33 Administering security
Hiteishi Diwanji
Security Plan :
- A security plan documents how an organization addresses its security requirements. Security planning needs periodic revision as the needs of the organization change.
- A good security plan records current security practices and the changes to be adopted to improve them.
Contents of a security plan:
- Policy: the goals set for security and the organization's willingness to commit effort to achieving them.
- Current state: the status of security at the time the plan is written.
- Requirements: recommendations on how to meet the security goals.
- Recommended controls: maps controls to the vulnerabilities identified in the policy and requirements.
- Accountability: the person or group responsible for each security activity.
- Timetable: when each security function is to be performed.
- Continuing attention: the structure for updating the security plan on a defined schedule.
In short: the requirements turn the policy's goals into recommendations; the recommended controls map to specific vulnerabilities; accountability names who is responsible for each security activity; the timetable states when each activity takes place; and continuing attention states when the plan itself is periodically reviewed and updated.
Approaches to creating and updating each part of the security plan:
Policy:
A security policy is a high-level statement of function and objective. Strengthening a policy has a cost, both in money and in inconvenience to users.
Policy statements answer three questions:
- Who should be allowed access?
- To which resources in the organization should access be allowed?
- What type of access should each user be allowed to each resource?
A policy statement specifies:
- the goals the organization intends to achieve;
- which group in the organization is responsible for security;
- the organization's commitment to security.
Current Security Status:
Risk analysis: determine the vulnerabilities by performing a risk analysis.
- The risk analysis describes the current status of security.
- The current status is described by listing the assets of the organization, the security threats to those assets, and the controls already in place to protect them.
Requirements:
- completeness
- realism
- need
- verifiability
- traceability
Recommended Controls:
Responsibility for Implementation (Accountability):
Identify the people responsible for implementing each part of the plan. The security policy must also specify what action is to be taken, and by whom, when an unforeseen event such as a zero-day attack occurs.
Roles of people:
Timetable:
- Shows when each activity in the plan will be carried out and what process it will follow.
- Time line chart helps management track how many steps of the plan have been implemented.
Continuing Attention:
- Objects and applied controls need to be scrutinized periodically and updated according to need.
- The security plan defines the time when the periodic review must take place.
Team members needed for security planning:
The security planning team should include a member from each of the following groups:
- Computer hardware group
- System administrators
- System programmers
- Application programmers
- Data entry personnel
- Physical security personnel
- Representative users
- Commitment to the plan means that its security functions will be implemented and its security activities carried out. Three groups must be committed to the plan:
- the planning team;
- those affected by the security recommendations;
- management.
Business Continuity Plans
- A business continuity plan is a document describing how the business will continue to function during and after a computer security incident. It addresses situations that are catastrophic and of long duration.
- Assess business impact: determine the effect on the business if its key functions fail.
- Develop a strategy: how the key assets can be safeguarded.
- Develop the plan, which states:
Who is responsible when an incident takes place?
What actions are to be performed?
Who will perform the actions?
- Incident Response Plans
Risk is characterized by three things:
- the loss caused by an event (the risk impact);
- the probability that the event occurs (the risk probability);
- the degree to which the outcome can be changed (the risk control).
Risk exposure: the effect of a risk, calculated by multiplying the risk impact by the risk probability.
Once a risk is understood there are three ways to deal with it:
- Avoid the risk
- Transfer the risk
- Accept the risk
- Risk analysis – Examine a system and the context in which it is operating to determine possible exposures and potential harm that can be caused.
Steps of a risk analysis
- Identify assets
- hardware
- software
- data
- people
- documentation
- computer supplies
- civil infrastructure
- power, water, air and other environmental conditions
- human and social assets
- Evaluate the vulnerabilities
- Estimate probability of exploitation
- Calculate the expected annual loss.
- Assess the controls that could be applied and their cost.
- Project the annual savings from each control.
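The following worked example, added here and not part of the original module, carries the risk-exposure formula and the six steps above through a small risk register: annual loss per asset, the projected annual saving of each candidate control (loss avoided minus the control's annual cost), and the resulting accept-or-control decision. The assets, threats, controls and money figures are all constructed for illustration.

```python
"""Quantitative risk analysis over a constructed risk register.

Risk exposure (expected annual loss) = impact per occurrence x expected
occurrences per year.  Each candidate control is judged by its net annual
saving: (exposure before) - (exposure after) - (annual cost of the control).
All figures below are constructed for illustration, not real data.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Control:
    name: str
    annual_cost: float      # what the control costs per year (licences, staff, hardware)
    new_probability: float  # expected occurrences per year once the control is in place
    new_impact: float       # loss per occurrence once the control is in place


@dataclass
class Threat:
    name: str
    impact: float       # loss per occurrence (risk impact)
    probability: float  # expected occurrences per year (risk probability)
    controls: list[Control] = field(default_factory=list)  # candidate controls


@dataclass
class Asset:
    name: str
    threats: list[Threat]


def risk_exposure(impact: float, probability: float) -> float:
    """Risk exposure: risk impact multiplied by risk probability."""
    return impact * probability


def annual_loss(asset: Asset) -> float:
    """Step 4: expected annual loss for one asset, summed over all its threats."""
    return sum(risk_exposure(t.impact, t.probability) for t in asset.threats)


def control_savings(threat: Threat, control: Control) -> float:
    """Step 6: projected annual saving of a control = loss avoided minus its cost."""
    before = risk_exposure(threat.impact, threat.probability)
    after = risk_exposure(control.new_impact, control.new_probability)
    return before - after - control.annual_cost


def best_control(threat: Threat) -> tuple[Optional[Control], float]:
    """Pick the candidate with the largest positive saving; None means accept the risk."""
    ranked = sorted(threat.controls, key=lambda c: control_savings(threat, c), reverse=True)
    if not ranked or control_savings(threat, ranked[0]) <= 0:
        return None, 0.0
    return ranked[0], control_savings(threat, ranked[0])


def risk_register(assets: list[Asset]) -> list[dict]:
    """One row per (asset, threat): exposure, chosen control and treatment decision."""
    rows = []
    for asset in assets:
        for threat in asset.threats:
            control, saving = best_control(threat)
            rows.append({
                "asset": asset.name,
                "threat": threat.name,
                "exposure": risk_exposure(threat.impact, threat.probability),
                "control": control.name if control else None,
                "decision": "apply control" if control else "accept",
                "saving": saving,
            })
    return rows


# Constructed sample register: hypothetical assets, threats, controls and figures.
ASSETS = [
    Asset("customer database", [
        Threat("ransomware", impact=200_000, probability=0.1, controls=[
            Control("offline backups with tested restore", 5_000, 0.1, 20_000),
            Control("endpoint detection and response", 12_000, 0.02, 200_000),
        ]),
        Threat("insider data theft", impact=50_000, probability=0.05, controls=[
            Control("data loss prevention suite", 15_000, 0.01, 50_000),
        ]),
    ]),
    Asset("public web server", [
        Threat("denial of service", impact=8_000, probability=2.0, controls=[
            Control("anti-DDoS / CDN service", 6_000, 0.2, 8_000),
        ]),
    ]),
]


if __name__ == "__main__":
    for row in risk_register(ASSETS):
        print(f"{row['asset']:20} {row['threat']:20} exposure={row['exposure']:>9,.0f} "
              f"-> {row['decision']} ({row['control']}, saving={row['saving']:,.0f})")
```

Note the two ways a control earns its keep: the backup control leaves the ransomware probability unchanged but cuts the impact (restore instead of pay), while the EDR control cuts the probability instead; both are compared on the same net-saving scale. A control whose cost exceeds the loss it avoids (the DLP suite against a small insider-theft exposure) is rejected and the risk is accepted, which is the "accept the risk" option above made explicit.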
Suggested Reading:
- Cryptography and Network Security: Principles and Practice by William Stallings, 6th edition, Pearson.
- Security in Computing by Charles Pfleeger and Shari Lawrence Pfleeger, 4th edition, Pearson.
- Network Security by Charlie Kaufman, Radia Perlman and Mike Speciner, 2nd edition, PHI.
- Network Security: The Complete Reference by Roberta Bragg, Mark Rhodes-Ousley and Keith Strassberg, Tata McGraw Hill.
- Network Security Bible by Eric Cole, Ronald Krutz and James Conley, Wiley.
- Hacking Exposed 6 by Stuart McClure, Joel Scambray and George Kurtz, Tata McGraw Hill.
- www.snort.org
- https://nmap.org