Security Management Practices Ben Rothke New York Metro eSecurity Solutions Group 732/516-4248 EY/COMM 6027684 CISSP

Topics to be covered Change control Data classification Employment policies & practices InfoSec policies Risk management Roles and responsibilities Security awareness training Security management planning

Change control

Data classification

Employment policies & practices

InfoSec policies

Risk management

Roles and responsibilities

Security awareness training

Security management planning

Change control & management Why is change control & change management a security issue? Many businesses live or die on data integrity Changes can break a security model Modifying system breaks warranty Gartner Group analyst recently stated that a rogue Y2K programmer can cause $1B in potential losses Needed since change requester does not understand the security implications of their request Security administrator must analyze and assess carefully the impact to the system

Why is change control & change management a security issue?

Many businesses live or die on data integrity

Changes can break a security model

Modifying system breaks warranty

Gartner Group analyst recently stated that a rogue Y2K programmer can cause $1B in potential losses

Needed since change requester does not understand the security implications of their request

Security administrator must analyze and assess carefully the impact to the system

Change control & management Tools Checksums Digital signatures Tripwire Effective change control can uncover: cases of policy violation by staff; where programs are installed or changed without following the proper notification procedures Possible hardware failure leading to data corruption Viruses, worms, malicious code

Tools

Checksums

Digital signatures

Tripwire

Effective change control can uncover:

cases of policy violation by staff; where programs are installed or changed without following the proper notification procedures

Possible hardware failure leading to data corruption

Viruses, worms, malicious code

For change control & management to work, you must have: Golden copies of the software, for comparison use or database generation Secure infrastructure. Software must be securely stored on physically protected media. If an intruder can get root, and change the golden copies, then the change control tools will be ineffective. Change control & management

For change control & management to work, you must have:

Golden copies of the software, for comparison use or database generation

Secure infrastructure. Software must be securely stored on physically protected media. If an intruder can get root, and change the golden copies, then the change control tools will be ineffective.

Hardware Disks, peripherals Device drivers BIOS Application and operating systems software Upgrades Service packs, patches, fixes Changes to the firewall rulebase/proxies NLM’s Router software Change control & management

Hardware

Disks, peripherals

Device drivers

BIOS

Application and operating systems software

Upgrades

Service packs, patches, fixes

Changes to the firewall rulebase/proxies

NLM’s

Router software

Policies, procedures and processes Develop polices that will stabilize the production processing environment by controlling all changes made to it Formal change control processes will help to ensure that only authorized changes are made, that they are made at the approved time, and that they are made in the approved manner Promptly implement security patches, command scripts, & similar from vendors, CERT, CIAC, etc. Have procedures for roll-back to prior versions in case of problems, AKA, don’t burn your software bridges Change control & management

Policies, procedures and processes

Develop polices that will stabilize the production processing environment by controlling all changes made to it

Formal change control processes will help to ensure that only authorized changes are made, that they are made at the approved time, and that they are made in the approved manner

Promptly implement security patches, command scripts, & similar from vendors, CERT, CIAC, etc.

Have procedures for roll-back to prior versions in case of problems, AKA, don’t burn your software bridges

Data classification Classification is part of a mandatory access control model to ensure that sensitive data is properly controlled and secured DoD multi-level security policy has 4 classifications: Top Secret Secret Confidential Unclassified Other levels in use are: Eyes only Officers only Company confidential Public

Classification is part of a mandatory access control model to ensure that sensitive data is properly controlled and secured

DoD multi-level security policy has 4 classifications:

Top Secret

Secret

Confidential

Unclassified

Other levels in use are:

Eyes only

Officers only

Company confidential

Public

Data classification benefits Data confidentiality, integrity & availability are improved since appropriate controls are used throughout the enterprise Protection mechanisms are maximized A process exists to review the values of company business data Decision quality is increased since the quality of the data upon which the decision is being made has been improved

Data confidentiality, integrity & availability are improved since appropriate controls are used throughout the enterprise

Protection mechanisms are maximized

A process exists to review the values of company business data

Decision quality is increased since the quality of the data upon which the decision is being made has been improved

