Guide to Network Defense and Countermeasures, Chapter 3

Upload: chad-wilkerson

Post on 31-Dec-2015


Page 1: 1 Guide to Network Defense and Countermeasures Chapter 3

Guide to Network Defense and Countermeasures

Chapter 3

Page 2

Chapter 3 - Risk Analysis and Security Policy Design

Get started with basic concepts of risk analysis

Decide how to minimize risk in your own network

Explain what makes an effective security policy

Formulate a network security policy

Perform ongoing risk analysis

Page 3

Getting Started with Risk Analysis

The consensus among security professionals is that there is no zero-risk situation

The first task when undertaking the formulation of a security policy is to assess the risk faced by employees, the network, and corporate databases

The goal is not to reduce risks to zero, but to devise ways to manage that risk in a reasonable fashion

Because threats change all the time along with technology, determining risks and developing a security policy to manage them is an ongoing process rather than a one-time operation

Page 5

Getting Started with Risk Analysis

Risk analysis is the study of how great the possibility of loss is in a particular situation

The six concepts that go into creating a risk analysis are:

1. Assets, which are physical (equipment and buildings), data-related (employee and customer records), application software, and personal assets

2. Threats, which are events that can happen, such as weather-related disasters, hacker access, power-related issues, and crime-related risks

Page 6

Getting Started with Risk Analysis

Six concepts of risk analysis (cont.):

3. Probabilities are geographic, physical, habitual, or other factors that affect the possibility that a threat will occur; it is a good idea to rank the biggest threats to your organization, with their probabilities described as negligible, very low, low, medium, high, very high, or extreme

4. Vulnerabilities are situations or conditions that a threat can exploit and that, in turn, increase risk; a key example is exposing computers directly to the Internet

Page 8

Getting Started with Risk Analysis

Six concepts of risk analysis (cont.):

5. Consequences are what results when a threat occurs, such as a virus that forces the organization to take its Web site offline for a week, or a fire that destroys computer equipment; the probability rating of each threat can now be extended with a rating of the significance of its impact; other consequences associated with getting a system back online after an attack include cost impact, insurance claims, police reports, shipping or delivery, and the time and effort to restore systems to their pre-attack state; ROI calculators can help to quantify these items

Page 11

Getting Started with Risk Analysis

Six concepts of risk analysis (cont.):

6. Safeguards are measures you can take to reduce the likelihood or impact of threats, such as installing firewalls and intrusion detection systems, locking doors, and using passwords and/or encryption; all assets have an inherent amount of risk associated with them; threats and vulnerabilities make risk larger, whereas countermeasures work to reduce it; residual risk is what is left over after countermeasures and defenses are implemented; risk never actually equals zero

Page 13

Getting Started with Risk Analysis

When the six concepts of risk analysis are addressed and codified, the building blocks are in place to prepare the risk analysis

Different types of risk analysis are used to create a security policy and to evaluate how well the policy is performing (so that it can be improved)

The ultimate goal is not to reduce the risks to zero, but to manage the risk at reasonable levels

Two widely used approaches to risk analysis are Survivable Network Analysis (SNA) and Threat and Risk Assessment (TRA)

Page 14

Getting Started with Risk Analysis

Survivable Network Analysis (SNA) is a security process developed by the CERT Coordination Center security group

SNA starts with the assumption that a computer system will be attacked; it leads you through a four-step process designed to ensure the survivability of a network should an attack occur

Survivability focuses on the essential services/assets and the critical system capabilities of a system; it also depends on resistance, recognition, and recovery

Page 15

Getting Started with Risk Analysis

The steps involved in SNA are:

System definition is a high-level overview of the requirements of the system organizationally

Essential capability definition is the identification of the essential services and assets of the system

Compromisable capability definition is determined by designing scenarios in which intrusions occur, and then tracing each intrusion through the system

Survivability analysis is where points of fault are identified, along with recommendations for correction and resistance improvement

Page 17

Getting Started with Risk Analysis

Threat and Risk Assessment (TRA) approaches risk analysis from the standpoint of the threats and risks that confront an organization's assets and the consequences of those threats and risks should they occur; like SNA, TRA leads you through a four-step process of analysis

TRA is carried out in different ways by different security organizations around the world, and a variety of rating systems are offered

Page 18

Getting Started with Risk Analysis

The steps involved in TRA are:

Asset definition, where you identify the software, hardware, and information you need to defend

Threat assessment, where you identify the kinds of threats that place the asset at risk, including vandalism, fire, natural disasters, and Internet attacks

Risk assessment, the evaluation of each asset with respect to existing safeguards, the severity of the threats and risks, and the consequences of the threat or risk actually taking place

Recommendations to reduce risk

Page 21

Getting Started with Risk Analysis

Risk analysis is a group of related activities that typically take the following sequence:

Initial tiger team sessions: hold meetings and conduct interviews with stakeholders to collect pertinent information and review scope

Asset valuation: identify the assets to protect and determine their value; get manager input

Evaluating vulnerability: investigate the level of threat and vulnerability in relation to asset value

Calculate risk: assign numeric values to issues rated from low through very high

Page 22

Getting Started with Risk Analysis

Risk analysis is not a one-time activity used solely to create a security policy

Risk analysis evolves to take into account the changing size and activities of an organization, the progression to larger and more complex computer systems, and new threats from both inside and outside the corporate network

The initial risk analysis is used to formulate a security policy, which is then enforced and monitored; new threats and intrusion attempts cause a reassessment of the risks faced

Page 24

Getting Started with Risk Analysis

An important part of risk analysis is preparing estimates of the financial impact of losses

There are a number of different models for estimating the impact; software is often used to help prepare reports that substantiate estimates and provide charts and graphs to support the figures

Project Risk Analysis by Katmar Software gives a structure with which to list organizational assets, and it allows cost estimates to be made using a variety of statistical models, including likely cost, low cost, and high cost
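The activity sequence on page 21 (asset valuation, vulnerability evaluation, calculating risk) and the financial-impact estimates on page 24 can be carried out in a small risk register. The following is an added example written for this transcript, not code from the textbook or from any vendor product it names. It keeps the chapter's rating labels and its 1-to-10 importance scale, but the numeric weights behind the labels, the importance x probability x impact scoring, the PERT three-point loss formula standing in for the vendor's statistical models, the cap that keeps residual risk above zero, and every asset and cost figure are assumptions constructed for illustration.

```python
"""Risk register: asset valuation, probability and impact ratings, residual risk
after safeguards, and three-point loss estimates.  Added example, not from the
textbook; all weights and sample figures are constructed for illustration."""
from dataclasses import dataclass, field

# The chapter's probability scale, mapped to numeric weights.  The labels are the
# chapter's; the weights are this example's assumption.  The same scale is used
# to rate the significance of a threat's impact.
RATING = {
    "negligible": 0.05, "very low": 0.1, "low": 0.25, "medium": 0.5,
    "high": 0.75, "very high": 0.9, "extreme": 1.0,
}
# The chapter's point that residual risk never reaches zero, enforced: no
# safeguard may claim more than this effectiveness.
MAX_SAFEGUARD_EFFECTIVENESS = 0.95


@dataclass
class Threat:
    name: str
    probability: str                       # label from RATING
    impact: str                            # label from RATING
    low_cost: float                        # three-point loss estimate ...
    likely_cost: float                     # ... in currency units
    high_cost: float
    safeguard_effectiveness: float = 0.0   # fraction of inherent risk removed


@dataclass
class Asset:
    name: str
    importance: int                        # 1 (least) .. 10 (most critical)
    threats: list = field(default_factory=list)


def loss_estimate(t: Threat) -> float:
    """PERT three-point estimate, (low + 4*likely + high) / 6; an assumed
    stand-in for the vendor models the slide mentions."""
    return (t.low_cost + 4 * t.likely_cost + t.high_cost) / 6


def weighted_loss(t: Threat) -> float:
    """Loss estimate scaled by the probability weight: the expected-loss figure a
    manager weighs against the cost of a safeguard."""
    return loss_estimate(t) * RATING[t.probability]


def inherent_risk(asset: Asset, t: Threat) -> float:
    """Risk before countermeasures: importance x probability x impact."""
    return asset.importance * RATING[t.probability] * RATING[t.impact]


def residual_risk(asset: Asset, t: Threat) -> float:
    """Risk left after the safeguard; effectiveness is clamped so the result can
    never be driven to zero."""
    eff = min(max(t.safeguard_effectiveness, 0.0), MAX_SAFEGUARD_EFFECTIVENESS)
    return inherent_risk(asset, t) * (1.0 - eff)


def rank_register(assets) -> list:
    """One row per asset/threat pair, highest residual risk first, so that
    security effort goes to the most critical exposure first."""
    rows = []
    for a in assets:
        for t in a.threats:
            rows.append({
                "asset": a.name, "threat": t.name,
                "inherent": round(inherent_risk(a, t), 3),
                "residual": round(residual_risk(a, t), 3),
                "weighted_loss": round(weighted_loss(t), 2),
            })
    rows.sort(key=lambda r: r["residual"], reverse=True)
    return rows


# Constructed sample register; every figure is invented for the example.
SAMPLE_ASSETS = [
    Asset("customer database", 10, [
        Threat("Internet attacker reads records", "high", "very high",
               20_000, 50_000, 200_000, safeguard_effectiveness=0.8),
        Threat("fire destroys server room", "very low", "extreme",
               100_000, 150_000, 400_000, safeguard_effectiveness=0.5),
    ]),
    Asset("public Web site", 6, [
        Threat("virus forces site offline for a week", "medium", "medium",
               5_000, 10_000, 30_000, safeguard_effectiveness=0.6),
    ]),
    Asset("shared printer", 2, [
        Threat("vandalism", "low", "low", 200, 500, 1_000),
    ]),
]

if __name__ == "__main__":
    for row in rank_register(SAMPLE_ASSETS):
        print(row)
```

With the sample data the customer database's Internet exposure ranks first even after an 80 % effective safeguard, because the asset's importance and the threat's impact dominate the score; the fire scenario has a far larger loss estimate but a very low probability, so it ranks below the Web-site outage. Changing the weights in RATING or the safeguard effectiveness values is exactly the subjective judgement the chapter says risk analysis software helps to manage.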

Page 28

Deciding How to Minimize Risk

Risk management is the process of identifying, choosing, and setting up countermeasures justified by the identified risks

The countermeasures described in this process become the statements that go into the security policy

The risk management issues that need to be considered are: how to secure physical resources (hardware); how to secure network information and databases; how to conduct routine analysis; and how to respond to security incidents when they occur

Page 29

Deciding How to Minimize Risk

Deciding how to secure hardware:

Consider obvious physical protection, such as environmental controls and locking up hardware

List all servers, routers, cables, workstations, printers, and all other pieces of hardware; make a topology map that shows device connections, along with an IP allocation register

Rank resources in order of importance so that security efforts focus first on the most critical resources; rank can be assigned using arbitrary numbers, but a scale of 1 to 10 is suggested

Page 31

Deciding How to Minimize Risk

Deciding how to secure information:

Information needs to be protected; the logical assets of a company include documents, spreadsheets, Web pages, email, log files, personnel data, customer data, and financial data

One means of protecting customer and employee information is to isolate it from the Internet so that outside attackers cannot reach it directly; isolation limits exposure but does not stop an insider or a host that has already been compromised, so it is combined with the mechanisms below

Other protection mechanisms are data encryption, message filtering, data encapsulation, redundancy, and systematic data backups

Page 32

Deciding How to Minimize Risk

Deciding how to secure information (cont.):

Corporate information that is confidential, proprietary, or private must also be protected

The security policy must cover the corporate information that employees handle and minimize the associated risks by specifying measures such as: never leave laptops or handheld devices unattended; always password-protect corporate information; encrypt all financial data; password-protect all job records and customer information; restrict personnel information to HR staff and/or upper management

Page 33

Deciding How to Minimize Risk

Deciding how to conduct routine analysis:

Risk analysis must be done on a routine basis and starts with the following questions: How often will risk analysis be performed? Who will perform it? Do all hardware and software resources need to be reviewed every time?

The calculations and evaluations associated with risk analysis require subjective assessments of how much a resource is worth; because of this subjectivity and the often complex nature of the calculations involved, risk analysis software helps alleviate potential roadblocks

Page 34

Deciding How to Minimize Risk

Deciding how to handle security incidents:

Use the security policy to define how to respond to security break-ins; if a break-in report form is required, consider using one of the published forms on the Federal Agency Security Practices (FASP) Web site of the National Institute of Standards and Technology

Address the incident response section of the security policy by describing the need for careful and expeditious handling of an intrusion; include the types of intrusions to watch for, such as IDS alarms, repeated unsuccessful logins, unexplained new user accounts and files, and unexplained system issues

Page 36

Deciding How to Minimize Risk

Handling security incidents (cont.):

If an incident occurs, the security policy should spell out exactly which security staff need to be notified, and where they should assemble

It is common for an organization to designate a Security Incident Response Team (SIRT), a group of employees designated to take countermeasures when an incident is reported

Typically, the SIRT contains IT operations and technical support staff, IT application staff, a chief security officer, and other security specialists

Page 37

Deciding How to Minimize Risk

Describing escalation procedures:

Escalation procedures are sets of responsibilities, roles, and measures taken to respond to incidents

To determine how a response may escalate, come up with a system for ranking the severity of an incident; each ranking can be mapped to an escalation chain, which is a hierarchy of staff members who need to be involved in responding to incidents and making decisions

To help determine the value of a resource at risk, develop worst-case scenarios that describe the worst possible threat consequences
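The intrusion types listed on page 34 (IDS alarms, repeated unsuccessful logins, unexplained new user accounts) and the severity ranking mapped to an escalation chain described above can be tied together in detection logic. The following is an added example written for this transcript, not code from the textbook. The log line format, the regular expressions, the four-level severity scale, the thresholds (four failures in five minutes, a new account within an hour of a suspected compromise), the list of approved new accounts, and the roles in each escalation chain (drawn from the SIRT membership on page 36) are all assumptions of the example, and the log lines are constructed.

```python
"""Detection and escalation for the intrusion types the chapter lists (IDS
alarms, repeated unsuccessful logins, unexplained new accounts) over constructed
log lines.  Added example, not from the textbook: the log format, thresholds,
severity scale and chain membership are all assumptions of this example."""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample log in an assumed syslog-like format.
SAMPLE_LOG = """\
2024-03-01T09:00:01 sshd[1201]: Failed password for root from 203.0.113.7 port 51022
2024-03-01T09:00:03 sshd[1201]: Failed password for root from 203.0.113.7 port 51023
2024-03-01T09:00:05 sshd[1201]: Failed password for admin from 203.0.113.7 port 51024
2024-03-01T09:00:08 sshd[1201]: Failed password for admin from 203.0.113.7 port 51025
2024-03-01T09:00:10 sshd[1201]: Failed password for admin from 203.0.113.7 port 51026
2024-03-01T09:00:12 sshd[1201]: Accepted password for admin from 203.0.113.7 port 51027
2024-03-01T09:01:30 useradd[1300]: new user: name=svc_backup2, UID=1007, GID=1007
2024-03-01T09:02:00 ids[88]: ALERT port scan from 203.0.113.7
2024-03-01T09:30:00 useradd[1300]: new user: name=svc_reports, UID=1008, GID=1008
2024-03-01T10:15:00 sshd[1400]: Failed password for alice from 198.51.100.4 port 40001
"""

FAILED_RE = re.compile(r"^(?P<ts>\S+) sshd\[\d+\]: Failed password for \S+ from (?P<src>\S+)")
ACCEPT_RE = re.compile(r"^(?P<ts>\S+) sshd\[\d+\]: Accepted password for \S+ from (?P<src>\S+)")
NEWUSER_RE = re.compile(r"^(?P<ts>\S+) useradd\[\d+\]: new user: name=(?P<user>[^,]+)")
IDS_RE = re.compile(r"^(?P<ts>\S+) ids\[\d+\]: ALERT (?P<msg>.*)$")

FAIL_THRESHOLD = 4                        # failures from one source ...
FAIL_WINDOW = timedelta(minutes=5)        # ... within this window
PERSISTENCE_WINDOW = timedelta(hours=1)   # new account this soon after a compromise
APPROVED_NEW_ACCOUNTS = {"svc_reports"}   # assumed: accounts covered by a change ticket

# Severity ranking, and the escalation chain each rank maps to (assumed roles,
# drawn from the SIRT membership the chapter describes).
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}
ESCALATION_CHAIN = {
    "low": ["IT operations on-call"],
    "medium": ["IT operations on-call", "security specialist"],
    "high": ["IT operations on-call", "security specialist", "IT application lead"],
    "critical": ["IT operations on-call", "security specialist",
                 "IT application lead", "chief security officer"],
}


@dataclass
class Finding:
    kind: str
    detail: str
    severity: str
    when: datetime


def analyze(log_text: str) -> list:
    """Parse once, then correlate: a burst of failures followed by a success from
    the same source is a likely compromise (high); an unexplained account created
    soon after that compromise is persistence (critical)."""
    failures, accepts, findings = defaultdict(list), defaultdict(list), []
    for line in log_text.splitlines():
        if m := FAILED_RE.match(line):
            failures[m["src"]].append(datetime.fromisoformat(m["ts"]))
        elif m := ACCEPT_RE.match(line):
            accepts[m["src"]].append(datetime.fromisoformat(m["ts"]))
        elif (m := NEWUSER_RE.match(line)) and m["user"] not in APPROVED_NEW_ACCOUNTS:
            findings.append(Finding("unexplained new account", m["user"], "medium",
                                    datetime.fromisoformat(m["ts"])))
        elif m := IDS_RE.match(line):
            findings.append(Finding("IDS alarm", m["msg"], "medium",
                                    datetime.fromisoformat(m["ts"])))

    for src, times in failures.items():
        times.sort()
        for start in times:
            burst = [t for t in times if start <= t <= start + FAIL_WINDOW]
            if len(burst) >= FAIL_THRESHOLD:
                end = burst[-1]
                compromised = any(end <= a <= end + FAIL_WINDOW for a in accepts[src])
                findings.append(Finding("repeated failed logins",
                                        f"{len(burst)} failures from {src}",
                                        "high" if compromised else "medium", end))
                break   # one finding per source, not one per overlapping window

    compromises = [f for f in findings
                   if f.kind == "repeated failed logins" and f.severity == "high"]
    for f in findings:
        if f.kind == "unexplained new account" and any(
                c.when <= f.when <= c.when + PERSISTENCE_WINDOW for c in compromises):
            f.severity = "critical"
    return findings


def escalate(findings: list) -> list:
    """Pair each finding with its escalation chain, most severe first."""
    ordered = sorted(findings, key=lambda f: SEVERITY_RANK[f.severity], reverse=True)
    return [(f, ESCALATION_CHAIN[f.severity]) for f in ordered]
```

Running `escalate(analyze(SAMPLE_LOG))` on the constructed log yields three findings: the brute-force burst from 203.0.113.7 that ends in a successful login (high), the svc_backup2 account created ninety seconds later (raised to critical by the correlation, so the chief security officer is in the chain), and the IDS alarm (medium). The approved svc_reports account and the single failed login from 198.51.100.4 raise nothing, which is the point of putting thresholds and a change-ticket list in the policy rather than paging staff on every event.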

Page 39

What Makes a Good Security Policy?

A good security policy is comprehensive and flexible; it is often a group of documents, each with its own specific emphasis

The information gathered during the risk analysis phase should go into the security policy, along with a list of the policy goals and a statement of the importance of employees reading and following its guidelines

An ongoing security cycle is started that follows the sequence: policy design; implementation; ongoing monitoring; and reassessment

Page 40

What Makes a Good Security Policy?

Good security policies (cont.):

The cornerstone of a good policy is the Acceptable Use Policy, which spells out how employees may use organizational resources

Security policies identify the most important corporate security priorities for managers

Security policies help administrators by specifying employee security tasks; the Privileged Access Policy covers administrator network access and use

Once a policy is in effect, it must be determined how often additional risk analysis should be done

Page 41

Formulating a Security Policy

The steps involved in creating a policy:

1. Call for the assembly of a group that will meet to formulate the security policy

2. Determine the approach: restrictive or permissive

3. Identify the assets to be protected

4. Determine which network communications to audit and the frequency of review

5. List the security risks that need to be addressed

6. Define acceptable uses of resources and passwords

7. Create the security policy

Page 42

Formulating a Security Policy

Categories of security policies:

Acceptable Use defines acceptable, as well as unacceptable, use of organizational resources; it is usually listed first in a security policy because it affects the largest number of employees

User Account specifically spells out the use of user (employee, contractor, supplier) accounts

Remote Access spells out exactly what security measures need to be present on remote desktops before users can connect to the corporate network

Page 43

Formulating a Security Policy

Categories of security policies (cont.):

Password Protection states password particulars such as character length and type, the number of incorrect login attempts allowed before lockout, and the administrator's ability to check passwords against the policy

Internet Use covers how employees can access and use the Internet, including e-mail use, software downloads, Web site access, and privacy

Local Area Network defines and establishes responsibilities for the protection of data that is processed, stored, and transmitted on the LAN
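The Password Protection policy particulars above (character length and type, the number of incorrect login attempts, administrator password checking) can be written down as enforceable rules rather than prose. The following is an added example written for this transcript, not code from the textbook. The specific values (12 characters, three of four character classes, five attempts), the banned-password list, the check that a password does not contain the user name, and the sample accounts are all assumptions constructed for illustration; the plaintext sample passwords exist only so the example can run.

```python
"""Password Protection policy as code: the composition rules the policy states,
the lockout threshold, and the administrator's check over accounts.  Added
example, not from the textbook; rule values, the banned list and the sample
accounts are constructed assumptions."""
import re
from collections import defaultdict
from dataclasses import dataclass

# Common passwords that no amount of suffixing should rescue (constructed list).
BANNED_CORES = frozenset({"password", "welcome", "changeme", "letmein", "qwerty"})

CHARACTER_CLASSES = {
    "lowercase": re.compile(r"[a-z]"),
    "uppercase": re.compile(r"[A-Z]"),
    "digit": re.compile(r"[0-9]"),
    "symbol": re.compile(r"[^A-Za-z0-9]"),
}


@dataclass(frozen=True)
class PasswordPolicy:
    min_length: int = 12          # character length
    min_classes: int = 3          # character types required, out of the four above
    max_failed_attempts: int = 5  # incorrect logins allowed before lockout


DEFAULT_POLICY = PasswordPolicy()


def check_password(password: str, username: str, policy: PasswordPolicy = DEFAULT_POLICY) -> list:
    """Return the policy violations for a candidate password (empty = compliant)."""
    problems = []
    if len(password) < policy.min_length:
        problems.append(f"shorter than {policy.min_length} characters")
    present = [name for name, rx in CHARACTER_CLASSES.items() if rx.search(password)]
    if len(present) < policy.min_classes:
        problems.append(f"uses {len(present)} character classes, policy requires {policy.min_classes}")
    lowered = password.lower()
    if username and username.lower() in lowered:
        problems.append("contains the user name")
    # Strip digits and symbols so "Welcome2024!" is still recognised as "welcome".
    if re.sub(r"[^a-z]", "", lowered) in BANNED_CORES:
        problems.append("matches a banned password")
    return problems


def audit_accounts(accounts, policy: PasswordPolicy = DEFAULT_POLICY) -> dict:
    """Administrator check: map each non-compliant user name to its violations.
    In practice this runs when a password is set or changed, because stored
    hashes cannot be checked against composition rules afterwards."""
    report = {}
    for username, password in accounts:
        problems = check_password(password, username, policy)
        if problems:
            report[username] = problems
    return report


class LockoutTracker:
    """Counts incorrect login attempts per user and locks the account once the
    policy's threshold is reached; a successful login resets the count."""

    def __init__(self, policy: PasswordPolicy = DEFAULT_POLICY):
        self.policy = policy
        self.failures = defaultdict(int)

    def record_failure(self, username: str) -> bool:
        """Record one failed attempt; return True if the account is now locked."""
        self.failures[username] += 1
        return self.is_locked(username)

    def is_locked(self, username: str) -> bool:
        return self.failures[username] >= self.policy.max_failed_attempts

    def reset(self, username: str) -> None:
        self.failures.pop(username, None)


# Constructed sample accounts (plaintext only because this is an illustration).
SAMPLE_ACCOUNTS = [
    ("alice", "Tr0ub4dor&3xample"),
    ("bob", "bob12345"),
    ("carol", "Welcome2024!"),
    ("dave", "correcthorsebatterystaple"),
]

if __name__ == "__main__":
    for user, problems in audit_accounts(SAMPLE_ACCOUNTS).items():
        print(f"{user}: {'; '.join(problems)}")
```

The audit flags bob (too short, too few character classes, contains the user name), carol (a banned word dressed up with a year and a symbol) and dave (one character class), and accepts alice. The lockout tracker is the "number of incorrect login attempts" particular turned into a check the login path can call; the fifth failure locks the account and a reset on successful login clears the count.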

Page 44

Performing Ongoing Risk Analysis

When performing the routine reassessment of the company and asset risks, consider:

How frequently risk analysis should be performed in terms of a routine timeframe, and the conditions that warrant a new analysis

Working with management on their approach to determining the costs associated with security and how these costs affect company ROI

Dealing with the security policy approval process, which can take several weeks to several months

Page 45

Performing Ongoing Risk Analysis

Performing routine reassessment (cont.):

The process of amending the security policy; in particular, informing those affected (security policy team, management, employees) of changes to the organization's security configuration

Responding to security incidents as indicated in the policy's Incident Handling and Escalation Procedures; incident handling defines what to look out for and to what level to escalate; escalation describes how to increase the corporate state of readiness (who responds and in what timeframe) when a threat arises

Page 46

Performing Ongoing Risk Analysis

Performing routine reassessment (cont.):

Updating the security policy based on security incidents reported as a result of ongoing security monitoring, and on any new risks the company faces

The ultimate goal of changing the security policy is to change employee habits so that they behave more responsibly; better protection results in fewer intrusions and disputes and ultimately lets a company focus on its primary mission

Page 47

Chapter Summary

Risk analysis is key in the formulation of one of the most essential elements of a corporate network defense configuration: a security policy. Risks need to be calculated and security policies amended on an ongoing basis as the network configuration evolves

Page 48

Chapter Summary

Risk analysis covers hardware, software, and informational assets, the threats to them, and the likelihood that those threats occur. Vulnerabilities are described, as well as the related consequences. The first task is to assess network and user levels of risk. Risk analysis should be performed before and after the creation of a security policy, and its goal is to manage risk at reasonable levels on an ongoing basis

Page 49

Chapter Summary

After assessing the level of asset risk, determine countermeasures that will minimize it. Decide how to secure the physical assets, the logical assets, databases, applications, and employee personal assets. Then come up with a plan for conducting risk analysis on a routine basis and for handling security incidents. As well, assess network threats, such as hackers, power outages, and environmental disasters; determine threat probabilities; and implement the safeguards and countermeasures that reduce their likelihood or impact. All of this rests on first using the assembled data to perform a risk analysis with an approach such as SNA or TRA; the risk analysis describes the level of risk faced by each organizational asset, as well as the economic impact if it is lost or damaged

Page 50

Chapter Summary

Once the risk level of network assets has been determined, develop safeguards that can manage that risk. Determine ways to secure hardware assets, such as environmental controls, locks, or alarms. Laptop data can be protected through passwords and file encryption. Logical assets such as word-processing and other documents can be protected by backups and by isolation from the Internet. Corporate data can be protected by effective use of passwords and encryption. The countermeasures described form the basis of the security policy. In addition, risk analysis includes some provision for regular updates, and recommends measures to be taken in case security incidents occur

Page 51

Chapter Summary

An effective network security policy gives management a way to express the overall security stance of the organization to all employees, and protects management in case of legal disputes. A good security policy is based on risk assessment, covers acceptable use of system resources, sets priorities for the most critical resources that need to be protected, and specifies the use of network resources by administrators and security staff as well

Page 52

Chapter Summary

The actual formulation of a security policy may not be a single long document, but is often comprised of multiple specific policies. The steps to follow to create a policy are: the formation of a security policy group; the determination of the overall security approach; the identification of assets to protect; the specification of auditing procedures; the listing of security risks and acceptable use; and the writing of the specific policies themselves, such as User Account, Password Protection, and Internet Use policies. Finally, security policies should be regularly updated as intrusions or attempts occur, and to account for personnel changes and equipment acquisition