Computer Security: Principles of Information Security

Principals of Information
Security,
Fourth Edition
Chapter 7
Security Technology: Intrusion
Detection and Prevention Systems,
and Other Security Tools, Cryptography
Do not wait; the time will never be just right. Start where you stand and
work with whatever tools you may have at your command, and better
tools will be found as you go along.
NAPOLEON HILL (1883–1970) FOUNDER OF THE SCIENCE of SUCCESS

Learning Objectives
• Upon completion of this material, you should be able to:
– Identify and describe the categories of intrusion detection
and prevention systems, honeypots, honeynets, padded
cel, the use of biometric access mechanisms and the
basic principles of cryptography
– Describe the operating principles of the most popular
cryptographic tools
– List and explicate the major protocols used for secure
communications
– Discuss the nature of the dominant methods of attack
used against cryptosystems
Principals of Information Security, Fourth Edition 2

Intrusion Detection and Prevention
Systems
• Intrusion: occurs when an attacker attempts to gain
entry into or disrupt the normal operations of an
information system, almost always with the intent to
do harm
• Intrusion prevention: consists of activities that seek
to deter an intrusion from occurring

Intrusion Detection and Prevention
Systems (cont’d.)
• Intrusion detection: consists of procedures and
systems created and operated to detect system
intrusions
• Intrusion reaction: encompasses actions an
organization undertakes when intrusion event is
detected
• Intrusion correction activities: finalize restoration of
operations to a normal state

Why Use an IDPS?
• Prevent problem behaviors by increasing the
perceived risk of discovery and punishment
• Detect attacks and other security violations
• Detect and deal with preambles to attacks
• Document existing threat to an organization
• Act as quality control for security design and
administration, especially of large and complex
enterprises
• Provide useful information about intrusions that
take place

Types of IDPS
• IDSs operate as network-based, host-based, or
application based systems
• Network-based IDPS is focused on protecting
network information assets
– Wireless IDPS: focuses on wireless networks
– Network behavior analysis IDPS: examines traffic
flow on a network in an attempt to recognize
abnormal patterns

Figure 7-1 Intrusion Detection and Prevention Systems

Types of IDPS (cont’d.)
• Network-based IDPS
– Resides on computer or appliance connected to
segment of an organization’s network; looks for signs
of attacks
– When examining packets, a NIDPS looks for attack
patterns
– Installed at specific place in the network where it can
watch traffic going into and out of particular network
segment

• Advantages of NIDPSs
– Can enable organization to use a few devices to
monitor large network
– NIDPSs not usually susceptible to direct attack and
may not be detectable by attackers
• Disadvantages of NIDPSs
– Can become overwhelmed by network volume and fail
to recognize attacks
– Require access to all traffic to be monitored
– Cannot analyze encrypted packets
– Cannot reliably ascertain if attack was successful or not

• Wireless NIDPS
– Monitors and analyzes wireless network traffic
– Issues associated with it include physical security,
sensor range, access point and wireless switch
locations, wired network connections, cost
• Network behavior analysis systems
– Examine network traffic in order to identify problems
related to the flow of traffic
– Types of events commonly detected include DoS
attacks, scanning, worms, unexpected application
services, policy violations

• Host-based IDPS
– Resides on a particular computer or server and
monitors activity only on that system
– Advantage over NIDPS: can usually be installed so
that it can access information encrypted when
traveling over network

• Advantages of HIDPSs
– Can detect local events on host systems and detect
attacks that may elude a network-based IDPS
– Functions where encrypted traffic will have been
decrypted and is available for processing
– Not affected by use of switched network protocols
– Can detect inconsistencies in how applications and
systems programs were used by examining records
stored in audit logs

• Disadvantages of HIDPSs
– Pose more management issues
– Vulnerable both to direct attacks and attacks against
host operating system
– Does not detect multi-host scanning, nor scanning of
non-host network devices
– Susceptible to some denial-of-service attacks
– Can use large amounts of disk space
– Can inflict a performance overhead on its host
systems