Data classification Top Secret - applies to the most sensitive business information which is intended strictly for use within the organization. Unauthorized disclosure could seriously and adversely impact the company, stockholders, business partners, and/or its customers Secret - Applies to less sensitive business information which is intended for use within a company. Unauthorized disclosure could adversely impact the company, its stockholders, its business partners, and/or its customers Confidential - Applies to personal information which is intended for use within the company. Unauthorized disclosure could adversely impact the company and/or its employees Unclassified - Applies to all other information which does not clearly fit into any of the above three classifications. Unauthorized disclosure isn’t expected to seriously or adversely impact the company

Top Secret - applies to the most sensitive business information which is intended strictly for use within the organization. Unauthorized disclosure could seriously and adversely impact the company, stockholders, business partners, and/or its customers

Secret - Applies to less sensitive business information which is intended for use within a company. Unauthorized disclosure could adversely impact the company, its stockholders, its business partners, and/or its customers

Confidential - Applies to personal information which is intended for use within the company. Unauthorized disclosure could adversely impact the company and/or its employees

Unclassified - Applies to all other information which does not clearly fit into any of the above three classifications. Unauthorized disclosure isn’t expected to seriously or adversely impact the company

MAC data classification In MAC systems, every subject and object in a system has a sensitivity label and a set of categories: classification [category] Top Secret [CEO, CFO, Board Members] Confidential [Internal employees, auditors] The function of categories is that even someone with the highest classification isn’t automatically cleared to see all information at that level. This support the concept of need to know

In MAC systems, every subject and object in a system has a sensitivity label and a set of categories:

classification [category]

Top Secret [CEO, CFO, Board Members]

Confidential [Internal employees, auditors]

The function of categories is that even someone with the highest classification isn’t automatically cleared to see all information at that level. This support the concept of need to know

Misc. data classification issues In a commercial setting, responsibility for assigning data classification labels is on the person who created or updated the information With the exception of general business correspondence, all externally-provided information which is not public in nature must have a data classification system label. All tape reels, floppy disks and other computer storage media containing secret, confidential, or private information must be externally labelled with the appropriate sensitivity classification Holders of sensitive information must take appropriate steps to ensure that these materials are not available to unauthorized persons.

In a commercial setting, responsibility for assigning data classification labels is on the person who created or updated the information

With the exception of general business correspondence, all externally-provided information which is not public in nature must have a data classification system label.

All tape reels, floppy disks and other computer storage media containing secret, confidential, or private information must be externally labelled with the appropriate sensitivity classification

Holders of sensitive information must take appropriate steps to ensure that these materials are not available to unauthorized persons.

Data classification Roles & responsibilities Information owner Information custodian Application owner User manager Security administrator Security analyst Change control analyst Data analyst Solution provider End user

Roles & responsibilities

Information owner

Information custodian

Application owner

User manager

Security administrator

Security analyst

Change control analyst

Data analyst

Solution provider

End user

Employment policies & practices Background checks/security clearances Checking public records provides critical information needed to make the best hiring decision. Conducting these often simple checks verifies the information provided on the application is current and true, and gives the employer an immediate measurement of an applicant’s integrity.

Background checks/security clearances

Checking public records provides critical information needed to make the best hiring decision.

Conducting these often simple checks verifies the information provided on the application is current and true, and gives the employer an immediate measurement of an applicant’s integrity.

Background checks What does a background check prevent potentially prevent against: lawsuits from terminated employees lawsuits from 3rd-parties or customers for negligent hiring unqualified employees lost business and profits time wasted recruiting, hiring and training theft, embezzlement or property damage money lost (to recruiters fees, signing bonus) negligent hiring lawsuit decrease in employee moral workplace violence, or sexual harassment suits

What does a background check prevent potentially prevent against:

lawsuits from terminated employees

lawsuits from 3rd-parties or customers for negligent hiring

unqualified employees

lost business and profits

time wasted recruiting, hiring and training

theft, embezzlement or property damage

money lost (to recruiters fees, signing bonus)

negligent hiring lawsuit

decrease in employee moral

workplace violence, or sexual harassment suits

Background checks Who should be checked? Employee background checks should be performed for all sensitive positions. Information security staff in sensitive positions include those responsible for: firewall administration e-commerce management Kerberos administrator SecurID & Password usage PKI and certificate management router administrator

