Administering Security: Vulnerabilities, Risk Analysis, and Security Policy
K. Salah

Vulnerabilities

Security objectives:
• Prevent attacks
• Detect attacks
• Recover from attacks
Attacks are directed against weaknesses in the information system.
Need: find the weaknesses before the attacker does.

Identifying and Eliminating Weaknesses
I. Vulnerability monitoring
II. Secure system development
III. User training and awareness
IV. Avoiding single points of failure

I. Vulnerability Monitoring
• Identify potential weaknesses in existing information systems
• Reveals a wide range of vulnerabilities

I. Security Flaws
Secure software installation:
• Correct installation of the software
• Change default settings (default accounts, default passwords and services enabled out of the box are the first things an attacker tries)
• Validate upgrades and changes before and after they are applied
• Patch new security flaws as they are disclosed

I. Vulnerability Detection Tools
• Computer Oracle and Password System (COPS), free: host-based checker for UNIX systems (file permissions, weak passwords, risky configuration)
• Security Administrator Tool for Analyzing Networks (SATAN), free: probes hosts over the network for known weaknesses
• SAFEsuite (Internet Security Systems, Inc.): commercial family of network security assessment tools (web security scanner, firewall scanner, intranet scanner, system security scanner); the license is keyed to the customer's IP addresses
These are 1990s tools; the two categories they represent, host-based auditors and network scanners, are still the basis of vulnerability monitoring.

I. Keeping up with Security Publications
• Legitimate publications on how to remove vulnerabilities: CERT advisories, SANS Security Digest
• Hacker publications: "how to" exploit known vulnerabilities
• Security mailing lists
Read both kinds: the defender needs to know what the attacker already knows.

II. Building Secure Systems
• 1960s: the US Department of Defense (DoD) recognizes the risk posed by unsecured information systems
• 1981: National Computer Security Center (NCSC) at the NSA; DoD Trusted Computer System Evaluation Criteria (TCSEC), the "Orange Book"

II. National Information Assurance Partnership (NIAP)
• 1997: National Institute of Standards and Technology (NIST), National Security Agency (NSA), and industry
• Aims to improve the efficiency of evaluation and to transfer methodologies and techniques to private-sector laboratories
• Functions: developing tests, test methods, and tools for evaluating and improving security products; developing protection profiles and associated tests; establishing a formal, international evaluation scheme for the Common Criteria (CC)

III. Security Awareness and Training
• Major weakness: user unawareness
• Organizational effort
• Educational effort
• Customer training, e.g. the Federal Trade Commission's program to educate consumers about web scams

IV. Avoid Single Points of Failure
• Critical information resources: identification, backup, hiding
• Separation of duties: multi-person requirements, so that no one person can both initiate and approve a sensitive action; limit temptation

Risk Analysis

Overview
• Definition and purpose of risk analysis
• Elements of risk analysis
• Quantitative vs. qualitative analysis
• Quantitative example
• Qualitative example

Risk Management Cycle
(Figure: risk management cycle, from GAO/AIMD-99-139)

What is Risk Analysis?
The process of identifying, assessing, and reducing risks to an acceptable level:
• Defines and controls threats and vulnerabilities
• Implements risk reduction measures
An analytic discipline with three parts:
• Risk assessment: determine what the risks are
• Risk management: evaluate alternatives for mitigating the risk
• Risk communication: present this material in an understandable way to decision makers and/or the public

Benefits of Risk Analysis
• Assurance that the greatest risks have been identified and addressed
• Increased understanding of risks
• Mechanism for reaching consensus
• Support for needed controls
• Means for communicating results

Basic Risk Analysis Structure
Evaluate:
• Value of computing and information assets
• Vulnerabilities of the system
• Threats from inside and outside
Examine:
• Availability of security countermeasures
• Effectiveness of countermeasures
• Costs (installation, operation, etc.) of countermeasures

Who Should Be Involved?
• Security experts
• Internal domain experts: they know best how things really work
• Managers responsible for implementing controls

Critical Assets
• People and skills
• Goodwill
• Hardware/software
• Data
• Documentation
• Supplies
• Physical plant
• Money

Threats
• Attacks against the key security services: confidentiality, integrity, availability
• One threat classification: disclosure, deception, disruption, usurpation

Example Threat List
• T01 Access (Unauthorized to System - logical)
• T02 Access (Unauthorized to Area - physical)
• T03 Airborne Particles (Dust)
• T04 Air Conditioning Failure
• T05 Application Program Change (Unauthorized)
• T06 Bomb Threat
• T07 Chemical Spill
• T08 Civil Disturbance
• T09 Communications Failure
• T10 Data Alteration (Error)
• T11 Data Alteration (Deliberate)
• T12 Data Destruction (Error)
• T13 Data Destruction (Deliberate)
• T14 Data Disclosure (Unauthorized)
• T15 Disgruntled Employee
• T16 Earthquakes
• T17 Errors (All Types)
• T18 Electro-Magnetic Interference
• T19 Emanations Detection
• T20 Explosion (Internal)
• T21 Fire, Catastrophic
• T22 Fire, Major
• T23 Fire, Minor
• T24 Floods/Water Damage
• T25 Fraud/Embezzlement
• T26 Hardware Failure/Malfunction
• T27 Hurricanes
• T28 Injury/Illness (Personal)
• T29 Lightning Storm
• T30 Liquid Leaking (Any)
• T31 Loss of Data/Software
• T32 Marking of Data/Media Improperly
• T33 Misuse of Computer/Resource
• T34 Nuclear Mishap
• T35 Operating System Penetration/Alteration
• T36 Operator Error
• T37 Power Fluctuation (Brown/Transients)
• T38 Power Loss
• T39 Programming Error/Bug
• T40 Sabotage
• T41 Static Electricity
• T42 Storms (Snow/Ice/Wind)
• T43 System Software Alteration
• T44 Terrorist Actions
• T45 Theft (Data/Hardware/Software)
• T46 Tornado
• T47 Tsunami (Pacific area only)
• T48 Vandalism
• T49 Virus/Worm (Computer)
• T50 Volcanic Eruption

Vulnerabilities
• A flaw or weakness in the system's security procedures, design, or implementation
• A threat, whether accidental or malicious, is realized by exploiting a vulnerability

Example Vulnerabilities
Physical
• V01 Susceptible to unauthorized building access
• V02 Computer room susceptible to unauthorized access
• V03 Media library susceptible to unauthorized access
• V04 Inadequate visitor control procedures
• (and 36 more)
Administrative
• V41 Lack of management support for security
• V42 No separation of duties policy
• V43 Inadequate/no computer security plan policy
• V47 Inadequate/no emergency action plan
• (and 7 more)
Personnel
• V56 Inadequate personnel screening
• V57 Personnel not adequately trained in job
• ...
Software
• V62 Inadequate/missing audit trail capability
• V63 Audit trail log not reviewed weekly
• V64 Inadequate control over application/program changes
Communications
• V87 Inadequate communications system
• V88 Lack of encryption
• V89 Potential for disruptions
• ...
Hardware
• V92 Lack of hardware inventory
• V93 Inadequate monitoring of maintenance personnel
• V94 No preventive maintenance program
• ...
• V100 Susceptible to electronic emanations

Controls
• Mechanisms or procedures for mitigating vulnerabilities: prevent, detect, recover
• Understand the cost and coverage of each control
• Controls follow the vulnerability and threat analysis

Example Controls
• C01 Access control devices - physical
• C02 Access control lists - physical
• C03 Access control - software
• C04 Assign ADP security officer and assistant in writing
• C05 Install/review audit trails
• C06 Conduct risk analysis
• C07 Develop backup plan
• C08 Develop emergency action plan
• C09 Develop disaster recovery plan
• ...
• C21 Install walls from true floor to true ceiling
• C22 Develop visitor sign-in/escort procedures
• C23 Investigate backgrounds of new employees
• C24 Restrict number of privileged users
• C25 Develop separation of duties policy
• C26 Require use of unique passwords for logon
• C27 Make password changes mandatory (current NIST guidance, SP 800-63B, favors forcing a change on evidence of compromise rather than on a fixed schedule)
• C28 Encrypt password file (today: store salted, slow password hashes rather than a reversibly encrypted file)
• C29 Encrypt data/files
• C30 Hardware/software training for personnel
• C31 Prohibit outside software on system
• ...
• C47 Develop software life cycle development program
• C48 Conduct hardware/software inventory
• C49 Designate critical programs/files
• C50 Lock PCs/terminals to desks
• C51 Update communications system/hardware
• C52 Monitor maintenance personnel
• C53 Shield equipment from electromagnetic interference/emanations
• C54 Identify terminals

Risk Control Trade-Offs
• The only safe asset is a dead asset: an asset that is completely locked away is safe, but useless. There is a trade-off between safety and availability.
• Do not waste effort on assets with low loss value: don't spend resources to protect garbage.
• A control only has to be good enough, not absolute: make it tough enough to discourage the adversary.

Types of Risk Analysis
Quantitative:
• Assigns real numbers to the costs of safeguards and of damage
• Annual loss expectancy (ALE) = single loss expectancy x annualized rate of occurrence (the probability of the event occurring in a year)
• Can be unreliable/inaccurate, because the loss figures and especially the probabilities are usually estimates
Qualitative:
• Judges the organization's exposure to threats based on judgment, intuition, and experience
• Ranks the seriousness of the threats against the sensitivity of the assets
• Subjective; lacks hard numbers to justify return on investment

Qualitative Risk Analysis
• Generally used in information security: it is hard to produce meaningful valuations and meaningful probabilities, and a relative ordering is faster and more important
• Many approaches to performing qualitative risk analysis
• Same basic steps as quantitative analysis: still identifying assets, threats, vulnerabilities, and controls; just evaluating importance differently
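The following is an added example, not part of the lecture, that runs the two analyses from the "Types of Risk Analysis" and "Qualitative Risk Analysis" slides over the same asset/threat list: the quantitative side computes SLE, ALE and the net benefit of a control, the qualitative side ranks the same items on an ordinal likelihood x impact scale. All asset values, loss fractions, frequencies and low/medium/high ratings are constructed for illustration.

```python
"""Quantitative (ALE) and qualitative (ordinal) ranking of one asset/threat
list, side by side.  Added example, not from the lecture: every asset value,
loss fraction, frequency and low/medium/high rating below is constructed."""
from dataclasses import dataclass

# Ordinal scale for qualitative ratings.  The numbers only order things;
# "high" is not three times worse than "low".
ORDINAL = {"low": 1, "medium": 2, "high": 3}


@dataclass(frozen=True)
class Risk:
    name: str
    asset_value: float      # worth of the asset to the organization, in currency units
    exposure_factor: float  # fraction of that value lost in one incident, 0.0..1.0
    aro: float              # annualized rate of occurrence: once a decade is 0.1
    likelihood: str         # qualitative rating: low / medium / high
    impact: str             # qualitative rating: low / medium / high

    def __post_init__(self):
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError(f"{self.name}: exposure_factor must be within 0..1")
        if self.asset_value < 0 or self.aro < 0:
            raise ValueError(f"{self.name}: asset_value and aro must be non-negative")
        if self.likelihood not in ORDINAL or self.impact not in ORDINAL:
            raise ValueError(f"{self.name}: ratings must be low, medium or high")


# --- quantitative -----------------------------------------------------------

def sle(risk):
    """Single loss expectancy: the cost of one occurrence."""
    return risk.asset_value * risk.exposure_factor


def ale(risk, aro=None):
    """Annual loss expectancy: SLE times occurrences per year.
    `aro` overrides the risk's own rate, e.g. the rate after a control."""
    return sle(risk) * (risk.aro if aro is None else aro)


def ale_range(risk, uncertainty=0.5):
    """ALE if the (usually guessed) ARO is off by -/+ `uncertainty`.
    A wide range is the slide's 'can be unreliable' caveat made visible."""
    return (ale(risk, risk.aro * (1 - uncertainty)),
            ale(risk, risk.aro * (1 + uncertainty)))


def control_net_benefit(risk, aro_after, annual_cost):
    """Yearly loss a control prevents, minus what the control costs per year.
    Negative means it costs more than the loss it prevents: the slide's
    'don't spend resources to protect garbage'."""
    return ale(risk) - ale(risk, aro_after) - annual_cost


def rank_quantitative(risks):
    return sorted(risks, key=ale, reverse=True)


# --- qualitative ------------------------------------------------------------

def qualitative_score(risk):
    """Likelihood x impact on the ordinal scale; 9 is worst.  Fine for
    ordering, useless for justifying a budget in currency terms."""
    return ORDINAL[risk.likelihood] * ORDINAL[risk.impact]


def rank_qualitative(risks):
    # Ties broken by impact, then likelihood, so the order is deterministic
    # and rare-but-severe items sort above frequent-but-trivial ones.
    return sorted(risks,
                  key=lambda r: (qualitative_score(r), ORDINAL[r.impact],
                                 ORDINAL[r.likelihood]),
                  reverse=True)


RISKS = [  # constructed figures for illustration only
    Risk("ransomware on file server", 400_000, 0.5, 0.2, "medium", "high"),
    Risk("laptop theft", 3_000, 1.0, 4.0, "high", "medium"),
    Risk("data center flood", 2_000_000, 0.8, 0.01, "low", "high"),
    Risk("old printer failure", 500, 1.0, 1.0, "high", "low"),
]

if __name__ == "__main__":
    for r in rank_quantitative(RISKS):
        lo, hi = ale_range(r)
        print(f"{r.name:26} ALE {ale(r):>9,.0f}  (range {lo:,.0f} to {hi:,.0f})")
    print("qualitative order:", [r.name for r in rank_qualitative(RISKS)])
    # Offline backups assumed to cut the ransomware ARO from 0.2 to 0.05 at 20,000/yr.
    print("backup control net benefit:", control_net_benefit(RISKS[0], 0.05, 20_000))
    # A 600/yr maintenance contract on a 500-value printer never pays off.
    print("printer contract net benefit:", control_net_benefit(RISKS[3], 0.0, 600))
```

The two orderings differ on purpose: the quantitative ranking puts the rare, expensive flood above laptop theft, while the ordinal scale cannot express "rare but huge" and ranks the frequent laptop theft higher. That is the slide's point that both follow the same steps and only evaluate importance differently, and why the ALE range matters when the ARO is a guess.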

Key Points
• Key elements of risk analysis: assets, threats, vulnerabilities, and controls
• Most security risk analysis uses qualitative analysis
• Not a scientific process: companies will develop their own procedure, but it is still a good framework for a better understanding of system security

Security Policy

Overview
• Understanding why policy is important
• Defining various policies
• Creating an appropriate policy
• Deploying policies
• Using policy effectively

Understanding Why Policy Is Important
The two primary functions of a policy are:
• It defines the scope of security within an organization.
• It clearly states what is expected of everyone in the organization.

Understanding Why Policy Is Important
Policy defines how security should be implemented:
• It includes the system configurations, network configurations, and physical security measures.
• It defines the mechanisms used to protect information and systems.
• It defines how the organization should react when security incidents occur.
Policy provides the framework for employees to work together:
• It defines the common goals and objectives of the organization's security program.
• Proper security awareness training helps implement policy initiatives effectively.

Defining Various Policies
• Information policy
• Security policy
• Computer use policy
• Internet use policy
• E-mail policy
• User management procedures
• System administration procedures
• Backup policy
• Incident response policy
• Configuration management procedures
• Design methodology
• Disaster recovery plans

Information Policy
• Identification of sensitive information
• Classifications
• Marking and storing sensitive information
• Transmission of sensitive information
• Destruction of sensitive information

Identification of Sensitive Information
• Sensitive information differs depending on the business of the organization.
• It may include business records, product designs, patent information, and company phone books.
• It may also include payroll, medical insurance, and any other financial information.

Classifications
• Only the lowest level of information should be made public.
• All proprietary, company-sensitive, or company-confidential information is releasable to employees.
• All restricted or protected information must be made available to authorized employees only.

Marking and Storing Sensitive Information
• The policy must require that all sensitive information be marked with its classification.
• It should address the storage mechanism for information on paper and on computer systems.
• For information stored on computer systems, the policy should specify appropriate levels of protection.
• Use encryption wherever required.

Transmission of Sensitive Information
• The policy addresses how sensitive information must be transmitted.
• It specifies the encryption method to be used when transmitting information by electronic mail.
• For hard copies of information, request a signed receipt.

Destruction of Sensitive Information
To destroy sensitive information:
• Shred information on paper; cross-cut shredders provide an added level of protection.
• Tools such as PGP Desktop and BCWipe can be used to securely delete documents on a desktop by overwriting them. Overwrite-based wiping is unreliable on SSDs and on journaling or copy-on-write file systems, where old copies survive outside the file's blocks; there, encrypting the storage and destroying the key is the dependable method.

Security Policy
• Identification and authentication
• Access control
• Audit
• Network connectivity
• Malicious code
• Encryption
• Waivers
• Appendices

Identification and Authentication
• The security policy defines how users will be identified.
• It defines the primary authentication mechanism for users and administrators.
• It defines a stronger mechanism for remote access such as VPN or dial-in access.

Access Control
• The security policy defines the standard requirement for access control of electronic files.
• The requirement includes the required mechanism and the default permissions applied to new files.
• The mechanism should work together with the authentication mechanism so that only authorized users can access the information.

Audit
The security policy should require that the following events be audited:
• Logins (successful and failed)
• Logouts
• Failed access to files or system objects
• Remote access (successful and failed)
• Privileged actions
• System events (such as shutdowns and reboots)

Audit
Each event record should also capture:
• User ID (if there is one)
• Date and time (from a synchronized clock, so records from different systems can be correlated)
• Process ID (if there is one)
• Action performed
• Success or failure of the event
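The following is an added example, not from the lecture, showing how the two audit slides translate into a check a practitioner can run: it validates records against the required fields (time, action, result; user and process ID only where they exist) and then uses the usable records to answer a routine question, which users have repeated failed logins. The key=value record format, the event-class names and the sample log lines are constructed for illustration; real audit subsystems have their own formats.

```python
"""Validate audit records against the fields the policy requires and use
the valid ones to answer a routine question (repeated failed logins).
Added example, not from the lecture: the key=value record format and the
sample lines are constructed for illustration."""
import shlex
from collections import Counter

# Required on every record (from the audit slide).  User ID and process ID
# are required only where the concept exists: a reboot has no user, a
# physical badge-in has no process, so they are not checked here.
REQUIRED_FIELDS = ("time", "action", "result")

# Event classes the policy says must be audited.
AUDITED_ACTIONS = {"login", "logout", "file_access", "remote_access",
                   "privileged", "system"}


def parse_record(line):
    """Parse one 'key=value key=value ...' line into a dict.
    Values containing spaces are double-quoted; shlex strips the quotes."""
    record = {}
    for token in shlex.split(line):
        key, sep, value = token.partition("=")
        if not sep or not key:
            raise ValueError(f"malformed token {token!r} in {line!r}")
        record[key] = value
    return record


def missing_fields(record):
    """Required fields absent from a record.  Also flags an action the
    policy does not recognise, since such events would escape review."""
    gaps = [f for f in REQUIRED_FIELDS if f not in record]
    if "action" in record and record["action"] not in AUDITED_ACTIONS:
        gaps.append("action:unknown")
    return tuple(gaps)


def validate(lines):
    """Split raw lines into usable records and (record, gaps) for the rest."""
    usable, defective = [], []
    for line in lines:
        record = parse_record(line)
        gaps = missing_fields(record)
        if gaps:
            defective.append((record, gaps))
        else:
            usable.append(record)
    return usable, defective


def failed_logins_by_user(records, threshold=3):
    """Users with at least `threshold` failed login or remote-access
    attempts: the kind of question the audit trail exists to answer.
    Records without a uid are counted under '<none>' rather than dropped."""
    counts = Counter(
        r.get("uid", "<none>")
        for r in records
        if r["action"] in ("login", "remote_access") and r["result"] == "fail"
    )
    return {user: n for user, n in counts.items() if n >= threshold}


SAMPLE_LOG = [  # constructed sample records; times are UTC from a synchronized clock
    'time=2024-03-01T08:00:01Z uid=alice pid=4021 action=login result=ok',
    'time=2024-03-01T08:00:09Z uid=bob pid=4022 action=login result=fail',
    'time=2024-03-01T08:00:12Z uid=bob pid=4023 action=login result=fail',
    'time=2024-03-01T08:00:15Z uid=bob action=remote_access result=fail src=203.0.113.7',
    'time=2024-03-01T08:01:00Z action=system result=ok detail="shutdown requested"',
    'time=2024-03-01T08:02:00Z uid=alice pid=4021 action=file_access result=fail object=/etc/shadow',
    'uid=carol action=privileged result=ok',                       # no timestamp: cannot be sequenced
    'time=2024-03-01T08:03:00Z uid=dave action=coffee result=ok',  # not an audited event class
]

if __name__ == "__main__":
    usable, defective = validate(SAMPLE_LOG)
    for record, gaps in defective:
        print("defective record:", record, "missing:", gaps)
    print("repeated login failures:", failed_logins_by_user(usable))
```

The defective records are reported rather than silently dropped: a privileged action with no timestamp and an event of unknown class are exactly the gaps that make an audit trail useless during an investigation, and the policy's weekly log review (vulnerability V63 above) should surface them.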

Network Connectivity
The security policy specifies the rules for network connectivity and the protection mechanisms. It covers:
• Dial-in connections
• Permanent connections
• Remote access to internal systems
• Wireless networks

Malicious Code
• The security policy specifies where security programs that look for malicious code need to be placed.
• Appropriate locations include file servers, desktop systems, and electronic mail servers.
• It should specify the requirements for such security programs.
• It should require periodic updates of the signatures these programs use.

Encryption
• The security policy should define the acceptable encryption algorithms (and key lengths) for use, and name those that are no longer permitted.
• It can refer to the information policy to choose the appropriate algorithms for protecting sensitive information.
• It should also specify the procedures required for key management: generation, storage, rotation, and destruction of keys.

Waivers
Where a system or project cannot comply with a requirement of the policy, the security policy should provide a waiver mechanism that includes a risk assessment and a contingency plan.
For each such situation, the system designer or project manager should fill in a waiver form.
The security department reviews the waiver request and provides the risk assessment results and recommendations to minimize the risk.
The waiver should be approved by the organization's officer in charge of the project.

Appendices
The security policy appendices should give the details of the security configurations for:
Various operating systems.
Network devices.
Telecommunication equipment.

Computer Use Policy
Ownership of computers - States that all computers are owned by the organization.
Ownership of information - States that all information stored on or used by the organization's computers is proprietary to the organization.
Acceptable use of computers - States all acceptable and unacceptable uses of the organization's computers.
No expectation of privacy - States that employees have no expectation of privacy for any information stored, sent, or received on the organization's computers.

Internet Use Policy
The Internet use policy is a part of the general computer use policy.
It can be a separate policy due to the specific nature of Internet use.
The Internet use policy defines the appropriate uses of the Internet within an organization.
It may also define inappropriate uses, such as visiting non-business-related web sites.

E-mail Policy
Internal mail issues - The electronic mail policy should not be in conflict with other human resource policies.
External mail issues - Electronic mail leaving an organization may contain sensitive information. Therefore, it may be monitored.

User Management Procedures
New employment procedure - Provides new employees with the proper access to computer resources.
Transferred employee procedure - Reviews an employee's computer access when they are transferred within the organization, so that access granted for the old role is removed.
Employee termination procedure - Ensures removal of the accounts and access of users who no longer work for the organization.
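The three procedures above are usually enforced together as one periodic reconciliation of the directory against the HR roster. The script below is an added example, not code from the slides: it takes a constructed roster and account list (in a real deployment both would come from the HR system and the directory service), applies a hypothetical department-to-group entitlement table, and reports what each procedure must do: provision new hires, disable leavers, review movers whose groups no longer match their department, and flag accounts with no owner at all.

```python
"""Reconcile system accounts against the HR roster.

Added example (not from the original slides). The Employee/Account records,
the DEPT_GROUPS entitlement table and the sample data are constructed for
this example.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Employee:
    emp_id: str
    name: str
    department: str
    status: str  # "active" or "terminated"


@dataclass(frozen=True)
class Account:
    username: str
    emp_id: Optional[str]  # None for service or unregistered accounts
    enabled: bool
    groups: frozenset


# Hypothetical entitlement table: the groups each department may hold.
DEPT_GROUPS = {
    "finance": frozenset({"staff", "erp-users"}),
    "engineering": frozenset({"staff", "vpn", "src-readers"}),
    "hr": frozenset({"staff", "hr-records"}),
}


def reconcile(roster, accounts):
    """Return the actions each user-management procedure must take."""
    by_emp = {e.emp_id: e for e in roster}
    accounts_by_emp = {}
    findings = {"provision": [], "disable": [], "review_transfer": [], "orphan": []}

    for acct in accounts:
        emp = by_emp.get(acct.emp_id) if acct.emp_id else None
        if emp is None:
            # No owner in HR: an abandoned account or an unregistered service account.
            findings["orphan"].append(acct.username)
            continue
        accounts_by_emp.setdefault(emp.emp_id, []).append(acct)
        if emp.status == "terminated" and acct.enabled:
            # Termination procedure: a leaver still holds a live credential.
            findings["disable"].append(acct.username)
            continue
        if emp.status == "active":
            excess = acct.groups - DEPT_GROUPS.get(emp.department, frozenset())
            if excess:
                # Transfer procedure: groups not granted to the current department.
                findings["review_transfer"].append((acct.username, sorted(excess)))

    for emp in roster:
        if emp.status == "active" and emp.emp_id not in accounts_by_emp:
            # New employment procedure: active employee with no account yet.
            findings["provision"].append(emp.emp_id)

    return findings


# Constructed sample data.
ROSTER = [
    Employee("E100", "Alice", "engineering", "active"),
    Employee("E101", "Bob", "finance", "active"),   # transferred from engineering
    Employee("E102", "Carol", "hr", "terminated"),
    Employee("E103", "Dan", "finance", "active"),   # new hire, no account yet
]
ACCOUNTS = [
    Account("alice", "E100", True, frozenset({"staff", "vpn", "src-readers"})),
    Account("bob", "E101", True, frozenset({"staff", "vpn", "src-readers"})),
    Account("carol", "E102", True, frozenset({"staff", "hr-records"})),
    Account("svc-backup", None, True, frozenset({"backup-operators"})),
]

if __name__ == "__main__":
    for action, items in reconcile(ROSTER, ACCOUNTS).items():
        print(f"{action}: {items}")
```

Running it lists Dan for provisioning, Carol's account for disabling, Bob's leftover engineering groups for review, and the unowned svc-backup account as an orphan. Orphans are reported rather than disabled automatically because a service account with no HR owner is a policy gap to fix, not necessarily an account to kill.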

System Administration Procedure
Software upgrades - Defines how often a system administrator will check for new patches or updates.
Vulnerability scans - Defines how often and when the scans will be conducted by the security department.
Policy reviews - Specifies how each system is reviewed against the security requirements defined for it.
Log reviews - Specifies the configuration of the automated tools that create and review log entries, and how the exceptions they raise must be handled.
Regular monitoring - Documents when network traffic monitoring will occur.
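The log-review step above requires the automated tool to raise exceptions and the procedure to say how they are handled. The script below is an added example, not code from the slides: it applies one such rule to constructed sshd-style authentication log lines. The log format, the threshold of five failures in sixty seconds, and the severity levels are all assumptions; an unparseable line is itself reported, because a review tool that silently skips what it cannot read is a blind spot.

```python
"""Automated log review with an exception rule.

Added example (not from the original slides). The sshd-style log format,
THRESHOLD, WINDOW and the sample lines are constructed for this example.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

THRESHOLD = 5   # failed logins from one source ...
WINDOW = 60     # ... within this many seconds is an exception
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>[\d.]+) port \d+"
)


def parse(line):
    """Return the event fields of one log line, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {"ts": datetime.fromisoformat(m["ts"]), "result": m["result"],
            "user": m["user"], "src": m["src"]}


def review(lines):
    """Return exceptions as (severity, source, message) tuples, in log order."""
    failures = defaultdict(deque)   # src -> timestamps of failures inside WINDOW
    flagged = set()                 # sources already reported for a burst
    exceptions = []
    for line in lines:
        ev = parse(line)
        if ev is None:
            exceptions.append(("warn", None, f"unparsed line: {line.strip()}"))
            continue
        q = failures[ev["src"]]
        # Slide the window: drop failures older than WINDOW relative to this event.
        while q and (ev["ts"] - q[0]).total_seconds() > WINDOW:
            q.popleft()
        if ev["result"] == "Failed":
            q.append(ev["ts"])
            if len(q) >= THRESHOLD and ev["src"] not in flagged:
                flagged.add(ev["src"])
                exceptions.append(("high", ev["src"],
                                   f"{len(q)} failed logins within {WINDOW}s"))
        elif ev["src"] in flagged:
            # A success after a burst is the case the handling procedure must escalate.
            exceptions.append(("critical", ev["src"],
                               f"successful login as {ev['user']} after failure burst"))
    return exceptions


# Constructed sample log (TEST-NET addresses).
SAMPLE_LOG = """\
2024-03-01T02:14:01 host1 sshd[4011]: Failed password for root from 203.0.113.9 port 50221 ssh2
2024-03-01T02:14:03 host1 sshd[4012]: Failed password for root from 203.0.113.9 port 50222 ssh2
2024-03-01T02:14:05 host1 sshd[4013]: Failed password for invalid user admin from 203.0.113.9 port 50223 ssh2
2024-03-01T02:14:08 host1 sshd[4014]: Failed password for root from 203.0.113.9 port 50224 ssh2
2024-03-01T02:14:10 host1 sshd[4015]: Failed password for root from 203.0.113.9 port 50225 ssh2
2024-03-01T02:14:30 host1 sshd[4016]: Accepted password for alice from 203.0.113.9 port 50226 ssh2
2024-03-01T02:15:00 host1 sshd[4017]: Failed password for bob from 198.51.100.7 port 40000 ssh2
2024-03-01T02:20:00 host1 sshd[4018]: Accepted password for bob from 198.51.100.7 port 40001 ssh2
garbage line that the collector corrupted
"""

if __name__ == "__main__":
    for severity, src, msg in review(SAMPLE_LOG.splitlines()):
        print(f"[{severity}] {src or '-'}: {msg}")
```

On the sample, 203.0.113.9 is reported once for the burst and again, at critical, when a login as alice succeeds from it; bob's single failure followed by a success five minutes later stays below the rule, and the corrupted line is surfaced as a warning rather than dropped.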

Backup Policy
Frequency of backups - Identifies how often backups actually occur.
Storage of backups - Defines how to store backups in a secure location. It also states the mechanism for requesting and restoring backups.
Information to be backed up - Identifies which data needs to be backed up more frequently.

Incident Response Procedure
Incident handling objectives - Specifies the objectives of the organization when handling an incident.
Event identification - Defines how to determine whether an event is an intrusion or a user mistake, and the corrective action for each.
Escalation - Specifies an escalation procedure, such as activating an incident response team.
Information control - Specifies what information is classified and what can be made public.
Response - Defines the type of response when an incident occurs.
Authority - Defines which individual within the organization or the incident response team has the authority to take action.
Documentation - Defines how the incident response team should document its actions.
Testing of the procedure - Tests the IRP once it is written. The test also identifies loopholes in the procedure and suggests corrective actions.

Configuration Management Procedures
Initial system state - Documents the state of a new system when it goes into production. It should include the operating system, its version and patch level, the applications installed, and the configuration details.
Change control procedure - Defines the change control procedure to follow when a change is to be made to an existing system, so that every change to the documented state is recorded and approved.
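The documented initial state is only useful if it can be compared with the system later, and the change control procedure is only enforceable if drift without a change record is visible. The script below is an added example, not code from the slides: it records a snapshot of the state the slide lists (OS release, package versions, SHA-256 hashes of configuration files), diffs a later snapshot against it, and then filters the drift down to items that no change-control record covers. The file list, package inventory, OS data and the change-record format are constructed for the example; a real deployment would read the live system and the change tracker.

```python
"""Baseline snapshot and drift check for configuration management.

Added example (not from the original slides). The snapshot layout, the
change-record format and all sample data are constructed for this example.
"""
import hashlib
import json
from datetime import datetime, timezone


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def snapshot(os_release, packages, config_files):
    """Build the system-state record: OS, package versions, config file hashes."""
    return {
        "taken_at": datetime.now(timezone.utc).isoformat(),
        "os": dict(os_release),
        "packages": dict(sorted(packages.items())),
        "files": {path: sha256_hex(body) for path, body in sorted(config_files.items())},
    }


def diff_state(baseline, current):
    """Return drift as (name, old, new) tuples per kind; None marks added/removed."""
    drift = {"os": [], "packages": [], "files": []}
    for kind in drift:
        old_map, new_map = baseline[kind], current[kind]
        for name in set(old_map) | set(new_map):
            old, new = old_map.get(name), new_map.get(name)
            if old != new:
                drift[kind].append((name, old, new))
        drift[kind].sort(key=lambda d: d[0])
    return drift


def unapproved_changes(drift, change_records):
    """Keep only drift items that no change-control record lists.

    change_records: iterable of dicts {"id": ..., "items": [names or paths]}
    """
    approved = {item for rec in change_records for item in rec["items"]}
    return {kind: [d for d in entries if d[0] not in approved]
            for kind, entries in drift.items()}


# Constructed sample data: the production baseline and the system some weeks later.
OS = {"name": "Debian", "version": "12.5"}
BASELINE_PKGS = {"openssh-server": "1:9.2p1-2", "sudo": "1.9.13p3-1"}
CURRENT_PKGS = {"openssh-server": "1:9.2p1-2+deb12u2", "sudo": "1.9.13p3-1"}
BASELINE_FILES = {
    "/etc/ssh/sshd_config": b"PermitRootLogin no\nPasswordAuthentication no\n",
    "/etc/sudoers": b"root ALL=(ALL) ALL\n",
}
CURRENT_FILES = {
    "/etc/ssh/sshd_config": b"PermitRootLogin yes\nPasswordAuthentication no\n",
    "/etc/sudoers": b"root ALL=(ALL) ALL\n",
    "/etc/cron.d/cleanup": b"0 3 * * * root /usr/local/bin/cleanup\n",
}
# Only the openssh-server patch went through change control.
CHANGE_RECORDS = [{"id": "CHG-0042", "items": ["openssh-server"]}]


def demo():
    """Snapshot both states, diff them and return the drift nobody approved."""
    baseline = snapshot(OS, BASELINE_PKGS, BASELINE_FILES)
    json.dumps(baseline)  # the baseline is what gets archived with the system record
    current = snapshot(OS, CURRENT_PKGS, CURRENT_FILES)
    return unapproved_changes(diff_state(baseline, current), CHANGE_RECORDS)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

On the sample, the approved openssh-server upgrade is filtered out and two findings remain: sshd_config changed (root login was enabled) and a cron job appeared, neither with a change record. Hashing file contents rather than storing them keeps secrets out of the baseline while still detecting any edit.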

Design Methodology
Requirements definition - Specifies the security requirements that need to be included during the requirements definition phase.
Design - Specifies that security must be represented during the design phase, so that security is built into the design rather than added later.
Test - Specifies that when the project reaches the testing phase, the security requirements must also be tested.
Implementation - Specifies that the implementation team must use proper configuration management procedures.

Disaster Recovery Plans
Single system or device failures - Covers failure of a network device, disk, motherboard, network interface card, or other component.
Data center events - Provides procedures for a major event within a data center.
Site events - Identifies the critical capabilities that need to be restored.
Testing the DRP - Identifies key employees and performs walkthroughs of the plan periodically.

Creating an Appropriate Policy
To create an appropriate policy:
Identify which policies are most relevant and important to the organization.
Conduct a risk assessment to identify risk areas.
Define all acceptable and unacceptable employee behavior.
State all restrictions clearly.
Identify individuals and other stakeholders who will be affected by the policy.
State expectations clearly.
Define a set of possible outlines.
Draft the policy based on the outline.
Include stakeholders during discussions and invite suggestions.
Brainstorm before developing the final policy.

Deploying the Policy
Every department of the organization that is affected by the policy must accept the underlying concept.
Conduct security awareness training in which employees are informed of the intended change.
Make well-planned transitions rather than radical changes while implementing the policy.

Using Policy Effectively
Identify security requirements early in the process. Security should be a part of the design phase of the project.
Examine existing systems to ensure they comply with the new policies.
Conduct periodic audits to ensure compliance with the policy.
Review policies regularly to ensure they are still relevant for the organization.

Summary
Policies define how security is implemented within an organization.
Each policy must have a purpose, scope, and responsibility.
An organization must establish an information policy, a security policy, a computer use policy, Internet and e-mail policies, and a backup policy.
An organization must also define user management, system administration, incident response, and configuration management procedures.
The disaster recovery plan details the recovery actions for the various levels of failure.
While creating a policy, ensure that it will be relevant and important to the organization.
Involve stakeholders in policy discussions. Conduct security awareness training regularly.
Include security at each development phase of a project.