overconfidence
Organization should avoid -- after implementation of improved information security profile
Reengineering information security profile
More expensive to do again and again
Management model
must be adopted to manage and operate ongoing security program
Models
frameworks that structure tasks of managing particular set of activities or business functions
The ISO Network Management Model
Five-layer approach that provides structure to administration and management of networks and systems
The ISO Network Management Model
Addresses management and operation through five areas: fault management, configuration and name management, accounting management, performance management, and security management
Five areas of security management
Fault management, Configuration and change management, Accounting and auditing management, Performance management, Security program management
Fault Management
Identifying, tracking, diagnosing, and resolving faults in system
Vulnerability assessment
most often accomplished with penetration testing (simulated attacks exploiting documented vulnerabilities)
Help desk personnel
must be trained to recognize security problem as distinct from other system problems
Configuration management
administration of the configuration of security program components
Change management
administration of changes in strategy, operation, or components
Technical changes
impact the technology implemented to support security efforts in the hardware, software, and data components
Nontechnical Change Management
Changes to information security may require implementing new policies and procedures
Document manager
should maintain master copy of each document; record and archive revisions made; and keep copies of revisions
Policy revisions
not implemented and enforceable until they have been disseminated, read, understood, and agreed to
Nontechnical Change Management
Software available to make creation, modification, dissemination, and agreement documentation processes more manageable
configuration item, version, build
Technical configuration and change terms
Four steps of configuration management
Configuration identification, Configuration control, Configuration status accounting, Configuration audit
Chargeback accounting
enables organizations to internally charge for system use
Accounting management
involves monitoring use of particular component of a system
Auditing
process of reviewing use of a system, not to check performance, but to determine misuse or malfeasance
Performance Management
Important to monitor performance of security systems and underlying IT infrastructure to determine if they are working effectively
Performance management
Common metrics are applicable in security, especially when components being managed are associated with network traffic
performance baselines
To evaluate ongoing performance of security system, -- are established
Security Program Management
ISO five-area-based framework supports a structured management model by ensuring various areas are addressed
Security Program Management
Two standards are designed to assist in this effort; Part 2 of the British Standard (BS) 7799 introduces process model: plan, do, check, act
plan, do, check, act
Part 2 of the British Standard (BS) 7799 introduces process model: (4)
The Maintenance Model
Designed to focus organizational effort on maintaining systems
Monitoring the External Environment
Objective to provide early awareness of new threats, threat agents, vulnerabilities, and attacks that is needed to mount an effective defense
Monitoring the External Environment
Entails collecting intelligence from data sources and giving that intelligence context and meaning for use by organizational decision makers
Data Sources
Acquiring threat and vulnerability data is not difficult; Turning data into information decision makers can use is the challenge
Data Sources
Regardless of where or how external monitoring data is collected, must be analyzed in context of organization's security environment to be useful
external monitoring
Function of -- process is to monitor activity, report results, and escalate warnings
Data Collection and Management over time
external monitoring processes should capture knowledge about external environment in appropriate formats
External monitoring
collects raw intelligence, filters for relevance, assigns a relative risk impact, and communicates to decision makers in time to make a difference
Monitoring the Internal Environment
Maintain informed awareness of state of organization's networks, systems, and defenses by maintaining inventory of IT infrastructure and applications
Network Characterization and Inventory
Organizations should have carefully planned and fully populated inventory for network devices, communication channels, and computing devices; Once characteristics are identified, they must be carefully organized and stored using a mechanism (manual or automated) that allows timely retrieval and rapid integration of disparate facts
The Role of IT Governance
Primary value is increased awareness of the impact of change
The Role of IT Governance
Awareness must be translated into description of risk that is caused by change through operational risk assessment
Awareness
-- must be translated into description of risk that is caused by change through operational risk assessment
intrusion detection systems (IDS)
The most important value of raw intelligence provided by -- is providing indicators of current or imminent vulnerabilities
Log files
-- from IDS engines can be mined for information
IDS traffic analysis
Another IDS monitoring element is --
attack signatures
Analyzing -- for unsuccessful system attacks can identify weaknesses in various security efforts
Difference analysis
procedure that compares current state of network segment against known previous state of same segment
Planning and Risk Assessment
primary objective is to keep lookout over entire information security program
Planning and Risk Assessment
Accomplished by identifying and planning ongoing information security activities that further reduce risk
Information Security Program Planning and Review