Who should be checked? Employee background checks should be performed for all sensitive positions. Information security staff in sensitive positions include those responsible for:

firewall administration

e-commerce management

Kerberos administrator

SecurID & Password usage

PKI and certificate management

router administrator

Background checks What can be checked for an applicant: Credit Report SSN searches Workers Compensation Reports Criminal Records Motor Vehicle Report Education Verification & Credential Confirmation Reference Checks Prior Employer Verification

What can be checked for an applicant:

Credit Report

SSN searches

Workers Compensation Reports

Criminal Records

Motor Vehicle Report

Education Verification & Credential Confirmation

Reference Checks

Prior Employer Verification

Military security clearance Of the most meticulous background checks is those requiring a DoD security clearance. After reviewing the 30-page Defense Industrial Personnel Security Clearance Review , one will get a new understanding of painstaking review. A defense security clearances is generally only requested for individuals in the following categories whose employment involves access to sensitive government assets: Members of the military; Civilian employees working for the Department of Defense or other government agencies; Employees of government contractors.

Of the most meticulous background checks is those requiring a DoD security clearance. After reviewing the 30-page Defense Industrial Personnel Security Clearance Review , one will get a new understanding of painstaking review. A defense security clearances is generally only requested for individuals in the following categories whose employment involves access to sensitive government assets:

Members of the military;

Civilian employees working for the Department of Defense or other government agencies;

Employees of government contractors.

Military security clearance A DoD review, more correctly known as a personnel security investigation is comprised of the following: a search of investigative files and other records held by federal agencies, including the FBI and, if appropriate, overseas countries a financial check field interviews of references (in writing, by telephone, or in person), to include coworkers, employers, personal friends, educators, neighbors, and other individuals, as appropriate a personal interview with the applicant conducted by an Investigator

A DoD review, more correctly known as a personnel security investigation is comprised of the following:

a search of investigative files and other records held by federal agencies, including the FBI and, if appropriate, overseas countries

a financial check

field interviews of references (in writing, by telephone, or in person), to include coworkers, employers, personal friends, educators, neighbors, and other individuals, as appropriate

a personal interview with the applicant conducted by an Investigator

Employment agreement Non-compete Non-disclosure Restrictions on dissemination of corporate information, i.e., press, analysts, law enforcement

Non-compete

Non-disclosure

Restrictions on dissemination of corporate information, i.e., press, analysts, law enforcement

Hiring & termination Policies and procedures should come down from HR Should address: how to handle employee’s departure shutting down accounts forwarding e-mail and voice-mail lock and combination changes system password changes

Policies and procedures should come down from HR

Should address:

how to handle employee’s departure

shutting down accounts

forwarding e-mail and voice-mail

lock and combination changes

system password changes

Separation of duties The principle of separating of duties is that an organization should carefully separate duties, so that people involved in checking for inappropriate use are not also capable of make such inappropriate use No person should be responsible for completing a task involving sensitive, valuable or critical information from beginning to end. Likewise, a single person must not be responsible for approving their own work

The principle of separating of duties is that an organization should carefully separate duties, so that people involved in checking for inappropriate use are not also capable of make such inappropriate use

No person should be responsible for completing a task involving sensitive, valuable or critical information from beginning to end. Likewise, a single person must not be responsible for approving their own work

Separation of duties Separate: development/production security/audit accounts payable/accounts receivable encryption key management/changing of keys Split knowledge Encryption keys are separated into two components, each of which does not reveal the other

Separate:

development/production

security/audit

accounts payable/accounts receivable

encryption key management/changing of keys

Split knowledge

Encryption keys are separated into two components, each of which does not reveal the other

Information security policies Policy is perhaps the most crucial element in a corporate information security infrastructure Marcus Ranum defines a firewall as “the implementation of your Internet security policy. If you haven’t got a security policy, you haven’t got a firewall. Instead, you’ve got a thing that’s sort of doing something, but you don’t know what it’s trying to do because no one has told you what it should do” Corporate computing is a complex operation. Effective policies can rectify many of the weaknesses and faults

Policy is perhaps the most crucial element in a corporate information security infrastructure

Marcus Ranum defines a firewall as “the implementation of your Internet security policy. If you haven’t got a security policy, you haven’t got a firewall. Instead, you’ve got a thing that’s sort of doing something, but you don’t know what it’s trying to do because no one has told you what it should do”