Figure 7-4 Centralized IDPS Control13

Figure 7-7 Network IDPS Sensor Locations17

Honeypots, Honeynets, and Padded
Cell Systems
• Honeypots: decoy systems designed to lure
potential attackers away from critical systems and
encourage attacks against the themselves
• Honeynets: collection of honeypots connecting
several honey pot systems on a subnet
• Honeypots designed to:
– Divert attacker from accessing critical systems
– Collect information about attacker’s activity
– Encourage attacker to stay on system long enough
for administrators to document event and, perhaps,
respond

Cell Systems (cont’d.)
• Padded cell: honeypot that has been protected so it
cannot be easily compromised
• In addition to attracting attackers with tempting
data, a padded cell operates in tandem with a
traditional IDS
• When the IDS detects attackers, it seamlessly
transfers them to a special simulated environment
where they can cause no harm—the nature of this
host environment is what gives approach the name
padded cell

• Advantages
– Attackers can be diverted to targets they cannot
damage
– Administrators have time to decide how to respond
to attacker
– Attackers’ actions can be easily and more
extensively monitored, and records can be used to
refine threat models and improve system protections
– Honey pots may be effective at catching insiders
who are snooping around a network

• Disadvantages
– Legal implications of using such devices are not well
defined
– Honeypots and padded cells have not yet been
shown to be generally useful security technologies
– Expert attacker, once diverted into a decoy system,
may become angry and launch a more hostile attack
against an organization’s systems
– Administrators and security managers will need a
high level of expertise to use these systems

Biometric Access Control
• Based on the use of some measurable human
characteristic or trait to authenticate the identity of a
proposed systems user (a supplicant)
• Relies upon recognition
• Includes fingerprint comparison, palm print
comparison, hand geometry, facial recognition
using a photographic id card or digital camera,
retinal print, iris pattern
• Characteristics considered truly unique:
fingerprints, retina of the eye, iris of the eye

Figure 7-20 Biometric Recognition Characteristics

Effectiveness of Biometrics
• Biometric technologies evaluated on three basic
criteria:
– False reject rate: the rejection of legitimate users
– False accept rate: the acceptance of unknown users
– Crossover error rate (CER): the point where false
reject and false accept rates cross when graphed

Acceptability of Biometrics
• Balance must be struck between how acceptable
security system is to users and its effectiveness in
maintaining security
• Many biometric systems that are highly reliable and
effective are considered intrusive
• As a result, many information security
professionals, in an effort to avoid confrontation
and possible user boycott of biometric controls,
don’t implement them

Table 7-3 Ranking of Biometric Effectiveness and Acceptance
H=High, M=Medium, L=Low
Reproduced from The ‘123’ of Biometric Technology, 2003, by Yun,
Yau Wei22

Cryptography
• Cryptology: science of encryption; combines
cryptography and cryptanalysis
• Cryptography: process of making and using codes
to secure transmission of information
• Cryptanalysis: process of obtaining original
message from encrypted message without knowing
algorithms
• Encryption: converting original message into a form
unreadable by unauthorized individuals
• Decryption: the process of converting the ciphertext
message back into plaintext(original message)

Cipher Methods
• Substitution Cipher
• Transposition Cipher
• Book or Running Key Cipher
• Hash Functions

Cryptographic Algorithms
• Often grouped into two broad categories,
symmetric and asymmetric
– Today’s popular cryptosystems use hybrid
combination of symmetric and asymmetric
algorithms
• Symmetric and asymmetric algorithms
distinguished by types of keys used for encryption
and decryption operations

Symmetric Encryption
• Uses same “secret key” to encipher and decipher
message
– Encryption methods can be extremely efficient,
requiring minimal processing
– Both sender and receiver must possess encryption
key
– If either copy of key is compromised, an intermediate
can decrypt and read messages
– Data Encryption Standard (DES), Triple DES
(3DES), Advanced Encryption Standard (AES)

