
All-In-One / CISSP Certification All-in-One Exam Guide / Harris / 222966-7 / Chapter 3
P:\010Comp\All-in-1\966-7\ch03.vp Monday, May 19, 2003 11:32:39 AM

CHAPTER 3

Security Management Practices

In this chapter, you will learn about the following items:

• Security management responsibilities
• Three main security principles
• Difference among administrative, technical, and physical controls
• Risk management and risk analysis
• Information classification
• Security policies
• Security awareness training

We hear about viruses causing millions of dollars in damages, hackers from other countries capturing credit card information from financial institutions, large corporation Web sites being defaced for political reasons, and clever hackers being caught and sent to jail. These are the more exciting aspects of computer security, but realistically these activities are not what the average corporation or security professional usually has to deal with when it comes to daily or monthly security tasks. Although viruses and hacking get all the headlines, security management is the core of a company’s computer and information security structure.

Security Management

Security management includes risk management, information security policies, procedures, standards, guidelines, baselines, information classification, security organization, and security education. These core components serve as the foundation of a corporation’s security program. The crux of security, and a security program, is to protect the company’s assets. A risk analysis will identify these assets, discover the threats that put them at risk, and estimate the possible damage and potential loss a company could endure if any of these threats become real. The results of the risk analysis help management construct a budget with the necessary funds to protect the recognized assets from their identified threats and develop applicable security policies that provide direction for security activities. Security education takes this information to each and every employee within the company so that everyone is properly informed and can more easily work toward the same security goals.

Security management has changed over the years because networked environments, computers, and the applications that hold information have changed. Information used to be held in mainframes, which is a more centralized network structure. The mainframe and management consoles used to access and configure the mainframe were placed in a centralized area instead of the distributed approach we see today. Only certain people were allowed access and only a small set of people knew how the mainframe worked, which drastically reduced security risks. Users were able to access information on the mainframe through dumb terminals (they were called this because they had little or no logic built into them). This also drastically reduced the need for strict security controls to be put into place. However, the computing society did not stay in this type of architecture. Now most networks are filled with personal computers that have advanced logic and processing power, users know enough about the systems to be dangerous, and the information is not centralized within one “glass house.” Instead, the information lives on servers, workstations, and other networks. Information passes over wires and airways at a rate that was not even conceived of 10 to 15 years ago.

The Internet, extranets (business partner networks), and intranets not only make security much more complex, they make security even more critical. The core network architecture has changed from being a stand-alone computing environment to a distributed computing environment that has increased exponentially with complexity. Although connecting a network to the Internet adds more functionality and services for the users and gives more visibility of the company to the Internet world, it opens the floodgates to potential security risks.

Today, a majority of organizations could not function if they lost their computers and computing capabilities. Computers have been integrated into the business and individual daily fabric and would cause great pain and disruption if they were suddenly unavailable. As networks and environments have changed, so has the need for security. Security is more than just a firewall and a router with an access list; these systems have to be managed, and a big part of security is the actions of users and the procedures they follow. This brings us to security management practices, which focus on the continual protection of company assets.

Security Management Responsibilities

Okay, who is in charge and why?

In the world of security, management’s functions involve determining objectives, scope, policies, priorities, standards, and strategies. A clear scope needs to be defined, and actual goals that are expected to be accomplished from a security program need to be determined before 100 people run off in different directions trying to secure the environment. Business objectives, security risks, user productivity, and functionality requirements and objectives need to be evaluated. Steps need to be drawn up to ensure that all of these issues are accounted for and properly addressed. Many companies only look at the business and productivity elements of the equation and figure that information and computer security fall within the IT administrator’s responsibilities. In these situations, management is not taking computer and information security seriously and it will most likely remain underdeveloped, unsupported, under-funded, and unsuccessful. Security needs to be addressed at the highest levels of management. The IT administrator can consult on the subject, but the security of a company should not be laid in her lap.

Security management relies on the proper identification of a company’s assets, assigning values to these assets, and developing and documenting security policies, procedures, standards, and guidelines. Their implementation then provides integrity, confidentiality, and availability for these assets. Various management tools are used to classify data and perform risk analysis and assessments. These tools identify threats and exposure rates and rank the severity of identified vulnerabilities so that effective countermeasures can be implemented to mitigate risk overall. Management’s responsibility is to provide protection for the resources it is responsible for and the company it relies upon. These resources come in human, capital, hardware, and informational forms. Management must concern itself with recognizing the risks that can affect these resources and be assured that the necessary protective measures are put into effect.

The necessary resources, funding, and strategic representatives need to be available and ready to participate in the security program. Management must assign responsibility and the roles necessary to get the security program off the ground and keep it thriving and evolving as the environment changes. Management must also integrate the program into the current business environment and monitor its accomplishments. Management’s support is one of the most important pieces of a security program. A simple nod and a wink will not provide the amount of support required.

Security Administration and Supporting Controls

If there is not a current security administration, one should be established by management, which is directly responsible for monitoring a majority of the facets of a security program. Depending on the organization, security needs, and size of the environment, the security administration can consist of one person or a group of individuals who work in a central or decentralized manner. A clear reporting structure, understanding of responsibilities, and monitoring are important to make sure that compromises do not slip in because of a lack of communication or comprehension.

Information owners should dictate who can access resources and how much capacity users can possess pertaining to those resources. The security administration’s job is to make sure that these objectives are implemented. Administrative, physical, and technical controls should be utilized to achieve the management’s security directives. Administrative controls include the development and publication of policies, standards, procedures, and guidelines, the screening of personnel, security awareness training, and change control procedures. Technical controls (also called logical controls) consist of access control mechanisms, password and resource management, identification and authentication methods, security devices, and configuration of the infrastructure. Physical controls entail controlling individual access into the facility and different departments, locking systems and removing unnecessary floppy or CD-ROM drives, protecting the perimeter of the facility, monitoring for intrusion, and environmental controls. Figure 3-1 illustrates how the administrative, technical, and physical controls work together to provide the necessary level of protection.

The information owner is usually a senior executive within the management group of the company. The information owner has the final corporate responsibility for data and resource protection and would be the one held liable for any negligence when it comes to protecting the company’s assets. The person who holds this role is responsible for assigning classifications to information and dictating how the data should be protected. If the information owner does not lay out the foundation of data protection and ensure that the directives are being enforced, this would violate the due care concept. (The due care concept is explained later in the chapter in the section “Implementation.”)

Security administration brings a focal point to security and a hierarchical structure of responsibility. The security administration’s job is to ensure that management’s directives are fulfilled when it comes to security, not to construct those directives in the first place. There should be a clear communication path between the security administration and senior management to ensure that the security program receives the proper support and that management makes the decisions. Too many times senior management is extremely disconnected from security issues and when a serious security breach takes place, they are the ones who have to explain the reasons to their business partners, shareholders, and the public. After this, they can become too involved. A healthy relationship between the security administration and senior management should be developed from the beginning and communication should easily flow in both directions.

Figure 3-1 Administrative, technical, and physical controls should work in a synergistic manner to protect a company’s assets.

Inadequate management can undermine the entire security effort in a company. This can happen because management does not fully understand the necessity of security, security is in competition with other management goals, it is viewed as expensive and unnecessary, or management applies lip service but no real action. Powerful and useful technologies, devices, software packages, procedures, and methodologies are available to provide the exact level of security required, but without proper security management and management support, it doesn’t really matter.

Fundamental Principles of Security

Now, what are we trying to accomplish again?

There are several small and large objectives of a security program, but the main three principles in all programs are availability, integrity, and confidentiality. These are referred to as the AIC triad. The level of security required to accomplish these principles differs per company because their security goals and requirements may be different. All security controls, mechanisms, and safeguards are implemented to provide one or more of these principles and all risks, threats, and vulnerabilities are measured in their potential capability to compromise one or all of the AIC principles. Figure 3-2 illustrates the AIC triad.


Example of Security Management

Anyone who has been involved with a security initiative understands the conflicts between securing an environment and still allowing the necessary level of functionality so productivity is not affected. Many security projects start with proactive individuals who know the end result they are wanting to achieve and have lofty ideas of how quick and efficient their security rollout will be, only to hear all the users go up in arms when they find out what restrictions will be placed upon them. The users then express how they will not be able to fulfill certain parts of their job if this actually takes place. This usually causes the project to screech to a halt. Then the proper assessments, evaluations, and planning are initialized to see how the environment can be slowly secured and how to ease users and tasks delicately into new restrictions or ways of doing business. This causes a lot of heartache and wastes time and money. Individuals who are responsible for security management activities should see that the understanding of the environment and proper planning happen before trying to kick off an implementation phase of a security program.


Availability

The systems and networks should provide adequate capacity in order to perform in a predictable manner with an acceptable level of performance. They should be able to recover from disruptions in a secure and quick manner so productivity will not be negatively affected. Single points of failure should be avoided, backup measures should be taken, redundancy mechanisms should be in place when necessary, and the negative effects from environmental components should be prevented. Necessary protection mechanisms need to be in place to protect against inside and outside threats that could affect the availability and productivity of the network, systems, and information. Availability ensures reliability and timely access to data and resources to authorized individuals.

System availability can be affected by device or software failure. Backup devices should be used and available to quickly replace critical systems, or employees should be skilled and available to make the necessary adjustments to bring the system back online. Environmental issues like heat, cold, humidity, static electricity, and contaminants can also affect system availability. These issues are addressed in detail in Chapter 6. Systems should be protected from these elements, properly grounded electrically, and closely monitored.

Denial-of-service (DoS) attacks are popular methods for hackers to disrupt a company’s system availability and productivity. These attacks are mounted to reduce the ability of users to access system resources and information. To protect against these attacks, only the necessary services and ports should be available on systems, and intrusion detection should monitor the network traffic and host activities. Certain firewall and router configuration can also reduce the threat of DoS attacks and possibly stop them from occurring.
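The advice that only the necessary services and ports should be available is easy to state and easy to let drift. The following script, added here as an example and not taken from the book, turns it into a check a security administrator can run: it parses the listening-socket table of a Linux host (the `ss -ltnH` format) and reports any externally reachable port that is not on the approved list. The sample `ss` output and the allowlist for a hypothetical web server are constructed for the example.

```python
"""Compare a host's listening TCP ports against an approved-services list.

Constructed example. SAMPLE_SS_OUTPUT imitates the output of `ss -ltnH`
(TCP, listening sockets, numeric ports, no header line); the allowlist is an
assumption for a hypothetical web server that should expose SSH, HTTP, HTTPS.
"""
import subprocess

SAMPLE_SS_OUTPUT = """\
LISTEN 0      128          0.0.0.0:22        0.0.0.0:*
LISTEN 0      511                *:80              *:*
LISTEN 0      511                *:443             *:*
LISTEN 0      4096       127.0.0.1:631       0.0.0.0:*
LISTEN 0      50           0.0.0.0:445       0.0.0.0:*
LISTEN 0      128             [::]:22           [::]:*
"""

# Assumption: services this host is supposed to expose to the network.
ALLOWED_EXTERNAL_PORTS = {22, 80, 443}

# Sockets bound only to loopback are not reachable from the network, so they
# are reported separately rather than treated as unexpected exposure.
LOOPBACK = {"127.0.0.1", "::1"}


def parse_listeners(text):
    """Return (address, port) for every LISTEN line.

    The local address is the fourth column. The port follows the last ':',
    so IPv6 entries such as '[::]:22' and wildcards such as '*:80' parse too.
    """
    listeners = []
    for line in text.splitlines():
        cols = line.split()
        if len(cols) < 5 or cols[0] != "LISTEN":
            continue
        addr, _, port = cols[3].rpartition(":")
        listeners.append((addr.strip("[]"), int(port)))
    return listeners


def unexpected_listeners(text, allowed):
    """Externally reachable ports (not loopback-only) absent from the allowlist."""
    return sorted({port for addr, port in parse_listeners(text)
                   if addr not in LOOPBACK and port not in allowed})


def loopback_only_listeners(text):
    """Ports bound solely to a loopback address; worth knowing about, lower risk."""
    return sorted({port for addr, port in parse_listeners(text) if addr in LOOPBACK})


def listeners_from_host():
    """Read the live table from this host; requires iproute2's ss(8)."""
    return subprocess.run(["ss", "-ltnH"], capture_output=True, text=True,
                          check=True).stdout


if __name__ == "__main__":
    # Run against the constructed sample; swap in listeners_from_host() for a real host.
    print("unexpected external ports:", unexpected_listeners(SAMPLE_SS_OUTPUT, ALLOWED_EXTERNAL_PORTS))
    print("loopback-only ports:      ", loopback_only_listeners(SAMPLE_SS_OUTPUT))
```

In the sample, port 445 is the finding: it is bound to every interface and nobody approved it for a web server, so it is exactly the kind of unnecessary service the paragraph says should not be reachable. The CUPS listener on 631 is bound only to 127.0.0.1 and is listed for awareness rather than flagged. Running this from a scheduled job and alerting on a non-empty result is a simple way to keep the allowlist and the host in step.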

Figure 3-2 The AIC triad

Integrity

Integrity is upheld when the assurance of accuracy and reliability of information and systems is provided, and unauthorized modification of data is prevented. Hardware, software, and communication mechanisms must work in a concerted manner to maintain and process data correctly and move data to intended destinations without unexpected alteration. The systems and network should be protected from outside interference and contamination.

Environments that enforce and provide this attribute of security ensure that attackers or mistakes by users do not compromise the integrity of systems or data. When an attacker inserts a virus, logic bomb, or back door into a system, the system’s integrity is compromised. This can, in turn, negatively affect the integrity of information held on the system by corruption, malicious modification, or replacing the data with incorrect data. Strict access controls, intrusion detection, and hashing can combat these attempts.

Users usually affect a system or its data’s integrity by mistake, although internal users can also be up to malicious deeds. Users may accidentally delete configuration files because their hard drives are full and they don’t remember ever using a boot.ini file. Or they can insert incorrect values into a data processing application that ends up charging a customer $300 instead of $3,000,000. Incorrectly modifying data kept in databases is another popular way of corrupting data by users that can have lasting effects.

Security should streamline the users’ abilities and give them only certain choices and functionality so errors become less common and less devastating. System-critical files should be restricted from the users’ view and access. Applications should provide mechanisms that check for valid and reasonable input values. Databases should let only authorized individuals modify data, and data in transit should be protected by encryption or other mechanisms.
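The two integrity controls named in the paragraphs above, hashing to detect modification of system-critical files and input checks that reject unreasonable values, are shown together in this added example (it is not code from the book). The file names, the constructed file contents, and the charge limits are assumptions made for the demonstration.

```python
"""Integrity controls: a hash baseline for critical files plus input checking.

Constructed example. The 'critical files' are created in a temporary directory,
and the charge limits stand in for whatever a real billing application allows.
"""
import hashlib
import os
import tempfile
from decimal import Decimal, InvalidOperation


def file_digest(path):
    """SHA-256 of a file, read in chunks so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(paths):
    """Record the known-good digest of each critical file.

    The baseline itself must live somewhere users cannot write (or be signed);
    otherwise whoever alters the file can alter the baseline to match.
    """
    return {p: file_digest(p) for p in paths}


def verify_baseline(baseline):
    """Return {path: 'ok' | 'modified' | 'missing'} for every baselined file."""
    report = {}
    for path, expected in baseline.items():
        if not os.path.exists(path):
            report[path] = "missing"          # the accidental-deletion case
        elif file_digest(path) != expected:
            report[path] = "modified"         # corruption or malicious change
        else:
            report[path] = "ok"
    return report


# Assumed business limits; the $300 vs $3,000,000 mistake in the text falls outside them.
MIN_CHARGE = Decimal("0.01")
MAX_CHARGE = Decimal("100000.00")


def parse_charge(raw):
    """Accept a charge amount only if it is well formed and within a reasonable range."""
    try:
        amount = Decimal(raw.strip().replace(",", ""))
    except InvalidOperation:
        raise ValueError(f"not a number: {raw!r}")
    if amount != amount.quantize(Decimal("0.01")):
        raise ValueError(f"more than two decimal places: {raw!r}")
    if not MIN_CHARGE <= amount <= MAX_CHARGE:
        raise ValueError(f"outside allowed range: {raw!r}")
    return amount


def is_reasonable_charge(raw):
    """Boolean form of parse_charge for callers that only need accept/reject."""
    try:
        parse_charge(raw)
        return True
    except ValueError:
        return False


def demo():
    """Baseline two constructed files, tamper with one, delete the other, verify."""
    d = tempfile.mkdtemp()
    cfg = os.path.join(d, "boot.ini")
    svc = os.path.join(d, "services.conf")
    for path, body in ((cfg, b"[boot loader]\ntimeout=30\n"), (svc, b"ssh=on\n")):
        with open(path, "wb") as f:
            f.write(body)
    baseline = build_baseline([cfg, svc])
    with open(cfg, "ab") as f:       # unauthorized modification
        f.write(b"extra=1\n")
    os.remove(svc)                   # accidental deletion
    return verify_baseline(baseline)


if __name__ == "__main__":
    print(demo())
    print(parse_charge("300.00"), is_reasonable_charge("3,000,000"))
```

The verification step reports one file as modified and one as missing, which is the signal an integrity monitor would raise; the charge parser rejects malformed input, fractions of a cent, and amounts outside the expected range before they reach the database, which is the "valid and reasonable input values" check the text calls for.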

Confidentiality

Confidentiality provides the ability to ensure that the necessary level of secrecy is enforced at each junction of data processing and prevention of unauthorized disclosure. This level of confidentiality should prevail while data resides on systems and devices within the network, as it is transmitted, and once it reaches its destination.

Attackers can thwart confidentiality mechanisms by network monitoring, shoulder surfing, stealing password files, and social engineering. These topics will be addressed in more depth in later chapters, but briefly, shoulder surfing is when a person looks over another person’s shoulder and watches keystrokes or views data as it appears on a computer screen. Social engineering is tricking another person into sharing confidential information by posing as someone authorized to have that information.

Users can intentionally or accidentally disclose sensitive information by not encrypting it before sending it to another person, falling prey to a social engineering attack, sharing a company’s trade secrets, or not providing the extra care of protection of confidential information when processing it.

Confidentiality can be provided by encrypting data as it is stored and transmitted, network traffic padding, strict access control, data classification, and training personnel on the proper procedures.


Availability, integrity, and confidentiality are critical principles of security. Their meaning, how they are provided by different mechanisms, and how their absence can negatively affect an environment should be understood to best identify problems and provide proper solutions.

Security Definitions

Many times the words “threat,” “vulnerability,” “exposure,” and “risk” are used to represent the same thing even though they have different meanings and relationships to each other. It is important to understand each word’s definition, but more importantly, you should understand its relationship to the other concepts.

A vulnerability is a software, hardware, or procedural weakness that may provide an attacker the open door he is looking for to enter a computer or network and have unauthorized access to resources within the environment. A vulnerability characterizes the absence or weakness of a safeguard that could be exploited. This vulnerability can be a service running on a server, unrestricted modem dial-in access, an open port on a firewall, lax physical security that allows anyone to enter a server room, or non-enforced password management on servers and workstations.

A threat is any potential danger to information or systems. The threat is that someone, or something, will identify a specific vulnerability and use it against the company or individual. The entity that takes advantage of a vulnerability is referred to as a threat agent. A threat agent could be an intruder accessing the network through a port on the firewall, a process accessing data in a way that violates the security policy, a tornado wiping out a facility, or an employee making an unintentional mistake that could expose confidential information or destroy a file’s integrity.

A risk is the likelihood of a threat agent taking advantage of a vulnerability. A risk is the possibility and probability that a threat agent will exploit a vulnerability. If a firewall has several ports open, there is a higher risk that an intruder will use one to access the network in an unauthorized method. If users are not educated on processes and procedures, there is a higher risk that an employee will make an intentional or unintentional mistake that may destroy data. If an intrusion detection system is not implemented on a network, there is a higher risk that an attack will go unnoticed until it is too late. Reducing the vulnerabilities or the threat reduces the risk.

An exposure is an instance of being exposed to losses from a threat agent. A vulnerability can cause an organization to be exposed to possible damages. If password management is lax and password rules are not enforced, the company can be exposed to the possibility of having users’ passwords captured and used in an unauthorized manner. If a company does not have its wiring inspected and does not put proactive fire prevention steps into place, it can expose itself to potentially devastating fires.

Critical Security Services

Availability prevents disruption of service and productivity.
Integrity prevents unauthorized modification of systems and information.
Confidentiality prevents unauthorized disclosure of sensitive information.

A countermeasure, or safeguard, mitigates the potential risk. A countermeasure is a software configuration, hardware, or procedure that eliminates a vulnerability or reduces the risk of a threat agent from being able to exploit a vulnerability. Countermeasures can be strong password management, a security guard, access control mechanisms within an operating system, the implementation of basic input/output system (BIOS) passwords, and security awareness training.

If a company has antivirus software and the virus signatures are not kept up-to-date, this is a vulnerability. The company is vulnerable to virus attacks. The threat is a virus showing up in the environment and disrupting productivity. The likelihood of a virus showing up in the environment and causing damage is the risk. If a virus infiltrates the company’s environment, then it has an exposure. The countermeasures in this situation are to update the signatures and install the antivirus software on all computers. The relationships among risks, vulnerabilities, threats, and countermeasures are shown in Figure 3-3.

Applying the right countermeasure can eliminate the vulnerability and exposure and reduce the risk. The company cannot eliminate the threat agent, but it can protect itself and prevent this threat agent from exploiting vulnerabilities within the environment.
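The relationships the text has just defined (a threat agent, a vulnerability it can exploit, the resulting exposure, and the countermeasure that removes the vulnerability or lowers the risk without touching the threat agent) can be written down as a small risk register. The example below is added here and is not the book's; it applies the antivirus scenario plus a few other vulnerabilities named in this section. The three-level likelihood scale and the scenario values are assumptions made for illustration; the chapter prescribes no numeric model at this point.

```python
"""A risk register built from the chapter's vocabulary.

Constructed example. Rules encoded here, following the text:
  * a vulnerability becomes an exposure only when a threat agent can exploit it;
  * a countermeasure eliminates a vulnerability or lowers the risk from it;
  * threat agents themselves cannot be removed, so some risk always remains.
The ordinal likelihood scale is an assumption.
"""
from dataclasses import dataclass, field

LEVELS = {"low": 1, "medium": 2, "high": 3}   # assumed ordinal scale


@dataclass
class Threat:
    agent: str          # who or what: virus, intruder, careless employee, tornado
    likelihood: str     # how likely the agent is to turn up
    exploits: frozenset  # vulnerabilities the agent can take advantage of


@dataclass
class Countermeasure:
    name: str
    removes: frozenset = frozenset()              # vulnerabilities it eliminates
    lowers: dict = field(default_factory=dict)   # vulnerability -> levels of risk removed


@dataclass
class Register:
    vulnerabilities: set
    threats: list
    countermeasures: list = field(default_factory=list)

    def open_vulnerabilities(self):
        """Vulnerabilities that no countermeasure has eliminated."""
        removed = set()
        for c in self.countermeasures:
            removed |= c.removes
        return self.vulnerabilities - removed

    def exposures(self):
        """(agent, vulnerability) pairs where an agent can reach an open vulnerability.
        A threat with nothing to exploit is not an exposure."""
        open_v = self.open_vulnerabilities()
        return {(t.agent, v) for t in self.threats for v in t.exploits & open_v}

    def risk(self):
        """Risk level per exposure: the agent's likelihood minus what partial
        countermeasures take off, never below 1 because the agent remains."""
        scores = {}
        open_v = self.open_vulnerabilities()
        for t in self.threats:
            for v in t.exploits & open_v:
                reduction = sum(c.lowers.get(v, 0) for c in self.countermeasures)
                scores[(t.agent, v)] = max(1, LEVELS[t.likelihood] - reduction)
        return scores


def scenario():
    """The chapter's antivirus case plus other vulnerabilities it names (constructed values)."""
    return Register(
        vulnerabilities={"stale virus signatures", "hosts without antivirus",
                         "open firewall ports", "untrained users"},
        threats=[
            Threat("virus", "high", frozenset({"stale virus signatures", "hosts without antivirus"})),
            Threat("intruder", "medium", frozenset({"open firewall ports"})),
            Threat("employee mistake", "medium", frozenset({"untrained users"})),
            # The register lists no matching vulnerability, so this agent has no exposure.
            Threat("tornado", "low", frozenset({"single data center"})),
        ],
    )


def apply_countermeasures(reg):
    """Add the countermeasures the text names; the threat agents are untouched."""
    reg.countermeasures += [
        Countermeasure("update virus signatures", removes=frozenset({"stale virus signatures"})),
        Countermeasure("install antivirus on all computers", removes=frozenset({"hosts without antivirus"})),
        Countermeasure("close unneeded firewall ports", removes=frozenset({"open firewall ports"})),
        # Training lowers, but does not eliminate, the risk from user mistakes.
        Countermeasure("security awareness training", lowers={"untrained users": 1}),
    ]
    return reg


if __name__ == "__main__":
    reg = scenario()
    print("before:", reg.risk())
    print("after: ", apply_countermeasures(reg).risk())
```

Before countermeasures the virus threat scores highest because it is both likely and has two open vulnerabilities to work with; the tornado never appears because nothing in the register lets it cause loss. After the countermeasures, the three eliminated vulnerabilities drop out of the exposure set entirely, while the trained-but-human users still carry a residual risk of 1, which is the point the text makes: you remove vulnerabilities, you do not remove threat agents.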

Figure 3-3 The relationships among the different security components

References

NIST Computer Security Resource Center: csrc.ncsl.nist.gov

SANS Institute: www.sans.org

CISSP and SSCP Open Study Guides: www.cccure.org

CISSP.com: www.cissps.com

The Top-Down Approach

When a house is built, the workers start with a blueprint of the structure, the foundation is poured, and the frame is erected. As the building of the house continues, the workers know what the end result is supposed to be, so they add the right materials, insert doors and windows in logical places, erect support beams, provide sturdy ceilings and floors, and add the plaster and carpet and smaller details until the house is complete. Then inspectors come in to ensure that the structure of the house and the components that were used to make it are acceptable. If this process did not start with a blueprint and a realized goal, the house could end up with an unstable foundation or with doors and windows that don’t seem to shut properly. This house would not pass inspection; thus, a lot of time and money would have been wasted. Figure 3-4 illustrates this point.

The building of a house analogy can be applied to the building of a security program. When designing and/or implementing a security program, the functionality and end result expected need to be determined and realized. Many times companies just start locking down computers and installing firewalls without taking the time to understand the overall security requirements, goals, and assurance levels they expect from security as a whole within their environment. This process should start from the top with very broad ideas and terms (blueprint) and work its way down to detailed configuration settings and system parameters (windows and carpets). At each step, the overall security goals need to be kept in mind so that each added piece is sure to add more granularity to the intended goal and not splinter the main objectives by running in 15 different directions at once.

The security policy works as a blueprint for a company’s security program and provides the necessary foundation to build upon. This policy needs to be taken seriously from the beginning and developed with the idea that it will continually be reviewed to ensure that all security components stay in step and work to accomplish the same objectives. The next step is to develop and implement procedures, standards, and guidelines that support the security policy and identify the security countermeasures and methods that need to be put into place. Once these items are developed, the process increases with granularity by developing standards and configurations for the chosen security controls and methods.

Order of Concepts

The test looks at these issues in this order: threat, exposure, vulnerability, countermeasures, and finally, risk. It makes sense to talk about them in that order because, logically, that is how they relate to each other. For example, you start with a threat, but unless you are exposed to it, it is not really a vulnerability. If you have a vulnerability, you then apply countermeasures to mitigate the risk, which you can never really reduce to zero; therefore, that leaves you with “residual risk.”

If security starts with a solid foundation and develops over time with understood goalsand objectives, a company does not need to make drastic changes midstream. The processcan be methodical, requiring less time, funds, and resources, and provide a proper bal-ance between functionality and protection. This is not the norm, but with your insight,maybe you can help companies approach security in a more controlled manner. Youcould provide the necessary vision and understanding of how security should be thoughtout, properly implemented, and should evolve in an organized manner instead of result-ing in a giant heap of security products that are disjointed and full of flaws.

A security program should use a top-down approach, meaning that the initiation, support, and direction come from top management and work their way through middle management and then to staff members. In contrast, a bottom-up approach would be if the IT department tried to develop a security program without getting proper management support and direction. A bottom-up approach is usually less effective, not broad enough, and doomed to fail. A top-down approach makes sure that the people actually responsible for protecting the company’s assets (senior management) are driving the program.

Organizational Security Model

My security model is shaped like a pile of oatmeal. Response: Lovely.

An organizational security model is a framework made up of many entities, protection mechanisms, logical and physical components, procedures, and configurations that all work together in a synergistic way to provide a security level for an environment. Each model is different, but all models work in layers: one layer providing support for the layer above it and protection for the layer below it. The goal of a security model is assurance, which is the sum total of all security components within an environment that provide a level of confidence. Because a security model is a framework, companies are free to plug in different types of technologies, methods, and procedures to accomplish the necessary security assurance level for their environment. Figure 3-5 illustrates the pieces that can make up a security model.

Figure 3-4 Without a solid blueprint (policy) and organized procedures, a security program could end up looking like this house.


Effective security requires a balanced approach and application of all security components and procedures. Some security components are technical (access control lists and encryption) and some are non-technical (physical and administrative, such as developing a security policy and enforcement of compliance), but each has an important place within the framework and if one is missing or incomplete, the whole framework can be affected.

A security model has various layers, but it also has different types of goals to accomplish in different time frames. You might have a goal for yourself today to brush your teeth, run three miles, finish the project you have been working on, and spend time with your kids. These are daily goals or operational goals. You might have mid-term goals to complete your master’s degree, write a book, and get promoted. These take more time and effort and are referred to as tactical goals. Your long-term goals may be to retire at age 55, save enough money to live comfortably, and to live on a houseboat. These goals are strategic goals because they look farther into the future.

The same thing happens in security planning. Daily goals, or operational goals, focus on productivity and task-oriented activities to ensure that the company’s functionality happens in a smooth and predictable manner. Mid-term goals, or tactical goals, could be to integrate all workstations and resources into one domain so more central control can be achieved. A long-term goal, or strategic goal, may involve moving all the branches from dedicated communication lines to frame relay, implementing IPSec virtual private networks (VPNs) for all remote users instead of dial-up entry, and integrating wireless technology with the necessary security measures into the environment.

This approach to planning is called the planning horizon. A company cannot usually implement all changes at once, and some changes are larger than others. Many times certain changes cannot happen until other changes take place. If a company wants to implement its own certificate authority and wants to implement a full public key infrastructure (PKI) enterprise-wide, this cannot happen in a week if the company currently works in decentralized workgroups with no domain structure. So the operational goals are to keep production running smoothly and make small steps toward readying the environment for a domain structure. The tactical goal would be to put all workstations and resources into a domain structure, and centralize access control and authentication. The strategic goal is to have all workstations, servers, and devices within the enterprise use the PKI to provide authentication, encryption, and more secure communication channels.

Figure 3-5 A comprehensive and effective security model has many integrated pieces.

Security works best if its operational, tactical, and strategic goals are defined and work to support each other, which can be much harder than it sounds.

Business Requirements: Private Industry versus Military Organizations

The security model an organization chooses depends on its critical missions and business requirements. The private industry usually has much different missions and requirements than that of the military. The private industry thrives by beating the competition, which is done through marketing and sales, solid management decisions, understanding the target audience, and understanding the flow and ebb of the market. A private sector business is successful if its data is readily available, so processing order requests and fulfilling service orders can happen quickly and painlessly for the customer. The data also needs to be accurate to satisfy the customers’ needs. Out of the three security services (availability, integrity, and confidentiality), data integrity and availability usually rank higher than confidentiality to most private sector businesses.

The military also thrives by beating their competition (other countries or its enemies), which requires proper training, readiness, intelligence, and deployment. Although the private industry does need a degree of secrecy and ensured confidentiality, it does not play as important a role as it does with a military organization. The military has more critical information that must not fall into the wrong hands; therefore, out of the three main security services, confidentiality is the most important to the military sector. In turn, this would cause a military installation to implement a more strict security model that emphasizes confidentiality more than a private sector organization.

Risk Management

Life is full of risk.

Risk is the possibility of damage happening. Risk management is the process of identifying, assessing, and reducing this risk to an acceptable level and implementing the right mechanisms to maintain that level of risk. There is no such thing as a 100 percent secure environment. Every environment has vulnerabilities and risks to certain degrees. The skill is in identifying these risks, assessing the probability of them actually occurring and the damage they could cause, and then taking the right steps to reduce the overall level of risk in the environment to what the organization identifies as acceptable.

Risks come in different forms to a company, and they are not all computer related. When a company purchases another company, they are taking on a lot of risk with the hope that this move will increase their market base, productivity, and profitability. If a company increases its product line, this can add overhead, increase the need for personnel and storage facilities, require more funding for different materials, and maybe increase insurance premiums and marketing campaigns. The risk is that this added overhead might not be matched in sales; thus, profitability will be reduced or not accomplished.

When we look at information security, there are several types of risk a corporation needs to be aware of and address properly. The following items touch on the major categories:

• Physical damage: Fire, water, vandalism, power loss, and natural disasters

• Human error: Accidental or intentional action or inaction that can disrupt productivity

• Equipment malfunction: Failure of systems and peripheral devices

• Inside and outside attacks: Hacking, cracking, and attacking

• Misuse of data: Sharing trade secrets, fraud, espionage, and theft

• Loss of data: Intentional or unintentional loss of information through destructive means

• Application error: Computation errors, input errors, and buffer overflows

The threats need to be identified, classified by category, and the actual magnitude of potential loss needs to be calculated. Real risk is hard to measure, but making priorities of the potential risks is attainable.

Risk Analysis

I have determined that our greatest risk is this paperclip. Response: Nice work.

Risk analysis, which is really a tool for risk management, is a method of identifying risks and assessing the possible damage in order to justify security safeguards. It is used to ensure that security is cost-effective, relevant, timely, and responsive to threats. Security can be quite complex, even for well-versed security professionals, and it is easy to apply too much security, not enough security, or the wrong security components, and spend too much money in the process without attaining the necessary objectives. Risk analysis helps companies prioritize their risks and shows them the amount of money that could be applied to protecting against those risks in a sensible manner.

A risk analysis has four main goals: identify assets and their threats, quantify the business impact of these potential threats, calculate the risk, and provide an economic balance between the impact of the risk and the cost of the countermeasure. Risk analysis provides a cost/benefit comparison where the annualized cost of safeguards to protect against threats is compared with the expected cost of loss. A safeguard, in most cases, should not be implemented unless the annualized cost of loss exceeds the annualized cost of the safeguard itself. This means that if a facility is worth $100,000, it does not make sense to spend $150,000 trying to protect it.


A risk analysis helps integrate the security program objectives with the company’s business objectives and requirements. The more the business and security objectives are in alignment, the more successful the two will be. The analysis also helps the company draft a proper budget for a security program and the security components that make up that program. Once a company knows how much their assets are worth and the possible threats they are exposed to, they can make intelligent decisions on how much money to spend on protecting those assets.

A risk analysis needs to be supported and directed by senior management if it is going to be successful. Management needs to define the purpose and scope of the analysis, a team needs to be appointed to carry out the assessment, and the necessary time and funds need to be available to conduct the analysis. It is essential for senior management to review the outcome of the risk assessment and analysis and act on its findings. What good is it to go through all the trouble of a risk assessment and not react to its findings? Surprisingly, this does happen.

Risk Analysis Team

Each organization has different departments. Each department has its own functionality, resources, tasks, and quirks. For the most effective risk analysis, a team needs to be built that includes individuals from many or all of the departments to ensure that all of the risks are identified and addressed. The team members can be management, application programmers, IT staff, systems integrators, and operational managers; indeed, any key personnel from key areas of the organization.

This is necessary because if the risk analysis team is only made up of individuals from the IT department, they may not understand the types of risks the accounting department faces with data integrity issues, or if their data files were wiped out in an accidental or intentional act, what this would mean to the company as a whole. The IT staff may not understand all the risks the employees in the warehouse would face if a natural disaster hit, what it would mean to their productivity and how it would affect the organization overall. Many times the risk analysis team is made up of members from various departments, and if that is not possible, the team should make sure to interview people in each department so all risks are fully understood and quantified. The risk analysis teams also need to be made up of people who understand the processes that are part of their individual departments. It is therefore important to make sure that risk analysis teams are made up of individuals at the right levels of each department. This is a difficult task, since managers will tend to delegate any sort of risk analysis task to lower levels within the department. However, these lower levels may not have the adequate level of knowledge and understanding of the processes that the risk analysis team may need to deal with.

Value of Information and Assets

If information does not have any value, then who cares about protecting it?

The value placed on information is relative to the parties involved, what work it took to develop this information, how much it costs to maintain it, what loss it would cause if it was lost or destroyed, and what benefit would be gained if another party obtained this information. If a company does not know the value of the information and the other assets they are trying to protect, they do not know how much money and time should be spent on protecting them. If you were in charge of making sure Russia does not know the encryption algorithms used when transmitting information to and from U.S. spy satellites, you might use more extreme (and expensive) security measures than if you were going to protect your peanut butter and banana sandwich recipe from your next door neighbor. The value of the information supports security measure decisions.

Many of the following examples refer to assessing the value of data and protecting it, but this logic applies toward an organization’s facility, systems, and resources. The value of the company’s facility needs to be assessed, along with all printers, workstations, servers, peripheral devices, supplies, and employees. You do not know how much is in danger of being lost if you don’t know what you have and what it is worth in the first place.

Costs that Make Up the Value

An asset can have a quantitative and qualitative measure assigned to it, but this measurement needs to be derived. The actual value of an asset is determined by the cost it takes to acquire, develop, and maintain it. The value is determined by the importance it has to the owners, authorized users, and unauthorized users. Some information is important enough to a company to go through the steps of making it a trade secret or the company may choose to protect specific logos and trademarks.

The value of an asset should reflect all identifiable costs that would arise if there were an actual impairment of the asset. If a server cost $4,000, this value should not be inputted as the value of the asset in a risk assessment. If the server went down, the cost of replacing it or repairing it, the loss of productivity, and the value of any data that may be corrupted or lost need to be accounted for to properly capture the amount the company would lose if the server were to fail for one reason or another.

The following issues should be considered when assigning values to assets:

• Cost to acquire or develop the asset

• Cost to maintain and protect the asset

• Value of the asset to owners and users

• Value of the asset to adversaries

• Value of intellectual property

• Price others are willing to pay for the asset

• Cost to replace the asset if lost

• Operational and production activities that are affected if the asset is unavailable

• Liability issues if the asset is compromised

• Usefulness of the asset

Understanding the value of an asset is the first step to understanding what security mechanisms should be put in place and what funds should go toward protecting it. A very important question is how much it could cost the company to not protect the data.


Determining the value of an asset can fulfill several different types of requirements a company may be facing, including the following:

• The value of each asset is necessary to perform effective cost/benefit analysis.

• An asset’s value supports the selection of specific countermeasures and helps in the safeguard selection decision-making process.

• The value of each asset is often required for insurance purposes.

• The value of each asset is necessary to understand what exactly is at risk.

• The value of each asset may be required to prevent negligence, conform to due care, and comply with legal and regulatory standards.

Identifying Threats

Okay, what should we be afraid of?

Earlier it was stated that the definition of a risk is the probability of a threat agent exploiting a vulnerability to cause harm to a computer, network, or company. There are many types of threat agents that can take advantage of several types of vulnerabilities that can result in specific threats. Table 3-1 shows the relationship among some of these. The list is in no way meant to be complete; it only shows a sampling of the risks that many organizations would have to take care of in their risk management programs.

Threat Agent | Can Exploit this Vulnerability | Resulting in this Threat
------------ | ------------------------------ | ------------------------
Virus | Lack of antivirus software | Virus infection
Hacker | Powerful services running on a server | Unauthorized access to confidential information
Users | Misconfigured parameter in the operating system | System malfunction
Fire | Lack of fire extinguishers | Facility and computer damage, and possibly loss of life
Employee | Lax access control mechanisms | Damaging mission-critical information
Contractor | Lax access control mechanisms | Stealing trade secrets
Attacker | Poorly written application | Conducting a buffer overflow
Intruder | Lack of security guard | Breaking windows and stealing computers and devices
Employee | Lack of auditing | Altering data inputs and outputs from data processing applications
Attacker | Lack of stringent firewall settings | Conducting a denial-of-service attack

Table 3-1 Relationship of Threats and Vulnerabilities

There are other types of threats that can happen within a computerized environment that are much harder to identify than those listed in Table 3-1. These have to do with application and user errors. If an application uses several complex equations to produce results, it can be difficult to discover and isolate if these equations are incorrect or if the application is using inputted data incorrectly. This can result in illogical processing and cascading errors as invalid results are passed on to another process. These types of problems can lie within applications’ code and are very hard to identify.

User errors, intentional or accidental, are easier to identify through the monitoring and auditing of user activities. Audits and reviews need to be conducted to uncover if employees are inputting values incorrectly into programs, misusing technology, or modifying data in an inappropriate manner.

Risks have loss potential, meaning what the company would lose if a threat agent actually exploits a vulnerability. The loss can be corrupted data, destruction to systems and/or the facility, unauthorized disclosure of confidential information, and a reduction in employee productivity. When performing a risk analysis, the team also needs to look at delayed loss when assessing the damages that can occur. Delayed loss has negative effects on a company after a vulnerability is initially exploited. The time period can be anywhere from 15 minutes after the exploitation to years. Delayed loss issues can be reduced productivity over a period of time, reduced income to the company, accrued late penalties, extra expense to get the environment back to proper working conditions, and delayed collection of funds from customers.

For example, if a company’s Web servers are attacked and brought offline, the immediate damage could be data corruption, the man-hours necessary to bring the servers back online, and the replacement of any code or components that may be required. The company could lose productivity if it usually accepts orders and payments via its Web sites. If it takes a full day to get the Web servers fixed and back online, the company could lose a lot more sales and profits. If it takes a full week to get the Web servers fixed and back online, the company could lose enough sales and profits to not be able to pay other bills and expenses. This would be a delayed loss. If the company’s customers lost confidence in them because of this activity, they could lose business for months or years. This is a more extreme case of delayed loss.

These types of issues bring complexity to being able to properly quantify losses that specific threats could cause, but they need to be taken into consideration to ensure that reality is represented in this type of analysis.

So up to now, we have management’s support of the risk analysis, we constructed our team so that it represents different departments in the company, we placed a value on each of the company’s assets, and identified all the possible threats that could affect the assets. We have also taken into consideration all potential and delayed losses the company may endure per asset per threat. The next step is to use qualitative or quantitative methods to calculate the actual risk the company faces.

Quantitative Approach

There are two types of approaches to risk analysis: quantitative and qualitative. Quantitative risk analysis attempts to assign real and meaningful numbers to all elements of the risk analysis process. These elements may include safeguard costs, asset value, impact, threat frequency, safeguard effectiveness, probabilities, and so on. When all of these are quantified, the process is said to be quantitative. Quantitative also provides concrete probability percentages when determining the likelihood of threats and risks. Each element within the analysis (asset value, threat frequency, severity of vulnerability, impact damage, safeguard costs, safeguard effectiveness, uncertainty, and probability items) is quantified and entered into equations to determine total and residual risks. Purely quantitative risk analysis is not possible, because the method is attempting to quantify qualitative items and there are always uncertainties in quantitative values. If a severity level is high and a threat frequency is low, it is hard to assign corresponding numbers to these ratings and come up with a useful outcome.

Quantitative and qualitative approaches have their own pros and cons, and each applies more appropriately to some situations than others. The company, risk analysis team, and the tools they decide to use will determine which approach is best.

Analysis Inputs and Data Gathering

So where do we start?

After identifying the scope, goals, and team of a risk analysis, the next step is to gather the necessary data. This is the most time-consuming piece of an analysis and can prove to be the most difficult.

The necessary input for a quantitative analysis differs from a qualitative analysis because it deals with real numbers and percentages. The first step is to identify the following components that will make up the analysis:

• The assets that are to be protected should have values estimated and assigned.

• Each threat and corresponding risk needs to be identified.

• The loss potential of each threat needs to be estimated.

• An estimation of the possible frequency of the threat needs to be calculated.

• Remedial measures need to be recognized and recommended.

Once the data is gathered, it can be used in manual or automated methods to calculate the identified risks, their potential damages, and the amount of money that can be reasonably designated for the necessary countermeasures.

Automated Risk Analysis Methods

Collecting all the necessary data that needs to be plugged into risk analysis equations and properly interpreting the results can be overwhelming if done manually. There are several automated risk analysis tools on the market that can make this task much less painful and hopefully more accurate. The gathered data can be reused, greatly reducing the time required to perform subsequent analysis. They can also print out reports and comprehensive graphs to be presented to the management.

The objective of these tools is to reduce the manual effort of these tasks, perform calculations quickly, estimate future expected losses, and determine the effectiveness and benefits of the security countermeasures chosen. Most automatic risk analysis products port information into a database and are run several times with different parameters used to give a panoramic view of what the outcome will be if different risks come to bear. For example, after the tool has all the necessary information inputted, it can compute the potential outcome if a large fire took place, then rerun with different parameters to find out the potential losses if a virus damaged 40 percent of the data on the main file server, then rerun to find out how much the company would lose if an attacker stole all the customer credit card information held in three databases, and so on. Running through the different risk possibilities will give companies a more detailed understanding of which risks are more critical than others, and thus which ones to address first. Figure 3-6 shows a simple example of this process.

Steps of a Risk Analysis

There are many methods and equations that could be used when performing a quantitative risk analysis and many different variables that can be inserted into the process. We are going to go over some of the main steps that should take place in every risk analysis and assessment.

1. Assign value to information and assets.

a. What is the value of this asset to the company?

b. How much does it cost to maintain it?

c. How much does it make in profits for the company?

d. How much would it be worth to the competition?

e. How much would it cost to recreate or recover?

f. How much did it cost to acquire or develop?

2. Estimate potential loss per risk.

a. What physical damage can take place and how much would that cost?

b. How much productivity can be lost and how much would that cost?

c. What is the value lost if confidential information is disclosed?

Figure 3-6 A simplistic example showing the severity of current threats versus the probability of them occurring

d. What is the cost of recovering from a virus attack?

e. What is the cost of recovering from a hacker attack?

f. How much would it cost if critical devices failed?

g. Calculate the single loss expectancy (SLE) for each risk.

3. Perform a threat analysis.

a. Gather information about the likelihood of each risk taking place from people in each department, past records, and official security resources that provide this type of data.

b. Calculate the probability of occurrence for each threat identified.

c. Calculate the annualized rate of occurrence (ARO), which is how many times each threat could happen in a year.

4. Derive the overall loss potential per threat.

a. Combine potential loss and probability.

b. Calculate the annualized loss expectancy (ALE) per threat by using the information calculated in the first three steps.

c. Choose remedial measures to counteract each threat.

5. Reduce, assign, or accept the risk.

a. Risk reduction methods.

i. Install security controls and components.

ii. Improve procedures.

iii. Alter environment.

iv. Provide early detection methods to catch the threat as it’s happening and reduce the possible damage it can cause.

v. Produce a contingency plan of how business can continue if a specific threat takes place, reducing the extended damages of the threat.

vi. Erect barriers to the threat.

b. Risk assignment.

i. Buy insurance to transfer some or all of the risk.

c. Risk acceptance.

i. Live with the risks and spend no money toward protection.

Because we are stepping through a quantitative risk analysis, real numbers are used and calculations are necessary. Single loss expectancy (SLE) and annualized loss expectancy (ALE) were mentioned in the previous analysis steps. The SLE is a dollar amount that is assigned to a single event that represents the company’s potential loss amount if a specific threat took place.

asset value × exposure factor (EF) = SLE


The exposure factor represents the percentage of loss a realized threat could have on a certain asset. So if a data warehouse has the asset value of $150,000 and if a fire took place, it is estimated that 25 percent of the warehouse would be damaged and the SLE would be $37,500. This figure is derived to be inserted into the ALE equation.

SLE × annualized rate of occurrence (ARO) = ALE

The annualized rate of occurrence (ARO) is the value that represents the estimated frequency of a specific threat taking place within a one-year time frame. The range can be from 0.0 (never) to 1.0 (always) and anywhere in between. For example, if the probability of a flood taking place in Mesa, Arizona is once in 1,000 years, the ARO value is 0.001.

So if a fire within a company’s data warehouse facility can cause $37,500 in damages and the frequency of a fire taking place has an ARO value of 0.1 (indicating once in ten years), then the ALE value is $3,750 ($37,500 × 0.1 = $3,750).

The ALE value tells the company that if they want to put in controls or safeguards to protect the asset from this threat, they can sensibly spend $3,750 or less per year to provide the necessary level of protection. It is important to know the real possibility of a risk and how much damage, in monetary terms, the threat can cause in order to know how much can be spent to protect against that threat in the first place. It would not make good business sense for the company to spend more than $3,750 per year to protect itself from this threat.

Now that we have all these numbers, what do we do with them? Let’s look at the example shown in Table 3-2.

Table 3-2 shows the outcome of a risk analysis. With this data, the company can make intelligent decisions on which risks need to be addressed first because of the severity of the risk, the likelihood of it happening, and how much could be lost if the risk did become real. The company now also knows how much money can be spent to protect against each threat, which will result in good business decisions instead of just buying protection here and there without a clear understanding of the big picture. Because the company has a risk of losing up to $5,200 if data is corrupted by virus infiltration, up to this amount of funds can be earmarked to go toward providing antivirus software and methods to ensure that a virus attack will not happen.
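As an added example (not from the book), the SLE and ALE arithmetic above applied to the chapter’s data-warehouse figures and to the rows of Table 3-2 in Python; the ranking helper, the total-budget helper and the recovery of the exposure factor from the printed SLE are my additions.

```python
"""Quantitative risk analysis helpers: SLE, ALE and ranking threats by ALE.

The data below reproduces the figures this chapter uses (the $150,000 data
warehouse and the rows of Table 3-2); nothing here is measured data.
"""
from dataclasses import dataclass


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE = asset value x exposure factor (EF, a fraction between 0 and 1)."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be a fraction from 0.0 to 1.0")
    return asset_value * exposure_factor


def annualized_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE x annualized rate of occurrence (ARO, expected events per year)."""
    if aro < 0:
        raise ValueError("ARO cannot be negative")
    return sle * aro


@dataclass(frozen=True)
class ThreatLine:
    asset: str
    threat: str
    asset_value: float
    sle: float
    aro: float

    @property
    def ale(self) -> float:
        return annualized_loss_expectancy(self.sle, self.aro)

    @property
    def exposure_factor(self) -> float:
        # Table 3-2 prints the SLE directly; EF is recovered as SLE / asset value.
        return self.sle / self.asset_value


# Rows of Table 3-2 (asset value, SLE and annualized frequency as printed).
TABLE_3_2 = [
    ThreatLine("Facility", "Fire", 560_000, 230_000, 0.25),
    ThreatLine("Trade secret", "Stolen", 43_500, 40_000, 0.75),
    ThreatLine("File server", "Failed", 11_500, 11_500, 0.5),
    ThreatLine("Data", "Virus", 8_900, 6_500, 0.8),
    ThreatLine("Customer credit card info", "Stolen", 323_500, 300_000, 0.65),
]


def rank_by_ale(lines):
    """Order threats so the largest annual loss expectancy comes first.

    The ALE of a threat is the ceiling on what can sensibly be spent per year
    to protect the asset from it, so this ordering is also a spending priority.
    """
    return sorted(lines, key=lambda t: t.ale, reverse=True)


def annual_protection_budget(lines):
    """Sum of ALEs across all threats: the most that makes business sense to spend per year."""
    return sum(t.ale for t in lines)


def data_warehouse_example():
    """The chapter's worked figures: $150,000 asset, 25% EF, a fire once in ten years."""
    sle = single_loss_expectancy(150_000, 0.25)   # $37,500
    ale = annualized_loss_expectancy(sle, 0.1)    # $3,750
    return sle, ale


if __name__ == "__main__":
    sle, ale = data_warehouse_example()
    print(f"Data warehouse fire: SLE=${sle:,.0f}  ALE=${ale:,.0f}")
    for t in rank_by_ale(TABLE_3_2):
        print(f"{t.asset:26} {t.threat:7} EF={t.exposure_factor:.2%} "
              f"SLE=${t.sle:>9,.0f} ARO={t.aro:<4} ALE=${t.ale:>9,.0f}")
    print(f"Total ALE: ${annual_protection_budget(TABLE_3_2):,.0f}")
```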

All-In-One / CISSP Certification All-in-One Exam Guide / Harris / 222966-7/ Chapter 3

CISSP Certification All-in-One Exam Guide


Risk Analysis Definitions

| Term | Definition |
|---|---|
| Exposure factor (EF) | Percentage of asset loss caused by identified threat |
| Single loss expectancy (SLE) | Asset value × exposure factor |
| Annualized rate of occurrence (ARO) | Estimated frequency a threat will occur within a year |
| Annualized loss expectancy (ALE) | Single loss expectancy × annualized rate of occurrence |


We have just explored the ways of performing risk analysis through quantitative means. This method tries to measure the loss in monetary values and assign numeric sums to each component within the analysis. A purely quantitative analysis is not achievable because it is impossible to assign exact figures to each component and loss value. Although we can look at past events, do our best to assess the value of the assets, and contact agencies that provide frequency estimates of disasters happening in our area, we still cannot say for a fact that we have a 25 percent chance of a fire happening in a year and that it will cause exactly $57,500 in damage. In quantitative risk analysis, we do our best to provide all the correct information to the best of our knowledge and we will come close to the risk values, but we cannot predict the future and how much the future will cost us or the company.

Results of a Risk Analysis

The risk analysis team should have clearly defined goals and results that they are seeking. The following is a short list of what is generally expected from the results of a risk analysis.

• Monetary values assigned to assets

• Comprehensive list of all possible and significant threats

• Probability of the occurrence rate of each threat

• Loss potential the company can endure per threat in a 12-month time span

• Recommended safeguards, countermeasures, and actions

Although this list looks small, there is usually an incredible amount of detail under each bullet item. This report will be presented to senior management, who will be concerned with possible monetary losses and the necessary costs to mitigate these risks. Although the reports should be as detailed as possible, there should be executive abstracts so that senior management can quickly understand the overall findings of the analysis.


| Asset | Threat | Asset Value | Single Loss Expectancy (SLE) | Annualized Frequency | Annual Loss Expectancy (ALE) |
|---|---|---|---|---|---|
| Facility | Fire | $560,000 | $230,000 | .25 | $57,500 |
| Trade secret | Stolen | $43,500 | $40,000 | .75 | $30,000 |
| File server | Failed | $11,500 | $11,500 | .5 | $5,750 |
| Data | Virus | $8,900 | $6,500 | .8 | $5,200 |
| Customer credit card info | Stolen | $323,500 | $300,000 | .65 | $195,000 |

Table 3-2 Breaking Down How SLE and ALE Values Are Used


Qualitative Risk Analysis

Another method of risk analysis is qualitative, which does not assign numbers and monetary values to components and losses. Instead, qualitative methods walk through different scenarios of risk possibilities and rank the seriousness of the threats and the validity of the different possible countermeasures. Qualitative analysis techniques include judgment, intuition, and experience. Examples of qualitative techniques are Delphi, brainstorming, storyboarding, focus groups, surveys, questionnaires, checklists, one-on-one meetings, and interviews. The risk analysis team will determine the best technique for the threats that need to be assessed and the culture of the company and individuals involved with the analysis.

The team that is performing the risk analysis gathers personnel who have experience and education on the threats being evaluated. When this group is presented with a scenario that describes threats and loss potential, they will respond with their gut feeling on the likelihood of the threat and the extent of damage that may result.

A scenario approximately one page in length is written for each major threat. The functional manager who is most familiar with this type of threat should review the scenario to ensure that it reflects how an actual threat would be carried out. Safeguards that would diminish the damage of this threat are then evaluated, and the scenario is played out for each safeguard. The exposure possibility and loss possibility can be ranked as high, medium, or low, or on a scale of 1 to 5 or 1 to 10. Once the selected personnel rank the possibility of a threat happening, the loss potential, and the advantages of each safeguard, this information is compiled into a report and presented to management to help them make better decisions on how best to implement safeguards into the environment. The benefits of this type of analysis are the communication that has to happen among the team members to rank the risks, the identification of safeguard strengths and weaknesses, and the people who know these subjects best providing their opinions to management.

Let’s look at a simple example of a qualitative risk analysis.

The risk analysis team writes a one-page scenario explaining the threat of a hacker accessing confidential information held on the five file servers within the company. They distribute it to a team of five people (the IT manager, database administrator, application programmer, system operator, and operational manager). The team is given the sheet to rank the threat’s severity, loss potential, and each safeguard’s effectiveness with a rating of 1 to 5, 1 being the least severe, effective, or probable. Table 3-3 shows the results.

This data is compiled and inserted into a report and presented to management. When management is presented with this information, they will see that their staff feels that purchasing a firewall will protect the company from this threat more than purchasing an intrusion detection system or setting up a honeypot system.

This is the result of looking at only one threat; management will view the severity, probability, and loss potential of each threat so that they know which threats cause the greatest risk and should be addressed first.


Delphi Technique

The Delphi technique is a group decision method used to ensure that each member gives an honest opinion of what he or she thinks the result of a particular threat will be. This avoids a group of individuals feeling pressured to go along with others’ thought processes and enables them to participate in an independent and anonymous way. Each member of the group writes down his or her opinion of a certain risk on a piece of paper and turns it in to the team that is performing the analysis. The results are compiled and distributed to the group members, who then write down their comments anonymously and return them to the analysis group. The comments are compiled and redistributed for more comments until a consensus is formed. This method is used to obtain an agreement on cost, loss values, and probabilities of occurrence without individuals having to agree verbally.

Quantitative versus Qualitative

So which method should we use?

Each method has its advantages and disadvantages, and Table 3-4 lists some of the differences between the two methods.

The risk analysis team, management, risk analysis tools, and culture of the company will dictate which approach, quantitative or qualitative, will be used. Management may feel very comfortable with their staff’s opinion and just want the data gathered and presented. Another company with a different management might demand real numbers to be able to use with other business profit and loss numbers, expense forecasts, and market trends.

The goal of either method is to estimate a company’s real risk and rank the severity of the risks so the correct countermeasures can be put into place using a practical budget.


| Threat = Hacker Accessing Confidential Information | Severity of Threat | Probability of Threat Taking Place | Potential Loss to the Company | Effectiveness of Firewall | Effectiveness of Intrusion Detection System | Effectiveness of Honeypot |
|---|---|---|---|---|---|---|
| IT manager | 4 | 2 | 4 | 4 | 3 | 2 |
| Database administrator | 4 | 4 | 4 | 3 | 4 | 1 |
| Application programmer | 2 | 3 | 3 | 4 | 2 | 1 |
| System operator | 3 | 4 | 3 | 4 | 2 | 1 |
| Operational manager | 5 | 4 | 4 | 4 | 4 | 2 |
| Results | 3.6 | 3.4 | 3.6 | 3.8 | 3 | 1.4 |

Table 3-3 Example of a Qualitative Analysis
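An added example (not from the book) that tallies the Table 3-3 rating sheet in Python: it reproduces the Results row, ranks the three safeguards by mean effectiveness, and, as a heuristic of my own tied to the Delphi technique described in the next section, flags any criterion where the raters spread more than two points apart as a question to recirculate before management sees the report.

```python
"""Tally a qualitative risk analysis sheet (Table 3-3) and flag weak consensus.

Ratings are on the chapter's 1-to-5 scale, 1 being least severe, probable or
effective. The sheet below is the printed Table 3-3. The disagreement check
(a criterion whose ratings spread more than max_spread points) is an added
heuristic, not something the chapter prescribes.
"""
from statistics import mean

CRITERIA = [
    "Severity of threat",
    "Probability of threat taking place",
    "Potential loss to the company",
    "Effectiveness of firewall",
    "Effectiveness of intrusion detection system",
    "Effectiveness of honeypot",
]

# Table 3-3: one row per participant, one column per criterion above.
TABLE_3_3 = {
    "IT manager":             [4, 2, 4, 4, 3, 2],
    "Database administrator": [4, 4, 4, 3, 4, 1],
    "Application programmer": [2, 3, 3, 4, 2, 1],
    "System operator":        [3, 4, 3, 4, 2, 1],
    "Operational manager":    [5, 4, 4, 4, 4, 2],
}

SCALE_MIN, SCALE_MAX = 1, 5


def validate(sheet):
    """Every participant rates every criterion, using only values on the scale."""
    for who, ratings in sheet.items():
        if len(ratings) != len(CRITERIA):
            raise ValueError(f"{who}: expected {len(CRITERIA)} ratings, got {len(ratings)}")
        bad = [r for r in ratings if not SCALE_MIN <= r <= SCALE_MAX]
        if bad:
            raise ValueError(f"{who}: ratings off the {SCALE_MIN}-{SCALE_MAX} scale: {bad}")


def results_row(sheet):
    """Mean rating per criterion, rounded to one decimal like the table's Results row."""
    validate(sheet)
    columns = zip(*sheet.values())          # transpose: one tuple per criterion
    return {name: round(mean(col), 1) for name, col in zip(CRITERIA, columns)}


def rank_safeguards(sheet):
    """Safeguards ordered by mean effectiveness, best first."""
    means = results_row(sheet)
    safeguards = [c for c in CRITERIA if c.startswith("Effectiveness of ")]
    return sorted(safeguards, key=lambda c: means[c], reverse=True)


def disputed_criteria(sheet, max_spread=2):
    """Criteria where the highest and lowest rating differ by more than max_spread.

    A wide spread means the group has not reached the consensus the Delphi
    technique aims for, so that question is a candidate for another round.
    """
    validate(sheet)
    disputed = []
    for name, col in zip(CRITERIA, zip(*sheet.values())):
        if max(col) - min(col) > max_spread:
            disputed.append(name)
    return disputed


if __name__ == "__main__":
    for name, score in results_row(TABLE_3_3).items():
        print(f"{name:45} {score}")
    print("Safeguards, best first:", rank_safeguards(TABLE_3_3))
    print("Needs another round:", disputed_criteria(TABLE_3_3))
```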


Protection Mechanisms

Okay, so we know we are at risk, we know the probability of it happening, now what do we do?

The next step is to identify the current security mechanisms and evaluate their effectiveness.

Because a company has such a wide range of threats, and not just computer viruses and attackers, each threat type needs to be addressed and planned for individually. Site location, fire protection, site construction, power loss, and equipment malfunctions are examined in detail in Chapter 6. Software malfunctions and application considerations are covered in Chapter 5. Telecommunication and networking issues are analyzed and presented in Chapter 7. Disaster recovery and business continuity are addressed in Chapter 9. All of these subjects have their own associated risks and planning requirements. The following section addresses identifying and choosing the right countermeasures for computer systems, gives the best attributes to look for, and covers the different cost scenarios that must be investigated when comparing different types of software countermeasures. The end product of the analysis of alternatives is to demonstrate why the selected alternative is the most advantageous to the company.

Countermeasure Selection

A security countermeasure, sometimes called a safeguard, must make good business sense. Good business sense means that it is cost-effective and that its benefit outweighs its cost. This requires another type of analysis: a cost/benefit analysis.

A commonly used cost/benefit calculation for a given safeguard is:

(ALE before implementing safeguard) – (ALE after implementing safeguard) – (annual cost of safeguard) = value of safeguard to the company

For example, if the ALE of the threat of a hacker bringing down a Web server is $12,000, and after the suggested safeguard is implemented the ALE is now $3,000, and the annual cost of maintenance and operation of the safeguard is $650, then the value of this safeguard to the company is $8,350 each year.


| Attribute | Quantitative | Qualitative |
|---|---|---|
| Requires more complex calculations | x | |
| Degree of guesswork that is involved | | x |
| Is easily automated | x | |
| Provides a cost/benefit analysis | x | |
| Uses independent and objective metrics | x | |
| Provides the opinions of the staff that knows the processes best | | x |
| Shows clear-cut losses that can be accrued within one year’s time | x | |

Table 3-4 Quantitative versus Qualitative Characteristics


The cost of a countermeasure is more than just the amount that is filled out on the purchase order. The following items need to be considered and evaluated when deriving the full cost of a countermeasure:

• Product costs

• Design/planning costs

• Implementation costs

• Environment modifications

• Compatibility with other countermeasures

• Maintenance requirements

• Testing requirements

• Repair, replace, or update costs

• Operating/support costs

• Effects on productivity

A company can decide that to protect many of their resources, an intrusion detection system (IDS) is warranted. So the company pays $5,500 for the software. Is that the total cost? Nope. This software should be tested in an environment that is segmented from production to uncover any unexpected activity. After this testing is complete and the IT group feels it is safe to insert into their production environment, they must install the monitor management software and the sensors, and properly direct the communication paths from the sensors to the manager console. Routers may need to be reconfigured to redirect traffic flow, and it needs to be ensured that users cannot access the IDS manager console. A database needs to be configured to hold all attack signatures, and simulations need to be run.

Anyone who has worked in an IT group knows that some adverse reaction almost always takes place in this type of scenario. The network performance can take an unacceptable hit after installing this product. Users may no longer be able to access the Unix server for some mysterious reason. The IDS vendor may not have explained that two more service patches are necessary for the whole thing to work correctly. Staff time will need to be allocated to respond to all of the correct and incorrect alerts the new IDS sends out.

So the cost of this countermeasure is $5,500 for the product, $3,400 for the lab and testing time, $2,600 for the loss in user productivity once the product was introduced into production, and $4,000 in labor for router reconfiguration, product installation, troubleshooting, and installation of the two service patches. The real cost of this countermeasure is $15,500. If our total potential loss was calculated at $9,000, we went over budget when applying this countermeasure for the identified risk. Some of these costs may be hard or impossible to identify before they are incurred, but an experienced risk analyst would account for these possibilities.
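An added example (not from the book) that applies the safeguard-value formula from the Countermeasure Selection section to the full cost list above, in Python, using the chapter’s Web server figures ($12,000 to $3,000 ALE, $650 per year) and IDS figures ($5,500 product, $15,500 all in, $9,000 potential loss); the cost category names, the cost-category check, and the assumed post-IDS ALE of $0 are mine.

```python
"""Cost/benefit check for candidate safeguards, using the chapter's formula:

    (ALE before safeguard) - (ALE after safeguard) - (cost of safeguard) = value

The cost is built from the cost items the chapter lists rather than the
purchase price alone. The chapter's formula uses an annual cost; one-time
items (product, implementation) are taken here as incurred in the first year,
which is the chapter's own treatment of the IDS example. All figures below are
the chapter's, except the post-IDS ALE, which the text does not give.
"""
from dataclasses import dataclass, field

# Cost categories the chapter says must be evaluated to get the full cost.
COST_CATEGORIES = (
    "product", "design/planning", "implementation", "environment modifications",
    "compatibility with other countermeasures", "maintenance", "testing",
    "repair/replace/update", "operating/support", "effects on productivity",
)


@dataclass
class Safeguard:
    name: str
    ale_after: float                            # ALE of the threat with the safeguard in place
    costs: dict = field(default_factory=dict)   # cost category -> dollars

    def __post_init__(self):
        # Reject typos and ad-hoc categories so every cost is one the analysis expects.
        unknown = set(self.costs) - set(COST_CATEGORIES)
        if unknown:
            raise ValueError(f"{self.name}: unknown cost categories {sorted(unknown)}")

    @property
    def total_cost(self) -> float:
        return sum(self.costs.values())


def safeguard_value(ale_before: float, ale_after: float, cost: float) -> float:
    """The chapter's formula; a negative result means the safeguard costs more than it saves."""
    if ale_after > ale_before:
        raise ValueError("a safeguard cannot raise the ALE it is meant to reduce")
    return ale_before - ale_after - cost


def evaluate(ale_before: float, candidates):
    """(name, value) pairs for one threat's candidate safeguards, best value first."""
    scored = [(c.name, safeguard_value(ale_before, c.ale_after, c.total_cost))
              for c in candidates]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


def over_budget(safeguard: Safeguard, potential_loss: float) -> bool:
    """The chapter's rule of thumb: spending more than the loss it addresses is over budget."""
    return safeguard.total_cost > potential_loss


# Web server example: ALE $12,000 before, $3,000 after, $650 per year to maintain and operate.
WEB_SERVER_ALE = 12_000
WEB_SERVER_SAFEGUARD = Safeguard(
    "Web server safeguard", ale_after=3_000,
    costs={"maintenance": 650},
)

# IDS example: $5,500 product plus the costs that surfaced afterwards ($15,500 total).
IDS = Safeguard(
    "Intrusion detection system",
    ale_after=0,   # assumption: the text gives no post-IDS ALE, so take the best case
    costs={
        "product": 5_500,
        "testing": 3_400,                  # lab and testing time
        "effects on productivity": 2_600,  # lost user productivity after rollout
        "implementation": 4_000,           # router reconfiguration, install, two patches
    },
)
IDS_POTENTIAL_LOSS = 9_000


if __name__ == "__main__":
    print(evaluate(WEB_SERVER_ALE, [WEB_SERVER_SAFEGUARD]))   # [('Web server safeguard', 8350)]
    print(f"IDS full cost: ${IDS.total_cost:,}  over budget: {over_budget(IDS, IDS_POTENTIAL_LOSS)}")
    print(evaluate(IDS_POTENTIAL_LOSS, [IDS]))                # negative even in the best case
```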


Functionality and Effectiveness of Countermeasures

The countermeasure doesn’t work, but it’s pretty. Response: Good enough.

Once you have a handle on the cost of the safeguard, you will then need to evaluate its functionality and effectiveness. When selecting a safeguard, some attributes are more favorable than others. Table 3-5 provides a list of attributes that should be considered before purchasing and committing to a security protection mechanism.

Safeguards provide deterrence attributes if they are highly visible. This tells potential evildoers that adequate protection is in place and that they should move on to an easier target. Although the safeguard should be highly visible, the way that it works should not be attainable, so the evildoers cannot attempt to modify the safeguard or know how to get around the reaches of the protection mechanism.

| Characteristic | Description |
|---|---|
| Modular in nature | It can be installed or removed from an environment without adversely affecting other mechanisms. |
| Provides uniform protection | A security level is applied to all mechanisms it is designed to protect in a standardized method. |
| Provides override functionality | An administrator can override the restriction if necessary. |
| Defaults to least privilege | When installed, it defaults to a lack of permissions and rights instead of installing with everyone having full control. |
| Independence of safeguard and the asset it is protecting | The safeguard can be used to protect different assets, and different assets can be protected by different safeguards. |
| Flexibility and functionality | The more functionality the safeguard provides, the better. This functionality should come with flexibility, which enables you to choose different functions instead of all or none. |
| Clear distinction between user and administrator | A user should have fewer permissions when it comes to configuring or disabling the protection mechanism. |
| Minimum human intervention | When humans have to configure or modify controls, this opens the door to errors. The safeguard should be able to set itself up, pull the necessary information from the environment, and require the least amount of input from humans possible. |
| Easily upgraded | Software continues to evolve, and updates should be able to happen painlessly. |
| Auditing functionality | There should be a mechanism that is part of the safeguard that provides minimum or verbose auditing. |
| Minimizes dependence on other components | The safeguard should be flexible and not have strict requirements about the environment into which it will be installed. |
| Easily usable, acceptable, and tolerated by personnel | If the safeguards provide barriers to productivity or add extra steps to simple tasks, users will not tolerate them. |
| Must produce output in usable and understandable format | Important information should be presented in a format easy for humans to understand and use for other tasks. |
| Must be able to reset safeguard | The mechanism should be able to be reset and returned to original configurations and settings without affecting the system or asset it is protecting. |
| Testable | The safeguard should be able to be tested in different environments under different situations. |
| Does not introduce other compromises | The safeguard should not provide any covert channels or back doors. |
| System and user performance | System and user performance should not be greatly affected. |
| Proper alerting | A threshold should be able to be set as to when to alert personnel of a security breach, and this type of alert should be acceptable. |
| Does not affect asset | The assets in the environment should not be adversely affected by the safeguard. |

Table 3-5 Characteristics to Look for When Obtaining Safeguards

Putting It Together

To perform a risk analysis, a company first decides what assets need to be protected and to what extent. It also indicates the amount of money that should go toward protecting specific assets. Next, the functionality of the available safeguards needs to be evaluated, and it needs to be determined which ones would be most beneficial for the environment. Finally, the costs of the safeguards are appraised and compared. These steps and the resulting information enable management to make the most intelligent and informed decisions about selecting and purchasing countermeasures. Figure 3-7 illustrates these steps.

Total Risk versus Residual Risk

The reason that a company implements countermeasures is to reduce their overall risk to an acceptable level. As stated earlier, no system or environment is 100 percent secure, which means there is always some risk left over to deal with. This is called residual risk.

Residual risk is different from total risk, which is what remains when a company chooses not to implement any type of safeguard. The reason that this type of scenario takes place is because of the cost/benefit analysis results. If there is a small likelihood that a company’s Web servers can be compromised and the necessary safeguards to provide a higher level of protection cost more than the potential loss in the first place, the company will choose not to implement the safeguard and is left with the total risk.


There is an important difference between total risk and residual risk, and which type of risk a company is willing to accept.

threats × vulnerability × asset value = total risk

(threats × vulnerability × asset value) × controls gap = residual risk

During a risk assessment, the threats and vulnerabilities are identified. The possibility of these taking place is multiplied by the value of the assets that are at risk, which results in the total risk. Once the controls gap (protection the control cannot provide) is factored in, the result is the residual risk. Implementing countermeasures is a way of mitigating risks. Because no company can remove all threats, there will always be some type of risk left over. The question is what level of risk the company is willing to accept.

Handling Risk

Now that we know about the risk, what do we do with it?

Once a company knows the amount of total and residual risk they are faced with, they must decide how to handle it. There are four basic ways of dealing with risk: transferring, rejecting, reducing, or accepting the risk.

There are many types of insurance available to companies when it comes to protecting their assets. If a company decides that the total or residual risk is too high to gamble with, they can purchase insurance, and this would transfer the risk to the insurance company.

If the company implements countermeasures, this will reduce the risk. If a company is in denial about its risk or ignores it, this is rejecting the risk, which can be very dangerous and is unadvisable. The last approach is to accept the risk, which means the company understands the level of risk they are faced with and the cost of damage that is possible, and they decide to just live with it. Many companies will accept risk when the cost/benefit ratio indicates that the cost of the countermeasure outweighs the potential loss value. So the company will not implement the countermeasure and will accept the risk.


Figure 3-7 The main three steps in risk analysis


Policies, Procedures, Standards, Baselines, and Guidelines

The risk assessment is done. Let’s call it a day. Response: Nope, there’s more.

Computers and the information that is processed on them usually have a direct relationship with a company’s critical missions and objectives. Because of this level of importance, senior management should make protecting these items a high priority and provide the necessary support, funds, time, and resources to ensure that systems, networks, and information are protected in the most logical and cost-effective manner possible. A comprehensive management approach needs to be developed to accomplish these goals successfully.

For security to be ultimately successful in a business, it needs to start at the top level and be useful and functional at every single level within the organization. Senior management needs to define the scope of security, what needs to be protected, and to what extent. Management must understand the regulations, laws, and liability issues that they are responsible for complying with when it comes to security, and ensure that the company as a whole fulfills the obligations of each of these. Senior management also needs to determine what is to be expected from employees and what the consequences of noncompliance will be. These decisions should be made by the individuals who will be held ultimately responsible if something goes wrong.

A security program contains all the pieces necessary to provide overall protection to a corporation and a long-term security strategy. A security program should have security policies, procedures, standards, guidelines, baselines, security awareness training, incident handling, and a compliance program. Human resources and the legal department need to be involved in the development and enforcement of some of these issues.

The language, level of detail, formality of the policy, and supporting mechanisms should be examined. Security policies, standards, guidelines, and procedures must be developed with a realistic view to be most effective. Highly structured organizations will usually follow guidelines in a more uniform way. Less structured organizations may need more explanation and emphasis to promote compliance. The more detailed the rules are, the easier it is to know when one has been violated. However, overly detailed documentation and rules can prove to be more of a burden than helpful. On the other hand, many times the more formal the rules, the easier they are to enforce. The business type, its culture, and its goals need to be evaluated to make sure the right type of language is used when writing security documentation.

Security Policy

A security policy is a general statement produced by senior management (or a selected policy board or committee) to dictate what type of role security plays within the organization. A security policy can be an organizational policy, issue-specific policy, or system-specific policy. In an organizational security policy, management establishes how a security program will be set up, lays out the program’s goals, assigns responsibilities, shows the strategic and tactical value of security, and outlines how enforcement should be carried out. This policy must address relevant laws, regulations, and liability issues and how they are to be satisfied. The organizational security policy provides scope and direction for all future security activities within the organization. It also describes the amount of risk senior management is willing to accept.

Issue-specific policies, also called functional implementing policies, address specific security issues that management feels need more detailed explanation and attention to make sure a comprehensive structure is built and all employees understand how they are to comply with these security issues. Organizations may choose to have an e-mail security policy that outlines what management can and cannot do with employees’ e-mail messages for monitoring purposes and how employees can or cannot use different e-mail functionality, and that addresses specific privacy issues. As an example, an e-mail policy might state that management can read any employee’s e-mail messages that reside on the mail server, but not when they reside on the user’s workstation. It might also state that employees cannot use e-mail to share confidential information or to pass inappropriate material, and that they may be subject to monitoring of these actions. The employees should be made aware of these issues by signing a document, by clicking Yes in a dialog box that explains these issues before they use their e-mail clients, or by a banner presented when the users sign on to their computers. The policy provides direction and structure for the staff, indicating what they can and cannot do. It informs the users of the expectations of their actions, and it provides liability protection in case an employee cries “foul” for any reason dealing with e-mail use.

A system-specific policy presents management’s decisions that are closer to the actual computers, networks, applications, and data. This type of policy can provide an approved software list, which contains the applications that can be installed on individual workstations. This policy can describe how databases are to be protected, how computers are to be locked down, and how firewalls, intrusion detection systems, and scanners are to be employed.

Policies are written in broad overview terms to cover many subjects in a general fashion. Much more granularity is needed to actually support the policy, and this happens with the use of procedures, standards, and guidelines. The policy provides the foundation. The procedures, standards, and guidelines provide the security framework. And the necessary security components, implementations, and mechanisms are used to fill in the framework to provide a full security program and secure infrastructure.

Further information and sample policies are in the appendices.

Standards

Some things you just gotta do.

Organizational security standards specify how hardware and software products are to be used. They can also be used to indicate expected user behavior. They provide a means to ensure that specific technologies, applications, parameters, and procedures are carried out in a uniform way across the organization. It may be an organizational standard that requires all employees to have their company identification badges on their person at all times, or that unknown individuals are to be challenged about their identity and purpose for being in a specific area, or that confidential information has to be encrypted. These rules are usually compulsory within a company, and if they are going to be successful, they need to be enforced.

As stated in an earlier section, there is a difference between tactical and strategic goals. A strategic goal can be viewed as the ultimate end point; the tactical goals are the steps to achieve it. As shown in Figure 3-8, standards, guidelines, and procedures are the tactical goals used to achieve and support the directives in the security policy, which is considered the strategic goal.

Baselines

Baselines provide the minimum level of security necessary throughout the organization. A consistent baseline needs to be established before the security architecture can be properly developed. When standards are implemented and followed properly, they provide a baseline of security. In this sense baselines can be considered the abstraction of standards.

Most of the time, baselines are platform-unique security implementations that are necessary to provide the required level of protection. For example, a company may require all workstations in the company to have at least a C2 assurance rating. The baseline security level would be C2, and supporting procedures would provide step-by-step instructions on how the operating system and components have to be installed to achieve this specific security level. The baseline is a minimum level of security, and other business requirements may require specific systems to contain mechanisms that provide an even higher level of protection.

Types of Policies

Policies can fall into one of the following categories:

• Regulatory This policy is written to ensure that the organization is following standards set by a specific industry and is regulated by law. The policy type is detailed in nature and specific to a type of industry. This is used in financial institutions, health care facilities, and public utilities.

• Advisory This policy is written to strongly suggest certain types of behaviors and activities that should take place within the organization. It also outlines possible ramifications if employees do not comply with the established behaviors and activities. This can be used for handling medical information, financial transactions, and processing confidential information.

• Informative This policy is written to inform employees of certain topics. It is not an enforceable policy, but one to teach individuals about specific issues relevant to the company. It could explain how the company interacts with partners, the company’s goals and mission, and a general reporting structure in different situations.

Guidelines

Guidelines are recommended actions and operational guides to users, IT staff, operations staff, and others when a specific standard does not apply. They can deal with the methodologies of securing computers and their software. There are always gray areas in life, and guidelines can be used as a reference during those times. Whereas standards are specific mandatory rules, guidelines are general approaches that provide the necessary flexibility for unforeseen circumstances.

A policy might state that access to confidential data must be audited. A supporting guideline could further explain that audits should contain sufficient information to allow for reconciliation with prior reviews. Supporting procedures would outline the necessary steps to configure, implement, and maintain this type of auditing.

Procedures

Procedures are detailed step-by-step tasks that should be performed to achieve a certain goal. The steps can apply to users, IT staff, operations staff, security members, and others who may need to carry out specific tasks. Many organizations have written procedures on how operating systems are to be installed, how security mechanisms are to be configured, implementing access control lists, setting up new user accounts, assigning computer privileges, audit activities, material destruction, incident reporting, and much more.

Procedures are looked at as the lowest level in the policy chain because they are closest to the computers and users and provide detailed steps for configuration and installation issues.

Procedures spell out how the policy, standards, and guidelines will actually be implemented in an operating environment. If a policy states that all individuals who access confidential information must be properly authenticated, the supporting procedures will explain the steps for this to happen by defining the access criteria for authorization, how access control mechanisms are implemented and configured, and how access activities are audited. If a standard states that backups should be performed, then the procedures will define the detailed steps necessary to perform the backup, timelines of backups, storage of backup media, and so on. Procedures should be detailed enough to be able to be understood and used by a diverse group of individuals.

Figure 3-8 Policy establishes the strategic plans, and the lower elements provide the tactical support.

Security procedures, standards, measures, practices, and policies cover a number of different subject areas. Table 3-6 describes some of the subject areas affected.

To tie these items together, let’s walk through an example. A corporation’s security policy indicates that confidential information should be properly protected. It states the issue in very broad and vague terms. A supporting standard mandates that all customer information held in databases must be encrypted with the Data Encryption Standard (DES) algorithm while it is stored and only transmitted over the Internet using IPSec encryption technologies. The standard indicates what type of protection is required, and another level of granularity and explanation is provided. The supporting procedures explain exactly how to implement the DES and IPSec technologies, and guidelines could cover how to handle cases when data is accidentally decrypted, corrupted, or compromised during transmission. As shown in Figure 3-9, all of these work together to provide a company with a security structure.

Modular Elements

Standards, guidelines, and baselines should not be in one large document. Each has a specific purpose and a different audience. A document describing how to be in compliance with a specific regulation may go to the management staff, whereas a detailed procedure on how to properly secure a specific operating system is directed toward an IT member.

Being separate and modular in nature helps for proper distribution and updating when it is necessary.

Subject Area: Examples

Accountability controls: Audit trails, reviewing audit logs, automation of auditing and necessary configurations, and storage of audit information

Physical and environmental controls: Intrusion detection system installation, configuration, and monitoring; cooling system maintenance and monitoring

Administration controls: Separation of duties, performing background checks, supervision, and rotation of duties

Access controls: Identification and authentication mechanisms; biometric installation, configuration, and calibration; smart card creation, use, and destruction

Cryptography: When to use it, which encryption technology to use, installation, and configurations

Business continuity planning (BCP) controls: Who is on the BCP team, when drills take place, what is to be documented, and what off-site facility is to be used

Computer operations: How operating systems are to be installed and configured, how applications are to be installed, how to secure workstations, and how to replace hard drives

Incident handling: What defines a security incident, who the report should go to, what should be in the report, and what is done with a report once it is turned in

Table 3-6 Areas Covered by Policies, Standards, Guidelines, and Procedures

Implementation

Unfortunately, many times security policies, standards, procedures, baselines, and guidelines are written because an auditor instructed a company to document these items, but they live at the bottom of a file cabinet and are not shared, explained, or used. To be useful, they need to be put to use. No one is going to follow the rules if people don’t know that the rules exist. Security policies and the items that support them not only have to be developed, they also have to be implemented.

To be effective, employees need to know about security issues within these documents; therefore, the policies and their supporting counterparts need visibility. Awareness training, manuals, presentations, newsletters, and legal banners can achieve this visibility. It needs to be clear that the directives came from senior management and the full management staff supports these policies. Employees need to understand what is expected of them in their actions, behavior, accountability, and performance.

Implementing security policies and the items that support them shows due care by the company and its management staff. Informing employees of what is expected of them and the consequences of noncompliance can come down to a liability issue. If a company fires an employee because he was downloading pornographic material to the company’s computer, the employee can take the company to court and win if the employee can prove that he was not properly informed of what was considered acceptable and unacceptable use of company property and what the consequences were. Security awareness and training are covered in later sections, but understand that companies that do not supply these to their employees are not practicing due care and can be held negligent and liable in the eyes of the law.

Figure 3-9 Security policies, procedures, standards, and guidelines work together.


Information Classification

My love letter to my dog is top secret. Response: As it should be.

Earlier in this chapter, the importance of recognizing what information is critical to a company and assigning a value to it was touched upon. The rationale behind assigning a value to data is to be able to gauge the amount of funds and resources that should go toward protecting it, because not all data has the same value to a company. After the exercise of identifying important information, it should then be properly classified. A company has a lot of information that is created and maintained. The reason to classify data is to organize it according to its sensitivity to loss or disclosure. Once data is segmented according to its sensitivity level, the company can decide what security controls are necessary to protect different types of data. This ensures that information assets receive the appropriate level of protection, and classifications indicate the priority of that security protection. The primary purpose of data classification is to indicate the level of confidentiality, integrity, and availability that is required for each type of information.


Due Care and Due Diligence

Due care and due diligence are terms that are used throughout this book. Due diligence is the act of investigating and understanding the risks the company faces. A company practices due care by developing security policies, procedures, and standards. Due care shows that a company has taken responsibility for the activities that take place within the corporation and has taken the necessary steps to help protect the company, its resources, and employees from possible risks. So due diligence is understanding the current threats and risks, and due care is implementing countermeasures to provide protection from those threats. If a company does not practice due care and due diligence pertaining to the security of its assets, it can be legally charged with negligence and held accountable for any ramifications of that negligence.


Data classification helps ensure that the data is protected in the most cost-effective manner. There are costs in protecting and maintaining data, and it is important to endure these costs for the information that actually requires this type of protection. Going back to our very sophisticated example of spies and the peanut butter and banana sandwich recipe, if a company was in charge of protecting spy files, it would classify this data as top secret and apply complex and highly technical security controls and procedures to ensure that it is not accessed in an unauthorized method and disclosed. On the other hand, the sandwich recipe would have a lower classification, and you might protect it by not talking about it.

Each sensitivity classification should have separate handling requirements and procedures pertaining to how that data is accessed, used, and destroyed. For example, in a corporation, confidential information may be only accessed by senior management and a select few throughout the company. To access the information, it may require two or more people to enter their access codes. Auditing could be very detailed and monitored daily, and paper copies of the information may be kept in a vault. To properly erase this data from the media, degaussing or zeroization may be required. Other information in this company may be classified as sensitive, and a slightly larger group of people can view it. Access control on the information classified as sensitive may require only one set of credentials. Auditing happens but is only reviewed weekly, paper copies are kept in locked file cabinets, and the data can be deleted using regular measures when it is time to do so. Then the rest of the information is marked public. All employees can access it, and no special auditing or destruction methods are required.

Private Business versus Military Classifications

Earlier we touched on how organizations choose different security models. It depends upon the type of organization, its goals, and objectives. Military organizations are more concerned about not disclosing confidential information when compared to most private sector businesses. Private sector businesses are usually more concerned with the integrity and availability of data. These different perspectives affect data classification also.

To properly implement data classifications, a company must first decide upon the sensitivity scheme they are going to use. One company may choose to use only confidential and public, while another company may choose to use top secret, secret, confidential, sensitive, and unclassified. Table 3-7 explains the types of classifications available. Note that some classifications are used for commercial businesses, whereas others are military classifications.

The following shows the levels of sensitivity from the highest to the lowest for commercial business:

• Confidential

• Private

• Sensitive

• Public


Classification / Definition / Examples / Organization that would use this

Sensitive
Definition: Requires special precautions to ensure the integrity of the data by protecting it from unauthorized modification or deletion. Requires higher than normal assurance of accuracy and completeness.
Examples: Financial information; details of projects; profit earnings and forecasts
Organization: Commercial business

Confidential
Definition: For use within the company only. Data that is exempt from disclosure under the Freedom of Information Act or other laws and regulations. Unauthorized disclosure could seriously affect a company.
Examples: Trade secrets; health care information; programming code; information that keeps a company competitive
Organization: Commercial business and military

Private
Definition: Personal information for use within a company. Unauthorized disclosure could adversely affect personnel.
Examples: Work history; human resource information; medical information
Organization: Commercial business

Proprietary
Definition: If disclosed, it could reduce competitive edge.
Examples: Recipe to soft drink or other trade secret; technical specifications of a product
Organization: Commercial business

Public
Definition: All data that does not fit into previous classes. Disclosure is not welcome, but it would not cause an adverse impact to company or personnel.
Examples: How many people are working on a specific project; upcoming projects
Organization: Commercial business

Secret
Definition: If disclosed, it could cause serious damage to national security.
Examples: Deployment plans for troops; nuclear bomb placement
Organization: Military

Top secret
Definition: If disclosed, it could cause grave damage to national security.
Examples: Blueprints of new wartime weapons; spy satellite information; espionage data
Organization: Military

Table 3-7 Commercial Business and Military Data Classifications


The following shows the levels of sensitivity from the highest to the lowest for the military:

• Top secret

• Secret

• Confidential

• Sensitive but unclassified

• Unclassified

Once the scheme is decided upon, the company needs to develop the criteria they are going to use to decide what information goes into which classification. The following list shows some criteria parameters that an organization may use to determine the sensitivity of data:

• Usefulness of data

• Value of data

• Age of data

• The level of damage that could be caused if the data was disclosed

• The level of damage that could be caused if the data was modified or corrupted

• Laws, regulations, or liability responsibility about protecting the data

• Effects the data has on national security

• Who should be accessing this data

• Who should be maintaining this data

• Where this data should be kept

• Who should be able to reproduce this data

• What data would require labels and special marking


Classification / Definition / Examples / Organization that would use this

Sensitive but unclassified (SBU)
Definition: Minor secret. If disclosed, it could cause serious damage.
Examples: Medical data; answers to test scores
Organization: Military

Unclassified
Definition: Data is not sensitive or classified.
Examples: Computer manual and warranty information; recruiting information
Organization: Military

Table 3-7 Commercial Business and Military Data Classifications (continued)


Now that we have the sensitivity scheme chosen and all data is classified, which was determined by the criteria it met, the next step is to specify how each classification should be dealt with. Provisions for access control, identification, and labeling need to be specified along with how data in specific classifications is stored, maintained, transmitted, and destroyed. Auditing, monitoring, and compliance issues need to be ironed out also. Each classification requires a different degree of security and therefore different requirements from each of the mentioned items.


Data Classification Procedures

The following outlines the necessary steps for a proper classification program:

1. Identify data custodian who will be responsible for maintaining data and its security level.

2. Specify the criteria that will determine how data is classified.

3. The data owner must indicate the classification of the data she is responsible for.

4. Indicate the security controls that are required for each classification level.

5. Document any exceptions to the previous classification issues.

6. Indicate the methods that can be used to transfer custody of the information to a different data owner.

7. Indicate termination procedures for declassifying the data.

8. Integrate these issues into the security awareness program so that all employees understand how to handle data at different classification levels.

Layers of Responsibility

Senior management and other levels of management understand the vision of the company, the business goals, and objectives. The next layer down is the functional management, who understand how their individual departments work, what roles individuals play within the company, and how security affects their department directly. The next layers are operational managers and staff. These layers are closer to the actual operations of the company. They know detailed information about the technical and procedural requirements, the systems, and how they are used. These layers understand how security mechanisms integrate into systems, how to configure them, and how they affect daily productivity. Each layer has a different insight into what type of role security plays within an organization. Each layer should have input into the best security practices, procedures, and chosen controls to ensure that the security level that is agreed upon provides the necessary level of protection without negatively affecting the company’s productivity.

Although each layer is important to the overall security of an organization, there are specific roles that must be clearly defined. These roles are the data owner, data custodian, and user.

Data Owner The data owner is usually a member of senior management and is ultimately responsible for the protection and use of a specific subset of information. The data owner falls within the bounds of due care responsibilities and will be held responsible for any negligent acts that result in the corruption or disclosure of the data. He decides upon the classification of the data he is responsible for and alters these classifications if the business needs arise. The data owner will delegate the responsibility of the day-to-day maintenance of the data, which is the responsibility of the data custodian.

Data Custodian The data custodian is given the responsibility of the maintenance and protection of the data. This role is usually filled by the system administrator, and the duties include performing regular backups of the data, implementing security mechanisms, periodically validating the integrity of the data, restoring data from backup media, and fulfilling the requirements specified in the company’s security policy, standards, and guidelines that pertain to information security and data protection.

NOTE A system administrator has the responsibility of individual computers and devices, while a network administrator is more concerned with how the computers and devices are connected and work together within a network. In smaller environments, they are usually one and the same.

User The user is considered any individual who routinely uses the data for work-related tasks. The user must have the necessary level of access to the data to perform the duties within her position and is responsible for following operational security procedures to ensure the data’s confidentiality, integrity, and availability to others.

Poor security management causes a majority of security problems. Different levels of management have different layers of security responsibility. A senior-level committee should be established to ensure that security issues receive appropriate and proper attention by senior officials. A chief information officer (CIO) or security officer should work with senior management to define strategic security procedures and support business managers in defining their information and security needs. Business managers have the primary responsibility for determining the level of protection needed for information system resources; therefore, they should be intimately involved with the selection of security safeguards. A security administrator’s tasks are many, and include creating new system user accounts, implementing new security software, testing security patches and components, and issuing new passwords. They should not have to actually approve of new system user accounts; this is a responsibility of the business managers.


A decision maker is not the proper role for the information security specialists or system administrator in protecting system resources. They may have the technical knowledge of how security mechanisms should be implemented and configured, but they should not be put into a position of deciding how the company approaches security and what security measures should be implemented. Too many times companies handle security at the security administrator level. In these situations, security is not viewed in broad enough terms. Proper risk analysis is usually not performed. Senior management is not fully aware of the risks the company faces. Not enough funds are available for security, and when a security breach takes place, there is not an efficient way of dealing with it. As stated previously, security should work in a top-down fashion to be ultimately successful.

A company’s security is not only tied to the type of firewall installed and the timeliness of security patches being applied. A company is an environment filled with various resources, activities, people, and practices. The security of the environment needs to be approached in a holistic way with each part of security addressed in a serious and responsible manner. The following sections describe compartments of security not usually considered when one thinks about securing a company’s environment.

Security Roles Within an Organization

The following are security roles found in an organization:

• Senior manager Ultimately responsible for security of the organization and the protection of its assets

• Security professional Functionally responsible for security and carrying out senior manager’s directives

• Data owner Determines data classification of information within the organization

• Data custodian Maintains data in ways to preserve and protect its confidentiality, integrity, and availability

• User Uses data for data-processing tasks

• Auditor Examines security practices and mechanisms within the organization

Personnel

There are many facets of personnel responsibilities that fall under management’s umbrella, and several of these have a direct correlation to the overall security of the environment.

Although society has evolved to be extremely dependent upon technology in the work area, people are still the key ingredient to a successful company. Within security, people are often the weakest link. Either accidentally through mistakes or lack of training, or intentionally through fraud and malicious intent, personnel cause more security issues than hacker attacks, outside espionage, or equipment failure. Although the future actions of individuals cannot be predicted, it is possible to minimize the risks by providing preventive measures. These include hiring the most qualified individuals, performing background checks, employing detailed job descriptions, providing necessary training, enforcing strict access control, and terminating individuals in a way that protects all parties involved.

Structure

If a company wants to have effective employee safety, a certain structure needs to be put into place by management and actually followed. This structure includes job descriptions, clear definitions of responsibilities, lines of authority, and acceptable reprimands for specific activities. A clear-cut structure takes the mystery out of who does what and how things are handled in different situations.

There are several items that can be put into place to reduce the possibilities of fraud,sabotage, misuse of information, theft, and other security compromises. Separation ofduties makes sure that one individual cannot complete a critical task by herself. In themovies when a submarine captain launches a nuclear torpedo, which is necessary toblow up the enemy and save civilization as we know it, it usually requires three codes to beentered into the launching mechanism by three different senior crewmembers. This isan example of separation of duties, and it makes sure that the captain cannot completesuch an important and terrifying task all by himself.

In an organization that practices separation of duties, collusion is required to takeplace for different types of security compromises. Collusion means that at least two peoplewould need to work together to cause some type of destruction or fraud, and this drasti-cally reduces its probability.

In a software development environment, there should be clear distinctions between programmers, test beds, libraries, operations, and production. Programmers should be able to work on their code and test it as needed. Once the programmer is finished with her tasks, she turns the code over to quality assurance, who run their own tests in another environment that mirrors the production environment. Once the code passes all the necessary tests, it should be stored in a software library. When it is necessary for the code to go into production, it moves from the library to the production environment. Code should not go from the programmer directly to production without testing and checking it into the library. The test environment should be clearly differentiated from the production environment to ensure that untested code does not accidentally go into production. And the programmer should not tinker with the software once it is in production. These clear-cut methods make sure that no steps are skipped in the phases of software development and that changes are not made in unstructured and dangerous ways.
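The promotion path just described (programmer, then quality assurance in a mirrored test environment, then the software library, then production) can be enforced mechanically rather than by convention. The following is an added example, not code from the book; the stage and role names, the Artifact class, and the sample actors are assumptions made for the illustration:

```python
"""Separation of duties along a software promotion path.

Added example, not code from the book. It models the path the text describes,
development -> testing -> library -> production, and rejects a move that skips
a phase, is made by the wrong role, or lets a programmer approve her own code.
Stage names, role names, the Artifact class and the actors are constructed.
"""
from dataclasses import dataclass, field
from typing import Callable, List, Tuple

# A stage may only be entered from the stage before it: no shortcuts to production.
PROMOTION_PATH = ["development", "testing", "library", "production"]

# Role allowed to move an artifact *into* each stage (constructed mapping).
STAGE_ROLE = {
    "testing": "qa",             # QA tests in an environment mirroring production
    "library": "qa",             # only code that passed QA is checked into the library
    "production": "operations",  # operations deploys from the library, never from a desk
}


class PromotionError(Exception):
    """A move that would skip a phase or break separation of duties."""


@dataclass
class Artifact:
    name: str
    author: str                          # programmer who wrote the code
    stage: str = "development"
    tests_passed: bool = False
    history: List[Tuple[str, str, str]] = field(default_factory=list)


def edit(artifact: Artifact, actor: str) -> Artifact:
    """Code may be changed only while it is still in development."""
    if artifact.stage != "development":
        raise PromotionError(f"{artifact.name}: no tinkering once it has left development")
    artifact.tests_passed = False        # a change invalidates any earlier QA result
    artifact.history.append(("edit", actor, "programmer"))
    return artifact


def run_qa_tests(artifact: Artifact, actor: str, passed: bool) -> Artifact:
    """Record QA's own test run; the author cannot certify her own code."""
    if artifact.stage != "testing":
        raise PromotionError(f"{artifact.name}: QA tests run only in the testing environment")
    if actor == artifact.author:
        raise PromotionError(f"{artifact.name}: {actor} may not certify her own code")
    artifact.tests_passed = passed
    artifact.history.append(("qa_test", actor, "qa"))
    return artifact


def promote(artifact: Artifact, to_stage: str, actor: str, role: str) -> Artifact:
    """Move the artifact to to_stage if every control on the path is satisfied."""
    if to_stage not in STAGE_ROLE:
        raise PromotionError(f"{artifact.name}: {to_stage!r} is not a promotion target")
    cur = PROMOTION_PATH.index(artifact.stage)
    # Control 1: the next phase only; programmer -> production is refused here.
    if cur + 1 >= len(PROMOTION_PATH) or PROMOTION_PATH[cur + 1] != to_stage:
        raise PromotionError(f"{artifact.name}: {artifact.stage} -> {to_stage} is not the next phase")
    # Control 2: the role that owns the target stage performs the move.
    if STAGE_ROLE[to_stage] != role:
        raise PromotionError(f"{artifact.name}: role {role!r} may not promote to {to_stage}")
    # Control 3: separation of duties; a second person is always required, so
    # subverting the path takes collusion rather than one individual.
    if actor == artifact.author:
        raise PromotionError(f"{artifact.name}: {actor} may not move her own code")
    # Control 4: nothing untested reaches the library (and therefore production).
    if to_stage == "library" and not artifact.tests_passed:
        raise PromotionError(f"{artifact.name}: cannot enter the library without passing QA")
    artifact.stage = to_stage
    artifact.history.append((to_stage, actor, role))
    return artifact


def is_rejected(action: Callable[[], object]) -> bool:
    """True when the zero-argument action is stopped by one of the controls."""
    try:
        action()
    except PromotionError:
        return True
    return False


def release(name: str, author: str, tester: str, deployer: str) -> Artifact:
    """Walk a constructed artifact along the full, compliant path."""
    art = Artifact(name, author)
    promote(art, "testing", tester, "qa")
    run_qa_tests(art, tester, passed=True)
    promote(art, "library", tester, "qa")
    promote(art, "production", deployer, "operations")
    return art
```

`release("billing-1.2", "alice", "bob", "carol")` walks the compliant path, while `promote(Artifact("hotfix", "alice"), "production", "alice", "operations")` is refused by the first control.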

Hiring Practices

I like your hat. You’re hired!

Depending on the position that needs to be filled, a level of screening should be practiced to ensure that the company hires the right individual for the right job. Skills should be tested and evaluated, and the caliber and character of the individual should be examined. Joe might be the best programmer in the state, but if someone looked into his past and found out that he hacked up his wife with a knife, the hiring manager might not be so eager to bring Joe into the organization.

Nondisclosure agreements need to be developed and signed by new employees to protect the company and its sensitive information. Any conflicts of interest need to be addressed, and there should be different agreements and precautions taken with temporary and contract employees.

References should be checked, military records reviewed, education verified, and if necessary, a drug test should be administered. Many times, important personal behaviors can be concealed, and that is why hiring practices now include scenario questions, personality tests, and observations of the individual versus just looking at a person’s work history. When a person is hired, he is bringing in his business skills and whatever other baggage he carries. A company can reduce its heartache pertaining to personnel by first conducting useful and carefully carried out hiring practices.

Operations

A management structure must be in place to make sure everyone has someone to report to and the responsibility for another person’s actions is spread equally and intelligently. Consequences for noncompliance or unacceptable behavior must be communicated before an event takes place. Proper supervisory skills need to be acquired and used to ensure that operations go smoothly and any out-of-the-ordinary activities can be taken care of before they get out of control.

Job rotation is an important part of keeping operations a healthy and productive part of the company. No one person should stay in one position for a long period of time because it can end up giving too much control of a segment of the business to this individual. Such total control could result in fraud, data modification, and misuse of information. Employees in sensitive areas should be forced to take their vacations. This requires other individuals to fill their positions, so that any fraudulent errors or activities can be detected.

Job rotation can be used to teach others specific tasks of a particular role within the company. Once these other individuals understand the necessary tasks of the role, they may be able to detect when someone fulfilling that role is carrying out fraudulent activity.

Termination

Because terminations can happen for a variety of different reasons and people will have different reactions, companies should have a specific set of procedures that happen with each and every termination. The employee must leave the facility immediately under the supervision of a manager or security guard. The employee must surrender any identification badges or keys, complete an exit interview, and return company supplies. That user’s accounts and passwords should be disabled or changed immediately. It seems harsh and cold when this actually takes place, but too many companies have been hurt by vengeful employees who have lashed out at the company when their positions were revoked for one reason or another. If an employee is disgruntled in any way or the termination is unfriendly, that employee’s accounts should be disabled right away and all passwords on specific systems changed.

Security Awareness

Management’s directives pertaining to security are captured in the security policy, and the standards, procedures, and guidelines are developed to support these directives. However, this will not be effective if no one knows about these items and how the company expects them to be implemented. For security to be successful and effective, senior management on down to the rest of the staff need to be fully aware of the importance of computer and information security. All employees should understand the underlying significance of security and the specific security-related requirements expected of them.

The controls and procedures of a security program should reflect the nature of the data being processed. A company that sells baseball cards would not need the level of structured controls and security procedures that may be required of a company that develops heat-seeking missiles. These different types of companies would also have very different cultures. For a security awareness program to be effective, these considerations must be understood. The program should be developed in a fashion that makes sense for that environment.

For an organization to achieve the desired results of its security program, it must communicate the what, how, and why of security to its employees. The program should be comprehensive, tailored for specific groups, and organization-wide. The goal is that each employee understands the importance of security to the company as a whole and to each individual. Expected responsibilities and acceptable behaviors need to be clarified, and noncompliance repercussions that could range from a warning to dismissal need to be explained before being invoked.

Different Types of Security Training

I want my training to have a lot of pictures and pop-up books.

There are usually at least three audiences for a security awareness program: management, staff, and technical employees. Each type of awareness training needs to be geared toward the individual audience to ensure that each group understands its particular responsibilities, liabilities, and expectations. If technical security training were given to senior management, their eyes would glaze over as soon as protocols and firewalls were mentioned. On the flip side, if legal ramifications, company liability issues pertaining to protecting data, and shareholders’ expectations were discussed with the IT group, they would quickly start a game of hangman or tic-tac-toe with their neighbor.

Management would benefit the most from a short, focused security awareness orientation that discusses corporate assets and financial gains and losses pertaining to security. They need to know how stock prices can be negatively affected by compromises, possible threats and their outcomes, and how security needs to be integrated into the environment in the same way as other business policies. The management group must lead the rest of the company in support for security; thus, they must gain the right mind-set about its importance.


Mid-management would benefit from more detailed explanations of the policies, procedures, standards, and guidelines and how they map to the individual departments that this level of management is responsible for. They should be shown how critical their support is for their specific departments and their level of responsibility for ensuring that employees practice safe computing activities. They should also be shown how the consequences of noncompliance by individuals who report to them can affect the company as a whole and how they, as managers, may have to answer for such indiscretions.

The technical departments must receive a different presentation that aligns more to their daily tasks. They should receive more in-depth training that discusses technical configurations, incident handling, and indications of different types of security compromises so they can be properly recognized.

Each group needs to know whom it should report suspicious activity to and how they are expected to handle these situations. Employees should not try to combat an attacker or address fraudulent activities by themselves. Each employee should be told to report these issues to upper management, and upper management should determine how the situation is to be handled.

Staff members need to understand why security is important to the company and important to them individually. The more that it can be shown how individuals can be negatively affected by insecure activities, the more they will be willing to participate. This presentation should have many examples of acceptable and unacceptable activities. Examples of these activities can include questioning an unknown individual in a restricted portion of the facility, proper Internet use, expected use of e-mail capabilities, not removing company-owned material, and intellectual property issues. The employees should fully understand what is expected of them and what could happen if they do not follow these guidelines. It is usually best to have each employee sign a document indicating that he has heard and understands all the security topics discussed and he understands the ramifications of noncompliance. This reinforces the importance to the employee and also provides evidence down the road if the employee claims that he was never told about these expectations.

Security training should happen periodically and continually. We learn mostly by repetition, and this training should take place at least once a year. The goal is to not only get individuals to understand how security works in their environment, but to also get individuals to understand why. The main reason to perform security awareness training is to modify employees’ behavior and attitude toward security.


Summary

Security management embodies the administrative and procedural activities necessary to support and protect information and company assets throughout the enterprise. It includes development and enforcement of security policies and their supporting mechanisms: procedures, standards, baselines, and guidelines. It encompasses risk management, security awareness training, and proper countermeasure selection and implementation. Personnel (hiring, terminating, training, and management structure) and operational (job rotation and separation of duties) activities must also be conducted properly to ensure a secure environment. The management must understand the legal and ethical responsibilities it is required to respect and uphold. Figure 3-10 illustrates some of the necessary pieces for an effective and efficient security program.

Security is a business issue and should be treated as such. It needs to be properly integrated into the company’s overall business goals and objectives because security issues can negatively affect the resources the company depends upon. More and more corporations are finding out the price that has to be paid when security is not given the proper attention, support, and funds. This is a wonderful world to live in, but bad things can happen. The ones who realize this notion not only survive, but they also thrive.

Quick Tips

• A vulnerability is the absence of a safeguard or a weakness that could be exploited.

• A threat is the possibility that someone would exploit a vulnerability.

• A risk is the probability of a threat agent exploiting a vulnerability and the loss potential from that action.

• Reducing vulnerabilities and/or threats reduces the risk.

• An exposure is an instance of being exposed to losses from a threat.

[Figure 3-10: Necessary pieces that fit together to form effective and efficient security]

• A countermeasure, also called a safeguard, mitigates the risk.

• A countermeasure can be an application, software configuration, hardware, or procedure.

• Security management has become more important over the years because networks have evolved from centralized environments to distributed environments.

• The objectives of security are to provide availability, integrity, and confidentiality of data and resources.

• Strategic planning is long term, tactical planning is mid-term, and operational planning is day to day. They make up a planning horizon.

• Security components can be technical (firewalls, encryption, and access control lists) or non-technical (security policy, procedures, and compliance enforcement).

• Assurance is a degree of confidence that a certain security level is being provided.

• Security management should work from the top down, from senior management down to the staff.

• The security model a company chooses depends on the type of business, its critical missions, and objectives.

• Risk management is the process of reducing risk to an acceptable level and maintaining that level.

• Risk can be transferred, rejected, reduced, or accepted.

• An example of risk transference is when a company buys insurance.

• A way of reducing risk is to improve security procedures and/or implement safeguards.

• If a company is rejecting risk, it is choosing to ignore it, which can be dangerous.

• Threats × vulnerability × asset value = total risk

• (Threats × vulnerability × asset value) × controls gap = residual risk

• The main goals of risk analysis are the following: identify risks, quantify the impact of potential threats, and provide an economic balance between the impact of the risk and the cost of the safeguards.

• A risk analysis is a tool used to identify the degree of risk a company is under and estimate the proper budget that should be formed to reduce and mitigate this risk.

• A quantitative risk analysis attempts to assign monetary values to components within the analysis.

• A purely quantitative risk analysis is not possible because it is trying to quantify qualitative items.

• When determining the value of information, the following issues need to be considered: the cost to acquire and develop data; the cost to maintain and protect data; the value of the data to owners, users, and adversaries; the cost of replacement if lost; the price others are willing to pay for the data; and the usefulness of the data.

• There are automated risk analysis tools that reduce the amount of manual work involved. They estimate future expected losses and calculate the benefits of different security measures.

• Single loss expectancy is the amount that could be lost if a specific threat agent exploited a vulnerability.

• Single loss expectancy × frequency per year = annualized loss expectancy (SLE × ARO = ALE)

• Qualitative risk analysis uses judgment and intuition instead of numbers.

• Qualitative risk analysis uses scenarios that walk through risks and have the people with the experience and education on such matters rate the probability, potential loss, and severity of each risk.

• The Delphi technique is a group decision method where each member can vote anonymously.

• When choosing the right safeguard to reduce a specific risk, the cost, functionality, and effectiveness need to be evaluated and a cost/benefit analysis needs to be performed.

• Safeguards should be highly visible, but their mechanisms should be hidden.

• A security policy is a statement by management dictating the role security plays in the organization.

• Procedures are detailed, step-by-step actions that should be followed to achieve a certain task.

• A standard specifies how hardware and software are to be used. Standards are compulsory.

• Baselines provide a minimum level of security acceptable for an environment.

• Guidelines are recommendations and general approaches that provide advice and flexibility.

• Data is classified to assign priorities to data and ensure that the appropriate level of protection is provided.

• The military is more concerned about confidentiality of data, whereas commercial businesses are usually more concerned with data integrity and availability.

• Data owners specify the classification of data.

• The objective of every loss prevention program is to reduce losses to a predefined level of tolerance.

• Security has functional requirements, which define the expected behavior from a product or system, and assurance requirements, which establish confidence in the implemented products or systems overall.


• Risk management mitigates risks by defining and controlling threats and vulnerabilities.

• The security program should be integrated with current business objectives and goals.

• Management needs to define the scope and purpose of security management, provide support, appoint a security team, delegate responsibility, and review the team’s findings.

• The security team should be individuals from different departments within the organization and not just technical personnel.

• A risk analysis can take a lot of time from different people within the company. The process of a risk analysis needs to be understood prior to starting the analysis.

• A risk can have delayed loss and/or delayed damages, meaning that losses can be experienced over a period of time or damages can be experienced at a later date.

• A qualitative rating would be expressed in high, medium, or low, or on a scale of 1 to 5 or 1 to 10. A quantitative result would be expressed in dollar amounts and percentages.

• Safeguards should default to least privilege, have fail-safe defaults, and override capabilities.

• Safeguards should be imposed uniformly so everyone has the same restrictions and functionality.

• For security purposes, information should be categorized on the basis of availability, integrity, and confidentiality.

• A key element during the initial security planning process is to define reporting relationships.
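The Quick Tips formulas (SLE × ARO = ALE, threats × vulnerability × asset value = total risk, total risk × controls gap = residual risk) and the cost/benefit rule for deciding whether a safeguard is worth its price, worked through as an added example rather than code from the book. The threats, safeguards and dollar figures are constructed sample values, and the value-of-safeguard formula (ALE before minus ALE after minus yearly cost of the safeguard) is an assumption made here to carry the chapter's cost/benefit comparison through:

```python
"""Quantitative risk analysis with the Quick Tips formulas.

Added example, not code from the book. It applies
    SLE x ARO = ALE
    threats x vulnerability x asset value = total risk
    total risk x controls gap = residual risk
and the cost/benefit rule: a safeguard is worth buying only when the yearly loss
it prevents exceeds its yearly cost; otherwise the company may accept the risk.
The value-of-safeguard formula (ALE before - ALE after - yearly cost) is assumed
here, and every threat, safeguard and dollar figure is a constructed sample.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Threat:
    name: str
    sle: float  # single loss expectancy: dollars lost in one occurrence
    aro: float  # annualized rate of occurrence: expected occurrences per year


@dataclass(frozen=True)
class Safeguard:
    name: str
    annual_cost: float                 # purchase spread over its life, plus yearly operation
    aro_after: float                   # occurrences per year with the safeguard in place
    sle_after: Optional[float] = None  # loss per occurrence with it in place; None = unchanged


def ale(sle: float, aro: float) -> float:
    """Annualized loss expectancy: SLE x ARO."""
    if sle < 0 or aro < 0:
        raise ValueError("SLE and ARO cannot be negative")
    return sle * aro


def total_risk(threats: float, vulnerability: float, asset_value: float) -> float:
    """threats x vulnerability x asset value."""
    return threats * vulnerability * asset_value


def residual_risk(threats: float, vulnerability: float, asset_value: float,
                  controls_gap: float) -> float:
    """total risk x controls gap; the gap is the fraction (0..1) the controls leave open."""
    if not 0.0 <= controls_gap <= 1.0:
        raise ValueError("controls gap must lie between 0 (fully covered) and 1 (no controls)")
    return total_risk(threats, vulnerability, asset_value) * controls_gap


def safeguard_value(threat: Threat, sg: Safeguard) -> float:
    """Yearly value of a safeguard: ALE before - ALE after - yearly cost of the safeguard."""
    sle_after = threat.sle if sg.sle_after is None else sg.sle_after
    return ale(threat.sle, threat.aro) - ale(sle_after, sg.aro_after) - sg.annual_cost


def choose_safeguard(threat: Threat,
                     candidates: List[Safeguard]) -> Optional[Tuple[Safeguard, float]]:
    """Return (safeguard, yearly value) for the best positive-value candidate,
    or None when no candidate pays for itself and the risk is accepted."""
    best: Optional[Tuple[Safeguard, float]] = None
    for sg in candidates:
        value = safeguard_value(threat, sg)
        if value > 0 and (best is None or value > best[1]):
            best = (sg, value)
    return best


def earmark(plan: List[Tuple[Threat, List[Safeguard]]]) -> float:
    """Yearly budget to set aside: the cost of every safeguard that was chosen."""
    total = 0.0
    for threat, candidates in plan:
        chosen = choose_safeguard(threat, candidates)
        if chosen is not None:
            total += chosen[0].annual_cost
    return total


# Constructed sample: a server room worth protecting and a lobby sign that is not.
FIRE = Threat("fire in server room", sle=100_000, aro=0.1)       # ALE = 10,000 per year
FIRE_OPTIONS = [
    Safeguard("sprinklers", annual_cost=3_000, aro_after=0.1, sle_after=20_000),
    Safeguard("offsite backups", annual_cost=4_000, aro_after=0.1, sle_after=30_000),
    Safeguard("second data center", annual_cost=50_000, aro_after=0.01),
]
SIGN = Threat("vandalism of lobby sign", sle=500, aro=0.5)        # ALE = 250 per year
SIGN_OPTIONS = [Safeguard("night guard", annual_cost=20_000, aro_after=0.05)]

if __name__ == "__main__":
    for threat, options in [(FIRE, FIRE_OPTIONS), (SIGN, SIGN_OPTIONS)]:
        print(f"{threat.name}: ALE {ale(threat.sle, threat.aro):,.0f}")
        for sg in options:
            print(f"  {sg.name:<20} value {safeguard_value(threat, sg):>10,.0f}")
        print("  decision:", choose_safeguard(threat, options) or "accept the risk")
    print("yearly budget to earmark:", earmark([(FIRE, FIRE_OPTIONS), (SIGN, SIGN_OPTIONS)]))
```

For the fire threat the sprinklers win (value 5,000 per year) while the second data center costs far more than the loss it prevents; for the lobby sign no safeguard pays for itself, so that risk is accepted.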

Questions

Please remember that these questions are formatted and asked in a certain way for a reason. You must remember that the CISSP exam is asking questions at a conceptual level. Questions may not always have the perfect answer, and the candidate is advised against always looking for the perfect answer. The candidate should look for the best answer in the list.

1. Who has the primary responsibility of determining the classification level for information?

A. Functional manager

B. Senior management

C. Owner

D. User

2. Which group causes the most risk of fraud and computer compromises?

A. Employees

B. Hackers


C. Attackers

D. Contractors

3. If different user groups with different security access levels need to access the same information, which of the following actions should management take?

A. Decrease the security level on the information to ensure accessibility and usability of the information.

B. Require specific written approval each time an individual needs to access the information.

C. Increase the security controls on the information.

D. Increase the classification label on the information.

4. What does management need to consider the most when classifying data?

A. Type of employees, contractors, and customers who will be accessing the data.

B. Availability, integrity, and confidentiality.

C. First assess the risk level and disable countermeasures.

D. The access controls that will be protecting the data.

5. Who is ultimately responsible for making sure data is classified and protected?

A. Data owners

B. Users

C. Administrators

D. Management

6. What is a procedure?

A. Rules on how software and hardware must be used within the environment

B. Step-by-step directions on how to accomplish a task

C. Guidelines on how to approach security situations that are not covered by standards

D. Compulsory actions

7. Which factor is the most important item when it comes to ensuring that security is successful in an organization?

A. Senior management support

B. Effective controls and implementation methods

C. Updated and relevant security policies and procedures

D. Security awareness by all employees

8. When is it acceptable to not take action on an identified risk?

A. Never. Good security addresses and reduces all risks.

B. When political issues prevent this type of risk from being addressed.


C. When the necessary countermeasure is complex.

D. When the cost of the countermeasure outweighs the value of the asset and potential loss.

9. What are security policies?

A. Step-by-step directions on how to accomplish security tasks

B. General guidelines used to accomplish a specific security level

C. Broad, high-level statements from the management

D. Detailed documents explaining how security incidents should be handled

10. Which is the most valuable technique when determining if a specific security control should be implemented?

A. Risk analysis

B. Cost/benefit analysis

C. ALE results

D. Identifying the vulnerabilities and threats causing the risk

11. Which best describes the purpose of the ALE calculation?

A. Quantifies the security level of the environment

B. Estimates the loss possible for a countermeasure

C. Quantifies the cost/benefit result

D. Estimates the loss potential of a threat in a year span

12. Tactical planning is:

A. Mid-term

B. Long-term

C. Day-to-day

D. Six months

13. What is the definition of a security exposure?

A. An instance of being exposed to losses from a threat

B. Any potential danger to information or systems

C. An information security absence or weakness

D. A loss potential of a threat

14. An effective security program requires a balanced application of:

A. Technical and non-technical methods

B. Countermeasures and safeguards

C. Physical security and technical controls

D. Procedural security and encryption

15. The security functionality defines the expected activities of a security mechanism, and assurance defines:

A. The controls the security mechanism will enforce

B. The data classification after the security mechanism has been implemented

C. The confidence of the security the mechanism is providing

D. Cost/benefit relationship

16. Which statement is true when looking at security objectives in the private business sector versus the military sector?

A. Only the military has true security.

B. Businesses usually care more about data integrity and availability, whereas the military is more concerned with confidentiality.

C. The military requires higher levels of security because the risks are so much higher.

D. The business sector usually cares most about data availability and confidentiality, whereas the military is most concerned about integrity.

17. How do you calculate residual risk?

A. Threats × risks × asset value

B. (Threats × asset value × vulnerability) × risks

C. SLE × frequency = ALE

D. (Threats × vulnerability × asset value) × controls gap

18. Which of the following is not a purpose of doing a risk analysis?

A. Delegate responsibility

B. Quantify impact of potential threats

C. Identify risks

D. Define the balance between the impact of a risk and the cost of the necessary countermeasure

19. How does a risk analysis show management how much money to spend per security measure?

A. It shows management how much could be lost if the security measure is not implemented.

B. It calculates the frequency of the risk times the cost/benefit ratio of the ALE.

C. It shows management how much money could be saved if the security program was implemented.

D. It provides the qualitative severity of the security measure.

20. Which of the following is not a management role in the process of implementing and maintaining security?

A. Support

B. Perform risk analysis

C. Define purpose and scope

D. Delegate responsibility

21. Why should the team that is going to perform and review the risk analysis information be made up of people in different departments?

A. To make sure the process is fair and that no one is left out.

B. They shouldn’t. It should be a small group brought in from outside the organization because otherwise the analysis is biased and unusable.

C. Because people in different departments understand the risks of their department and it ensures that the data going into the analysis is as close to reality as possible.

D. Because the people in the different departments are the ones causing the risks, so they should be the ones held accountable.

22. Which best describes quantitative risk analysis?

A. Scenario-based analysis to research different security threats

B. A method used to apply severity levels to potential loss, probability of loss, and risks

C. A method that assigns monetary values to components in the risk assessment

D. A method that is based on gut feelings and opinions

23. Why is a truly quantitative risk analysis not possible to achieve?

A. It is possible, which is why it is used.

B. It assigns severity levels. Thus, it is hard to translate into monetary values.

C. It is dealing with purely quantitative elements.

D. Quantitative measures must be applied to qualitative elements.

24. If there are automated tools for risk analysis, why does it take so much time to complete?

A. A lot of data has to be gathered to be inputted into the automated tool.

B. Management has to approve it and then a team has to be built.

C. Risk analysis cannot be automated because of the nature of the assessment.

D. Many people have to agree on the same data.

25. Which of the following is a legal term that pertains to a company or individual taking reasonable actions and is used to determine liability?

A. Standards

B. Due process

C. Due care

D. Downstream liabilities

Answers

1. C. A company can have one specific data owner or different data owners who have been delegated the responsibility of protecting specific sets of data. One of the responsibilities that goes into protecting this information is properly classifying it.

2. A. It is commonly stated that internal threats comprise 70–80 percent of the overall threat to a company. This is because employees already have privileged access to a wide range of company assets. The outsider who wants to cause damage must obtain this level of access before she can carry out the type of damage that internal personnel can carry out. A lot of the damages that are caused by internal employees are brought about by mistakes and system misconfigurations.

3. C. If data is going to be available to a wide range of people, more security should be implemented to ensure that only the necessary people access the data and the operations they carry out are controlled. The security implemented can come in the form of authentication and authorization technologies, encryption, and specific access control mechanisms.

4. B. The best answer to this question is B because to properly classify data the data owner needs to evaluate the availability, integrity, and confidentiality requirements of the data. Once this is done this will dictate what employees, contractors, and users can access the data, which is expressed in answer A. This assessment will also help determine the controls that should be put into place.

5. D. The key to this question is the use of the word “ultimately.” Management is ultimately responsible for everything that takes place within a company. They need to make sure data and resources are being properly protected on an ongoing basis. They can delegate tasks to others, but they are ultimately responsible.

6. B. Standards are rules that must be followed, thus they are compulsory. Guidelines are recommendations. Procedures are step-by-step instructions.

7. A. Without senior management’s support a security program will not receive the necessary attention, funds, resources, and enforcement capabilities.

8. D. Companies may decide to live with specific risks they are faced with because it would cost more to try and protect themselves than they have a potential of losing if the threat became real. Countermeasures are usually complex to a degree, and there are almost always political issues surrounding different risks, but these are not reasons to not implement a countermeasure.

All-In-One / CISSP Certification All-in-One Exam Guide / Harris / 222966-7/ Chapter 3

9. C. A security policy captures senior management’s perspectives and directives on what role security should play within the company. They are usually vague and use broad terms so they can cover a wide range of items.

10. B. Although the other answers may seem correct, B is the best answer here. This is because a risk analysis is performed to identify risks and come up with suggested countermeasures. The ALE tells the company how much it could lose if a specific threat became real. The ALE value will go into the cost/benefit analysis, but the ALE does not address the cost of the countermeasure and the benefit of a countermeasure. All the data captured in answers A, C, and D are inserted into a cost/benefit analysis.

11. D. The ALE calculation estimates the potential loss that can affect one asset from a specific threat within a one-year time span. This value is used to figure out the amount of money that should be earmarked to protect this asset from this threat.
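As an added worked example, not taken from the exam guide, the following Python code shows how the ALE described in answers 10 and 11 feeds a countermeasure cost/benefit decision, using the flood figures quoted in answer 23 (up to $40,000 in damages, once in ten years). It assumes the standard ALE = SLE × ARO form and the net-value formula (ALE before, minus ALE after, minus the control's annual cost); the control names and costs are constructed.

```python
from dataclasses import dataclass
from typing import Optional


def annualized_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE x ARO: loss per event times expected events per year (answer 11)."""
    if sle < 0 or aro < 0:
        raise ValueError("SLE and ARO must be non-negative")
    return sle * aro


@dataclass(frozen=True)
class Countermeasure:
    """A candidate control; all figures are constructed for this example."""
    name: str
    annual_cost: float   # purchase and upkeep amortised per year
    residual_sle: float  # loss per event the control cannot prevent
    residual_aro: float  # rate of occurrence remaining after the control


def countermeasure_value(ale_before: float, cm: Countermeasure) -> float:
    """Net annual value = ALE before - ALE after - annual cost of the control.
    Negative means the control costs more than it saves (the answer 8 situation)."""
    ale_after = annualized_loss_expectancy(cm.residual_sle, cm.residual_aro)
    return ale_before - ale_after - cm.annual_cost


def recommend(ale_before: float, candidates: list) -> Optional[Countermeasure]:
    """Pick the control with the highest positive value; None means accept the risk."""
    best = max(candidates, key=lambda cm: countermeasure_value(ale_before, cm), default=None)
    if best is None or countermeasure_value(ale_before, best) <= 0:
        return None
    return best


# Flood scenario quoted in answer 23: up to $40,000 damage, once every ten years.
FLOOD_ALE = annualized_loss_expectancy(sle=40_000, aro=0.1)  # $4,000 per year

# Constructed candidate controls (hypothetical names and costs).
CANDIDATES = [
    Countermeasure("raised floor and sump pump", 1_500, residual_sle=10_000, residual_aro=0.1),
    Countermeasure("relocate the data centre", 12_000, residual_sle=0, residual_aro=0),
]

if __name__ == "__main__":
    for cm in CANDIDATES:
        print(f"{cm.name}: net value ${countermeasure_value(FLOOD_ALE, cm):,.0f}/year")
    choice = recommend(FLOOD_ALE, CANDIDATES)
    print("recommendation:", choice.name if choice else "accept the risk")
```

Run as a script it reports a positive net value for the cheaper control and a negative one for relocation, so the relocation would be declined even though it removes the risk entirely.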

12. A. There are three types of goals that make up the planning horizon: operational, tactical, and strategic. The tactical goals are mid-term goals that must be accomplished before the overall strategic goal is accomplished.

13. A. An exposure means that a vulnerability has been exploited by a threat agent. Examples are: a hacker accesses a database through an open port on the firewall, an employee shares confidential information via e-mail, or a virus infects a computer.

14. A. Security is not defined by a firewall, an access control mechanism, a security policy, company procedures, employee conduct, or authentication technologies. It is defined by all of these and how they integrate together within an environment. Security is not purely technical and it is not purely procedural, but rather, a mix of the two.

15. C. The functionality describes how a mechanism will work and behave. This may have nothing to do with the actual protection it provides. Assurance is the level of confidence in the protection level a mechanism will provide. When systems and mechanisms are evaluated, their functionality and assurance should be examined and tested individually.

16. B. Although answer C may seem correct to you, it is a subjective answer. Businesses will see their threats and risks as being more important than another organization’s threats and risks. The military has a rich history of having to keep their secrets secret. This is usually not as important in the commercial sector relative to the military.

17. D. The equation is more conceptual than it is practical. It is hard to assign a number to a vulnerability and a threat individually. What this equation is saying is look at the potential loss of a specific asset and look at the controls gap, which means what the specific countermeasure cannot protect against. What is left is the residual risk. Residual risk is what is left over after a countermeasure is implemented.

18. A. The other three answers are the main reasons to carry out a risk analysis. An analysis is not carried out to delegate responsibilities. Management will take on this responsibility once the results of the analysis are reported to them and they understand what actually needs to be carried out.

19. A. The crux of carrying out a risk analysis is to calculate risk and estimate how much specific threats could cost the company. From these numbers senior management can make a decision on the best security mechanisms and how much should be spent on them.

20. B. The number one ingredient management needs to provide when it comes to security is support. They need to define the role of security, the scope of security, and the different assessments that will be carried out. They will also delegate who does what pertaining to security. They will not carry out the analysis, but are responsible for making sure one is done and that they act on the results it provides.

21. C. An analysis is only as good as the data that goes into it. Data pertaining to risks the company faces should be extracted from the people who understand the business functions and environment of the company the best. Each department understands their own threats and resources, and may have possible solutions to specific risks that affect their part of the company.

22. C. A quantitative risk analysis assigns monetary values and percentages to the different components within the assessment. A qualitative analysis uses opinions of individuals and a rating system to gauge the severity level of different threats and the benefits of specific countermeasures.

23. D. During a risk analysis the team is trying to properly predict the future and all the risks that future may bring. It is somewhat of a subjective exercise and educated guessing must take place. It is very hard to properly predict that a flood will take place once in ten years and cost a company up to $40,000 in damages, but this is what a quantitative analysis tries to accomplish.

24. A. An analysis usually takes a long time to complete because of all the data that must be properly gathered. There are usually a lot of different sources for this type of data and properly extracting it is extremely time consuming. In most situations it involves setting up meetings with specific personnel and going through a question-and-answer process.

25. C. A company’s or individual’s actions can be judged by the “Prudent Person Rule,” which looks at how a prudent or reasonable person would react in similar situations. Due care means to take these necessary actions to protect the company, its assets, customers, and employees. Computer security has many aspects pertaining to practicing due care. If management does not ensure that these things are in place, they can be found negligent.
