Security Maintenance Notes

Security Maintenance

Introduction to Security Maintenance

• Implementing security is the beginning, not the end.
• Static security programs become obsolete.
• Dynamic environments need adaptive measures.

The Illusion of Completion

• Organizations may feel secure after initial implementation.
• They may overlook ongoing maintenance.
• Security threats continuously evolve.

What Changes Over Time?

• External and internal factors drive change, including:
  • Technological advancements
  • Organizational restructuring
  • Personnel turnover

Evolving Threat Landscape

• New attacks emerge continuously.
  • Examples: Zero-day vulnerabilities and Ransomware-as-a-Service (RaaS).
• Existing attacks mutate.
  • Example: Phishing evolving into spear phishing and whaling.

Internal Organizational Changes

• Acquisition of new assets (e.g., cloud infrastructure).
• Divestiture of old systems (e.g., legacy hardware).
• Shifting business priorities (e.g., pivot to remote work).
• Formation/dissolution of partnerships.
• Personnel changes:
  • Departures of trained staff.
  • Onboarding of new, possibly untrained, personnel.

Example – Impact of Remote Work Adoption

• Rapid shift to remote work during a pandemic led to:
  • Increased asset surface (e.g., home devices, VPN access).
  • New vulnerabilities (e.g., unsecured home Wi-Fi).
  • Required realignment of priorities (e.g., endpoint protection).

The Importance of Periodic Reassessment

• The environment changes significantly before a risk management cycle ends.
• Reassessment answers:
  • Are new threats being addressed?
  • Are new assets protected?
  • Are new vulnerabilities identified?

Adaptability is Key

• Organizations must:
  • Periodically review and adapt their information security posture.
  • Decide whether to continue the current improvement program or restart from analysis/design phases.

Continue or Restart?

• Continue if:
  • Minor changes occurred.
  • Current program adapts well.
• Restart if:
  • Major changes occurred.
  • Gaps are identified in threat, asset, or vulnerability management.

Preparing for Security Maintenance

• Before implementing a maintenance model, understand:
  • How organizations manage ongoing change.
  • Monitoring the Security Triple: Threats, Assets, Vulnerabilities.

The Security Triple (Preview)

• These three elements must be:
  • Identified.
  • Monitored.
  • Updated regularly.
• This ensures the relevance and effectiveness of security measures.

Security Management Maintenance Model

What Are Security Management Maintenance Models?

• A maintenance model helps structure and guide the ongoing management of security programs.
• These are frameworks used to:
  • Organize and prioritize ongoing tasks.
  • Maintain effectiveness in a changing environment.
  • Ensure sustainability of security measures.

Purpose of Maintenance Models

• Provide a systematic approach to managing security functions.
• Ensure the security posture remains aligned with evolving organizational and technological environments.
• Help security teams:
  • Detect drift or gaps in protection.
  • Respond quickly to emerging threats.
  • Maintain operational readiness

Characteristics of an Effective Maintenance Model

• Scalable – grows with the organization.
• Flexible – adapts to changes in risk, assets, and business priorities.
• Repeatable – enables consistent application across time and teams.
• Accountable – assigns responsibilities clearly.
• Measurable – uses metrics to assess performance.

NIST SP 800-100 Information Security Handbook: A Guide for Managers

• Provides managerial guidance for establishing and implementing an information security program.
• There are 13 areas of information security management presented.
• Provides for specific monitoring activities for each task.
• Tasks should be done on an ongoing basis.

Key Areas for Security Maintenance

• Information Security Governance
  • Agencies should monitor the status of their programs to ensure:
    • Ongoing information security activities provide appropriate support.
    • Policies and procedures are current.
    • Controls are accomplishing their intended purpose.
• System Development Life Cycle
  • Including configuration and change management (CCM).
• Awareness and Training
  • An automated tracking system should capture key information about program activity.
  • Tracking compliance involves assessing the status of the program as indicated by the database information and mapping it to standards established by the agency.
  • Security policies must evolve and awareness/training updated.
• Capital Planning and Investment Control
  • Departments are required to allocate funding toward highest-priority investments.
  • Designed to facilitate the expenditure of agency funds.
• Interconnecting Systems
  • The direct connection of two or more systems for sharing data.
  • Can expose the participating organizations to risk.
  • If one of the connected systems is compromised, interconnection could be used as a conduit.
• Performance Measures
  • Should be used for monitoring the performance of information security controls and initiating performance improvements.
• Security Planning
  • One of the most crucial ongoing responsibilities in security management.
• Information Technology Contingency Planning
  • Consists of a process for recovery and documentation of procedures.
• Risk Management
  • Ongoing effort.
  • Tasks include performing risk identification, analysis, and management.
• Certification, Accreditation, and Security Assessments
  • The status of security controls is checked regularly.
  • Includes auditing—the review of a system’s use to determine if misuse/malfeasance has occurred.
• Security Services and Products Acquisition
  • Security products and services should be selected and used to support the organization’s overall program.
• Incident Response: Incident Response Life Cycle
  • A well-defined incident response capability helps the organization detect incidents rapidly, minimize loss and destruction, identify weaknesses, and restore operations rapidly.
• Configuration (or Change) Management
  • Manages the effects of changes in configurations.
    • Step 1: Identify Change
    • Step 2: Evaluate Change Request
    • Step 3: Implementation Decision
    • Step 4: Implement Approved Change Request
    • Step 5: Continuous Monitoring