Figure 8-5 Example of Symmetric Encryption

Asymmetric Encryption
• Also known as public-key encryption
• Uses two different but related keys
– Either key can encrypt or decrypt message
– If Key A encrypts message, only Key B can decrypt
– Highest value when one key serves as private key
and the other serves as public key
• RSA algorithm

Figure 8-6 Example of Asymmetric Encryption

Encryption Key Size
• When using ciphers, size of cryptovariable or key is
very important
• Strength of many encryption applications and
cryptosystems measured by key size
• For cryptosystems, security of encrypted data is not
dependent on keeping encrypting algorithm secret
• Cryptosystem security depends on keeping some
or all of elements of cryptovariable(s) or key(s)
secret

Table 8-7 Encryption Key Power

Cryptographic Tools
• Potential areas of use include:
– Ability to conceal the contents of sensitive messages
– Verify the contents of messages and the identities of
their senders
• Tool:
– Public-Key Infrastructure (PKI)
– Digital Signatures
– Digital Certificates

Public-Key Infrastructure (PKI)
• Integrated system of software, encryption
methodologies, protocols, legal agreements, and
third-party services enabling users to communicate
securely
• PKI systems based on public-key cryptosystems
• PKI protects information assets in several ways:
– Authentication
– Integrity
– Privacy
– Authorization
– Nonrepudiation

Digital Signatures
• Verify information transferred using electronic
systems
• Asymmetric encryption processes used to create
digital signatures
• Nonrepudiation: the process that verifies the
message was sent by the sender and thus cannot
be refuted

Digital Certificates
• Electronic document containing key value and
identifying information about entity that controls key
• Digital signature attached to certificate’s container
file to certify file is from entity it claims to be from

Figure 8-8 Digital Certificate

Steganography
• Process of hiding information
• Has been in use for a long time
• Most popular modern version hides information
within files appearing to contain digital pictures or
other images
• Some applications hide messages in .bmp, .wav,
.mp3, and .au files, as well as in unused space on
CDs and DVDs

Securing Internet Communication with
Protocol S-HTTP and SSL
• Secure Socket Layer (SSL) protocol: uses public
key encryption to secure channel over public
Internet
• Secure Hypertext Transfer Protocol (S-HTTP):
extended version of Hypertext Transfer Protocol;
provides for encryption of individual messages
between client and server across Internet
• S-HTTP is the application of SSL over HTTP

Securing e-mail with S/MIME, PEM,
and PGP Protocols
• Secure Multipurpose Internet Mail Extensions
(S/MIME): builds on Multipurpose Internet Mail
Extensions (MIME) encoding format by adding
encryption and authentication
• Privacy Enhanced Mail (PEM): proposed as
standard to function with public-key cryptosystems;
uses 3DES symmetric key encryption
• Pretty Good Privacy (PGP): uses IDEA Cipher for
message encoding

Securing Web transactions with SET,
SSL, and S-HTTP
• Secure Electronic Transactions (SET): developed
by MasterCard and VISA in 1997 to provide
protection from electronic payment fraud
• Uses DES to encrypt credit card information
transfers
• Provides security for both Internet-based credit
card transactions and credit card swipe systems in
retail stores

Securing Wireless Networks with WEP
and WPA
• Wired Equivalent Privacy (WEP): early attempt to
provide security with the 8002.11 network protocol
• Wi-Fi Protected Access (WPA and WPA2): created
to resolve issues with WEP
• Next Generation Wireless Protocols: Robust
Secure Networks (RSN), AES – Counter Mode
Encapsulation, AES – Offset Codebook
Encapsulation

Protocols for Secure Communications
(continued)
• Securing TCP/IP with IPSec
– Internet Protocol Security (IPSec): open source
protocol to secure communications across any
IP-based network

Attacks on Cryptosystems
• Attempts to gain unauthorized access to secure
communications have used brute force attacks
(ciphertext attacks)
• Attacker may alternatively conduct known-plaintext
attack or selected-plaintext attach schemes

