SECURITY ASSESSMENT (:red_cross:Vulnerability Identification and…
Vulnerability Identification and Assessment
system software [most serious]
application software (3reasons) [largest number of vulnerabilities]
control software.(2 reasons)
the 4 reasons
system security policies and procedures.
policy is building blocks of an organization's security
When compared to a similar industry, weaknesses should be noted in quality, conformity, and comprehensiveness.
System Security Policy
Why it is important?
To be successful
Have the backing of the organization top management
Involve every one in the organization
Precisely describe a clear vision of a secure environment
Set priorities and costs of what needs to be protected.
Be a good teaching tool for everyone in the organization about security and what needs to be protected, why, and how it is to be protected.
Set boundaries on what constitutes behavior as far as security and privacy
Create a security clearing house and authority.
Be flexible enough to adopt to new changes.
Be consistently implemented throughout the organization.
The 5 steps to achieve its goals
Determine the resources that must be protected and draw a profile of its characteristics.
For each identifiable resource determine the type of threat and the likelihood of such a threat.
For each identifiable resource determine what measures will protect it the best and from whom.
Develop a policy team consisting of at least one member from senior administration, legal staff, employees, member of IT department, and an editor or writer to help with drafting the policy.
Determine what needs to be audited.
Define the acceptable use of system resources such as Email, News, Web
Consider how to deal with each of the following: Encryption, Password, Key creation and distributions, Wireless devices that connect on the organization's network
Provide for remote access
schedule a time to review these structures regularly
Security Requirements Specification
For the user:
user name, location, and phone number of the responsible system owner, and data/application owner. The range of security clearance levels, the set of formal access approvals, and the need-to-know of users of the system.
For the resources:
resource type, document any special physical protection, brief description of a secure operating system.
if the resource is data then also do the following:
classification level: top secret, secret, confidential; and categories of data: restricted, formally restricted
any special access programs for the data
any special formal access approval necessary for access to the data o any special handling instructions
any need-to-know restrictions on users
any sensitive classification or lack of.
Attempts to achieve
Employs a set of structured verification techniques and verification procedures
Demonstrates that the security controls of the system are implemented correctly
Identifies risks to confidentiality, integrity, and availability of information and resources
ways to plan for the natural disaster
up-to-date backups stored at different locations
Data design, analysis and interpretation
New tools and technologies
Workload and user capacity
nature of software
the environment in which software is produced and used
approaches to overcome hardware threats
The human component in a computer system is so unpredictable and so unreliable
Threat Analysis by Annualized Loss Expectations
Schneierls Attack Tree Method
Security Monitoring and Auditing
monitoring tools categories
Network Performance and Diagnosis
Dynamic IP and DNS event logger
Remote Control and File Sharing applications event logger
File Transfer Tools
– Alert – Chart – Log – Report
Review all aspects of the system's stated criteria.
Review all threats identified.
Choose a frequency of audits whether daily, weekly, or monthly .
Review practices to ensure compliance to written guidelines.