Transforming Lives. Inventing the Future. www.iit.edu
ILLINOIS INSTITUTE OF TECHNOLOGY
ITM 478/578 1
Information Security as an Ongoing Effort
Ray Trygstad
ITM 478/578, Spring 2004
Master of Information Technology & Management Program
Center for Professional Development
Slides based on Whitman, M. and Mattord, H., Principles of Information Security; Thomson Course Technology 2003
Learning Objectives
Upon completion of this lesson the student should be able to:
– Understand the need for the ongoing maintenance of the information security program.
– Become familiar with recommended security management models.
– Understand a model for a full maintenance program.
– Understand key factors for monitoring the external and internal environment.
Learning Objectives
Upon completion of this lesson the student should be able to:
– Learn how planning and risk assessment tie into information security maintenance.
– Understand how vulnerability assessment and remediation tie into information security maintenance.
– Learn how to build readiness and review procedures into information security maintenance.
Introduction
Avoid overconfidence after implementation and testing of the elements of a security profile
Factors that drive change:
– New assets are acquired
– New vulnerabilities associated with the new or existing assets emerge
– Business priorities shift
– New partnerships are formed and old partnerships dissolve
– Organizational divestiture and acquisition occur
– Employee turnover
Introduction
If the program does not adjust adequately, it may be necessary to begin the cycle again
The decision depends on how much change has occurred and how well the organization and its program for information security maintenance can accommodate change
If change has been dealt with successfully and has created procedures and systems that can flex with the environment, the security program can probably continue to adapt successfully
Introduction
The CISO determines whether the information security group can adapt adequately and maintain the information security profile of the organization, or whether to recycle the SecSDLC process to redevelop a new information security profile
It is less expensive and more effective when the information security program is designed and implemented to deal with change
It is more expensive to reengineer the information security profile over and over
Maintenance and the SecSDLC
FIGURE 12-1 Maintenance and the SecSDLC (phase labels in the figure: Analyze, Implement, Maintain, Physical Design, Logical Design)
Managing for Change
Once an organization has improved its security posture, the security group must turn its attention to the maintenance of security readiness
Information security must constantly monitor the threats, assets, and vulnerabilities
The team also reviews external information to stay on top of the latest general and specific threats to its information security
Security Management Models
An aggressive external and internal monitoring program must be created to allow the information security team to stay abreast of changes in the environment
A management model must be adopted to facilitate this monitoring
Management models are frameworks that structure the tasks of managing a particular set of activities or business functions
The ISO Model
The ISO management model is a five-layer approach that provides structure to the administration and management of networks and systems
The core ISO model addresses management and operation through five topics:
– Fault management
– Configuration and name management
– Accounting management
– Performance management
– Security management
ISO-based Security Management Model
The five areas of the ISO model are transformed into the five areas of security management as follows:
– Fault management
– Configuration and change management
– Accounting and auditing management
– Performance management
– Security program management
Fault Management
Identifying, tracking, diagnosing, and resolving faults in the system, as applied to people and technology, and then addressing them through remediation
In information security, fault management involves identifying faults in the applied information security profile, then addressing them through remediation
Vulnerability Assessment
Physical and logical assessment of vulnerabilities; most often accomplished with penetration testing
Penetration testing: security personnel simulate or perform specific, controlled attacks to compromise or disrupt their own systems by exploiting documented vulnerabilities
The best procedures and tools for use in penetration testing and other vulnerability assessments are the procedures and tools of the hacker community
Fault Management Tools
Many intrusion detection systems detect the signatures of penetration tools and alert information security management to their use
Security professionals should incorporate the use of these tools to examine systems and test security; example tools might include:
– Ethereal
– Nessus
– NMAP
– Sam Spade
– Snort
Fault Management: Users
User problems can be created or influenced by security programs
Firewall modifications, new IDS rules, and new system policies may impact how users interact with systems
Proper user training and ongoing awareness campaigns can reduce problems, but they are never completely eliminated
Fault Management: Help Desk
Help desk personnel must be trained to recognize security problems as distinct from other system problems
One key advantage of commonly used help desk software is the ability to develop a knowledge base of common problems and solutions
Tracking of trouble tickets includes tracking problem resolution
Configuration and Change Management
Configuration management is the administration of the configuration of the components
Change management is the administration of changes in the strategy, operation, or components
Each involves nontechnical as well as technical changes:
– Nontechnical changes impact procedures and people
– Technical changes impact the technology implemented to support security efforts in the hardware, software, and data components
Nontechnical Change Management
Changes to information security may require implementing new policies and procedures
The document manager should:
– maintain a master copy of each document
– record and archive revisions made
– keep copies of the revisions, along with editorial comments on what was added, removed, or modified
Nontechnical Change Management
Policy revisions are not implemented and enforceable until they have been disseminated, read, understood, and agreed to
Software is available to make the creation, modification, dissemination, and agreement documentation processes more manageable
Technical Configuration & Change Management
Technical components have version numbers, revision dates, and requirements to monitor and administer change, just as documents do
Configuration item: a hardware or software item that will be modified or revised throughout its life cycle
Technical Configuration & Change Management
Version: the recorded state of a particular revision of a software or hardware configuration item; often noted as the version number in the form M.N.b
– Major release (M): a significant revision of the version from its previous state
– Minor release (N.b), also called an update or patch: a minor revision of the version from its previous state
Build: a snapshot of a particular version of software assembled from its various component modules
Build list: a list of the versions of the components that comprise a build
Technical Configuration & Change Management
Configuration: a collection of components that make up a configuration item
Revision date: the date associated with a particular version or build
Software library: a collection of configuration items, usually controlled
– Developers use it to construct revisions and issue new configuration items
Technical Configuration & Change Management
Procedures associated with configuration management:
– Configuration identification: the identification and documentation of the various components, implementation, and states of configuration items
– Configuration control: the administration of changes to the configuration items and the issuance of versions (usually only performed by an entity that actually develops its own versions of configuration items)
– Configuration status accounting: the tracking and recording of the implementation of changes to configuration items
– Configuration audit: auditing and controlling the overall configuration management program
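As an added example (not from the slides or the textbook), the following code applies the M.N.b version convention and the build-list definition from the preceding slides to classify each configuration item's change between two builds, so that configuration status accounting can record it and configuration control can review it. The component names and versions are constructed sample data.

```python
"""Classify configuration-item changes between two build lists.

Added example, not from the slides or the textbook: it applies the M.N.b
version convention defined above, treating a change in M as a major release
and a change in N or b as a minor release (update or patch). The build lists
and component names are constructed sample data.
"""
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, int, int]  # (M, N, b)


def parse_version(text: str) -> Version:
    """Parse 'M.N.b' into a comparable integer tuple; a missing b defaults to 0."""
    parts = text.strip().split(".")
    if not 2 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not an M.N.b version: {text!r}")
    return (int(parts[0]), int(parts[1]), int(parts[2]) if len(parts) == 3 else 0)


def classify_change(old: Optional[str], new: Optional[str]) -> str:
    """Classify one configuration item's change between two builds.

    Returns 'added', 'removed', 'unchanged', 'major', 'minor', or 'downgrade'
    (the new build carries an older version, which a configuration audit should flag).
    """
    if old is None:
        return "added"
    if new is None:
        return "removed"
    o, n = parse_version(old), parse_version(new)
    if n == o:
        return "unchanged"
    if n < o:
        return "downgrade"
    return "major" if n[0] != o[0] else "minor"


def diff_build_lists(old_build: Dict[str, str], new_build: Dict[str, str]) -> Dict[str, str]:
    """Return {component: change kind} for every component named in either build list."""
    names = sorted(set(old_build) | set(new_build))
    return {name: classify_change(old_build.get(name), new_build.get(name)) for name in names}


def needs_configuration_control(changes: Dict[str, str]) -> List[str]:
    """Components whose change alters the configuration enough to go through configuration control.

    Major releases, downgrades, and added or removed items are listed; minor
    releases are recorded by status accounting but not listed here.
    """
    return [name for name, kind in changes.items() if kind in ("major", "downgrade", "added", "removed")]


# Constructed sample build lists (hypothetical component names and versions)
BUILD_2004_03 = {"firewall-os": "5.2.1", "ids-engine": "2.0.0", "vpn-client": "3.4.7", "av-signatures": "1.118.0"}
BUILD_2004_04 = {"firewall-os": "6.0.0", "ids-engine": "2.0.3", "vpn-client": "3.5.0", "log-collector": "1.0.0"}

if __name__ == "__main__":
    changes = diff_build_lists(BUILD_2004_03, BUILD_2004_04)
    for name, kind in changes.items():
        print(f"{name:14s} {kind}")
    print("for configuration control:", needs_configuration_control(changes))
```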
Accounting & Auditing Management
Chargeback accounting enables organizations to internally charge for system use
– Some resource usage is commonly tracked
Accounting management involves monitoring the use of a particular component of a system
Auditing is the process of reviewing the use of a system, not to check performance, but to determine misuse or malfeasance
– Automated tools can consolidate the logs of various systems, perform comparative analysis, and detect common occurrences or behavior that is of interest
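As an added example (not from the slides or the textbook) of the consolidation and comparative analysis the last bullet describes, the following code normalizes login records from two differently formatted sources into one timeline and flags a user whose failed logins span more than one system, something no single system's log can reveal. Both log formats and all log lines are constructed sample data.

```python
"""Consolidate authentication logs from two systems and flag behavior of interest.

Added example, not from the slides: it demonstrates consolidating the logs of
different systems and performing comparative analysis across them. All log
lines are constructed sample data in two hypothetical formats.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, NamedTuple


class AuthEvent(NamedTuple):  # common record every source is normalized to
    when: datetime
    system: str
    user: str
    success: bool


# Constructed syslog-style lines from a hypothetical host "fileserver"
SYSLOG_LINES = """\
Mar 14 09:01:05 fileserver login[412]: FAILED LOGIN for alice from 10.0.0.7
Mar 14 09:01:09 fileserver login[412]: FAILED LOGIN for alice from 10.0.0.7
Mar 14 09:01:21 fileserver login[412]: LOGIN OK for alice from 10.0.0.7
Mar 14 09:30:00 fileserver login[430]: LOGIN OK for bob from 10.0.0.9
""".splitlines()
# Constructed CSV audit export from a hypothetical application "payroll-app"
APP_CSV_LINES = """\
2004-03-14 09:00:58,payroll-app,alice,FAILURE
2004-03-14 09:02:02,payroll-app,alice,FAILURE
2004-03-14 09:31:40,payroll-app,carol,SUCCESS
""".splitlines()
SYSLOG_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) (\S+) \S+: (FAILED LOGIN|LOGIN OK) for (\S+)")


def parse_syslog(lines: List[str], year: int) -> List[AuthEvent]:
    """Normalize syslog lines; syslog omits the year, so the caller supplies it."""
    events = []
    for line in lines:
        m = SYSLOG_RE.match(line)
        if not m:
            continue  # unrelated or malformed line: skip it rather than abort the audit
        when = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        events.append(AuthEvent(when, m.group(2), m.group(4), m.group(3) == "LOGIN OK"))
    return events


def parse_app_csv(lines: List[str]) -> List[AuthEvent]:
    """Normalize 'timestamp,system,user,outcome' records into the common shape."""
    events = []
    for line in lines:
        ts, system, user, outcome = line.split(",")
        events.append(AuthEvent(datetime.fromisoformat(ts), system, user, outcome == "SUCCESS"))
    return events


def consolidate(*sources: List[AuthEvent]) -> List[AuthEvent]:
    """Merge every source into one timeline ordered by time."""
    return sorted((e for src in sources for e in src), key=lambda e: e.when)


def failures_across_systems(events: List[AuthEvent], window_seconds: int,
                            min_systems: int = 2) -> Dict[str, List[str]]:
    """Users whose failed logins touch at least min_systems systems within window_seconds."""
    window = timedelta(seconds=window_seconds)
    failed = defaultdict(list)
    for e in events:  # events must be time-ordered, as consolidate() returns them
        if not e.success:
            failed[e.user].append(e)
    flagged = {}
    for user, evs in failed.items():
        for i, first in enumerate(evs):
            systems = {x.system for x in evs[i:] if x.when - first.when <= window}
            if len(systems) >= min_systems:
                flagged[user] = sorted(systems)
                break
    return flagged
```

Running `failures_across_systems(consolidate(parse_syslog(SYSLOG_LINES, 2004), parse_app_csv(APP_CSV_LINES)), 300)` over the sample data flags alice on both systems, while each source alone shows only a short run of failures.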
Performance Management
It is important to monitor the performance of security systems and their underlying IT infrastructure to assure they are working effectively
Common metrics are applicable in security, especially when the components being managed are associated with network traffic
To evaluate the ongoing performance of a security system, establish performance baselines
Monitor all possible variables, collecting and archiving performance baseline data, and then analyze it
Security Program Management
The ISO five-area framework supports a structured management model by ensuring that the various areas are addressed
British Standard BS 7799 contains two standards designed to assist this effort
Part 2 of BS 7799 introduces a process model:
– Plan: via a risk analysis
– Do: apply internal controls to manage risk
– Check: undertake periodic and frequent review to verify effectiveness
– Act: use planned incident response plans as necessary
The Maintenance Model
A maintenance model is intended to complement the chosen management model and focus organizational effort on maintenance
Figure 12-2 diagrams a full maintenance program and forms a framework for the discussion of maintenance that follows:
– External monitoring
– Internal monitoring
– Planning and risk assessment
– Vulnerability assessment and remediation
– Readiness and review
The Maintenance Model
FIGURE 12-2 The Maintenance Model
Monitoring the External Environment
The objective is to provide the early awareness of new and emerging threats, threat agents, vulnerabilities, and attacks that is needed to mount an effective and timely defense
External monitoring entails collecting intelligence from data sources, and then giving that intelligence context and meaning for use by decision makers within the organization
Data Sources
Acquiring data is not difficult; there are many inexpensive or free sources
Turning data into information that decision makers can use is the challenge
External intelligence comes from three classes of sources:
– Vendors
– CERT organizations
– Public network sources
Data Sources
A viable external monitoring program:
– Creates documented and repeatable procedures
– Provides proper training
– Equips staff with proper access and tools
– Designs criteria and cultivates expertise
– Develops suitable communications methods
– Integrates the Incident Response Plan with the results of the external monitoring process
Monitoring, Escalation, & Incident Response
The function is to monitor activity, report results, and escalate warnings
Integrate into the IRP
The monitoring process has three primary deliverables:
– Specific warning bulletins issued when developing threats and specific attacks pose a measurable risk to the organization
– Periodic summaries of external information
– Detailed intelligence on the highest risk warnings
Data Collection & Management
Over time, the external monitoring processes should capture knowledge about the external environment in a format that can be referenced both across the organization as threats emerge and for historical use
External monitoring collects raw intelligence, filters it for relevance to the organization, assigns it a relative risk impact, and communicates these findings to the decision makers in time to make a difference
Monitoring the Internal Environment
Maintain informed awareness of the state of the organization’s networks, systems, and defenses by maintaining an inventory of IT infrastructure and applications
Active participation in, or leadership of, the IT governance process
Real-time monitoring of IT activity using intrusion detection systems
Automated difference detection methods that identify variances introduced to the network or system hardware and software
Network Characterization & Inventory
Have a carefully planned and fully populated inventory for all network devices, communication channels, and computing devices
Once characteristics have been identified, they must be carefully organized and stored using a mechanism, manual or automated, that allows timely retrieval and rapid integration of disparate facts
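As an added example (not from the slides or the textbook) of the automated difference detection and inventory points above, the following code compares a stored inventory of authorized hosts and their expected services against a fresh snapshot and reports every variance: unknown hosts, hosts that have disappeared, and services that appeared or vanished. The inventory, the snapshot lines, and their "host port/proto name" format are constructed sample data.

```python
"""Detect variances between the network inventory and a fresh snapshot.

Added example, not from the slides: an automated difference-detection check of
the kind the internal-monitoring slides describe. The baseline inventory and
the snapshot lines are constructed sample data in a hypothetical format.
"""
from typing import Dict, List, NamedTuple, Set, Tuple

Service = Tuple[int, str]  # (port, protocol)


class Variance(NamedTuple):
    kind: str    # 'unknown-host', 'new-service', 'missing-host', 'missing-service'
    host: str
    detail: str


# Baseline inventory: authorized hosts and the services each is expected to expose
BASELINE: Dict[str, Set[Service]] = {
    "10.0.1.10": {(22, "tcp"), (80, "tcp"), (443, "tcp")},  # web server
    "10.0.1.20": {(22, "tcp"), (3306, "tcp")},               # database
    "10.0.1.30": {(22, "tcp")},                               # jump host
}

# Constructed snapshot, as a scanner or agent might report it
SNAPSHOT_LINES = """\
10.0.1.10 22/tcp ssh
10.0.1.10 443/tcp https
10.0.1.20 22/tcp ssh
10.0.1.20 3306/tcp mysql
10.0.1.20 21/tcp ftp
10.0.1.45 139/tcp netbios-ssn
""".splitlines()


def parse_snapshot(lines: List[str]) -> Dict[str, Set[Service]]:
    """Parse 'host port/proto name' lines into {host: {(port, proto), ...}}."""
    seen: Dict[str, Set[Service]] = {}
    for line in lines:
        fields = line.split()
        if len(fields) < 2 or "/" not in fields[1]:
            continue  # tolerate blank or malformed lines
        port, proto = fields[1].split("/", 1)
        seen.setdefault(fields[0], set()).add((int(port), proto))
    return seen


def detect_variances(baseline: Dict[str, Set[Service]], snapshot: Dict[str, Set[Service]]) -> List[Variance]:
    """Compare the snapshot to the baseline and list every variance, most serious first."""
    out: List[Variance] = []
    for host in sorted(set(baseline) | set(snapshot)):
        if host not in baseline:  # a device nobody inventoried is the first thing to investigate
            out.append(Variance("unknown-host", host, ", ".join(f"{p}/{t}" for p, t in sorted(snapshot[host]))))
            continue
        if host not in snapshot:
            out.append(Variance("missing-host", host, "not seen in snapshot"))
            continue
        for port, proto in sorted(snapshot[host] - baseline[host]):
            out.append(Variance("new-service", host, f"{port}/{proto}"))
        for port, proto in sorted(baseline[host] - snapshot[host]):
            out.append(Variance("missing-service", host, f"{port}/{proto}"))
    order = {"unknown-host": 0, "new-service": 1, "missing-host": 2, "missing-service": 3}
    return sorted(out, key=lambda v: (order[v.kind], v.host, v.detail))


if __name__ == "__main__":
    for v in detect_variances(BASELINE, parse_snapshot(SNAPSHOT_LINES)):
        print(f"{v.kind:16s} {v.host:12s} {v.detail}")
```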
The Role of IT Governance
The primary value of active engagement in an organization-wide IT governance process is the increased awareness of the impact of change
This awareness must be translated into a description of the risk that is caused by the change, through operational risk assessment
Awareness of change comes from two parts of the IT governance process:
– Architecture review boards
– IT change control process
Making Intrusion Detection Systems Work
The most important value of the raw intelligence provided by an IDS is to prevent risk in the future
Log files from the IDS engines can be mined to add information to the internal monitoring knowledge base
Analyzing attack signatures for unsuccessful system attacks can identify weaknesses in various security efforts
Planning and Risk Assessment
Keep an eye on the entire information security program
Done by:
– Identifying and planning ongoing information security activities that further reduce risk
– Assessing risk to identify and document risks from projects that may be latent
Planning and Risk Assessment
Primary outcomes:
– Establish a formal information security program review
– Institute formal project identification, selection, planning, and management processes
– Coordinate with IT project teams to introduce risk assessment and review for all IT projects
– Integrate a mindset of risk assessment across the organization
Planning & Risk Assessment
FIGURE 12-5 Planning & Risk Assessment
Information Security Program Planning & Review
Periodic review of an ongoing information security program coupled with planning for enhancements and extensions
The strategic planning process should examine the IT needs of the future organization and the impact those needs have on information security
A recommended approach takes advantage of the fact that most organizations have annual capital budget planning cycles, and manages security projects as part of that process
InfoSec Improvement through Ongoing Projects
Projects follow the SecSDLC model
Large projects should be broken into smaller projects for several reasons:
– Smaller projects tend to have more manageable impacts on the networks and users
– Larger projects tend to complicate the change control process in the implementation phase
– Short planning, development, and implementation schedules reduce uncertainty
– Most large projects can easily be assembled from smaller projects, giving more opportunities to change direction and gain flexibility
Security Risk Assessments
A key component of success is the information security operational risk assessment (RA)
The RA is a method to identify and document the risk that a project, process, or action introduces to the organization, and to offer suggestions for controls
RA documents can include:
– Network connectivity
– Dialed modem
– Business partner connectivity
– Application
– Vulnerability
– Privacy
– Acquisition or divestiture
Vulnerability Assessment & Remediation
Identification of specific, documented vulnerabilities and their timely remediation
How?
– Use documented vulnerability assessment procedures to safely collect intelligence about networks, platforms, dial-in modems, and wireless network systems
– Document background information and provide tested remediation procedures for reported vulnerabilities
– Track, communicate, report, and escalate to management itemized facts about discovered vulnerabilities and the success or failure of organizational attempts at remediation
Vulnerability Assessment & Remediation
FIGURE 12-6 Vulnerability Assessment and Remediation
Vulnerability Assessment
The process of identifying and documenting specific and provable flaws in an organization’s information asset environment
While the exact procedures can vary, the five vulnerability assessment processes that follow can serve many organizations as they attempt to balance the intrusiveness of vulnerability assessment with the need for a stable and productive production environment
Internet Vulnerability Assessment
Designed to find and document vulnerabilities present in the public-facing network
Since attackers use all means, this assessment is performed against all public-facing systems using every possible penetration testing approach
The steps in the process are:
– Plan, schedule, and notify
– Select target
– Select test
– Scan
– Analyze
– Keep records
Intranet Vulnerability Assessment
Designed to find and document selected vulnerabilities present on an internal network
Attackers are often internal members of the organization, affiliates of business partners, or automated attack vectors (such as viruses and worms)
Usually performed against selected critical internal devices with a known, high value by using selective penetration testing
Steps in the process are almost identical to the steps in the Internet vulnerability assessment, except as noted
Platform Security Validation
Designed to find and document vulnerabilities present due to misconfigured systems in use within the organization
These misconfigured systems fail to comply with company policy or standards as adopted by the IT governance groups and communicated in the information security and awareness program
Fortunately, automated measurement systems are available to help with the intensive process of validating the compliance of platform configuration with policy
Wireless Vulnerability Assessment
Designed to find and document the vulnerabilities that may be present in the wireless local area networks of the organization
Since attackers from this direction are likely to take advantage of any loophole or flaw, this assessment is usually performed against all publicly accessible areas using every possible wireless penetration testing approach
Modem Vulnerability Assessment
Designed to find and document any vulnerability that is present on dialup modems connected to the organization’s networks
Since attackers from this direction take advantage of any loophole or flaw, this assessment is usually performed against all telephone numbers owned by the organization, using every possible penetration testing approach
One of the elements of this process, using scripted dialing attacks against a pool of phone numbers, is often called war-dialing
Documenting Vulnerabilities
The vulnerability tracking database should provide details as well as linkage to the information assets
Low cost and ease of use make relational databases a realistic choice
The vulnerability database is an essential part of effective remediation
Documenting Vulnerabilities
The data stored in the vulnerability database should include:
– A unique ID number for reporting and tracking
– Linkage to information assets
– Vulnerability details
– Dates/times of notification and remediation
– Current status
– Comments
– Other fields as required
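As an added example (not from the slides or the textbook), the following code builds a small relational vulnerability tracking database with the fields listed above, enforces the linkage to information assets, and answers two questions remediation tracking needs: which open findings are overdue and should be escalated, and how many open findings each asset carries. It uses SQLite in memory; the assets, findings, and dates are constructed sample data.

```python
"""A minimal vulnerability tracking database holding the fields listed above.

Added example, not from the slides: it uses SQLite, a relational database as
the slides recommend, to store those fields and to link each vulnerability to
an information asset. The assets and findings are constructed sample data.
"""
import sqlite3
from datetime import datetime, timedelta
from typing import List, Tuple

SCHEMA = """
CREATE TABLE asset (
    asset_id INTEGER PRIMARY KEY,
    name     TEXT NOT NULL UNIQUE,
    owner    TEXT NOT NULL   -- who controls the asset; remediation depends on them
);
CREATE TABLE vulnerability (
    vuln_id       INTEGER PRIMARY KEY,                          -- unique ID for reporting and tracking
    asset_id      INTEGER NOT NULL REFERENCES asset(asset_id),  -- linkage to information assets
    details       TEXT NOT NULL,
    notified_at   TEXT NOT NULL,                                -- ISO-8601 date/time of notification
    remediated_at TEXT,                                         -- NULL until closed
    status        TEXT NOT NULL CHECK (status IN ('open', 'remediated', 'risk-accepted')),
    comments      TEXT
);
"""


def open_db() -> sqlite3.Connection:
    """Create an in-memory database with the schema and foreign keys enforced."""
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")
    conn.executescript(SCHEMA)
    return conn

def add_asset(conn: sqlite3.Connection, name: str, owner: str) -> int:
    return conn.execute("INSERT INTO asset (name, owner) VALUES (?, ?)", (name, owner)).lastrowid

def report_vulnerability(conn, asset_id: int, details: str, notified_at: str, comments: str = "") -> int:
    """Open a new tracking record; fails if asset_id does not exist (foreign key)."""
    cur = conn.execute("INSERT INTO vulnerability (asset_id, details, notified_at, status, comments) "
                       "VALUES (?, ?, ?, 'open', ?)", (asset_id, details, notified_at, comments))
    return cur.lastrowid

def close_vulnerability(conn, vuln_id: int, when: str, status: str, comment: str) -> None:
    """Record the outcome: repaired, or risk accepted by an authorized decision maker."""
    if status not in ("remediated", "risk-accepted"):
        raise ValueError("status must be 'remediated' or 'risk-accepted'")
    conn.execute("UPDATE vulnerability SET remediated_at = ?, status = ?, comments = ? WHERE vuln_id = ?",
                 (when, status, comment, vuln_id))

def overdue(conn, now_iso: str, max_age_days: int) -> List[Tuple[int, str, str, str]]:
    """Open items notified more than max_age_days ago: (vuln_id, asset, owner, details) to escalate."""
    cutoff = (datetime.fromisoformat(now_iso) - timedelta(days=max_age_days)).isoformat()
    return conn.execute(
        "SELECT v.vuln_id, a.name, a.owner, v.details FROM vulnerability v JOIN asset a USING (asset_id) "
        "WHERE v.status = 'open' AND v.notified_at < ? ORDER BY v.notified_at", (cutoff,)).fetchall()

def open_count_by_asset(conn) -> List[Tuple[str, int]]:
    """Current status summary: number of open findings per asset (zero included)."""
    return conn.execute(
        "SELECT a.name, COUNT(v.vuln_id) FROM asset a LEFT JOIN vulnerability v "
        "ON v.asset_id = a.asset_id AND v.status = 'open' GROUP BY a.name ORDER BY a.name").fetchall()

def build_sample_db(now_iso: str = "2004-03-14T09:00:00") -> sqlite3.Connection:
    """Constructed sample data: two assets, three findings, one already remediated."""
    now = datetime.fromisoformat(now_iso)
    ago = lambda days: (now - timedelta(days=days)).isoformat()
    conn = open_db()
    web = add_asset(conn, "www-server", "web team")
    hr = add_asset(conn, "hr-database", "hr systems")
    report_vulnerability(conn, web, "outdated web server build", ago(40))
    report_vulnerability(conn, hr, "default account still enabled", ago(3))
    v3 = report_vulnerability(conn, web, "directory listing enabled", ago(20))
    close_vulnerability(conn, v3, ago(18), "remediated", "listing disabled in config")
    return conn
```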
Remediating Vulnerabilities
Repair the flaw causing a vulnerability instance or remove the risk from the vulnerability
As a last resort, informed decision makers with the proper authority can accept the risk
When approaching the remediation process, it is important to recognize that building relationships with those who control the information assets is the key to success
Success depends on the organization adopting a team approach to remediation, in place of cross-organizational push and pull
Acceptance of Risk
In some instances risk must simply be acknowledged as part of an organization’s business process
Information security professionals must assure the general management community that decisions made to assume risk for the organization are made by properly informed decision makers with the proper level of authority to assume the risk
Information security must make sure the right people make risk assumption decisions with complete knowledge of the impact of the decision balanced against the cost of the possible security controls
Threat Removal
In some circumstances, threats can be removed without repairing the vulnerability
The vulnerability can no longer be exploited, and the risk has been removed
Other vulnerabilities may be amenable to other controls that allow an inexpensive repair and still remove the risk from the situation
Vulnerability Repair
The optimal solution in most cases is to repair the vulnerability
Applying patch software or implementing a work-around to the vulnerability often accomplishes this
In some cases, simply disabling the service removes the vulnerability; in other cases simple remedies are possible
Of course, a common remedy remains the application of a software patch to make the system function in the expected fashion and to remove the vulnerability
Readiness and Review
Keep the program functioning as designed and continuously improving
Accomplished by:
– Policy review: Sound policy needs to be reviewed and refreshed from time to time to provide a current foundation for the information security program
• Policy review is the primary initiator of the readiness and review domain
– Readiness review: Major planning components should be reviewed on a periodic basis to ensure they are current, accurate, and appropriate
– Rehearsals: When possible, major plan elements should be rehearsed to make sure all participants are capable of responding as needed
Readiness and Review
FIGURE 12-6 Vulnerability Assessment and Remediation
Epilogue
When CISOs can’t sleep, what is keeping them awake?
A solid maintenance program can complement every information security program, and over time can even strengthen a weak program