Corporate computing is a complex operation. Effective policies can rectify many of the weaknesses and faults

Information security policies Benefits: Ensure systems are utilized in the manner intended for Ensure users understand their roles & responsibilities Control legal liability

Benefits:

Ensure systems are utilized in the manner intended for

Ensure users understand their roles & responsibilities

Control legal liability

Information security policies Components of an effective policy: Title Purpose Authorizing individual Author/sponsor Reference to other policies Scope Measurement expectations Exception process Accountability Effective/expiration dates Definitions

Components of an effective policy:

Title

Purpose

Authorizing individual

Author/sponsor

Reference to other policies

Scope

Measurement expectations

Exception process

Accountability

Effective/expiration dates

Definitions

Information security policies How to ensure that policies are understood: Jargon free/non-technical language Rather then, “when creating software authentication codes, users must endeavor to use codes that do not facilitate nor submit the company to vulnerabilities in the event that external operatives break such codes”, use “passwords that are guessable should not be used”. Focused Job position independent No procedures, techniques or methods Policy is the approach. The specific details & implementations should be in another document Responsibility for adherence Users must understand the magnitude & significance of the policy. “ I thought this policy didn’t apply to me” should never be heard.

How to ensure that policies are understood:

Jargon free/non-technical language

Rather then, “when creating software authentication codes, users must endeavor to use codes that do not facilitate nor submit the company to vulnerabilities in the event that external operatives break such codes”, use “passwords that are guessable should not be used”.

Focused

Job position independent

No procedures, techniques or methods

Policy is the approach. The specific details & implementations should be in another document

Responsibility for adherence

Users must understand the magnitude & significance of the policy. “ I thought this policy didn’t apply to me” should never be heard.

Information security policies How should policies be disseminated? New hires should get hard copies at orientation Rehires should go through orientation Hard copies Web/corporate intranet Brochures Videos Posters e-mail/voice-mail

How should policies be disseminated?

New hires should get hard copies at orientation

Rehires should go through orientation

Hard copies

Web/corporate intranet

Brochures

Videos

Posters

e-mail/voice-mail

Risk management Security risks start when the power is turned-on. At that point, security risks commence. The only way to deal with those security risks is via risk management Risks can be identified & reduced, but never eliminated No matter how secure you make a system, it can always be broken into given sufficient resources, time, motivation and money People are usually cheaper & easier to compromise than advance technological safeguards

Security risks start when the power is turned-on. At that point, security risks commence. The only way to deal with those security risks is via risk management

Risks can be identified & reduced, but never eliminated

No matter how secure you make a system, it can always be broken into given sufficient resources, time, motivation and money

People are usually cheaper & easier to compromise than advance technological safeguards

Qualitative and quantitative There are two different risk management metrics: q ualitative and quantitative Quantitative, or a quasi-subjective, risk management attempts to establish and maintain an independent set of risk metrics & statistics Q ualitative

There are two different risk management metrics: q ualitative and quantitative

Quantitative, or a quasi-subjective, risk management attempts to establish and maintain an independent set of risk metrics & statistics

Q ualitative

Qualitative vs. quantitative Qualitative - Pros Calculations are simple and readily understood and execute Not necessary to determine quantitative threat frequency & impact data Not necessary to estimate the cost of recommended risk mitigation measures & calculate cost/benefit A general indication of significant areas of risk that should be addressed is provided Qualitative - Cons Risk assessment & results are essentially subjective in both process & metrics. Use of independently objective metrics is eschewed. No effort is made to develop an objective monetary basis for the value of targeted information assets No basis is provided for cost/benefit analysis of risk mitigation measures. Only subjective indication of a problem It is not possible to track risk management performance objectively when all measures are subjective Copied from 1999 Handbook of Information Security Management, pages 441-442

Qualitative - Pros

Calculations are simple and readily understood and execute

Not necessary to determine quantitative threat frequency & impact data

Not necessary to estimate the cost of recommended risk mitigation measures & calculate cost/benefit

A general indication of significant areas of risk that should be addressed is provided

Qualitative - Cons

Risk assessment & results are essentially subjective in both process & metrics. Use of independently objective metrics is eschewed.

