
TSN3251 Computer Security

LECTURE 13
Security Administration

What we are planning to discuss?
 Introduction
 Security Planning
 Risk Analysis
 Security Policies
 Physical Security
Introduction
 Security is a combination of technical, administrative,
and physical controls.
 So far, we have looked at security from a technology
perspective.
 In this lecture, we will consider administrative and
physical aspects.
 Four related areas:
 Planning: What advance preparation and study lets us know that our
implementation meets our security needs for today and tomorrow?
 Risk Analysis: How do we weigh the benefits of controls against their costs,
and how do we justify any controls?
 Policy: How do we establish a framework to see that our computer security
needs continue to be met?
 Physical Control: What aspects of the computing environment have an
impact on security?
Security Planning (1)…
 Basically, users lack appreciation of security. Every
interaction with the computing system has
 Confidentiality
 Integrity
 Availability requirements
on the data, application and physical machines.

 Every organization using computers to create and store
valuable assets should perform thorough and effective
security planning
Security Plan (2)…
- What is it?
 Official record of company’s security practices.
 A document that includes how these practices can be
changed, e.g. approvals, etc.
 A document that must be well prepared for
management, developers and users to appreciate the
importance of security.
Security Plan (3)…
- Issues to be addressed
 7 Issues to be addressed by a security plan.
 Policy: The goals of the computer security effort.
 Current State: Status of security at the time of plan.
 Requirements: Improvements needed to meet the goals
from current state.
 Recommended Controls: Mapping controls to the
vulnerabilities in the policy and requirements.
 Accountability: Describing who is responsible for each
security activity
 Timetable: Identifying when different security functions
are to be done.
 Continuing Attention: Specifying a structure for
periodically updating the security plan.
Security Plan (4)…
- Policy
 Identify the goals of the organization’s security.
 Highest priority: serving customers or securing data?
 Should the system protect data from leakage to outsiders?
 Protect against loss of data due to physical disaster
 Protect the data’s integrity
 Protect against loss of business when computing
resources fail
 Who is going to be made responsible?
 A small computer security group, each employee, or the
relevant managers?
 Commitment of the organization to security
 Who provides security support for staff?
 Where does security fit into the organization’s
structure?
Security Plan (5)…
- Current Security Status
 Listing of organizational assets,
 Identify security threats to the assets and
 Controls in place to protect the assets.
 Defines the limits of responsibility for security
Security Plan (6)…
- Security Requirements
 Functional or performance demands placed on a
system to ensure a desired level of security.
 Usually derived from organizational needs.
 Can be internal or external requirements
 Requirements explain what should be
accomplished, not how
 Implementation details should be left to the designers
 Example: Security planner should state only that access to
the data records should be restricted. He/she should not
state that certain data records should require passwords for
access (an implementation decision)
Security Plan (7)…
- Recommended Controls

 What type of controls can be put in place to meet the
requirements.
 Following risk assessments, a set of vulnerabilities can be
mapped to a set of controls to be implemented.
Security Plan (8)…
- Accountability
 A section of the security plan should identify which
people are responsible for implementing the security
requirements.
 Are personal computer users responsible for their own
machines, or is a designated group?
 Project leaders may be responsible for the security of data and
computations.
 DBAs are responsible for access to and the integrity of the
data in their databases.
 Managers are responsible for ensuring that the people they
supervise implement security measures.
 Even HR may be responsible for screening potential employees for
trustworthiness and arranging security training programs.
Security Plan (9)…
- Timetable
 The plan should include a timetable that shows when
the elements of the plan will be performed and by
whom.
 These dates also give milestones for the
management to keep track of the
implementation.
 Certain security implementations must precede
others.
 The plan must be flexible to accommodate changes.
Security Plan (10)…
- Continuing Attention
 Define ways to evaluate (measure) the effectiveness
of the security implementation.
 Technology evolves rapidly, hence security needs
continuous evaluation and revision.
 Security plan should set times for the periodic reviews,
based on calendar time or on the nature of system
changes.
Security Planning (11)
- Team Members
 A committee representing various areas of the company
is generally needed to develop the security plan.
 Must get commitment from all parties involved, else
pointless.
 Need to consider Business Continuity Plan and assess
impact on business, e.g. DoS attack on data center.
 Form incident response team and evaluate after the
incident.
Risk Analysis (1)…

 What is security risk analysis?
 Identify the loss associated with a security breach, e.g. lost
productivity, quality, financial loss, compromised security,
lost time etc. This is called risk impact.
 Assess the likelihood that the event can happen.
 Formulate risk control to determine how we can reduce the
impact.
Risk Analysis (2)…
- Strategies for dealing with risk
 Avoid the risk: Change system characteristics?
 Transfer the risk: Allocate the risk to other systems,
people, organizations or assets, or buy insurance to
cover any financial loss.
 Assume the risk: Accept it, control it with available
resources and prepare to deal with the loss if it occurs.
Risk Analysis (3)…
- Steps of Risk Analysis
 Identify assets
 Determine vulnerabilities
 Estimate likelihood of exploitation
 Compute expected annual loss
 Survey applicable controls and their
costs
 Project annual savings of control
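The last three steps carried through in code, as an added example that is not part of the original slides. All assets, loss figures, likelihoods and control names are constructed, and the model in which a control cuts the likelihood of a covered vulnerability by a fixed fraction is an assumption.

```python
# Added example: figures, assets and controls below are constructed.
from dataclasses import dataclass, field

@dataclass
class Risk:
    asset: str
    vulnerability: str
    impact: float      # estimated loss per occurrence
    per_year: float    # estimated likelihood: occurrences per year

@dataclass
class Control:
    name: str
    annual_cost: float
    # Assumption: a control cuts the likelihood of each (asset, vulnerability)
    # pair it covers by the given fraction (0..1).
    reduces: dict = field(default_factory=dict)

def expected_annual_loss(risks, controls=()):
    """Sum of impact x likelihood, after applying any controls in place."""
    total = 0.0
    for r in risks:
        remaining = 1.0
        for c in controls:
            remaining *= 1.0 - c.reduces.get((r.asset, r.vulnerability), 0.0)
        total += r.impact * r.per_year * remaining
    return total

def projected_savings(risks, control):
    """Loss avoided per year minus what the control costs per year."""
    avoided = expected_annual_loss(risks) - expected_annual_loss(risks, [control])
    return avoided - control.annual_cost

def rank_controls(risks, controls):
    """Control names ordered from highest to lowest projected savings."""
    return [c.name for c in sorted(
        controls, key=lambda c: projected_savings(risks, c), reverse=True)]

DB = "customer database"
RISKS = [
    Risk(DB, "no offsite backup", 200_000, 0.05),
    Risk(DB, "weak access control", 50_000, 0.5),
    Risk("PCs", "malware infection", 2_000, 10),
]
CONTROLS = [
    Control("offsite backups", 4_000, {(DB, "no offsite backup"): 0.9}),
    Control("access review", 12_000, {(DB, "weak access control"): 0.8}),
    Control("endpoint protection", 15_000, {("PCs", "malware infection"): 0.6}),
]
```

A control with negative projected savings, such as the constructed endpoint protection entry here, costs more per year than the loss it is estimated to avoid, so it needs a justification other than the numbers.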
Risk Analysis (4)
- Limitations
 Creates a false sense of precision and confidence.
 It is very hard to perform a good and accurate risk
analysis.
 Often not given much attention: done once and filed away.
 Lack of accuracy.
Security Policies (1)…
 Security policies are used for several purposes.
 Information on sensitive information assets.
 Clarify responsibilities.
 Market/promote security awareness among existing employees
 A guide for new employees.
Security Policies (2)
 In the document, state
 Purpose
 Protected Assets/Resources (What)
 Nature of the Protection (Who and How)
 Have a scale for the level of data sensitivity.
 Example: Defined levels of data sensitivity for an
organization can include sensitive, personal or
protected, company confidential and open.
Physical Security (1)…
 Used to describe protection needed outside the computer
system
 Typical physical security controls include guards, locks
and fences to deter direct attacks
 Natural disasters
 Floods
 Fire
 Storms, volcanoes, earthquakes
 Power Loss
 Controls include UPS, Surge Suppressor, Regulator etc.
Physical Security (2)…
 Human Vandals
 Unauthorized Access and Use
 Theft
 Interception of Sensitive Information
 Shredding
 Overwriting Magnetic Data
 Degaussing
 Destroy magnetic fields
 Fast way to neutralize a disk or tape
Physical Security (3)
- Contingency Planning
 Backups
 Offsite Backups
 Network Storage
 Cold Site
 A facility with power and cooling available, in which a computing
system can be installed to begin immediate operation during
disaster.
 A computing center can have equipment installed and resume
operation from a cold site within a week of a disaster.
 Hot Site
 A computer facility with an installed and ready-to-run computing
system
 To activate the hot site, it is necessary only to load software and
data from offsite backup copies
References
 Slides adapted from the books
 Charles P. Pfleeger and Shari Lawrence Pfleeger,
“Security in Computing”, Fourth Edition, Prentice
Hall, 2007
 William Stallings and Lawrie Brown, “Computer
Security: Principles and Practice”, Fourth Edition,
Prentice Hall, 2018