Information Security Services Life Cycle

Phases: Initiation, Assessment, Solution, Implementation, Operations, and Closeout.

• Designed to focus organizational effort on maintaining systems

The Security Maintenance Model

• Recommended maintenance model based on five subject areas:
  • External monitoring
  • Internal monitoring
  • Planning and risk assessment
  • Vulnerability assessment and remediation
  • Readiness and review

Components of the Maintenance Model

• External Monitoring.
• Internal Monitoring.
• Planning and Risk Assessment.
• Vulnerability Assessment and Remediation.
• Readiness and Review.
• Risk, Threat, and Attack Database.
• Vulnerability Database.

Monitoring the External Environment

• Objective to provide early awareness of new and emerging threats, threat agents, vulnerabilities, and attacks so organization can mount an effective defense.
• Entails collecting intelligence from data sources and giving that intelligence context and meaning for use by organizational decision makers.
• Acquiring threat and vulnerability data is not difficult.
• Turning data into information decision makers can use is the challenge.
• External intelligence comes from vendors, computer emergency response teams (CERTs), public network sources, or membership sites.
• Regardless of where or how external monitoring data are collected, they must be analyzed in the context of the organization’s security environment to be useful.

Data Sources for External Monitoring

• Vendors inform team of product-related threats.
• CERTs supply information on local and international threats.
• Public Internet sites supply information on current attacks.
• Membership sites offer value-added context and filtering capabilities.

Monitoring, Escalation, and Incident Response

• Function of external monitoring process is to monitor activity, report results, and escalate warnings.
• Monitoring process has three primary deliverables:
  • Specific warning bulletins issued when developing threats and specific attacks pose measurable risk to the organization.
  • Periodic summaries of external information.
  • Detailed intelligence on highest risk warnings.

Data Collection and Management

• Over time, external monitoring processes should capture information about the external environment in appropriate formats.
• External monitoring collects raw intelligence, filters for relevance, assigns a relative risk impact, and communicates to decision makers in time to make a difference.

Monitoring the Internal Environment

• Primary goal is informed awareness of the state of organization’s networks, systems, and security defenses.
• Internal monitoring is accomplished by:
  • Inventorying network devices and channels, IT infrastructure and applications, and information security infrastructure elements.
  • Leading the IT governance process.
  • Real-time monitoring of IT activity.
  • Monitoring the internal state of the organization’s networks and systems.

Internal Monitoring Activities

• Inventory network and IT infrastructure.
• Monitor IT activity with an intrusion detection system.
• Participate in IT management, change control process, and architectural review boards.

Network Characterization and Inventory

• Organizations should have/maintain a carefully planned and fully populated inventory of network devices, communication channels, and computing devices.
• Once characteristics are identified, they must be carefully organized and stored using a mechanism (manual or automated) that allows timely retrieval and rapid integration of disparate facts.

Making Intrusion Detection and Prevention Systems Work

• The most important value of raw intelligence provided by the IDS is providing indicators of current or imminent vulnerabilities.
• Log files from IDS engines can be mined for information.
• Another IDS monitoring element is traffic analysis.
• Analyzing attack signatures from unsuccessful system attacks can identify weaknesses in various security efforts.

Detecting Differences

• Difference analysis: procedure that compares current state of network segment against known previous state of same segment.
• Unexpected differences between the current state and the baseline state could indicate trouble

Planning and Risk Assessment

• Primary objective is to keep a lookout over the entire information security program.
• Accomplished by identifying and planning ongoing information security activities that further reduce risk.
• Primary objectives:
  • Establishing a formal information security program review process.
  • Instituting formal project identification, selection, planning, and management processes.
  • Coordinating with project teams to introduce risk assessment and review for all projects.
  • Integrating a mindset of risk assessment throughout the organization.

Information Security Program Planning and Review

• Periodic review of ongoing information security program and planning for enhancements and extensions is recommended.
• Should examine future IT needs of the organization and its impact on information security.
• A recommended approach takes advantage of the fact that most organizations have annual capital budget planning cycles and manage security projects as part of that process.