Periodic review of ongoing information security program coupled with planning for enhancements and extensions is recommended; Should examine IT needs of future organization and impact those needs have on information security
Information Security Program Planning and Review
takes advantage of the fact most organizations have annual capital budget planning cycles and manage security projects as part of that process
Security Operational Risk Assessment (RA)
A key component for driving security program change
Security Operational Risk Assessment (RA)
identifies and documents risk that project, process, or action introduces to organization and offers suggestions for controls
Information security group
-- coordinates preparation of many types of RA documents
Vulnerability Assessment and Remediation
primary goal is the identification of specific, documented vulnerabilities and their timely remediation
Vulnerability Assessment
Process of identifying and documenting specific and provable flaws in organization's information asset environment
Vulnerability Assessment
Five vulnerability assessment processes that follow can serve many organizations as they attempt to balance intrusiveness of vulnerability assessment with need for stable and productive production environment
Internet Vulnerability Assessment
Designed to find and document vulnerabilities present in organization's public-facing network
Intranet Vulnerability Assessment
Designed to find and document selected vulnerabilities present on the internal network
Intranet Vulnerability Assessment
Attackers are often internal members of organization, affiliates of business partners, or automated attack vectors (such as viruses and worms)
Intranet Vulnerability Assessment
This assessment is usually performed against selected critical internal devices with a known, high value by using selective penetration testing
Intranet Vulnerability Assessment
Steps in process almost identical to steps in Internet vulnerability assessment
Platform Security Validation
Designed to find and document vulnerabilities that may be present because of misconfigured systems in use within organization
Automated measurement systems
available to help with the intensive process of validating compliance of platform configuration with policy
Wireless Vulnerability Assessment
Designed to find and document vulnerabilities that may be present in wireless local area networks of organization
Wireless Vulnerability Assessment
Since attackers from this direction are likely to take advantage of any loophole or flaw, assessment is usually performed against all publicly accessible areas using every possible wireless penetration testing approach
Modem Vulnerability Assessment
Designed to find and document any vulnerability present on dial-up modems connected to organization's networks
Modem Vulnerability Assessment
Since attackers from this direction take advantage of any loophole or flaw, assessment is usually performed against all telephone numbers owned by the organization
Modem Vulnerability Assessment
One element of this process, often called war dialing, uses scripted dialing attacks against pool of phone numbers
War dialing
uses scripted dialing attacks against pool of phone numbers
Vulnerability tracking database
should provide details as well as a link to the information assets
Vulnerability tracking database
Low cost and ease of use make relational databases a realistic choice
Vulnerability database
-- is an essential part of effective remediation
Remediating Vulnerabilities
objective is to repair flaw causing a vulnerability instance or remove risk associated with vulnerability
Remediating Vulnerabilities
As last resort, informed decision makers with proper authority can accept risk
Remediating Vulnerabilities
Important to recognize that building relationships with those who control information assets is key to success
Remediating Vulnerabilities
Success depends on organization adopting team approach to remediation, in place of cross-organizational push and pull
Acceptance or Transference of Risk justification
In some instances, risk must simply be acknowledged as part of organization's business process; Management must be assured that decisions to assume risk on behalf of the organization are made by properly informed decision makers
Information security
must make sure the right people make risk assumption decisions with complete knowledge of the impact of the decision
Threat Removal
In some circumstances, threats can be removed without repairing vulnerability
Threat removal outcome
Vulnerability can no longer be exploited, and risk has been removed; Other vulnerabilities may be amenable to other controls that do not require an expensive repair and still remove risk from situation
Vulnerability Repair
optimum solution is to repair vulnerability; Applying patch software or implementing a workaround often accomplishes this
Vulnerability Repair
In some cases, simply disabling the service removes vulnerability; in other cases, simple remedies are possible
Vulnerability Repair
Most common repair is application of a software patch
software patch
in Vulnerability Repair, the most common repair is application of a --
Readiness and Review
primary goal is to keep information security program functioning as designed and continuously improving
Digital Forensics
used to investigate what happened during attack on assets and how attack occurred; Based on the field of traditional forensics
Digital Forensics
involves preservation, identification, extraction, documentation, and interpretation of computer media for evidentiary and/or root cause analysis
Evidentiary material (EM)
any information that could potentially support organization's legal or policy-based case against suspect
Protect and forget (patch and proceed)
focuses on defense of data and systems that house, use, and transmit it
Apprehend and prosecute (pursue and prosecute)
focuses on identification and apprehension of responsible individuals, with additional attention on collection and preservation of potential EM that might support administrative or criminal prosecution