IS 6323 Security Risk Analysis Lesson 1 Course Introduction, Security Operational Model, Management Responsibilities


IS 6323 Security Risk Analysis

7:00 – 8:15 PM, MW

Rob Kaufman
- Background
- Email [email protected]

Syllabus and Class Schedule

Student Background Information


Syllabus

Assumed Background

It is assumed that students in this class have a basic understanding of Operating Systems and Networks and that they have access to the Internet and a UNIX- or Windows-based PC. It is essential for the student to also have a basic understanding of security. The Voice and Data Security course is a prerequisite. Knowledge of UNIX will also be useful.

Textbooks
- Hacking Exposed, 5ed
- Managing a Network Vulnerability Assessment


Syllabus -- grading

Graded Assignments

The grades for this course will be based on a standard 70% = C, 80% = B, 90% = A grading scheme. The final grades will be based on the following assignments:

Paper 1          100 points
Lab 1            100 points
Lab 2            100 points
Exam 1           100 points
Exam 2           150 points
Lab 3            100 points
Paper 2          100 points
Final Project    250 points

TOTAL           1000 points


The “cause” of the problem

“Dependence on the computer is the basic phenomenon that gives rise to the need for protection of this utility.”

What segment of government or industry does not rely on computer systems and networks to conduct their daily activities?


The “root” of the problem

Most security problems can be grouped into one of the following categories:

Network and host misconfigurations
- Lack of qualified people in the field

Operating system and application flaws
- Deficiencies in vendor quality assurance efforts
- Lack of qualified people in the field
- Lack of understanding of/concern for security


Computer Security Objectives

The CIA of security
- Confidentiality – the system should ensure that information is only viewed by authorized individuals. The collective system must be able to maintain and process data correctly and move traffic from its origins to the intended destinations without unauthorized disclosure.
- Integrity – the ability of a system to ensure accuracy and reliability… The collective system must be able to maintain and process data correctly and move traffic from its origins to the intended destinations without unauthorized modification.
- Availability – the system must provide efficient response and adequate capacity in order to support acceptable performance. It should be able to recover quickly from either short-term or long-term disruptions. Data and equipment should be accessible when the user wants it.

Additional Objectives
- Authentication – is the user who they claim to be.
- Nonrepudiation – need to be able to prove messages sent and received.


The Security Operational Model

Protection = Prevention + (Detection + Response)

- Prevention: we want to keep unauthorized individuals out of our systems/networks. The CIA of Security.
- Detection: 100% security is not possible; folks will find a way around our prevention technology, so we must have other technology and processes in place to detect when our attempts at prevention fail.
- Response: we need to have the technology and processes in place to respond to detected security events.

What are some of the technologies used in each of these?


What security technologies do we have on our networks?

[Diagram: network connected to The Internet and The PSTN]


Management Responsibility

Management must concern itself with safeguarding the resources under its jurisdiction. Just as an investor seeks both a high rate of return and reasonable safety for an investment, so must the manager seek a high rate of return through the effective use of the resources under his or her command and must take adequate steps to protect the value of the resources.

In the past, these two have been considered separate; today we are seeing more discussions on obtaining an ROI from security itself.

Security Managers focus on minimizing liability by implementing a process known as risk management.


Risk Management

The total process of identifying, controlling, and eliminating or minimizing uncertain events that may affect system resources.

It includes risk analysis, cost-benefit analysis, selection, implementation and test, security evaluation of safeguards, and overall security review.


Management’s function

Protection of resources

Human resources
- The skills needed to operate and control both hardware and software facilities

Capital resources
- The investment in equipment and operating programs

Information resources
- Newly recognized resource created as a product of data processing.

It is in Information Resources that we see the largest need for Network Security


Types of Risk

An underlying principle for the types of risks is Management Failure to do something about security. There are many contributing reasons for this:

- Self-insurance: if we haven’t had it before, we don’t need it now.
- Add-on burden: competition with other areas for scarce dollars and resources.
- ROI: needs to contribute to bottom line or it is a target to be cut or reduced.
- Lip-service: management reluctant to commit resources so does just enough to show auditors.


Types of Risk

Classification of specific categories:

- Physical Hazard: e.g. fire, water, power loss, theft, civil disorders.
- Equipment Malfunction: computers and supporting equipment (including HVAC).
- Software Malfunction: computer programs, including operating systems.
- Human Error: accidental, or intentional, action or inaction by employees.
- Misuse of Data: misuse to perpetrate a crime such as fraud, espionage, or theft of data or IP.
- Loss of Data: intentional or unintentional loss of information through corruption or destruction.


Magnitude of risks

In addition to classifying risks by category of threat, it is useful to analyze risks by the magnitude of potential loss, the probability of loss, and the frequency and permanence of occurrence.

- Magnitude can be expressed in terms of time or dollars, though it is more practical to use dollar cost as an estimate of loss.
- Threats can be evaluated in terms of probability of occurrence. True risk is difficult to measure.

“An aggregation of consequential costs for each threat, over a common time period, and based on the likelihood of occurrence for each threat, can serve to prioritize seemingly diverse risks.”

Groupings for permanency of damage include
- Disasters – serious and lengthy disruptions; costly
- Solid failures – require cessation of the use of part or all of a system while corrective action takes place; costs vary widely
- Transient failures – temporary disruptions that do not recur regularly and therefore may be difficult to trace or correct; costs vary widely
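
The prioritization described in the quotation above, worked through as an added example (not part of the original slides or of the Computer Security Handbook). Every threat, dollar figure and frequency is constructed, and computing the weighted annual loss as loss per event times expected occurrences per year is an assumption about how the weighting is done.

```python
from dataclasses import dataclass

@dataclass
class Threat:
    name: str
    permanence: str        # "disaster", "solid failure" or "transient failure"
    loss_per_event: float  # estimated dollar cost of one occurrence (maximum loss)
    occurrences: float     # expected number of occurrences ...
    per_years: float       # ... within this many years

    @property
    def annual_rate(self) -> float:
        """Normalize the frequency estimate to a common time period (one year)."""
        return self.occurrences / self.per_years

    @property
    def weighted_annual_loss(self) -> float:
        """Consequential cost weighted by likelihood of occurrence (assumed formula)."""
        return self.loss_per_event * self.annual_rate

# Constructed sample data: invented figures, for illustration only.
THREATS = [
    Threat("Fire destroys computer room", "disaster", 2_000_000, 1, 200),
    Threat("Disk controller failure", "solid failure", 40_000, 1, 2),
    Threat("Operator deletes wrong file", "transient failure", 1_500, 30, 1),
    Threat("Extended power loss", "solid failure", 25_000, 3, 1),
]

def rank(threats, key):
    return [t.name for t in sorted(threats, key=key, reverse=True)]

def by_maximum_loss(threats):
    """Ordering that looks only at the size of a single loss."""
    return rank(threats, lambda t: t.loss_per_event)

def by_weighted_annual_loss(threats):
    """Ordering that also accounts for how often the loss is expected."""
    return rank(threats, lambda t: t.weighted_annual_loss)

def totals_by_permanence(threats):
    """Aggregate weighted annual loss for each permanence grouping."""
    totals = {}
    for t in threats:
        totals[t.permanence] = totals.get(t.permanence, 0.0) + t.weighted_annual_loss
    return totals

if __name__ == "__main__":
    for t in sorted(THREATS, key=lambda t: t.weighted_annual_loss, reverse=True):
        print(f"{t.name:30} max ${t.loss_per_event:>10,.0f}  weighted ${t.weighted_annual_loss:>8,.0f}/yr")
```

With these constructed figures the fire has by far the largest single loss but the smallest weighted annual loss, while the frequent power loss ranks first once likelihood is included.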


Sample Risk Analysis (Computer Security Handbook 3ed)


Maximum and Weighted Annual Loss


Dangers of Overreaction

“No threat, however improbable, is completely impossible, for human ingenuity knows no bounds.”

It is essential, however, to differentiate between probable and improbable threats.

If you concentrate on high-loss but improbable threats you run the risk of diverting resources from more probable threats which could still have a drastic effect on the organization.

Consider one New York Times article which discussed:

- Radical conspiracies to sabotage computers
- Special receiving equipment to sense radio waves emitted by computers and printers


Protective measures – Location

Computer security ideally starts with site selection and site preparation. The location should be chosen to avoid, or at least to minimize, the physical hazards.

Avoid buildings
- Close to explosive hazards (e.g. fuel tanks)
- Exposed to windstorm damage

Avoid lower floors and rooms with windows

Maintain a low profile (e.g. “DoD Interview Facility”)

Subdivide large areas to minimize damage should a disaster occur in one portion of the facility


Protective Measures – Fire

- Warning devices should be installed.
- Hand extinguishers (of the correct type) should be conveniently positioned.
- Automatic extinguishing systems should be used where possible.
- Combustible material should be isolated.
- Personnel evacuation procedures should be established, followed, and practiced.


Protective Measures – Power

Full protection from loss of power for a large computer installation can be very costly. Lesser measures, however, can be implemented for much more reasonable costs.

Orderly shutdown in case of loss of power. Work in progress should have time to be saved.

- Uninterruptible power supply (UPS) – battery powered.
- Generator that will automatically kick in upon power loss.
- Separate feeder lines for computer and supporting equipment.


Protective Measures – Civil

In addition to maintaining a low profile (avoid overt signs that disclose high-value nature of computing facility), physical access security is important.

- Locked doors, locked and alarmed windows
- Intrusion detection systems
- Monitoring equipment
- Guards


Protective Measures – Equipment

Critical computer equipment should be duplicated where the cost of a lengthy breakdown is high.
- Costly, includes updating HW and SW for both sets of equipment.

HVAC prone to failures. Redundant systems should be considered for critical areas.

Peripheral equipment (especially those with mechanical parts) prone to breakdown. Vital peripherals should be duplicated.

Consider alternate processing facilities.

Conduct preventative maintenance.

Backup!


Protective Measures – Software

- Comprehensive testing and quality control
- Standard procedures for updating SW. Should include complete documentation.
- Integrity check on data.
- Backup!


Protective Measures – Human Errors

Procedures should be designed to minimize the risk of deliberate or inadvertent alteration, manipulation, or destruction of programs, hardware, or data.

Personnel selection – stress stability, integrity, and conscientiousness.
- Consider background checks.

Separation of duties – one person should not have “all the keys to the kingdom”.

Review exception reports and audit trails to detect abnormalities.

Backup!


Protective Measures -- Misuse

Protective measures to protect against dishonesty and fraud are the same whether a computer is involved or not:

- Separation of responsibility
- Adequate independent control


Protective Measures – Loss of Data

“Information loss or corruption represents the most probable and most common threat that every data processing installation faces.”

Backup files

Three-generation principle
- The oldest file is not destroyed until after the current and previous files have been backed up and validated.

Off-site storage

Up-to-date emergency reconstruction plan

Periodically test plans, procedures, and equipment
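
One way to enforce the three-generation principle above in a backup rotation, as an added example that is not part of the original slides. Using a SHA-256 digest recorded at write time as the validation step, and the names `Generation`, `take_backup` and `rotate`, are assumptions made for illustration.

```python
import hashlib
from dataclasses import dataclass

@dataclass
class Generation:
    label: str
    data: bytes            # contents read back from the backup medium
    recorded_sha256: str   # digest recorded when the backup was written

    def validates(self) -> bool:
        """Valid if the data read back still matches the recorded digest."""
        return hashlib.sha256(self.data).hexdigest() == self.recorded_sha256

def take_backup(label: str, data: bytes) -> Generation:
    return Generation(label, data, hashlib.sha256(data).hexdigest())

def rotate(generations: list, new: Generation) -> list:
    """Append `new` (newest last). The oldest generation is destroyed only
    when the current and previous generations both validate; otherwise
    every copy is retained until the problem is corrected."""
    kept = generations + [new]
    while len(kept) > 3:
        current, previous = kept[-1], kept[-2]
        if not (current.validates() and previous.validates()):
            break            # keep the oldest copy: newer ones are unproven
        kept = kept[1:]      # safe to destroy the oldest generation
    return kept

def demo():
    # Constructed sample data standing in for a master file on successive days.
    gens = [take_backup(d, f"ledger as of {d}".encode()) for d in ("mon", "tue", "wed")]
    ok = rotate(gens, take_backup("thu", b"ledger as of thu"))
    # Simulate a bad write: data read back differs from what was recorded.
    bad = take_backup("fri", b"ledger as of fri")
    bad.data = b"ledger as of fr\x00"
    held = rotate(ok, bad)
    return [g.label for g in ok], [g.label for g in held]

if __name__ == "__main__":
    print(demo())
```

The second rotation keeps four copies because Friday's backup fails validation, so Tuesday's generation is not destroyed.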


Network Security Vulnerabilities and Defenses (Computer Security Handbook 3ed)


Management of Computer Security

The job of the manager is to provide leadership. As such, management security activities would include:

- Planning for computer and network security
- Organizing (gathering resources, grouping activities, establish relationships, …)
- Integrating (instilling in employees: “security as an everyday fact of life”)
- Controlling (requires measurement and comparison then adjustments as necessary)


Management Checklist (Computer Security Handbook 3ed)


Management Checklist


Summary

- Basic Security and the Threat
- Risks
- Protective Measurements
- Management Responsibilities