed and forgotten)
Lack of accuracy
“Today’s complex Internet networks cannot be made watertight…. A
system administrator has to get everything right all the time; a hacker
only has to find one small hole. A sysadmin has to be lucky all of the
time; a hacker only has to get lucky once. It is easier to destroy than to
create.”
Robert Graham, lead architect of Internet Security Systems
ORGANIZATIONAL SECURITY POLICIES
Users
Owners
Beneficiaries
Balance Among All Parties
CONTENTS
Purpose
Coverage (comprehensive)
Durability
Realism
Usefulness
Examples
PHYSICAL SECURITY
Natural Disasters
Flood
Fire
Other
Power Loss
UPS; surge suppressors (line conditioners)
Human Vandals
Unauthorized Access and Use
Theft
PHYSICAL SECURITY
Dumpster Diving - Shredding
Remanence (slack bits)
Overwriting Magnetic Data
DiskWipe
Degaussing
Emanation - Tempest
CONTINGENCY PLANNING
BACKUP!!!!!
Complete backup
Revolving backup
Selective backup
OFFSITE BACKUP!!!!!
Networked Storage (SAN)
Cold site (shell)
Hot site