Man-in-the-Middle Attack
• Designed to intercept transmission of public key or
insert known key structure in place of requested
public key
• From victim’s perspective, encrypted
communication appears to be occurring normally,
but in fact, attacker receives each encrypted
message, decodes, encrypts, and sends to
originally intended recipient
• Establishment of public keys with digital signatures
can prevent traditional man-in-the-middle attack

Correlation Attacks
• Collection of brute-force methods that attempt to
deduce statistical relationships between structure of
unknown key and ciphertext
• Differential and linear cryptanalysis have been used
to mount successful attacks
• Only defense is selection of strong cryptosystems,
thorough key management, and strict adherence to
best practices of cryptography in frequency of
changing keys

Dictionary Attacks
• Attacker encrypts every word in a dictionary using
same cryptosystem used by target
• Dictionary attacks can be successful when the
ciphertext consists of relatively few characters (e.g.,
usernames, passwords)

Timing Attacks
• Attacker eavesdrops during victim’s session
– Uses statistical analysis of user’s typing patterns and
inter-keystroke timings to discern sensitive session
information
• Can be used to gain information about encryption
key and possibly cryptosystem in use
• Once encryption successfully broken, attacker may
launch a replay attack (an attempt to resubmit
recording of deciphered authentication to gain entry
into secure source)

Defending Against Attacks
• No matter how sophisticated encryption and
cryptosystems have become, if key is discovered,
message can be determined
• Key management is not so much management of
technology but rather management of people

Principles of Information Security, 3rd Edition 52
Introduction
▪ Physical security addresses design, implementation, and
maintenance of countermeasures that protect physical
resources of an organization
▪ Most controls can be circumvented if an attacker gains
physical access
▪ Physical security is as important as logical security

Introduction (continued)
▪ Seven major sources of physical loss:
▪ Extreme temperature
▪ Gases
▪ Liquids
▪ Living organisms
▪ Projectiles
▪ Movement
▪ Energy anomalies

Introduction (continued)
▪ Community roles
▪ General management: responsible for facility security
▪ IT management and professionals: responsible for
environmental and access security
▪ Information security management and professionals:
perform risk assessments and implementation reviews

Physical Access Controls
▪ Secure facility: physical location engineered with controls
designed to minimize risk of attacks from physical threats
▪ Secure facility can take advantage of natural terrain, traffic
flow, and degree of urban development; can complement
these with protection mechanisms (fences, gates, walls,
guards, alarms)

Physical Security Controls
▪ Walls, fencing, and gates
▪ Lighting (not in ch.)
▪ Guards
▪ Dogs
▪ ID cards and badges
▪ Locks and keys

Physical Security Controls (continued)
▪ Mantraps (or womantraps, persontraps, etc.)
▪ Electronic monitoring
▪ Alarms and alarm systems
▪ Computer rooms and wiring closets
▪ Interior walls and doors

ID Cards and Badges
▪ Ties physical security with information access control
▪ ID card is typically concealed
▪ Name badge is visible
▪ Serve as simple form of biometrics (facial recognition)
▪ Should not be only means of control as cards can be easily
duplicated, stolen, and modified
▪ Tailgating occurs when unauthorized individual follows
authorized user through the control

Locks and Keys
▪ Two types of locks: mechanical and electromechanical
▪ Locks can also be divided into four categories: manual,
programmable, electronic, biometric
▪ Locks fail and alternative procedures for controlling access
must be put in place
▪ Locks fail in one of two ways:
▪ Fail-safe lock
▪ Fail-secure lock

Figure 9-1

Mantrap
▪ Small enclosure that has entry point and different exit point
▪ Individual enters mantrap, requests access, and if verified,
is allowed to exit mantrap into facility
▪ Individual denied entry is not allowed to exit until security
official overrides automatic locks of the enclosure

