Information security as an ongoing effort

Transforming Lives. Inventing the Future. www.iit.edu

I ELLINOIS T UINS TI TOF TECHNOLOGY

ITM 478/578 1

Information Security as an Ongoing Effort

Ray TrygstadITM 478/578Spring 2004Master of Information Technology & Management ProgramCenter for Professional Development

Slides based on Whitman, M. and Mattord, H., Principles of Information Security; Thomson Course Technology 2003

ITM 478/578 2

ILLINOIS INSTITUTE OF TECHNOLOGY

Learning Objectives:Upon completion of this lesson the student should be able to:– Understand the need for the ongoing

maintenance of the information security program.

– Become familiar with recommended security management models.

– Understand a model for a full maintenance program.

– Understand key factors for monitoring the external and internal environment.

ITM 478/578 3


Learning Objectives:Upon completion of this lesson the student should be able to:– Learn how planning and risk assessment

tie into information security maintenance.– Understand how vulnerability assessment

and remediation tie into information security maintenance.

– Learn how to build readiness and review procedures into information security maintenance.

ITM 478/578 4


Introduction Avoid overconfidence after implementation

and testing of elements of a security profile Factors that drive change:

– New assets are acquired– New vulnerabilities associated with the new or

existing assets emerge– Business priorities shift– New partnerships are formed and old

partnerships dissolve– Organizational divestiture and acquisition occur– Employee turnover

ITM 478/578 5


Introduction If the program does not adjust adequately it

may be necessary to begin the cycle again Decision depends on how much change has

occurred and how well the organization and program for IS maintenance can accommodate change

If change is dealt with successfully and has created procedures and systems that can flex with the environment, security program can probably continue to adapt successfully

ITM 478/578 6


Introduction CISO determines whether the IS group can

adapt adequately and maintain the information security profile of the organization or whether recycle the SecSDLC process to redevelop a new information security profile

Less expensive and more effective when information security program is designed and implemented to deal with change

More expensive to reengineer the information security profile over & over

ITM 478/578 7


FIGURE 12-1 Maintenance and the SecSDLC

Ana lyze

Implement

Ma inta in

Physica l Design

Logica l Design

Maintenance and the SecSDLC

ITM 478/578 8


Managing For Change Once an organization has improved the

security posture of the organization, the security group must turn its attention to the maintenance of security readiness

Information security must constantly monitor the threats, assets, and vulnerabilities

The team also reviews external information to stay on top of the latest general and specific threats to its information security

ITM 478/578 9


Security Management Models An aggressive external and internal

monitoring program must be created to allow the information security team to stay abreast of changes in the environment

A management model must be adopted to facilitate this monitoring

Management models are frameworks that structure the tasks of managing a particular set of activities or business functions

ITM 478/578 10


The ISO Model The ISO management model is a five-layer

approach that provides structure to the administration and management of networks and systems

The core ISO model addresses management and operation thorough five topics: – Fault management– Configuration and name management– Accounting management– Performance management – Security management

ITM 478/578 11


ISO-based Security Management Model

The five areas of the ISO model are transformed into the five areas of security management as follows:– Fault management– Configuration and change management– Accounting and auditing management– Performance management– Security program management

ITM 478/578 12


Fault ManagementIdentifying, tracking, diagnosing, and

resolving faults in the system as applied to people and technology and then addressing them through remediation

In information security, fault management involves identifying faults in the applied information security profile, then addressing them through remediation

ITM 478/578 13


Vulnerability Assessment Physical and logical assessment of

vulnerabilities– most often accomplished with penetration testing

Penetration testing: security personnel simulate or perform specific, controlled attacks to compromise or disrupt own systems by exploiting documented vulnerabilities

Best procedures/tools for use in penetration testing and other vulnerability assessments are procedures and tools of the hacker community

ITM 478/578 14


Fault Management Tools Many intrusion detection systems detect

signatures of penetration tools & alert information security management of use

Security professionals should incorporate use of these tools to examine systems & test security; example tools might include:– Ethereal– Nessus– NMAP– Sam Spade– Snort

ITM 478/578 15


Fault Management: UsersUser problems can be created or

influenced by security programsFirewalls modifications, new IDS rules,

new systems policies may impact how users interact with systems

Proper user training and ongoing awareness campaigns can reduce problems but they are never completely eliminated

ITM 478/578 16


Fault Management: Help DeskHelp desk personnel must be trained

to recognize security problems as distinct from other system problems

One key advantage to commonly used help desk software is the ability to develop a knowledge base of common problems and solutions

