1 Figure 1-17: Security Management: Security is Primarily a Management Issue, not a Technology...

Post on 28-Jan-2016

1

Figure 1-17: Security Management

Security is Primarily a Management Issue, not a Technology Issue

Top-to-Bottom Commitment
  Top-management commitment
  Operational execution
  Enforcement

2

Figure 1-17: Security Management

Comprehensive Security
  Closing all avenues of attack
  Asymmetrical warfare: the attacker only has to find one opening
  Defense in depth: the attacker must get past several defenses to succeed
  Security audits: run attacks against your own network

3

Figure 1-17: Security Management

General Security Goals (CIA)
  Confidentiality: attackers cannot read messages if they intercept them
  Integrity: if attackers change messages, this will be detected
  Availability: the system is able to serve users

4

Figure 1-18: The Plan—Protect—Respond Cycle

Planning
  Need for comprehensive security (no gaps)
  Risk analysis (see Figure 1-19)
    Enumerating threats
    Threat severity = estimated cost of attack x probability of attack
    Value of protection = threat severity – cost of countermeasure
    Prioritize countermeasures by value of protection

5

Figure 1-19: Threat Severity Analysis

Steps: (1) Cost if attack succeeds, (2) Probability of occurrence, (3) Threat severity,
(4) Countermeasure cost, (5) Value of protection, (6) Apply countermeasure?, (7) Priority

Threat    (1)         (2)    (3)         (4)         (5)          (6)    (7)
A         $500,000    80%    $400,000    $100,000    $300,000     Yes    1
B         $10,000     20%    $2,000      $3,000      ($1,000)     No     NA
C         $100,000    5%     $5,000      $2,000      $3,000       Yes    2
D         $10,000     70%    $7,000      $20,000     ($13,000)    No     NA
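
As an added worked example (not part of the textbook slides), the Figure 1-19 analysis carried out in Python: the two formulas from the planning slide, the apply decision and the priority ranking reproduce the figure's rows for threats A to D. The decision rule "apply when the value of protection is positive" and the rank-by-value ordering are assumptions read off the figure's Yes/No and Priority columns.

```python
from dataclasses import dataclass


@dataclass
class Threat:
    name: str
    cost_if_success: float      # step 1: estimated cost of a successful attack
    probability: float          # step 2: probability of occurrence, 0.0 to 1.0
    countermeasure_cost: float  # step 4: cost of the countermeasure

    @property
    def severity(self) -> float:
        # step 3: threat severity = cost of attack x probability of attack
        return round(self.cost_if_success * self.probability, 2)

    @property
    def value_of_protection(self) -> float:
        # step 5: value of protection = threat severity - cost of countermeasure
        return round(self.severity - self.countermeasure_cost, 2)

    @property
    def apply(self) -> bool:
        # step 6 (assumed rule): apply only when protection has positive value
        return self.value_of_protection > 0


def prioritize(threats):
    """Step 7: rank countermeasures worth applying, highest value first.

    Returns {threat name: rank}; threats not worth applying get 'NA'.
    """
    worth_it = sorted((t for t in threats if t.apply),
                      key=lambda t: t.value_of_protection, reverse=True)
    ranks = {t.name: rank for rank, t in enumerate(worth_it, start=1)}
    return {t.name: ranks.get(t.name, "NA") for t in threats}


# The four threats of Figure 1-19 (cost, probability, countermeasure cost)
FIGURE_1_19 = [
    Threat("A", 500_000, 0.80, 100_000),
    Threat("B", 10_000, 0.20, 3_000),
    Threat("C", 100_000, 0.05, 2_000),
    Threat("D", 10_000, 0.70, 20_000),
]


def analysis_table(threats):
    """One row per threat: (name, severity, value of protection, apply?, priority)."""
    priority = prioritize(threats)
    return [(t.name, t.severity, t.value_of_protection, t.apply, priority[t.name])
            for t in threats]


if __name__ == "__main__":
    for row in analysis_table(FIGURE_1_19):
        print(row)
```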

6

Figure 1-18: The Plan—Protect—Respond Cycle

Planning
  Security policies drive subsequent specific actions (see Figure 1-20)
    Selecting technology
    Procedures to make technology effective
    The testing of technology and procedures

7

Figure 1-20: Policy-Driven Technology, Procedures, and Testing

Policy: Only allow authorized personnel to use the accounting webserver
  Technology (firewall, hardened webserver)
  Procedures (configuration, passwords, etc.)
  Protection testing (test security): attempt to connect to unauthorized webserver

8

Figure 1-18: The Plan—Protect—Respond Cycle

Protecting
  Installing protections: firewalls, IDSs, host hardening, etc.
  Updating protections as the threat environment changes
  Testing protections: security audits

9

Figure 1-18: The Plan—Protect—Respond Cycle

Responding
  Planning for response (Computer Emergency Response Team)
  Incident detection and determination
    Procedures for reporting suspicious situations
    Determination that an attack really is occurring
    Description of the attack to guide subsequent actions

10

Figure 1-18: The Plan—Protect—Respond Cycle

Responding
  Containment: stop the attack
  Recovery: repair the damage
    Fixing the vulnerability that allowed the attack
  Punishment: forensics, prosecution, employee punishment