Figure 9-2 Mantraps

Electronic Monitoring
▪ Records events where other types of physical controls are
impractical or incomplete
▪ May use cameras with video recorders; includes
closed-circuit television (CCT) systems
▪ Drawbacks
▪ Reactive; does not prevent access or prohibited activity
▪ Recordings often are not monitored in real time; must be
reviewed to have any value

Alarms and Alarm Systems
▪ Alarm systems notify when an event occurs
▪ Detect fire, intrusion, environmental disturbance, or an
interruption in services
▪ Rely on sensors that detect event; e.g., motion detectors,
smoke detectors, thermal detectors, glass breakage
detectors, weight sensors, contact sensors, vibration
sensors

Computer Rooms and Wiring Closets
▪ Require special attention to ensure confidentiality, integrity,
and availability of information
▪ Logical controls easily defeated if attacker gains physical
access to computing equipment
▪ Custodial staff often the least scrutinized persons who
have access to offices; are given greatest degree of
unsupervised access

Interior Walls and Doors
▪ Information asset security sometimes compromised by
construction of facility walls and doors
▪ Facility walls typically either standard interior or firewall
▪ High-security areas must have firewall-grade walls to
provide physical security from potential intruders and
improve resistance to fires
▪ Doors allowing access to high security rooms should be
evaluated
▪ Recommended that push or crash bars be installed on
computer rooms and closets

Fire Security and Safety
▪ Most serious threat to safety of people who work in an
organization is possibility of fire
▪ Fires account for more property damage, personal injury,
and death than any other threat
▪ Imperative that physical security plans examine and
implement strong measures to detect and respond to fires

Fire Detection and Response
▪ Fire suppression systems: devices installed and
maintained to detect and respond to a fire
▪ Deny an environment of heat, fuel, or oxygen
▪ Water and water mist systems
▪ Carbon dioxide systems
▪ Soda acid systems
▪ Gas-based systems

Fire Detection
▪ Fire detection systems fall into two general categories:
manual and automatic
▪ Part of a complete fire safety program includes individuals
that monitor chaos of fire evacuation to prevent an attacker
accessing offices
▪ There are three basic types of fire detection systems:
thermal detection, smoke detection, flame detection

Fire Suppression
▪ Systems consist of portable, manual, or automatic
apparatus
▪ Portable extinguishers are rated by the type of fire: Class
A, Class B, Class C, Class D
▪ Installed systems apply suppressive agents; usually either
sprinkler or gaseous systems

Figure 9-3 Water Sprinkler System

Gaseous Emission Systems
▪ Until recently, two types of systems: carbon dioxide
and Halon
▪ Carbon dioxide robs a fire of oxygen supply
▪ Halon is clean but has been classified as an
ozone-depleting substance; new installations are
prohibited
▪ Alternative clean agents include FM-200, Inergen, carbon
dioxide, FE-13 (trifluromethane)

Figure 9-4 Fire Suppression System

Failure of Supporting Utilities and
Structural Collapse
▪ Supporting utilities (heating, ventilation, and air
conditioning; power; water; and others) have significant
impact on continued safe operation of a facility
▪ Each utility must be properly managed to prevent potential
damage to information and information systems

Heating, Ventilation, and Air Conditioning
▪ Areas within heating, ventilation, and air conditioning
(HVAC) systems that can cause damage to information
systems include:
▪ Temperature
▪ Filtration
▪ Humidity
▪ Static electricity

Ventilation Shafts
▪ While ductwork is small in residential buildings, in large
commercial buildings it can be large enough for an
individual to climb though
▪ If vents are large, security can install wire mesh grids at
various points to compartmentalize the runs

Power Management and Conditioning
▪ Electrical quantity (voltage level, amperage rating) is a
concern, as is quality of power (cleanliness, proper
installation)
▪ Noise that interferes with the normal 60 Hertz cycle can
result in inaccurate time clocks or unreliable internal clocks
inside CPU
▪ Grounding ensures that returning flow of current is properly
discharged to ground
▪ Overloading a circuit causes problems with circuit tripping
and can overload electrical cable, increasing risk of fire