No effort is made to develop an objective monetary basis for the value of targeted information assets

No basis is provided for cost/benefit analysis of risk mitigation measures. Only subjective indication of a problem

It is not possible to track risk management performance objectively when all measures are subjective

Qualitative vs. quantitative Quantitative - Pros Assessment & results are based substantially on independently objective processes & metrics. Thus, meaningful statistical analysis is supported The value of information (availability, confidentiality & integrity) as expressed in monetary terms with supporting rationale, is better understood. Thus, the basis for expected loss is better understood. A credible basis for cost/benefit assessment of risk mitigation measures is provided. Thus, information security budget decision-making is supported Quantitative - Cons Calculations are complex. If they are not understood or effectively explained, management may mistrust the results of black-box testing A substantial amount of information about the target information & its IT environment must be gathered There is not yet a standard, independently developed & maintained threat population & frequency knowledge base. Thus, users must rely on the credibility of the vendors who develop & support the automated tools or do perform the research. Copied from 1999 Handbook of Information Security Management, pages 441-442

Quantitative - Pros

Assessment & results are based substantially on independently objective processes & metrics. Thus, meaningful statistical analysis is supported

The value of information (availability, confidentiality & integrity) as expressed in monetary terms with supporting rationale, is better understood. Thus, the basis for expected loss is better understood.

A credible basis for cost/benefit assessment of risk mitigation measures is provided. Thus, information security budget decision-making is supported

Quantitative - Cons

Calculations are complex. If they are not understood or effectively explained, management may mistrust the results of black-box testing

A substantial amount of information about the target information & its IT environment must be gathered

There is not yet a standard, independently developed & maintained threat population & frequency knowledge base. Thus, users must rely on the credibility of the vendors who develop & support the automated tools or do perform the research.

Risk management nomenclature Annualized loss expectancy (ALE) Single loss expectance x annualized rate of occurrence = ALE Annualized rate of occurrence (ARO) On an annualized basis, the frequency with which a threat is expected to occur Exposure factor A measure of the magnitude of loss or impact on the value of an asset Probability Chance or likelihood, in a finite sample, that an event will occur or that a specific loss value may be attained should the event occur Threat An event, the occurrence of which cold have an undesired impart Safeguard Risk reducing measure that acts to detect, prevent or minimize loss associated with the occurrence of a specified threat or category of threats Vulnerability The absence or weakness of a risk-reducing safeguard

Annualized loss expectancy (ALE)

Single loss expectance x annualized rate of occurrence = ALE

Annualized rate of occurrence (ARO)

On an annualized basis, the frequency with which a threat is expected to occur

Exposure factor

A measure of the magnitude of loss or impact on the value of an asset

Probability

Chance or likelihood, in a finite sample, that an event will occur or that a specific loss value may be attained should the event occur

Threat

An event, the occurrence of which cold have an undesired impart

Safeguard

Risk reducing measure that acts to detect, prevent or minimize loss associated with the occurrence of a specified threat or category of threats

Vulnerability

The absence or weakness of a risk-reducing safeguard

Risk assessment Since you can’t protect yourself if you do not know what you are protecting against, a risk assessment must be performed A risk assessment answers 3 fundamental questions: Identify assets - What I am trying to protect? Identify threats - What do I need to protect against? Calculating risks - How much time, effort & money am I willing to expend to obtain adequate protection? After risks are determined, you can then develop the policies & procedures needed to reduce the risks

Since you can’t protect yourself if you do not know what you are protecting against, a risk assessment must be performed

A risk assessment answers 3 fundamental questions:

Identify assets - What I am trying to protect?

Identify threats - What do I need to protect against?

Calculating risks - How much time, effort & money am I willing to expend to obtain adequate protection?