Tracking of trouble tickets includes tracking problem resolution

ITM 478/578 17


Configuration and Change Management Configuration management is

administration of the configuration of the components

Change management is administration of changes in the strategy, operation, or components

Each involve nontechnical as well as technical changes:– Nontechnical changes impact procedures and

people– Technical changes impact the technology

implemented to support security efforts in the hardware, software, and data components

ITM 478/578 18


Nontechnical Change Management

Changes to information security may require implementing new policies and procedures

The document manager should– maintain a master copy of each document– record and archive revisions made – keep copies of the revisions, along with

editorial comments on what was added, removed, or modified

ITM 478/578 19


Nontechnical Change Management

Policy revisions are not implemented and enforceable, until they have been disseminated, read, understood, and agreed to

Software is available to make the creation, modification, dissemination, and agreement documentation processes more manageable

ITM 478/578 20


Technical Configuration & Change Management

Technical components have version numbers, revision dates, and requirements to monitor and administer change, just a documents do

Configuration item: Hardware or software item that will be modified/revised throughout life cycle

ITM 478/578 21



Version: Recorded state of a particular revision of a software or hardware configuration item; often noted as the version number in the form M.N.b.– Major release: A significant revision of the

version from its previous state – (M)– Minor release (update or patch): A minor revision

of the version from its previous state – (N.b) Build: Snapshot of a particular version of

software assembled from its various component modules

Build list: A list of the versions of components that comprise a build

ITM 478/578 22



Configuration: A collection of components that make up a configuration item

Revision date: Date associated with a particular version or build

Software library: Collection of configuration items; usually controlled – Developers use it to construct revisions

and issue new configuration items

ITM 478/578 23


Procedures associated with configuration management:– Configuration identification: The identification

and documentation of the various components, implementation, and states of configuration items

– Configuration control: The administration of changes to the configuration items and the issuance of versions (usually only performed by an entity that actually develops its own versions of configuration items)

– Configuration status accounting: The tracking and recording of the implementation of changes to configuration items

– Configuration audit: Auditing and controlling the overall configuration management program


ITM 478/578 24


Accounting & Auditing Management Chargeback accounting enables

organizations to internally charge for system use– Some resource usage is commonly tracked

Accounting management involves monitoring use of a particular component of a system

Auditing is the process of reviewing the use of a system, not to check performance, but to determine misuse or malfeasance– Automated tools can consolidate various systems

logs, perform comparative analysis, and detect common occurrences or behavior that is of interest

ITM 478/578 25


Performance Management It is important to monitor the performance

of security systems and their underlying IT infrastructure to assure they are working effectively

Common metrics are applicable in security, especially when the components being managed are associated with network traffic

To evaluate ongoing performance of a security system, establish performance baselines

Monitor all possible variables, collecting and archiving performance baseline data, and then analyze it

ITM 478/578 26


Security Program Management The ISO five-area framework supports a

structured management model by ensuring that various areas are addressed

British Standard BS 7799 contains two standards designed to assist this effort

Part 2 of the BS 7799 introduces a process model:– Plan: via a risk analysis – Do: apply internal controls to manage risk – Check: undertake periodic and frequent review to

verify effectiveness– Act: use planned incident response plans as necessary

ITM 478/578 27


The Maintenance Model A maintenance model is intended to

complement the chosen management model and focus organizational effort on maintenance

Figure 12-2 diagrams a full maintenance program and forms a framework for the discussion of maintenance that follows– External monitoring– Internal monitoring– Planning and risk assessment– Vulnerability assessment and remediation– Readiness and review

ITM 478/578 28


The Maintenance Model

FIGURE 12-2 The Maintenance Model

ITM 478/578 29


Monitoring the External Environment Objective is to provide the early awareness

of new and emerging threats, threat agents, vulnerabilities, and attacks that is needed to mount an effective and timely defense

External monitoring entails collecting intelligence from data sources, and then giving that intelligence context and meaning for use by decision makers within the organization

ITM 478/578 30


FIGURE 12-3 External Monitoring

External Monitoring

ITM 478/578 31


Data Sources Acquiring data is not difficult

– there are many inexpensive or free sources Turning data into information that

decision makers can use is the challenge External intelligence comes from three

classes of sources:– Vendors– CERT organizations– Public network sources

ITM 478/578 32


Data SourcesA viable external monitoring program:

– Creates documented and repeatable procedures

– Provides proper training– Equips staff with proper access and tools– Designs criteria and cultivating expertise– Develops suitable communications

methods– Integrates the Incident Response Plan

with the results of the external monitoring process

ITM 478/578 33


Monitoring, Escalation, & Incident Response

Function is to monitor activity, report results, and escalate warnings

Integrate into the IRP The monitoring process has three primary

deliverables:– Specific warning bulletins issued when

developing threats and specific attacks pose a measurable risk to the organization

– Periodic summaries of external information– Detailed intelligence on the highest risk

warnings

ITM 478/578 34


Data Collection & Management Over time, the external monitoring

processes should capture knowledge about the external environment in a format that can be referenced both across the organization as threats emerge and for historical use

External monitoring collects raw intelligence, filters it for relevance to the organization, assigns it a relative risk impact, and communicates these findings to the decision makers in time to make a difference

ITM 478/578 35


Monitoring the Internal Environment Maintain informed awareness of the state of

the organization’s networks, systems, and defenses by maintaining an inventory of IT infrastructure and applications

Active participation in, or leadership of, the IT governance process

Real-time monitoring of IT activity using intrusion detection systems

Automated difference detection methods that identify variances introduced to the network or system hardware and software

ITM 478/578 36


FIGURE 12-4 Internal Monitoring

Internal Monitoring

ITM 478/578 37


Network Characterization & Inventory

Have a carefully planned and fully populated inventory for all network devices, communication channels, and computing devices

Once characteristics have been identified, they must be carefully organized and stored using a mechanism, manual or automated, that allows timely retrieval and rapid integration of disparate facts

ITM 478/578 38


The Role of IT Governance The primary value of active engagement in

an organization-wide IT governance process is the increased awareness of the impact of change

This awareness must be translated into a description of the risk that is caused by the change through operational risk assessment

Awareness of change comes from two parts of the IT governance process:– Architecture review boards– IT change control process

ITM 478/578 39


Making Intrusion Detection Systems Work

Most important value of the raw intelligence provided by IDS is to prevent risk in the future

Log files from the IDS engines can be mined to add information to the internal monitoring knowledge base

Analyzing attack signatures for unsuccessful system attacks can identify weaknesses in various security efforts

ITM 478/578 40


Planning and Risk Assessment

Keep an eye on the entire information security program

Done by:– Identify and plan ongoing information

security activities that further reduce risk– Assess risk to identify and document risks

from projects that may be latent

ITM 478/578 41


Planning and Risk Assessment Primary outcomes:

– Establish a formal information security program review

– Institute formal project identification, selection, planning, and management processes

– Coordinate with IT project teams to introduce risk assessment and review for all IT projects

– Integrate a mindset of risk assessment across the organization

ITM 478/578 42


FIGURE 12-5 Planning & Risk Assessment

Planning & Risk Assessment

ITM 478/578 43


Information Security Program Planning & Review

Periodic review of an ongoing information security program coupled with planning for enhancements and extensions

The strategic planning process should examine the IT needs of the future organization and the impact those needs have on information security

A recommended approach takes advantage of the fact that most organizations have annual capital budget planning cycles, and manage security projects as part of that process

ITM 478/578 44


InfoSec Improvement through Ongoing Projects

Projects follow the SecSDLC model Large projects should be broken into smaller

projects for several reasons:– Smaller projects tend to have more manageable

impacts to the networks and users– Larger projects tend to complicate the change

control process in the implementation phase– Short planning, development, & implementation

schedules reduce uncertainty – Most large projects can easily be assembled from

smaller projects, giving more opportunities to change direction and gain flexibility

ITM 478/578 45


Security Risk Assessments A key component to success is the information

security operational risk assessment (RA) The RA is a method to identify and document

the risk that a project, process, or action introduces to the organization and offer suggestions for controls

RA documents can include:– Network connectivity– Dialed modem– Business partner connectivity– Application– Vulnerability– Privacy– Acquisition or divesture

ITM 478/578 46


Vulnerability Assessment & Remediation Identification of specific, documented

vulnerabilities and their timely remediation How?