Integrating Security into Project Planning

• Security team assesses its own program.
• Evaluates risks introduced by new IT projects.
• Assesses operational risks.

Benefits of Smaller Projects

• Large projects should be broken into smaller projects for several reasons:
  • Smaller projects tend to have more manageable impacts on networks and users.
  • Larger projects tend to complicate the change control process in the implementation phase.
  • Shorter planning, development, and implementation schedules reduce uncertainty.
  • Most large projects can easily be broken down into smaller projects, giving more opportunities to change direction and gain flexibility.

Security Risk Assessments

• A key component for driving security program change is risk assessment (RA).
• RA identifies and documents the risk that a project, process, or action introduces to the organization and offers suggestions for controls.
• The information security group coordinates the preparation of many types of RA documents.

Vulnerability Assessment and Remediation

• Primary goal: identification of specific, documented vulnerabilities and their timely remediation.
• Accomplished by:
  • Using vulnerability assessment procedures.
  • Documenting background information and providing tested remediation procedures for vulnerabilities.
  • Tracking vulnerabilities from the time they are identified.
  • Communicating vulnerability information to owners of vulnerable systems.
  • Reporting on the status of vulnerabilities.
  • Ensuring the proper level of management is involved.

Core Elements

• Extract vulnerabilities from the Internet vulnerability assessment.
• Intranet vulnerability assessment.
• Platform security validation.
• Wireless vulnerability assessment.
• Vulnerability Database.
• Develop a remediation plan.

Vulnerability Assessment Processes

• Process of identifying and documenting specific and provable flaws in the organization’s information asset environment.
• Five following vulnerability assessment processes can help many organizations balance intrusiveness of vulnerability assessment with the need for a stable and effective production environment.

Penetration Testing

• A level beyond vulnerability testing
• Is a set of security tests and evaluations that simulate attacks by a malicious external source (hacker)
• Penetration test (pen test): usually performed periodically as part of a full security audit
• Can be conducted in one of two ways: black box or white box

Internet Vulnerability Assessment

• Designed to find and document vulnerabilities present in an organization’s public network.
• Steps in the process include:
  • Planning, scheduling, and notification.
  • Target selection.
  • Test selection.
  • Scanning.
  • Analysis.
  • Record keeping.

Intranet Vulnerability Assessment

• Designed to find and document the selected vulnerabilities likely present on the internal network
• Attackers are often internal members of the organization, affiliates of business partners, or automated attack vectors (such as viruses and worms)
• This assessment is usually performed against critical internal devices with a known, high value by using selective penetration testing
• Steps in the process are almost identical to the steps in the Internet vulnerability assessment

Platform Security Validation

• Designed to find and document vulnerabilities that may be present because misconfigured systems are in use within the organization
• These misconfigured systems fail to comply with company policy or standards
• Fortunately, automated measurement systems are available to help with the intensive process of validating the compliance of platform configuration with policy

Wireless Vulnerability Assessment

• Designed to find and document vulnerabilities that may be present in wireless local area networks of the organization
• Since attackers from this direction are likely to take advantage of any flaw, assessment is usually performed against all publicly accessible areas using every possible wireless penetration testing approach

Documenting Vulnerabilities

• Vulnerability database should provide details about reported vulnerability as well as a link to the information assets
• Low cost/ease of use makes relational databases a realistic choice
• Vulnerability database is an essential part of effective remediation

Remediating Vulnerabilities

• Objective is to repair flaw causing a vulnerability instance or remove risk associated with vulnerability
• As a last resort, informed decision makers with proper authority can accept risk
• Important to recognize that building relationships with those who control information assets is key to success
• Success depends on the organization adopting a team approach to remediation, in place of cross-organizational push and pull

Acceptance or Transference of Risk

• In some instances, risk must be either simply acknowledged as part of the organization’s business process or transferred to another organization via insurance
• Management must be assured that decisions made to accept risk or buy insurance were made by properly informed decision makers
• Information security must make sure the right people make risk assumption decisions with complete knowledge of the impact of the decision

Threat Removal

• In some circumstances, threats can be removed without repairing vulnerability
• Other vulnerabilities may be mitigated by inexpensive controls

Vulnerability Repair

• The best solution in most cases is to repair vulnerability
• Applying patch software or implementing a workaround often accomplishes this
• The most common repair is the application of a software patch

Readiness and Review

• Primary goal is to keep the information security program functioning as designed and continuously improving
• Accomplished by:
  • Policy review
  • Program review
  • Rehearsals

Key Activities:

• Policy Review
• Plan review for IRP,DRP and BCP
• Simulations and War Games to test readiness.