Uninterruptible Power Supply (UPS)
▪ In case of power outage, UPS is backup power source for
major computer systems
▪ Four basic UPS configurations:
▪ Standby
▪ Ferroresonant standby
▪ Line-interactive
▪ True online (double conversion online)

Emergency Shutoff
▪ Important aspect of power management is the need to be
able to stop power immediately should a current represent
a risk to human or machine safety
▪ Most computer rooms and wiring closets are equipped with
an emergency power shutoff

Water Problems
▪ Lack of water poses problem to systems, including
functionality of fire suppression systems and ability of
water chillers to provide air-conditioning
▪ Surplus of water, or water pressure, poses a real threat
(flooding, leaks)
▪ Very important to integrate water detection systems into
alarm systems that regulate overall facilities operations

Structural Collapse
▪ Unavoidable forces can cause failures of structures that
house organization
▪ Structures designed and constructed with specific load
limits; overloading these limits results in structural failure
and potential injury or loss of life
▪ Periodic inspections by qualified civil engineers assist in
identifying potentially dangerous structural conditions

Maintenance of Facility Systems
▪ Physical security must be constantly documented,
evaluated, and tested
▪ Documentation of facility’s configuration, operation, and
function should be integrated into disaster recovery plans
and operating procedures
▪ Testing helps improve the facility’s physical security and
identify weak points

Interception of Data
▪ Three methods of data interception:
▪ Direct observation
▪ Interception of data transmission
▪ Electromagnetic interception
▪ U.S. government developed TEMPEST program to reduce
risk of electromagnetic radiation (EMR) monitoring

Mobile and Portable Systems
▪ With the increased threat to information security for
laptops, handhelds, and PDAs, mobile computing requires
more security than average in-house system
▪ Many mobile computing systems have corporate
information stored within them; some are configured to
facilitate user’s access into organization’s secure
computing facilities

Mobile and Portable Systems (continued)
▪ Controls support security and retrieval of lost or stolen
laptops
▪ CompuTrace software, stored on laptop; reports to a central
monitoring center
▪ Burglar alarms made up of a PC card that contains a motion
detector

Figure 9-6 Laptop Theft Deterrence

Remote Computing Security
▪ Remote site computing: away from organizational facility
▪ Telecommuting: computing using telecommunications
including Internet, dial-up, or leased point-to-point links
▪ Employees may need to access networks on business
trips; telecommuters need access from home systems or
satellite offices
▪ To provide secure extension of organization’s internal
networks, all external connections and systems must be
secured

Special Considerations for Physical
Security Threats
▪ Develop physical security in-house or outsource?
▪ Many qualified and professional agencies
▪ Benefit of outsourcing includes gaining experience and
knowledge of agencies
▪ Downside includes high expense, loss of control over
individual components, and level of trust that must be
placed in another company
▪ Social engineering: use of people skills to obtain
information from employees that should not be released

Inventory Management
▪ Computing equipment should be inventoried and inspected
on a regular basis
▪ Classified information should also be inventoried and
managed
▪ Physical security of computing equipment, data storage
media, and classified documents varies for each
organization

Summary
▪ Threats to information security that are unique to
physical security
▪ Key physical security considerations in a facility site
▪ Physical security monitoring components
▪ Essential elements of access control
▪ Fire safety, fire detection, and response
▪ Importance of supporting utilities, especially use of
uninterruptible power supplies
▪ Countermeasures to physical theft of computing devices

What is the problem?
▪ Computer facility with servers in a facility where:
▪ Humidity varies between 25-40 percent
▪ Temperature varies between 75-80 degrees F.
▪ Dust is a problem
▪ Carpeting is nylon
▪ The ceiling is dropped with no firewalls
▪ Lock on the door was purchased at Lowe’s for $80
▪ Fire sprinklers were installed in the 60’s
▪ Janitors have a key to the door

Questions
▪ What role(s) can accountants/auditors play in the
physical security of information resources?
▪ What are the factors that lead to compromise and
failure of the physical securities?
▪ How can these be remedied?
▪ Should guards be required to watch Oceans 11?

