Information Systems Security Computer System Life Cycle Security

Upload: jonathan-reynolds

Post on 27-Dec-2015

Information Systems Security: Computer System Life Cycle Security

Integrating security into the computer system

- Security should not be an afterthought.
- Security can be applied more systematically.
- Security needs to be incorporated into all phases of the computer life cycle, so that it keeps up with change in the system's environment, technology, procedures and personnel.

Computer System Life Cycle

- Initiation
- Development/Acquisition
- Implementation
- Operation/Maintenance
- Disposal

Note: the SDLC is included in the Development/Acquisition phase.

Initiation

- The discovery of the need for a new system, or for an enhancement to an existing system
- The system's characteristics and functionality are proposed within the given constraints
- The basic security aspects of the system are developed through a Sensitivity Assessment

Sensitivity Assessment

- What information is handled?
- What potential damage could occur through error, unauthorized disclosure or modification, or unavailability of data or the system?
- What laws or regulations affect security?
- To what threats is the system or information particularly vulnerable?
- Are there significant environmental considerations?
- What are the security-relevant characteristics of the user community?
- What internal security standards, regulations, or guidelines apply to the system?

Development/Acquisition

- Determine security features, assurances, and operational practices
- Incorporate the security requirements into the design specification
- Actually acquire them

Determining security requirements

- Technical (e.g. access controls)
- Assurances (e.g. background checks for developers)
- Operating practices (e.g. awareness and training)
- Balance between function and usability
- Based on cost-benefit analysis

Incorporating security requirements into specifications

The information on security requirements needs to be validated, updated and organized into detailed security protection requirements and specifications that system developers and purchasers can use.

Acquiring the system

If the system is being built, monitor the development process for security problems such as:

- Incorrect code
- Poor development tools
- Manipulation of code
- Malicious insiders
- Trojan horses

If the system is bought:

- Ensure security is part of the contract documents
- Perform a security analysis of the proposed systems

Implementation

- Proper configuration of the system
- Security testing
- Security certification and accreditation

Some hints on installation

- Obtain software from a reputable vendor
- Verify the software
- Test on a test system before moving to the production system
- Read the installation documentation and observe what the installation does
- Do a complete installation before customization
- Cleanse the test system before moving to the production system
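As an added illustration of the "verify the software" hint (not part of the original slides), a small Python check that parses a vendor's sha256sum-style checksum list and compares a downloaded artifact against it. The checksum text and file contents below are constructed samples; the list only helps if it was itself obtained over a trusted channel or is signed by the vendor.

```python
import hashlib
import hmac
import re

# Constructed sample of a vendor checksum list in sha256sum format:
# "<hex digest>  <file name>", one entry per line.
SAMPLE_SUMS = """\
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855  empty.tar.gz
b94d27b9934d3e08a52e52d7da7dabfac484efe37a5380ee9088f7ace2efcde9  tool-1.0.tar.gz
"""

SUM_LINE = re.compile(r"^([0-9a-fA-F]{64})\s+\*?(\S.*)$")

def parse_sums(text):
    """Map file name -> lowercase hex digest; malformed lines are skipped."""
    entries = {}
    for line in text.splitlines():
        m = SUM_LINE.match(line.strip())
        if m:
            entries[m.group(2)] = m.group(1).lower()
    return entries

def verify_artifact(name, data, sums):
    """True only if 'name' is listed and the SHA-256 of 'data' matches it.
    An unlisted file fails closed rather than being trusted by default."""
    expected = sums.get(name)
    if expected is None:
        return False
    actual = hashlib.sha256(data).hexdigest()
    return hmac.compare_digest(actual, expected)

if __name__ == "__main__":
    sums = parse_sums(SAMPLE_SUMS)
    # b"hello world" is the constructed stand-in for the downloaded file.
    print(verify_artifact("tool-1.0.tar.gz", b"hello world", sums))  # True
```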

Operation and Maintenance

- Security operation and administration
- Operational assurance
- Periodic re-analysis of the system and re-accreditation
- Manage change

Security operation and administration

- Holding training classes
- Backup
- Managing cryptographic keys
- Administering user accounts and access privileges
- Applying upgrades and patches

Operational Assurance

- Monitoring
- Performing system audits

Periodic re-analysis

Is there a major change in the system? Triggers include:

- Environmental change
- System change
- New vulnerability found
- Time lapse

Disposal

- Information archived
- Media sanitized: overwriting, degaussing, destruction
- Can the software license be transferred?

Configuration Management

The control of changes that are made to the hardware, software, firmware, and the documentation of the information system throughout its life cycle, and the auditing and reporting of the changes.

This can be looked upon as a quality assurance process.

Configuration Management: for configuration items

- Identify and document the functional and physical characteristics of the configuration item
- Control changes to configuration items and their related documentation
- Record and report the information needed to manage configuration items effectively, including the status of proposed changes and the implementation status of approved changes
- Audit configuration items to verify conformance to specifications, drawings, interface control documents and other contract requirements

Configuration Management: for digital data files

- Uniquely identify the digital data files, including versions of the files and their status (e.g. working, released, submitted, approved)
- Record and report the information needed to manage the data files effectively, including the status of updated versions of files

Configuration Management: things to consider

- How to initiate the change
- Who the concerned parties are
- What the approval process is
- How to phase in the changes
- What to do with the older versions
- What to do if a problem happens

Configuration Management: work required

- Revision control
- Installation and testing
- Fault tracing
- System integration
- Maintenance of the development environment
- Periodic auditing
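As an added example (not from the slides or from MIL-STD-973), a small Python registry that performs the configuration-management tasks listed above for digital data files: it identifies each file version by a SHA-256 digest, controls status changes through the working/submitted/approved/released approval process, records the status of every version, and audits live content against the released baseline. The transition rules and the sshd_config sample content are assumptions made for this example.

```python
import hashlib

# Statuses come from the slides; the allowed transitions are an assumption.
TRANSITIONS = {
    "working": {"submitted"},
    "submitted": {"approved", "working"},  # reviewer may send it back
    "approved": {"released"},
    "released": set(),                     # released versions are frozen
}

def _digest(content):
    return hashlib.sha256(content).hexdigest()

class ConfigRegistry:
    """Identify, control, record and audit configuration items."""
    def __init__(self):
        self.items = {}  # name -> list of {"version", "digest", "status"}
    def register(self, name, content):
        """Record a new version of a data file; returns its version number."""
        versions = self.items.setdefault(name, [])
        versions.append({"version": len(versions) + 1,
                         "digest": _digest(content), "status": "working"})
        return versions[-1]["version"]
    def set_status(self, name, version, new_status):
        """Move a version through the approval process, refusing skipped steps."""
        v = self.items[name][version - 1]
        if new_status not in TRANSITIONS[v["status"]]:
            raise ValueError(f"{name} v{version}: {v['status']} -> {new_status} not allowed")
        v["status"] = new_status
    def released(self, name):
        """Latest released version of an item, or None if there is none."""
        for v in reversed(self.items.get(name, [])):
            if v["status"] == "released":
                return v
        return None
    def audit(self, live):
        """Check live content {name: bytes} against the released record; returns (name, finding) pairs."""
        findings = []
        for name, content in live.items():
            rel = self.released(name)
            if rel is None:
                findings.append((name, "no released version on record"))
            elif _digest(content) != rel["digest"]:
                findings.append((name, f"differs from released v{rel['version']}"))
        for name in self.items:
            if name not in live and self.released(name) is not None:
                findings.append((name, "released item missing from system"))
        return findings
```

An empty audit result means every released item is present and unchanged; a new version that is only "working" does not replace the released baseline until it has passed through submission and approval.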

Penetration Testing

- To test a system by breaking in
- To identify methods of gaining access to a system using the common tools and techniques used by attackers
- The objective is to determine the feasibility of an attack and the amount of business impact of a successful exploit, if one is discovered

Penetration Testing

The process involves an active analysis of the system for any potential vulnerabilities that may result from poor or improper system configuration, known and/or unknown hardware or software flaws, or operational weaknesses in process or technical countermeasures.

Any security issues that are found are presented to the system owner together with an assessment of their impact, and often with a proposal for mitigation or a technical solution.

Penetration Testing

- To be used with careful consideration, notification and planning
- It might slow the organization's network response time and, in some extreme cases, cause damage to the system
- Formal permission must be obtained from the organization and the rules of engagement established

Types of Test

- Blue teaming: testing with the knowledge and consent of the organization's IT staff
- Red teaming: testing without the knowledge of the organization's IT staff, but with the full knowledge and permission of upper management
- External test: testers are not provided with any real information about the target environment and have to collect it covertly
- Internal test: testers are granted some level of access to the network, usually as a user

Testing methodology

The attack phases

References

- An Introduction to Computer Security: The NIST Handbook, Chapter 8
- MIL-STD-973: Configuration Management
- Guideline on Network Security Testing, NIST Special Publication 800-42