
Guide to Network Defense and Countermeasures



Presentation Transcript


  1. Guide to Network Defense and Countermeasures Chapter 3

  2. Chapter 3 - Risk Analysis and Security Policy Design • Get started with basic concepts of risk analysis • Decide how to minimize risk in your own network • Explain what makes an effective security policy • Formulate a network security policy • Perform ongoing risk analysis

  3. Getting Started with Risk Analysis • The consensus among security professionals is that there is no zero-risk situation • The first task when undertaking the formulation of a security policy is to assess the risk faced by employees, the network, and corporate databases • The goal is not to reduce risks to zero, but to devise ways to manage that risk in reasonable fashion • Because threats are changing all the time along with technology, the process of determining risks and developing a security policy to manage them is an ongoing process rather than a one-time operation

  4. Getting Started with Risk Analysis • Risk analysis is the study of how great the possibility of loss is in a particular situation • The six concepts that go into creating a risk analysis are: • Assets, which are physical (equipment and buildings), data-related (employee and customer records), application software, and personal assets • Threats, which are events that can happen, such as weather-related disasters, hacker access, power-related issues, and crime-related risks

  5. Getting Started with Risk Analysis • Six concepts of risk analysis (cont.): • Probabilities are geographic, physical, habitual, or other factors that affect the possibility that a threat will occur; it is a good idea to rank the biggest threats to your organization, with their probabilities described as: negligible, very low, low, medium, high, very high, and extreme • Vulnerabilities are situations or conditions that increase threat and that, in turn, increase risk; a key example is putting computers on the Internet

  6. Getting Started with Risk Analysis • Six concepts of risk analysis (cont.): • Consequences can result from a virus that forces the organization to take its Web site offline for a week; or a fire that destroys computer equipment; the probability of threats can now be extended to include a rating of the significance of their impact; other consequences associated with getting a system back online after an attack include cost impact, insurance claims, police reports, shipping or delivery, and the time and effort to restore systems to pre-attack status; ROI calculators can help to quantify these items

  7. Getting Started with Risk Analysis • Six concepts of risk analysis (cont.): • Safeguards are measures you can take to reduce threats such as installing firewalls and intrusion detection systems, locking doors, and using passwords and/or encryption; all assets have an inherent amount of risk associated with them; threat and vulnerability seek to make risk larger, whereas countermeasures work to reduce risk; residual risk is what is left over after countermeasures and defenses are implemented; risk never actually equals zero

  8. Getting Started with Risk Analysis • When the six concepts of risk analysis are addressed and codified, the building blocks are in place to prepare the risk analysis • Different types of risk analysis are used to create a security policy, and to evaluate how well the policy is performing (so that it can be improved) • The ultimate goal is not to reduce the risks to zero, but to manage the risk at reasonable levels • The two most common approaches to risk analysis are Survivable Network Analysis (SNA) and Threat and Risk Assessment (TRA)

  9. Getting Started with Risk Analysis • Survivable Network Analysis (SNA) is a security process developed by the CERT Coordination Center security group • SNA starts with the assumption that a computer system will be attacked; it leads you through a four-step process designed to ensure the survivability of a network should an attack occur • Survivability focuses on the essential services/assets and the critical system capabilities of a system; it also depends on resistance, recognition, and recovery

  10. Getting Started with Risk Analysis • The steps involved in SNA are: • System definition is a high-level overview of the requirements of the system organizationally • Essential capability definition is the identification of the essential services and assets of the system • Compromise capability definition is determined by designing scenarios in which intrusions occur, and then tracing the intrusion through the system • Survivability analysis is where points of fault are identified, along with recommendations for correction and resistance improvement

  11. Getting Started with Risk Analysis • Threat and Risk Assessment (TRA): • TRA approaches risk analysis from the standpoint of the threats and risks that confront an organization’s assets and the consequences of those threats and risks should they occur; similar to SNA, TRA leads you through a four-step process of analysis • TRA is carried out in different ways by different security organizations around the world and a variety of ratings systems are offered

  12. Getting Started with Risk Analysis • The steps involved in TRA are: • Asset definition, where you identify software, hardware, and any information you need to defend • Threat assessment, where you identify the kinds of threats that place the asset at risk, including vandalism, fire, natural disasters, Internet attacks • Risk assessment is the evaluation of each asset with respect to: existing safeguards; the severity of the threats and risks; the consequences of the threat or risk actually taking place • Recommendations to reduce risk

  13. Getting Started with Risk Analysis • Risk analysis is a group of related activities that typically take the following sequence: • Initial tiger team sessions: hold meetings and conduct interviews with stakeholders so as to collect pertinent information and review scope • Asset valuation: identify the assets to protect and determine their value; get manager input • Evaluating vulnerability: investigate the level of threat and vulnerability in relation to asset value • Calculate risk: assign numeric values to low-level through very high security issues

  14. Getting Started with Risk Analysis • Risk analysis is not a one-time activity that is used solely to create a security policy • Risk analysis evolves to take into account the changing size and activities of an organization, the progression to larger and more complex computer systems, and new threats from both inside and outside the corporate network • The initial risk analysis is used to formulate a security policy which is then enforced and monitored; new threats and intrusion attempts cause a reassessment of the risks faced

  15. Getting Started with Risk Analysis • An important part of risk analysis is preparing estimates of the financial impact of losses • There are a number of different models for estimating the impact; software is often used to help prepare reports that substantiate estimates and provide charts and graphs to support figures • Project Risk Analysis by Katmar Software gives an excellent structure with which to list organizational assets, and it allows cost estimates to be made using a variety of statistical models including likely cost, low cost, and high cost

  16. Deciding How to Minimize Risk • Risk management is the process of identifying, choosing, and setting up countermeasures justified by identified risks • The countermeasures described in this process are the statements that go into the security policy • The risk management issues that will need to be considered are: how to secure physical resources (hardware); how to secure network information databases; how to conduct routine analysis; how to respond to security incidents when they occur

  17. Deciding How to Minimize Risk • Deciding how to secure hardware: • Consider obvious physical protection, such as environmental controls and locking up hardware • List all servers, routers, cables, workstations, printers, and all other pieces of hardware; make a topology map that shows device connections, along with an IP allocation register • Rank resources in order of importance so that security efforts focus first on the most critical resources; rank can be assigned using arbitrary numbers, but a scale of 1 to 10 is suggested

  18. Deciding How to Minimize Risk • Deciding how to secure information: • Information needs to be protected; the logical assets of a company include documents, spreadsheets, Web pages, email, log files, personnel data, customer data, and financial data • One means of protecting customer and employee information is to isolate it from the Internet so that hackers cannot gain access to it • Other protection mechanisms are data encryption, message filtering, data encapsulation, redundancy, and systematic data backups

  19. Deciding How to Minimize Risk • Deciding how to secure information (cont.): • Corporate information, that which is confidential, proprietary, or private, must also be protected • The security policy must cover the corporate information that employees handle and minimize the associated risks by specifying these measures: never leave laptops or palm devices unattended; always password protect corporate information; encrypt all financial data; password-protect all job-records and customer information; restrict personnel information to HR staff and/or upper management

  20. Deciding How to Minimize Risk • Deciding how to conduct routine analysis: • Risk analysis must be done on a routine basis and starts with the following questions: How often will risk analysis be performed? Who will perform the risk analysis? Do all hardware and software resources need to be reviewed every time? • The calculations and evaluations associated with risk analysis require subjective assessments of how much a resource is worth and how valuable it is; due to these issues and the often complex nature of calculations involved, risk analysis software helps alleviate potential roadblocks

  21. Deciding How to Minimize Risk • Deciding how to handle security incidents: • Use the security policy to define how to respond to security break-ins; if a break-in form is required, consider using one of the published forms on the Federal Agency Security Practices Web site of the National Institute of Standards and Technology • Address the incident response section of the security policy by describing the need for careful and expeditious handling of an intrusion; include types of intrusions such as: IDS alarms; repeated unsuccessful logins; unexplained new user accounts and files; system issues

  22. Deciding How to Minimize Risk • Handling security incidents (cont.): • If an incident occurs, the security policy should spell out exactly which security staff needs to be notified, and where they should assemble • It is common for an organization to designate a Security Incident Response Team (SIRT), which is a group of employees designated to take countermeasures when an incident is reported • Typically, the SIRT contains IT operations and technical support staff, IT application staff, a chief security officer, and other security specialists

  23. Deciding How to Minimize Risk • Describing escalation procedures: • Escalation procedures are sets of responsibilities, roles, and measures taken to respond to incidents • To determine how a response may escalate, come up with a system for ranking the severity of an incident; each ranking can be mapped to an escalation chain, which is a hierarchy of staff members who need to be involved in responding to incidents and making decisions • To help determine the value of a resource at risk, develop worst-case scenarios that describe the worst possible threat consequences

  24. What Makes a Good Security Policy? • A good security policy is comprehensive and flexible; it is often a group of documents, each with its own specific emphasis • The information gathered during the risk analysis phase should go into the security policy, along with a list of the policy goals, and the importance of employees reading and following its guidelines • An ongoing security cycle is started which follows the sequence of: policy design; implementation; ongoing monitoring; and reassessment

  25. What Makes a Good Security Policy? • Good security policies (cont.): • The cornerstone of a good policy is the Acceptable Use Policy, which spells out how employees may use organizational resources • Security policies identify the most important corporate security priorities for managers • Security policies help administrators by specifying employee security tasks; the Privileged Access Policy covers administrator network access/use • Once a policy is in effect, it must be determined how often additional risk analysis should be done

  26. Formulating a Security Policy • The steps involved in creating a policy: • Call for the assembly of a group that will meet to formulate the security policy • Determine approach: restrictive or permissive • Identify the assets to be protected • Determine which network communications to audit and the frequency of review • List the security risks that need to be addressed • Define acceptable uses of resources / passwords • Create the security policy

  27. Formulating a Security Policy • Categories of security policies: • Acceptable Use defines acceptable, as well as unacceptable, use of organizational resources; is usually listed first in a security policy because it affects the largest number of employees • User Account specifically spells out use of user (employee, contractor, supplier) accounts • Remote Access spells out exactly what security measures need to be present on remote desktops before users can connect to the corporate network

  28. Formulating a Security Policy • Categories of security policies (cont.): • Password Protection states password particulars such as character length and type, number of incorrect login attempts, and administrator password checking capability • Internet Use covers how employees can access and use the Internet, including e-mail use, software downloads, Web site access, and privacy • Local Area Network defines and establishes responsibilities for the protection of data that is processed, stored, and transmitted on the LAN

  29. Performing Ongoing Risk Analysis • When performing the routine reassessment of the company and asset risks, consider: • How frequently risk analysis should be performed in terms of a routine timeframe, and the conditions that warrant a new analysis • Working with management regarding their approach to determining the costs associated with security and how these costs affect company ROI • Dealing with the security policy approval process that can take several weeks to several months

  30. Performing Ongoing Risk Analysis • Performing routine reassessment (cont.): • The process of amending the security policy; in particular, informing those affected (security policy team, management, employees) by changes to the organization’s security configuration • Responding to security incidents as indicated in the policy’s Incident Handling and Escalation Procedures; incident handling defines what to look out for and to what level of escalation; escalation describes how to increase corporate state of readiness (who responds and in what timeframe) when a threat arises

  31. Performing Ongoing Risk Analysis • Performing routine reassessment (cont.): • Updating the security policy based on security incidents that are reported as a result of ongoing security monitoring, and based on any new risks the company faces • The ultimate goal of changing the security policy is to change employee habits so that they behave more responsibly; better protection will result in fewer intrusions and disputes and ultimately enables a company to focus on its primary mission

  32. Chapter Summary • Risk analysis is key in the formulation of one of the most essential elements in corporate network defense configuration: a security policy. Risks need to be calculated and security policies amended on an ongoing basis as a network configuration evolves

  33. Chapter Summary • Risk analysis covers hardware, software, and informational assets; it covers their threats and the likelihood of threat occurrence. Vulnerabilities are described, as well as related consequences. The first task is to assess network and user levels of risk. Risk analysis should be performed before and after the creation of a security policy, and its goal is to manage risk at reasonable levels on an ongoing basis

  34. Chapter Summary • After assessing the level of asset risk, determine countermeasures that will minimize risk. Decide how to secure the physical assets, the logical assets, databases, applications, and employee personal assets. Then come up with a plan for conducting risk analysis on a routine basis and plan for handling security incidents. As well, assess network threats, such as hackers, power outages, and environmental disasters. Next, determine threat probabilities, and implement the safeguards and countermeasures that reduce their likelihood. First, though, use assembled data to perform a risk analysis using an approach such as SNA or TRA. A risk analysis describes the level of risk faced by each organizational asset, as well as the economic impact if lost/damaged

  35. Chapter Summary • Once the risk level of network assets has been determined, develop safeguards that can manage that risk. Determine ways to secure hardware assets, such as environmental controls, locks, or alarms. Laptop data can be protected through passwords and through file encryption. Logical assets such as word processing, or other documents can be protected by backups and by isolation from the Internet. Corporate data can be protected by effective use of passwords. The countermeasures described will form the basis of the security policy. In addition, risk analysis includes some provision for regular updates. It also includes recommendations of measures to be taken in case security incidents occur
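
The "calculate risk" step on slide 13 can be sketched as a small risk register that combines the 1 to 10 resource ranking (slide 17), the seven probability ratings (slide 5), a consequence rating (slide 6) and residual risk after safeguards (slide 7). This is an added example, not part of the presentation; the scoring formula, the 1 to 5 impact scale, the safeguard fractions, the 90% cap and the sample register are all assumptions made for illustration.

```python
from dataclasses import dataclass, field

# Slide 5's seven probability ratings; the 1-7 numbering is an assumption.
PROBABILITY = {"negligible": 1, "very low": 2, "low": 3, "medium": 4,
               "high": 5, "very high": 6, "extreme": 7}
# Assumed cap: safeguards together remove at most 90% of inherent risk,
# so residual risk never reaches zero (slide 7).
MAX_REDUCTION = 0.90


@dataclass
class Risk:
    asset: str
    importance: int      # 1-10 resource ranking (slide 17)
    threat: str
    probability: str     # one of the PROBABILITY keys
    impact: int          # 1-5 consequence rating (assumed scale)
    safeguards: dict = field(default_factory=dict)  # name -> fraction removed

    def __post_init__(self):
        # Reject ratings outside the scales so a typo cannot skew the ranking.
        if not 1 <= self.importance <= 10:
            raise ValueError(f"{self.asset}: importance must be 1-10")
        if self.probability not in PROBABILITY:
            raise ValueError(f"{self.asset}: unknown probability rating")
        if not 1 <= self.impact <= 5:
            raise ValueError(f"{self.asset}: impact must be 1-5")
        if any(not 0 <= f < 1 for f in self.safeguards.values()):
            raise ValueError(f"{self.asset}: safeguard fraction must be in [0, 1)")

    def inherent(self) -> int:
        """Risk before any safeguard is applied."""
        return self.importance * PROBABILITY[self.probability] * self.impact

    def residual(self) -> float:
        """Risk left after safeguards; each one removes a share of what remains."""
        remaining = 1.0
        for fraction in self.safeguards.values():
            remaining *= 1.0 - fraction
        remaining = max(remaining, 1.0 - MAX_REDUCTION)
        return round(self.inherent() * remaining, 2)


def rank(register):
    """Highest residual risk first: where the next safeguard should go."""
    return sorted(register, key=lambda r: r.residual(), reverse=True)


# Constructed sample register; every rating below is illustrative.
REGISTER = [
    Risk("laptop", 5, "theft", "medium", 4,
         {"password": 0.6, "file encryption": 0.8, "locks": 0.5}),
    Risk("printer", 2, "power outage", "negligible", 1),
    Risk("customer database", 10, "hacker access", "high", 5,
         {"firewall": 0.5, "encryption": 0.4}),
    Risk("web server", 8, "virus", "very high", 3,
         {"firewall": 0.5, "IDS": 0.3}),
]

if __name__ == "__main__":
    for r in rank(REGISTER):
        print(f"{r.asset:18} inherent={r.inherent():4} residual={r.residual():6}")
```

The laptop entry shows the cap at work: its three safeguards would remove 96% of the inherent risk, but the residual is held at 10% of the inherent score.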
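
Slides 21 to 23 describe intrusion types to watch for and a severity ranking mapped to an escalation chain; the sketch below runs that mapping over a few log lines. It is an added example, not part of the presentation: the log format, the failed-login threshold, the three severity levels and the chain membership (drawn from the SIRT roles on slide 22) are assumptions, and the log lines are constructed.

```python
import re
from collections import Counter

FAILED_LOGIN_THRESHOLD = 3   # assumed: this many failures counts as "repeated"

# Assumed severity ranking -> escalation chain, using SIRT roles from slide 22.
ESCALATION_CHAIN = {
    1: ["technical support"],
    2: ["technical support", "IT operations"],
    3: ["technical support", "IT operations", "chief security officer"],
}

# Constructed sample log in a hypothetical "timestamp event key=value" format.
SAMPLE_LOG = """\
2024-05-01T09:00:01Z login result=fail user=alice src=192.0.2.10
2024-05-01T09:00:04Z login result=fail user=alice src=192.0.2.10
2024-05-01T09:00:09Z login result=fail user=alice src=192.0.2.10
2024-05-01T09:01:30Z login result=fail user=bob src=192.0.2.22
2024-05-01T09:01:41Z login result=ok user=bob src=192.0.2.22
-- log rotated --
2024-05-01T09:05:00Z useradd user=jsmith by=hr_admin
2024-05-01T09:07:12Z ids_alarm sig=portscan src=198.51.100.7
2024-05-01T09:09:45Z useradd user=svc_tmp by=root
"""

LINE = re.compile(r"^(?P<ts>\S+) (?P<event>\w+) (?P<fields>.*)$")


def parse(line):
    """Return (event, fields) for a well-formed line, or None."""
    m = LINE.match(line.strip())
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m["fields"].split() if "=" in kv)
    return m["event"], fields


def triage(log_text, approved_accounts):
    """Return [(severity, description, escalation chain)], most severe first."""
    incidents, failures = [], Counter()
    for line in log_text.splitlines():
        parsed = parse(line)
        if parsed is None:
            continue                      # skip lines that do not parse
        event, f = parsed
        if event == "login" and f.get("result") == "fail":
            failures[(f.get("user"), f.get("src"))] += 1
        elif event == "useradd" and f.get("user") not in approved_accounts:
            incidents.append((3, f"unexplained new account {f.get('user')}"))
        elif event == "ids_alarm":
            incidents.append((2, f"IDS alarm {f.get('sig')}"))
    # Repeated unsuccessful logins are judged per (user, source) pair.
    for (user, src), count in failures.items():
        if count >= FAILED_LOGIN_THRESHOLD:
            incidents.append((1, f"{count} failed logins for {user} from {src}"))
    incidents.sort(key=lambda item: -item[0])   # stable: ties keep log order
    return [(sev, desc, ESCALATION_CHAIN[sev]) for sev, desc in incidents]


if __name__ == "__main__":
    for sev, desc, chain in triage(SAMPLE_LOG, approved_accounts={"jsmith"}):
        print(f"severity {sev}: {desc} -> notify {', '.join(chain)}")
```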