Introduction
▪ SecSDLC implementation phase is accomplished through
changing configuration and operation of organization’s
information systems
▪ Implementation includes changes to procedures, people,
hardware, software, and data
▪ Organization translates blueprint for information security
into a concrete project plan

Information Security Project Management
▪ Once organization’s vision and objectives are understood,
process for creating project plan can be defined
▪ Major steps in executing project plan are:
▪ Planning the project
▪ Supervising tasks and action steps
▪ Wrapping up
▪ Each organization must determine its own project
management methodology for IT and information security
projects

Developing the Project Plan
▪ Creation of project plan can be done using work
breakdown structure (WBS)
▪ Major project tasks in WBS are work to be accomplished;
individuals assigned; start and end dates; amount of effort
required; estimated capital and noncapital expenses; and
identification of dependencies between/among tasks
▪ Each major WBS task is further divided into smaller tasks
or specific action steps

Project Planning Considerations
▪ As project plan is developed, adding detail is not always
straightforward
▪ Special considerations include financial, priority, time and
schedule, staff, procurement, organizational feasibility, and
training

Financial Considerations
▪ No matter what information security needs exist, the
amount of effort that can be expended depends on funds
available
▪ Cost benefit analysis must be verified prior to
development of project plan
▪ Both public and private organizations have budgetary
constraints, though of a different nature
▪ To justify an amount budgeted for a security project at
either public or for-profit organizations, it may be useful to
benchmark expenses of similar organizations

Priority Considerations
▪ In general, the most important information security
controls should be scheduled first
▪ Implementation of controls is guided by prioritization of
threats and value of threatened information assets

Time and Scheduling Considerations
▪ Time impacts dozens of points in the development of a
project plan, including:
▪ Time to order, receive, install, and configure security control
▪ Time to train the users
▪ Time to realize return on investment of control

Staffing Considerations
▪ Lack of enough qualified, trained, and available personnel
constrains project plan
▪ Experienced staff is often needed to implement available
technologies and develop and implement policies and
training programs

Procurement Considerations
▪ IT and information security planners must consider
acquisition of goods and services
▪ Many constraints on selection process for equipment and
services in most organizations, specifically in selection of
service vendors or products from manufacturers/suppliers
▪ These constraints may eliminate a technology from realm
of possibilities

Organizational Feasibility Considerations
▪ Policies require time to develop; new technologies require
time to be installed, configured, and tested
▪ Employees need training on new policies and technology,
and how new information security program affects their
working lives
▪ Changes should be transparent to system users unless
the new technology is intended to change procedures
(e.g., requiring additional authentication or verification)

Training and Indoctrination Considerations
▪ Size of organization and normal conduct of business may
preclude a single large training program on new security
procedures/technologies
▪ Thus, organization should conduct phased-in or pilot
approach to implementation

Scope Considerations
▪ Project scope: concerns boundaries of time and
effort-hours needed to deliver planned features and quality
level of project deliverables
▪ Project scope: the functionality that will be delivered by the
new system. (It also includes resources that must be
acquired and disposal of resources no longer needed.)
Projects that are poorly planned may incur “scope creep.”
▪ In the case of information security, project plans should
not attempt to implement the entire security system at one
time

The Need for Project Management
▪ Project management requires a unique set of skills and
thorough understanding of a broad body of specialized
knowledge
▪ Most information security projects require a trained project
manager (a CISO) or skilled IT manager versed in project
management techniques

Supervised Implementation
▪ Some organizations may designate champion from
general management community of interest to supervise
implementation of information security project plan
▪ An alternative is to designate senior IT manager or CIO to
lead implementation
▪ Optimal solution is to designate a suitable person from
information security community of interest
▪ It is up to each organization to find the most suitable
leadership for a successful project implementation

