Chapter 5 discusses management issues related to software security, information security, and legal issues. It emphasizes the importance of risk management in software development, the role of policies, standards, and procedures in ensuring information security, and the process of computer forensics for legal evidence. The chapter outlines best practices for developing security measures and highlights the need for regular reviews and updates.


Chapter 5

Management Issues

Outline
▪ Software Security
▪ Information Security
▪ Legal Issues

Software Security
▪ The majority of security incidents result from defects in software design or code
▪ Attackers exploit the security holes left behind by software developers
▪ Post-deployment security (securing software after it has shipped) is more popular than pre-deployment security (building it in during development) because:
▪ It is easily understood by administrators
▪ It is difficult to get security "assurance" from a vendor
▪ Vendors are obsessed with "time-to-market"
▪ It is difficult to know/tailor security requirements for general

Risk management
▪ Software security is risk management!
▪ Risk: "The possibility of suffering harm or loss"
▪ Management: "The act or art of treating, directing, carrying on, or using for a purpose"
▪ Risk management is the process concerned with
▪ the identification, measurement, control and minimization of security risks in information systems, to a level commensurate with the value of the assets being protected

Software Risk Management
▪ Use a high-quality software engineering methodology
▪ Risk analysis should be performed at every stage of development:
▪ Requirements analysis
▪ Design
▪ Coding
▪ Testing, etc.

Software
▪ Free Software
▪ The freedoms to use, copy, study, modify and redistribute both modified and unmodified copies of a program
▪ Open Source
▪ Similar in idea to "free software" but slightly less rigid
▪ Open source software (OSS) provides a number of benefits to security

Open Source Software
▪ The OSS model gives others some economic incentive to review your code
▪ Users of the software may want to check its security
▪ Users who want to make changes to the software will read its source
▪ However, you cannot be sure of the security of software just because it is OSS
▪ Many vulnerabilities are hard to detect, even with the source in hand
▪ Some source code is difficult to read
▪ Some source code has very few readers
▪ Additional vulnerabilities: attackers can scan the source code for weaknesses just as easily as defenders can!
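As an added example (this code is not part of the chapter), here is the kind of simple pattern-based scanner that anyone with the source, defender or attacker, can point at an open source code base. It flags calls to C functions that are well-known sources of memory-safety bugs, and then shows the limit the slide warns about: the same scanner says nothing about a bounded-looking `strncpy` whose result may be left unterminated. The C source it scans is constructed for this example; the function list and the comment handling are this example's own choices, not a real tool's rules.

```python
"""Minimal pattern-based source scanner (added example, not from the chapter).

Flags calls to C functions that are almost always findings, then demonstrates
a miss: a bug that needs data-flow reasoning is invisible to a text scanner.
"""
import re

# Functions that are almost always findings in a C code base, with the reason.
RISKY_CALLS = {
    "gets": "unbounded read into a buffer",
    "strcpy": "no length check on the destination buffer",
    "sprintf": "no length check on the output buffer",
    "system": "shell command execution, injection risk if input is untrusted",
}

# An identifier from the list followed by '(' and not embedded in a longer name
# (so 'mystrcpy(' and 'strncpy(' are not matched).
CALL_RE = re.compile(r"(?<![A-Za-z0-9_])(" + "|".join(RISKY_CALLS) + r")\s*\(")

def scan_source(source: str):
    """Return a list of (line_number, function, reason) for each risky call.

    Lines that are only a // comment are skipped so a commented-out strcpy()
    does not produce a finding; /* */ comments are deliberately not handled,
    which is one more way such a scanner can be fooled.
    """
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        if line.lstrip().startswith("//"):
            continue
        for m in CALL_RE.finditer(line):
            name = m.group(1)
            findings.append((lineno, name, RISKY_CALLS[name]))
    return findings

# Constructed sample: two textbook findings plus one bug the scanner cannot see.
SAMPLE_C = """\
#include <stdio.h>
#include <string.h>

void greet(const char *name) {
    char buf[16];
    strcpy(buf, name);              /* finding: unbounded copy */
    printf("hello %s\\n", buf);
}

void read_line(void) {
    char line[64];
    gets(line);                     /* finding: unbounded read */
}

void copy_id(const char *id) {
    char out[8];
    strncpy(out, id, sizeof(out));  /* NOT flagged: out may be unterminated */
    printf("%s\\n", out);
}
"""

if __name__ == "__main__":
    for lineno, name, reason in scan_source(SAMPLE_C):
        print(f"line {lineno}: {name}() - {reason}")
```

Run it and only lines 6 and 12 of the sample are reported; the `strncpy` on line 17 passes, which is exactly why "it is open source and nobody found anything" is not evidence of security.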

Software Security Guiding Principles (the ten principles from Viega and McGraw, Building Secure Software)
▪ Secure the weakest link
▪ Practice defense in depth
▪ Fail securely
▪ Follow the principle of least privilege
▪ Compartmentalize
▪ Keep it simple
▪ Promote privacy
▪ Remember that hiding secrets is hard
▪ Be reluctant to trust
▪ Use your community resources
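As an added example (not code from the chapter), three of the principles above applied to one small piece of code: a handler that maps a user-supplied file name onto a document root. "Be reluctant to trust" is the allow-list on the raw name, "defense in depth" is the second, independent containment check on the final path, and "fail securely" is the rule that any unexpected error denies the request. The insecure version is kept beside the hardened one so the difference is visible. The document root `/srv/public` and the `AccessDenied` type are this example's assumptions; both functions work on abstract paths, so the example runs without touching the disk, and a real handler would additionally resolve symlinks with `os.path.realpath` before the containment check.

```python
"""Insecure and hardened file-name resolution (added example, not from the chapter)."""
import os
import re

DOC_ROOT = "/srv/public"   # assumed document root; any absolute path works
# Allow-list: a plain file name, no separators, no leading dot, bounded length.
SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,63}$")

class AccessDenied(Exception):
    """Raised for every rejected request; callers answer with a generic 403/404."""

def resolve_insecure(doc_root: str, user_name: str) -> str:
    """Trusts the client. '../../etc/passwd' walks straight out of doc_root."""
    return os.path.normpath(os.path.join(doc_root, user_name))

def is_inside(root: str, path: str) -> bool:
    """True only if path is root itself or lies below it.

    A plain str.startswith(root) would be wrong: '/srv/publicx/a' starts with
    '/srv/public' but is not inside it. commonpath compares whole components.
    """
    root = os.path.normpath(root)
    path = os.path.normpath(path)
    return os.path.commonpath([root, path]) == root

def resolve_hardened(doc_root: str, user_name: str) -> str:
    """Return the absolute path to serve, or raise AccessDenied."""
    try:
        # Layer 1, be reluctant to trust: strict allow-list on the raw name.
        if not SAFE_NAME.match(user_name):
            raise AccessDenied("bad name")
        # Layer 2, defense in depth: even if layer 1 is loosened by a later
        # change, the final path must still be inside the document root.
        full = os.path.normpath(os.path.join(doc_root, user_name))
        if not is_inside(doc_root, full):
            raise AccessDenied("escapes document root")
        return full
    except AccessDenied:
        raise
    except Exception:
        # Fail securely: an unexpected error (wrong type, odd encoding, ...)
        # must deny the request rather than fall through to serving a file.
        # 'from None' also keeps the internal traceback out of the response.
        raise AccessDenied("internal error") from None

if __name__ == "__main__":
    for name in ["report.pdf", "../../etc/passwd", "/etc/passwd"]:
        print(f"{name!r:22} insecure -> {resolve_insecure(DOC_ROOT, name)}")
        try:
            print(f"{'':22} hardened -> {resolve_hardened(DOC_ROOT, name)}")
        except AccessDenied as e:
            print(f"{'':22} hardened -> denied ({e})")
```

The two layers are deliberately redundant: the allow-list alone already rejects every traversal attempt, and the containment check alone would too. Keeping both means a future relaxation of one (say, allowing subdirectories in the name) does not silently reopen the hole.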

Auditing Software
▪ Auditing a piece of software's functionality and security is a complex activity
▪ Most software development companies consider the security of their software only once or twice during the development cycle
▪ Software teams prefer to spend their time mainly on developing new functionality that can be seen
▪ Ideally every software project should have an independent security person or team
▪ A good time for an initial security analysis is after the preliminary design:
▪ Security risks in the architecture of the software can still be avoided at limited cost
▪ The team is still willing to make major changes

Information Security
➢ Policies, Standards and Procedures
▪ Security attacks come from the various security threats that exploit vulnerabilities
▪ Security techniques/solutions are available to minimize the risks
▪ The human factor is a major concern in security
▪ Organizations need to ensure that their information is protected irrespective of the employees they may have at any given time
❖ They achieve this objective using:
▪ Policies,
▪ Standards and
▪ Procedures

Cont’d
• A policy is a high-level statement of an enterprise's beliefs, goals and procedures, and the general means for their attainment
• Standards are mandatory requirements that support individual policies
• Procedures are mandatory step-by-step, detailed actions required to complete a task successfully
• Guidelines are similar to standards but are not mandatory

Cont’d
• The objective of information security is to protect the confidentiality, integrity and availability of information
• An information protection program should be part of an overall asset protection program
• Information security policies, standards and procedures enable organizations to
• Ensure that their security concerns are properly addressed
• Ensure that every employee knows what he/she needs to do to protect the company's information
• Ensure that a consistent response is given to every problem

Developing policies: A good policy should
▪ Be easy to understand (by all the people who will have to read it)
▪ Be applicable (don't copy another organization's policy word for word; it may not apply to you)
▪ Be doable (the restrictions should not stop work!)
▪ Be enforceable (if it cannot be enforced, it will probably remain on paper)
▪ Be phased in (organizations need time to digest a policy)
▪ Be proactive (say what needs to be done rather than what is not allowed)
▪ Avoid absolutes (be diplomatic)
▪ Meet business objectives (lower the security risks to a level acceptable to the organization without hampering its work to an unacceptable degree)

Cont’d
▪ The components of a global policy typically include
▪ Scope
▪ Responsibilities
▪ Who is responsible for what
▪ Compliance or consequences
▪ What will happen if you are not compliant
▪ Writing a policy requires multiple skills and a lot of attention
▪ A global policy is developed by a steering committee established for this purpose

Developing standards
▪ Standards define what is to be accomplished in specific terms
▪ Every industry has standards that try to ensure some quality of product or service, or to enable interoperability
▪ Many industry standards address information security
▪ Ex. banking, healthcare
▪ Some standards become national regulations that organizations will have to follow
▪ Organizations can also develop their own standards (enterprise standards)
▪ Standards are easier to update than a global policy
▪ Standards have to be reviewed regularly

❖ Standards must be
▪ Reasonable
▪ Flexible
▪ Current
▪ Practical
▪ Applicable
▪ Up-to-date
▪ Reviewed regularly
▪ Standards should enable the enterprise to fulfil its business objectives while minimizing the security risks

Developing Procedures
▪ Developing a procedure should be faster than developing a policy, since it does not need to be approved by management
▪ The best way to write a procedure is to use a technical writer (a different person from the subject matter expert (SME))
▪ Procedure writing process
▪ Interview with the SME
▪ Preparation of a draft
▪ Review of the draft by the SME
▪ Update of the procedure based on the comments
▪ Final review by the SME
▪ Update of the procedure based on the comments
▪ Testing of the procedure (can someone other than the SME follow it and get the expected result?)
▪ Publishing of the procedure
▪ Procedures should also be reviewed regularly

Legal Issues :Computer Forensics
▪ Computer forensics is a branch of forensic science that deals with the application of computer investigation and analysis techniques in the interest of determining potential legal evidence. Computer forensics is also known as digital forensics.
▪ Computer forensics has sub-branches such as firewall forensics, network forensics, database forensics and mobile device forensics.

❖ Steps taken in computer forensics on the subject computer
▪ Protects the subject computer system during the forensic examination from any possible alteration, damage, data corruption, or virus introduction (in practice: work on a forensic image taken through a write blocker rather than on the original disk, and hash the image so that any later change can be detected).
▪ Discovers all files on the subject system. This includes existing normal files, deleted yet remaining files, hidden files, password-protected files, and encrypted files.
▪ Recovers discovered deleted files.

Cont’d
▪ Reveals the contents of hidden files as well as temporary or swap files used by both the application programs and the operating system.
▪ Accesses the contents of protected or encrypted files (where technically possible).
▪ Analyzes all possibly relevant data found in special areas of a disk (for example unallocated space and file slack).
▪ Prints out an overall analysis of the subject computer system, as well as a listing of all possibly relevant files and discovered file data.
▪ Provides expert consultation and/or testimony.
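As an added example (not from the chapter), two of the steps above carried out on a constructed raw disk image held in memory. The first step is preservation: the image is hashed before and after the analysis, and a matching digest is the evidence that the examination did not alter it. The second is discovering "deleted yet remaining" files: deleting a file normally removes only its directory entry, so the bytes stay on disk, and carving scans the raw bytes for file signatures without needing the file system at all. The image, the filler and the two tiny PNG files inside it are all constructed here; nothing is read from a real disk, and the carver only understands PNG (signature to IEND chunk), which is enough to show the technique.

```python
"""Image hashing and signature-based file carving (added example, not from the chapter)."""
import hashlib
import zlib

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"

def png_chunk(ctype: bytes, data: bytes) -> bytes:
    """Build one PNG chunk: 4-byte length, type, data, CRC32 over type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return len(data).to_bytes(4, "big") + ctype + data + crc.to_bytes(4, "big")

IEND = png_chunk(b"IEND", b"")      # every PNG ends with this 12-byte chunk

def tiny_png() -> bytes:
    """A structurally valid 1x1 RGB PNG: not a photo, just a carveable file."""
    ihdr = (1).to_bytes(4, "big") + (1).to_bytes(4, "big") + b"\x08\x02\x00\x00\x00"
    idat = zlib.compress(b"\x00\xff\x00\x00")   # filter byte 0 + one red pixel
    return PNG_MAGIC + png_chunk(b"IHDR", ihdr) + png_chunk(b"IDAT", idat) + IEND

def build_image() -> bytes:
    """Constructed 'disk image': zeroed sectors, a PNG whose directory entry is
    gone, some other filler, a second 'deleted' PNG, and more empty sectors."""
    sector = b"\x00" * 512
    return sector * 3 + tiny_png() + b"\xff" * 700 + tiny_png() + sector * 2

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def carve_png(image: bytes):
    """Return (offset, bytes) for every PNG found by signature in raw bytes.

    Works on the bytes alone, so it finds files no directory points to any more.
    A header with no trailer is a truncated remnant and is skipped.
    """
    found = []
    pos = 0
    while True:
        start = image.find(PNG_MAGIC, pos)
        if start < 0:
            break
        end = image.find(IEND, start)
        if end < 0:
            break
        end += len(IEND)
        found.append((start, image[start:end]))
        pos = end
    return found

def examine(image: bytes):
    """Hash, carve, hash again; the two digests must match or the result is suspect."""
    before = sha256(image)
    files = carve_png(image)
    after = sha256(image)
    return {"hash_before": before, "hash_after": after, "files": files}

if __name__ == "__main__":
    report = examine(build_image())
    print("image sha256:", report["hash_before"])
    print("unchanged by analysis:", report["hash_before"] == report["hash_after"])
    for off, data in report["files"]:
        print(f"carved PNG at offset {off}, {len(data)} bytes")
```

On a real case the "before" digest is recorded when the image is acquired and quoted in the report; recomputing it after every processing step is what lets an examiner answer "how do we know the evidence was not modified?" on the stand.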

