Security Management Practices - PowerPoint PPT Presentation

1 / 36
About This Presentation
Title:

Security Management Practices

Description:

Personal interview. Employee training and awareness. Employment Policies and Practices ... Lack of antivirus Software. Virus. Resulting in this Threat. Can ... – PowerPoint PPT presentation

Number of Views:880
Avg rating:3.0/5.0
Slides: 37
Provided by: miles80
Category:

less

Transcript and Presenter's Notes

Title: Security Management Practices


1
Security Management Practices
  • 2004 Summer Workshop
  • Data Collection and Data Sharing
  • July 13, 2004

Presented byRaza Hasan DBA DHMHs Center for
Cancer Surveillance Control
2
Security Management
  • Ensuring Confidentiality, Integrity and
    Availability of information assets

3
How?
  • Develop and implement a Security Program
  • Conduct Risk Management

4
Security Policies
  • Organization policy
  • Is used to create an organization's central
    computer security program
  • Issue specific polices
  • Addresses issues such as Internet usage, e-mail
    privacy, etc.
  • System specific policies
  • Addresses security for a specific system

5
Examples of Security Policies
  • Network/Web Policy
  • Employment Policy
  • Database Policy

6
Network/Web Security Policy
  • Attempts to minimize risks associated with
    services offered through Networks/Web

7
Network/Web Security Policy
  • Security policy depends on accurate
    identification of your
  • Assets (what you try to protect)
  • Threats (what you try to protect your assets
    from)
  • Services (what you allow your users to do)

8
Examples of Assets
  • Data
  • Computer/Network resources
  • Reputation

9
Examples of Threats
  • Sophisticated hackers
  • Script Kiddies
  • Spies
  • Hostile insiders (consultants, employees)
  • Accidents by valid users

10
Examples of Network/Web Services
  • Public
  • Web site
  • Email
  • E-Commerce
  • Private
  • Internal web site
  • Internal email
  • Web surfing
  • Virtual Private Network (VPN)

11
Elements of Network/Web Policy
  • A good network/Web security policy dictates what
    traffic you allow in and out of your network, and
    what you allow between network segments
  • Architecture
  • Firewall

12
Architecture
  • A network architectures security can be improved
    with physical components such as firewalls and
    network configuration, for example, network
    address translation, virtual private networks,
    and establishing Demilitarized Zones (DMZs).
  • A networks security can be weakened by adding
    poorly configured dial-up services and improperly
    implemented DMZs.

13
Firewalls
  • Device that restricts traffic between two
    networks based upon a defined set of rules
  • Usually a dedicated device it should perform no
    other role.

14
Firewall Diagram
Untrusted Network
Firewall
Protected Network
15
Typical Network Configuration
  • Demilitarized Zone (DMZ)
  • Separates external network, public servers, and
    private systems.
  • If hackers manage to take over a server, they do
    not automatically get access to the private
    systems.
  • Must be careful not to grant special access
    between the public servers and the private
    network.

16
Example Policy
17
Example Policy (contd)
  • Protocols permitted between networks (all others
    denied)

18
Employment Policies and Practices
  • Job Position Description
  • Separation of duties
  • Least privilege
  • Determine position sensitivity
  • Filling the position
  • Background checks
  • Personal interview
  • Employee training and awareness

19
Employment Policies and Practices User
Administration
  • User Account Management
  • Process of requesting/establishing/issuing/closing
    user accounts
  • Tracking users and access authorizations
  • Managing the above functions
  • Audit and management reviews
  • Detecting unauthorized or illegal activities
  • Temporary assignments, transfers and termination
  • Contractor access considerations
  • Public access considerations

20
Database Security Policy
  • Aggregation Problem
  • When several access rights allow access to a
    piece of information that should not be known
  • Can be solved by
  • Separating information into containers
  • Provide context dependant classification
  • Elevate containers security to a higher level

21
Database Security (contd)
  • Inference Problem
  • Occurs when a user can deduce information from
    the information they have access to
  • Can be solved by
  • Fuzzy queries
  • Database design
  • Specify content and context dependant rules

22
Risk Management
  • Risk is the possibility of something adverse
    happening to the organization
  • Risk management is the process of assessing risk
    and taking steps to reduce it
  • Four ways to manage risk
  • Risk assignment and transfer (insurance)
  • Risk rejection (ignore risk)
  • Risk reduction (install safeguards)
  • Risk acceptance (e.g., costs exceed the benefits)

23
Risk Management Framework
  • Risk Assessment
  • Determine assessment scope and methodology
  • Collect and analyze data
  • Interpret risk and analyze results
  • Risk Mitigation
  • Select safeguards
  • Accept residual risk
  • Implement controls and monitor effectiveness

24
Risk Assessment Quantitative Techniques
  • Annual Loss Expectancy (ALE)
  • ALEI x F
  • I estimated impact in dollars
  • F estimated frequency of occurrence per year
  • Net Present Value (NPV)
  • NPV PV (Benefits) PV (Costs)

25
Risk Assessment Qualitative Techniques
  • Judgment and intuition of experts (a.k.a. gut
    feeling)
  • Delphi technique
  • Polling

26
Risk Management Involves
  • Identification
  • Assets (Classification)
  • Threats
  • Vulnerabilities
  • Safeguards

27
Data Classification Schemes
Government Top Secret Secret Confidential Sensi
tive Unclassified
  • Corporate
  • Sensitive
  • Confidential
  • Private
  • Public

Highest Level Lowest Level
In order to develop effective information
security policy, information produced or
processed by an organization must be classified
according to its sensitivity to loss or
disclosure.
28
Distinction Between a Threat and Vulnerability
  • A threat is an activity, deliberate or
    intentional, with the potential for causing harm
    to a computer system or activity
  • A vulnerability is a flaw or weakness that may
    allow harm to occur to a computer system or
    activity

29
(No Transcript)
30
(No Transcript)
31
Common Threats and Vulnerabilities
  • Causes of economic losses in public and private
    sectors
  • 65 due to errors and omissions
  • 13 due to dishonest employees
  • 6 due to disgruntled employees
  • 8 due to loss of supporting infrastructure
  • 5 due to water not related to fires and floods
  • Less than 3 due to outsiders

32
Common Threats and Vulnerabilities
  • Fraud and theft
  • Employee sabotage
  • Loss of physical or infrastructure support
  • Malicious hackers or crackers
  • Industrial espionage
  • Malicious code

33
Recommendations
  • Develop a Policy
  • Implement Security controls in all System
    Development Phases
  • Raise Awareness

34
System Development Controls
  • Security needs to be integrated in the full
    system development cycle (process)
  • Phase 1 Initiation
  • Phase 2 Development/Acquisition
  • Phase 3 Implementation
  • Phase 4 Operation/Maintenance
  • Phase 5 Disposal

35
Security Awareness/Training Implementation
  • To implement an effective security awareness
    training program you need to
  • Identify program scope, goals and objectives
  • Identify training staff
  • Identify target audiences
  • Motivate management and employees
  • Administer the program
  • Maintain the program
  • Evaluate the program (very difficult)

36
References
  • NIST Computer Security Resource Center
    http//csrc.ncsl.nist.gov/
  • SANS Institute www.sans.org
  • DHMH Policies accessible through its Intranet
    http//indhmh/irma/itpolicies/
  • Presenters Contact
  • Raza Hasan
  • Phone 410-767-6932
  • Email rhasan_at_dhmh.state.md.us
Write a Comment
User Comments (0)
About PowerShow.com