Executing the Plan
▪ Negative feedback ensures project progress is measured
periodically
▪ Measured results compared against expected results
▪ When significant deviation occurs, corrective action taken
▪ Often, project manager can adjust one of three
parameters for task being corrected: effort and money
allocated; scheduling impact; quality or quantity of
deliverable

Project Wrap-up (Post-Audit)
▪ Project wrap-up is usually handled as procedural task and
assigned to mid-level IT or information security manager
▪ Collect documentation, finalize status reports, and deliver
final report and presentation at wrap-up meeting
▪ Goal of wrap-up is to resolve any pending issues, critique
overall project effort, and draw conclusions about how to
improve process

Technical Topics of Implementation
▪ Some parts of implementation process are technical in
nature, dealing with application of technology
▪ Others are not, dealing instead with human interface to
technical systems

Conversion Strategies
▪ As components of new security system are planned,
provisions must be made for changeover from previous
method of performing task to new method
▪ Four basic approaches:
▪ Direct changeover
▪ Phased implementation
▪ Pilot implementation
▪ Parallel operations

The Bull’s-Eye Model
▪ Proven method for prioritizing program of complex change
▪ Issues addressed from general to specific; focus is on
systematic solutions and not individual problems
▪ Relies on process of evaluating project plans in
progression through four layers: policies, networks,
systems, applications

Figure 10-2

To Outsource or Not
▪ Just as some organizations outsource IT operations,
organizations can outsource part or all of information
security programs
▪ Due to complex nature of outsourcing, it’s advisable to
hire best outsourcing specialists and retain best attorneys
possible to negotiate and verify legal and technical
intricacies

Technology Governance and Change Control
▪ Technology governance: complex process an organization
uses to manage impact and costs from technology
implementation, innovation, and obsolescence
▪ By managing the process of change, organization can
improve communication; enhance coordination; reduce
unintended consequences; improve quality of service; and
ensure groups are complying with policies
▪ (Note that there is also a separate Change Mgmt Process
for changes to existing information systems.)

Nontechnical Aspects of Implementation
▪ Other parts of implementation process are not technical in
nature, dealing with the human interface to technical
systems
▪ Include creating a culture of change management as well
as considerations for organizations facing change

The Culture of Change Management
▪ Prospect of change can cause employees to build up
resistance to change
▪ The stress of change can increase the probability of
mistakes or create vulnerabilities
▪ Resistance to change can be lowered by building
resilience for change
▪ Lewin change model: unfreezing, moving, refreezing

Considerations for Organizational Change
▪ Steps can be taken to make organization more amenable
to change:
▪ Reducing resistance to change from beginning of planning
process
▪ Develop culture that supports change

Reducing Resistance to Change from the Start
▪ The more ingrained the previous methods and behaviors,
the more difficult the change
▪ Best to improve interaction between affected members of
organization and project planners in early project phases
▪ Three-step process for project managers: communicate,
educate, and involve

Developing a Culture that Supports Change
▪ Ideal organization fosters resilience to change
▪ Resilience: organization has come to expect change as a
necessary part of organizational culture, and embracing
change is more productive than fighting it
▪ To develop such a culture, organization must successfully
accomplish many projects that require change

Information Systems Security Certification and
Accreditation
▪ Certification versus Accreditation
▪ Accreditation: authorizes IT system to process, store, or
transmit information; assures systems of adequate quality
▪ Certification: evaluation of technical and nontechnical
security controls of IT system establishing extent to which
design and implementation meet security requirements
▪ SP 800-37: Guidelines for the Security Certification and
Accreditation of Federal Information Technology Systems
▪ NSTISS Instruction-1000: National Information Assurance
Certification and Accreditation Process (NIACAP)
▪ ISO 17799/27001 Systems Certification and Accreditation

End Ch. 10

Computer Security: Principles of Information Security

More Related Content

What's hot

Similar to Computer Security: Principles of Information Security

Recently uploaded

Computer Security: Principles of Information Security