– Use vulnerability assessment procedures which are documented to safely collect intelligence about network, platforms, dial-in modems, and wireless network systems

– Document background information and provide tested remediation procedures for reported vulnerabilities

– Track, communicate, report, and escalate to management itemized facts about discovered vulnerabilities and success or failure organizational attempts as remediation

ITM 478/578 47


FIGURE 12-6 Vulnerability Assessment and Remediation

Vulnerability Assessment & Remediation

ITM 478/578 48


Vulnerability Assessment The process of identifying & documenting

specific & provable flaws in an organization’s information asset environment

While the exact procedures can vary, the five vulnerability assessment processes that follow can serve many organizations as they attempt to balance the intrusiveness of vulnerability assessment with the need for a stable and productive production environment

ITM 478/578 49


Internet Vulnerability Assessment Designed to find and document vulnerabilities

present in the public-facing network Since attackers use all means this assessment is

performed against all public-facing systems using every possible penetration testing approach

The steps in the process are:– Plan, schedule, and notify – Select target– Select test– Scan– Analyze– Keep records

ITM 478/578 50


Intranet Vulnerability Assessment Designed to find and document selected

vulnerabilities present on an internal network

Attackers are often internal members of the organization, affiliates of business partners, or automated attack vectors (such as viruses and worms)

Usually performed against selected critical internal devices with a known, high value by using selective penetration testing

Steps in the process are almost identical to the steps in the Internet vulnerability assessment, except as noted

ITM 478/578 51


Platform Security Validation Designed to find and document

vulnerabilities present due to misconfigured systems in use within the organization

These misconfigured systems fail to comply with company policy or standards as adopted by the IT governance groups and communicated in the information security and awareness program

Fortunately automated measurement systems are available to help with the intensive process of validating the compliance of platform configuration with policy

ITM 478/578 52


Wireless Vulnerability AssessmentDesigned to find and document the

vulnerabilities that may be present in the wireless local area networks of the organization

Since attackers from this direction are likely to take advantage of any loophole or flaw, this assessment is usually performed against all publicly accessible areas using every possible wireless penetration testing approach

ITM 478/578 53


Modem Vulnerability Assessment Designed to find and document any

vulnerability that is present on dialup modems connected to the organization’s networks

Since attackers from this direction take advantage of any loophole or flaw, this assessment is usually performed against all telephone numbers owned by the organization, using every possible penetration testing approach

One of the elements of this process, using scripted dialing attacks against a pool of phone numbers, is often called war-dialing

ITM 478/578 54


Documenting Vulnerabilities

Vulnerability tracking database should provide details as well as linkage to the information assets

Low-cost and ease of use makes relational databases a realistic choice

The vulnerability database is an essential part of effective remediation

ITM 478/578 55


Documenting Vulnerabilities

The data stored in the vulnerability database should include:– A unique ID number for reporting and tracking– Linkage to information assets – Vulnerability details– Dates/times of notification and remediation– Current status– Comments– Other fields as required

ITM 478/578 56


Remediating Vulnerabilities Repair the flaw causing a vulnerability

instance or remove the risk from the vulnerability

As a last resort, informed decision makers with the proper authority can accept the risk

When approaching the remediation process, it is important to recognize that building relationships with those who control the information assets is the key to success

Success depends on the organization adopting a team approach to remediation, in place of cross-organizational push and pull

ITM 478/578 57


Acceptance of Risk In some instances risk must simply be

acknowledged as part of an organization’s business process

Information security professionals must assure the general management community that decisions made to assume risk for the organization are made by properly informed decision makers with proper level of authority to assume the risk

Information security must make sure the right people make risk assumption decisions with complete knowledge of the impact of the decision balanced against the cost of the possible security controls

ITM 478/578 58


Threat Removal In some circumstances, threats can be

removed without repairing the vulnerability

The vulnerability can no longer be exploited, and the risk has been removed

Other vulnerabilities may be amenable to other controls that allow an inexpensive repair and still remove the risk from the situation

ITM 478/578 59


Vulnerability Repair Optimal solution in most cases is to repair

the vulnerability Applying patch software or implementing a

work-around to the vulnerability often accomplishes this

In some cases, simply disabling the service removes the vulnerability; in other cases simple remedies are possible

Of course, a common remedy remains the application of a software patch to make the system function in the expected fashion and to remove the vulnerability

ITM 478/578 60


Readiness and Review Keep the program functioning as designed and

continuously improving Accomplished by:

– Policy review: Sound policy needs to be reviewed and refreshed from time to time to provide a current foundation for the information security program

• Policy review is the primary initiator of the readiness and review domain

– Readiness review: Major planning components should be reviewed on a periodic basis to ensure they are current, accurate, and appropriate

– Rehearsals: When possible, major plan elements should be rehearsed to make sure all participants are capable of responding as needed

ITM 478/578 61


Readiness and Review

FIGURE 12-6 Vulnerability Assessment and Remediation

ITM 478/578 62


Epilogue

When CISOs can’t sleep, what is keeping them awake?

A solid maintenance program can complement every information security program, and over time can even strengthen a weak program

ITM 478/578 63


The End…

Questions?