After risks are determined, you can then develop the policies & procedures needed to reduce the risks

Identifying assets Tangibles Computers, communications equipment, wiring Data Software Audit records, books, documents Intangibles Privacy Employe safety & health Passwords Image & reputation Availability Employee morale

Tangibles

Computers, communications equipment, wiring

Data

Software

Audit records, books, documents

Intangibles

Privacy

Employe safety & health

Passwords

Image & reputation

Availability

Employee morale

Identifying threats Earthquake, flood, hurricane, lightening Structural failure, asbestos Utility loss, i.e., water, power, telecommunications Theft of hardware, software, data Terrorists, both political and information Software bugs, virii, malicious code, SPAM, mail bombs Strikes, labor & union problems Hackers, internal/external Inflammatory usenet, Internet & web postings Employee illness, death Outbreak, epidemic, pandemic

Earthquake, flood, hurricane, lightening

Structural failure, asbestos

Utility loss, i.e., water, power, telecommunications

Theft of hardware, software, data

Terrorists, both political and information

Software bugs, virii, malicious code, SPAM, mail bombs

Strikes, labor & union problems

Hackers, internal/external

Inflammatory usenet, Internet & web postings

Employee illness, death

Outbreak, epidemic, pandemic

Calculating (quantifying) risks This is the hard part. Insurance & historical records may help, but your actuary is your best friend. How much damage did Kevin Mitnick do? Estimates range from $500,000 to $120,000,000 Review the risks Lists should be regularly updated Small changes in operations or corporate structure can have significant risk implications Changes such as location, vendor, M&A, etc., must be included into the risk factor

This is the hard part. Insurance & historical records may help, but your actuary is your best friend.

How much damage did Kevin Mitnick do? Estimates range from $500,000 to $120,000,000

Review the risks

Lists should be regularly updated

Small changes in operations or corporate structure can have significant risk implications

Changes such as location, vendor, M&A, etc., must be included into the risk factor

Cost/benefit analysis Cost of a loss Often hard to determine accurately Cost of prevention Long term/short term Adding up the numbers Output of an Excel spreadsheet listing assets, risks & possible losses For each loss, know its probability, predicted loss & amount of money needed to defend against the loss

Cost of a loss

Often hard to determine accurately

Cost of prevention

Long term/short term

Adding up the numbers

Output of an Excel spreadsheet listing assets, risks & possible losses

For each loss, know its probability, predicted loss & amount of money needed to defend against the loss

Security awareness Must be driven from the top-down Must be comprehensive, all the way down to the floppy & hard copies Education Hard copies Web-based Training & education

Must be driven from the top-down

Must be comprehensive, all the way down to the floppy & hard copies

Education

Hard copies

Web-based

Training & education

Security management planning But most importantly, to be successful in selling security you must know your company’s or client’s business Know what is important Each industry has differing priorities

But most importantly, to be successful in selling security you must know your company’s or client’s business

Know what is important

Each industry has differing priorities

Identify costs Initial investment ongoing costs Identify benefits Help Desk reduction Common data locations Reduced Remote Access costs Improve Business Partner access Enhanced public perception Ernst & Young Cyberprocess Certification Security management planning

Identify costs

Initial investment

ongoing costs

Identify benefits

Help Desk reduction

Common data locations

Reduced Remote Access costs

Improve Business Partner access

Enhanced public perception

Ernst & Young Cyberprocess Certification

Identify potential losses if security is not properly implemented Trade secrets confidential information personal e-mail adverse publicity viruses, worms, malicious Java and ActiveX applications denial of service hard drive reformats, router reconfigurations M&A financials hacked web pages breach of Human Resources information Security management planning

Identify potential losses if security is not properly implemented

Trade secrets

confidential information

personal e-mail

adverse publicity

viruses, worms, malicious Java and ActiveX applications

denial of service

hard drive reformats, router reconfigurations

M&A

financials

hacked web pages

breach of Human Resources information

Management Procrastination Four primary reasons why the decision maker typically procrastinates in deciding whether to allocate funds or commence the initiative: Unable to understand or quantify security threats and technical vulnerabilities. This results in buying decision paralysis. Unable to measure (through quantitative or qualitative analysis) the severity and probability of risk. Begins the analysis with a preconceived notion that the cost of controls will be excessive or the security technology does not exist. Believes that the security solution will interfere with the performance or appearance of the business product Security management planning

Management Procrastination

Four primary reasons why the decision maker typically procrastinates in deciding whether to allocate funds or commence the initiative:

Unable to understand or quantify security threats and technical vulnerabilities. This results in buying decision paralysis.

Unable to measure (through quantitative or qualitative analysis) the severity and probability of risk.

Begins the analysis with a preconceived notion that the cost of controls will be excessive or the security technology does not exist.

Believes that the security solution will interfere with the performance or appearance of the business product

Any questions?