Security Analysis, Assessment, and Assurance JAGC


Security Analysis,

Assessment, and Assurance

Jaime Anatoli Gonzales Caceres


24/09/2021
TOPICS
In this presentation we will talk about the following topics:

Asset
Threat Identification
Security by Analysis
Security Assessment and Assurance
BACKGROUND
A good security analysis process begins with a complete identification of all the organization's assets.
Once the assets are identified, identifying the threats to each asset makes it easy to identify most threats to the system.
It also makes the next and subsequent stages of the analysis process easier, such as identifying:
Threat sources
Types
Analysis techniques.
ASSET (information security, computer security and network security)
An asset is any data, device, or other component of the environment that supports information-related activities.
Assets generally include hardware (e.g. servers and switches), software (e.g. mission-critical applications and support systems) and confidential information.
THREAT IDENTIFICATION
A cyber security threat refers to any possible malicious attack that seeks to unlawfully access data, disrupt digital operations or damage information.
A threat is the combination of an asset and a vulnerability.
A hacker can exploit the combination to gain access to the system.
Although every system resource has value, there are those with more intrinsic value than others.
To increase the overall security of the system, focus first on identified resources with high intrinsic value.
The security threats to any system component can be deliberate or nondeliberate.
A threat is deliberate if the act is done with the intention of breaching the security of an object.
Nondeliberate threats, however, are acts and situations that, although they have the potential to cause harm to an object, were not intended.
There are many varied sources of threats, including human factors, natural disasters, infrastructure failures, and misconfiguration of systems.
In addition, system threats also exist in system security policies and procedures.
Human Factors
Now let us look at human factors, resulting from human perception and physical capabilities, that may contribute to increased risks to the system.

Communication
Human-machine interface
New tools and technologies
Training
The human component in computer systems is considerable and plays a vital role in the security of the system.
While inputs to, and sometimes outputs from, hardware components can be predicted, and in many cases software bugs, once found, can be fixed and the problem forgiven, the human component in a computer system is so unpredictable and so unreliable that inputs to the system from the human component may never be trusted.
This makes the human component a major source of system threats.
Misconfiguration of the System
Many times system administrators are not up to speed when it comes to the security of the systems for which they are responsible.
System administrators quite often fail to install a required security software product: they intended to do it but later forgot; they have no idea how to do it; they do not read widely enough to find the needed software; or they delegated the job to somebody else and never followed up to make sure it was installed.
These vulnerabilities are not only limited to installing security software but also include accidental settings like permissions on files and folders, group memberships, or others that allow access to the protected system resources.
There are many vulnerabilities that fall under this category, and they are difficult to find because system administration of any system covers a variety of issues big and small, many overseen by junior staff usually with limited experience.
When it comes to delegating security responsibilities, remember to use the principle of least privilege.
The principle of least privilege helps in that if you only have the privileges required to do the work that you need to do, then there is no chance, even by accident, that you can change configuration settings in an area that you are not supposed to be in and perhaps do not understand.
The rule of thumb for system administrators is always to limit the number of users that have administrative privileges on any computer on the system.
Natural Disasters
Natural disasters caused by earthquakes, fires, floods, hurricanes, tornadoes, lightning, and many others are the most fearsome forms of computer system threats.
Worse still, natural disasters cannot be predicted accurately enough.
However, there are several ways to plan for natural disaster threats. These include creating up-to-date backups, stored at different locations, that can be quickly retrieved and set up, and having a comprehensive recovery plan.
Recovery plans should be implemented rapidly.
Infrastructure Failures
A system may not be available to users when any component of its
infrastructure, functioning or otherwise, makes the system unable to provide
those services requested by the user in a reasonable amount of time.
There are several system components that can cause this to happen,
including hardware, software, and humanware. Any of these may fail the
system anytime without warning.

Hardware Failures: The operating environment contributes greatly to hardware failures (a hostile environment, due to high temperatures and dust).
Software Failures: Software failure is probably the greatest security threat, when everything is considered. Failure or poor performance of a software product can be attributed to a variety of causes, most notably human error, the nature of software itself, and the environment in which software is produced and used.
Policies, Procedures, and Practices
Policies are written descriptions of the security precautions that everyone using the system must
follow.
Procedures, on the other hand, are definitions spelling out how to implement the policies for a
specific system or technology.
Practices are implemented based on the environment, resources, and capabilities available at the
site.

Many organizations do not have written policies or procedures, or anything that is directly related to information security.
In addition to security policies and procedures, security concerns also can be found in personnel policies, physical security procedures (for example, the protocols for accessing buildings) and intellectual property statements.
Quality
The quality of service provided by the system is one of the indicators of
security.
If the system provides quality services, it means that the system is:
Accessible
Available
Able to deliver requested services in a reasonable amount of time and in the quantities requested.
In short, it means that the system is secure.
System quality is made up of many components: not only software, hardware, and humanware, but also policies and procedures that must be streamlined, easy to follow, and enforced.
Comprehensiveness
If the organization's security is required in a variety of forms, such as physical and electronic, then the organization's security policy and procedures must effectively address all of them.
In addition, all phases of security must be addressed (inspection, protection, detection, reaction, and reflection).
If one phase is not effectively addressed or not addressed at all, then a security threat may exist in the system.
The policies and procedures must address all known sources of threat, which may include physical, natural, or human.
Security by Analysis
Security threat analysis is a technique used to identify
system resources that are susceptible to a threat and to
focus on them.
In general, system security threat analysis is a process
that involves:
ongoing testing and evaluation of the security of a
system’s resources
to continuously and critically evaluate their security from
the perspective of a malicious intruder
and then use the information from these evaluations to
increase the overall system security.
The process of Security Threat Analysis involves:
Determining those resources with higher intrinsic value.
Where possible, identifying the threat impact on all critical system resources.
Documenting why the chosen resources need to be protected in the hierarchy in which they are put.
Identifying known and plausible threats for each identified resource in the system (known vulnerabilities are much easier to deal with than vulnerabilities that are purely speculative).
Identifying necessary security services/mechanisms to counter the vulnerability.
Creating risk evaluation criteria.
Developing and attaching a probability to each identifiable threat for each resource.
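The steps above (intrinsic value per resource, threat impact, a risk evaluation criterion, and a probability per threat) combined into a ranked register. This is an added example, not code from the original slides: the resources, values, impacts, probabilities, the "value x impact x probability" criterion and the high/medium/low thresholds are all constructed assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Threat:
    resource: str       # identified system resource
    name: str           # known or plausible threat against it
    impact: float       # threat impact on that resource, 0.0 (none) to 1.0 (total loss)
    probability: float  # probability attached to the threat, 0.0 to 1.0

# Constructed sample data: intrinsic value of each resource on a 1-10 scale
RESOURCE_VALUE = {"customer database": 10, "mail gateway": 6, "print server": 2}

# Constructed threat register (values are illustrative, not measured)
THREATS = [
    Threat("customer database", "SQL injection via web app", 0.9, 0.4),
    Threat("customer database", "backup tape loss", 0.7, 0.1),
    Threat("mail gateway", "phishing relay", 0.5, 0.6),
    Threat("print server", "disk failure", 0.3, 0.5),
]

def risk_score(t: Threat, values=RESOURCE_VALUE) -> float:
    """Risk evaluation criterion (an assumption): intrinsic value x impact x probability."""
    return round(values[t.resource] * t.impact * t.probability, 2)

def risk_level(score: float) -> str:
    """Map a score onto evaluation bands; the thresholds are assumptions."""
    if score >= 3.0:
        return "high"
    if score >= 1.0:
        return "medium"
    return "low"

def rank_threats(threats=THREATS, values=RESOURCE_VALUE):
    """Every (resource, threat, score, level) row, highest risk first."""
    rows = []
    for t in threats:
        score = risk_score(t, values)
        rows.append((t.resource, t.name, score, risk_level(score)))
    return sorted(rows, key=lambda r: r[2], reverse=True)

def resource_priority(threats=THREATS, values=RESOURCE_VALUE):
    """Total risk per resource, so effort goes first to the most exposed high-value ones."""
    totals = {}
    for t in threats:
        totals[t.resource] = round(totals.get(t.resource, 0.0) + risk_score(t, values), 2)
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)

if __name__ == "__main__":
    for row in rank_threats():
        print(row)
    print(resource_priority())
```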
Security analysis, in general, is an examination and evaluation of the various threats affecting each and every system resource.
When computer systems were still in stand-alone mode, it was easy to deal with security issues.
In any case, there was no massive sharing of information beyond passing a floppy.
Security was not as complicated as it is today.
The widespread use, the interconnectivity, the interdependence and the sophistication of computers have all made security a complex issue, and guaranteeing the security of systems on inspection and intuition alone is becoming less and less plausible and almost impossible.
Approaches to Security Threat Analysis
As the resulting impact of the threat analysis is the most important thing, it should describe:
how the organization is going to be affected;
how it is to respond to the threat;
whether the threat is creating some modification to the status of the assets;
whether there is loss or destruction of assets;
and finally whether there are, or are likely to be, any interruptions.
This information can be acquired through several approaches that include simple threat analysis by attack trees, defense in depth, and others.
Attack Tree Method
An attack tree is a visual representation of possible attacks against a given target.
The root of the attack tree forms the goal of the attack.
The internal nodes, from the leaves upward, form the necessary subgoals an attacker must achieve in order to reach the goal, in this case, the root.
The cheapest path in the tree, from a leaf to the root, identifies the most likely attack path and probably the weakest link.
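The cheapest leaf-to-root path, computed over a small attack tree. This is an added example, not from the original slides: the tree, its goals and the leaf costs are constructed, and it goes slightly beyond the slide by allowing AND nodes (all subgoals needed, costs add) alongside the OR nodes (any one subgoal suffices) the slide describes. A second function models a mitigation by raising one leaf's cost, which is how a defender uses the tree: fix the weakest link, then see which path becomes cheapest next.

```python
from dataclasses import dataclass, field
from typing import List, Tuple

@dataclass
class Node:
    name: str
    kind: str = "OR"       # "OR": any one child achieves this goal; "AND": all children needed
    cost: float = 0.0      # attacker cost, used for leaves only
    children: List["Node"] = field(default_factory=list)

def cheapest(node: Node) -> Tuple[float, List[str]]:
    """Minimum attacker cost to reach `node` and the leaves that path uses.
    Leaf: its own cost. OR: the cheapest child. AND: every child, so costs add."""
    if not node.children:
        return node.cost, [node.name]
    results = [cheapest(child) for child in node.children]
    if node.kind == "AND":
        return sum(r[0] for r in results), [leaf for r in results for leaf in r[1]]
    return min(results, key=lambda r: r[0])

def with_leaf_cost(node: Node, leaf_name: str, new_cost: float) -> Node:
    """Copy of the tree with one leaf's cost changed: models a mitigation raising attacker cost."""
    if not node.children:
        return Node(node.name, node.kind, new_cost if node.name == leaf_name else node.cost)
    return Node(node.name, node.kind, node.cost,
                [with_leaf_cost(c, leaf_name, new_cost) for c in node.children])

# Constructed tree: the root goal is reading the customer database (costs are illustrative)
TREE = Node("read customer database", "OR", children=[
    Node("exploit web application", "AND", children=[
        Node("find injection flaw", cost=40),
        Node("bypass web application firewall", cost=25),
    ]),
    Node("obtain DBA credentials", "OR", children=[
        Node("phish the DBA", cost=15),
        Node("brute-force DBA password", cost=90),
    ]),
    Node("steal backup tape", "AND", children=[
        Node("enter data centre", cost=70),
        Node("locate tape", cost=10),
    ]),
])

def weakest_link(tree: Node = TREE) -> Tuple[float, List[str]]:
    """The cheapest leaf-to-root path: the most likely attack, hence what to fix first."""
    return cheapest(tree)

if __name__ == "__main__":
    print("weakest link:", weakest_link())
    hardened = with_leaf_cost(TREE, "phish the DBA", 80)  # e.g. after phishing-resistant MFA
    print("after mitigation:", weakest_link(hardened))
```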
Defense in Depth
Defense in Depth (DiD) is a security strategy used:
in the military, where the strategy requires the defender to concentrate all military resources on the frontline, which, if broken by the attacker, would leave everything else less defended;
in nonmilitaristic terms, as in organizational security, where the strategy means the use of multiple security techniques to mitigate the risk of one component of the defense being compromised or circumvented.
This can be achieved by using all of the security best practices that include people, technology, and operations.
An example of the use of the DiD strategy would be to protect an organization's network by:
installing firewalls from different manufacturers on every subnet and at the organization's gateways
installing antivirus software at every client, server, and firewall in the network
Security Assessment and Assurance
Security assessment:
is a process that consists of a comprehensive and continuous analysis of the security threat risk to the system.
It involves:
auditing the system
assessing the vulnerabilities of the system
maintaining a credible security policy
maintaining a vigorous regime for the installation of patches and security updates.
The process to achieve these goals consists of several tasks, including:
a system security policy
security requirement specifications
identification and analysis of threats
vulnerability assessment
security certification
the monitoring of vulnerabilities, and auditing.
System Security Policy
Security policies, as we have seen, are essential and
vital in any organization.
A security policy is a set of policies, procedures, and guidelines that tell all employees and business partners what constitutes acceptable and unacceptable use of the organization's computer system.
The security policy also spells out what resources need
to be protected and how the organization can protect
such resources.
Security assurance:
is also a continuous security state of the security process.
The process of security assurance, a post-state of security assessment, starts with a thorough system security policy, whose components are used for system requirement specifications.
The security requirement specifications are then used to identify threats to system resources.
An analysis of these identified threats for each resource is then done. The vulnerabilities identified by the threats are then assessed and, if the security measures taken are good enough, they are then certified, along with the security staff.
Security Certification
Certification is a technical evaluation of the effectiveness of a system or an individual for
security features.

The defenses of a system are not dependent only on secure technology, but they also depend
on the effectiveness of staffing and training.

A well trained and proficient human component makes a good complement to the security
of the system, and the system as a whole can withstand and react to intrusion and malicious
code.

Certification of a system or an individual attempts to achieve the following objectives, so that the system:
Employs a set of structured verification techniques and verification procedures during the system life cycle,
Demonstrates that the security controls of the system are implemented correctly and effectively, and
Identifies risks to confidentiality, integrity, and availability of information and resources.
Security Monitoring
Security monitoring is an essential step in security assurance for a
system.
To set up continuous security monitoring, controls are put in place to
monitor whether a secure system environment is maintained.
The security personnel and sometimes management use these
controls to determine whether any more steps need to be taken to
secure the systems.
Although monitoring decisions are made by the security
administrator, what should be monitored and the amount of
information logged is usually determined by either management or
the security administrator.
Let us now focus on the monitoring tools, type of data gathered,
and information analyzed from the data.
Monitoring Tools
There are several tools that can be used to monitor the
performance of a system.
The monitoring tool, like a sensor, once selected and
installed, should be able to gather vital information on
system statistics, analyze it, and display it graphically
or otherwise.
In more modern systems, especially in intrusion
detection tools, the monitoring tool also can be
configured to alert systems administrators when certain
events occur.
Most modern operating systems, such as Microsoft
Windows, Unix, Linux, Mac OS, and others, have built-in
performance monitors.
A variety of system monitoring tools are available, the
majority of which fall into one of the following
categories:

System performance
Network security
Network performance and diagnosis
Networking links
Dynamic internet protocol (IP) and DNS event loggers
Remote control and file sharing
File transfer tools
Type of Data Gathered/Collected
Because of the large number of events that take place
in a computer system, the choice of what event to
monitor can be difficult.
Most event loggers are preset to monitor events based
on set conditions.
For example, for work stations and servers, the
monitor observes system performance, including
central processing unit (CPU) performance, memory
usage, disk usage, system, security, DNS server,
directory service, and file replication service.
In addition, the monitor also may receive syslog messages from other computers, routers, and firewalls on a network.
In a network environment, the logger may generate notifications that include e-mail, a network pop-up, pager, syslog forwarding, or broadcast messages to users or the system administrator in real time, following preset specified criteria.
Analyzed Information
The purpose of a system monitoring tool is to capture vital system data,
analyze it, and present it to the user in a timely manner and in a form in
which it makes sense. The logged data is then formatted and put into a
form that the user can utilize. Several of these report formats are:
Alert is a critical security control that helps in reporting monitored system
data in real time.
Chart is a graphic object that correlates performance to a selected object
within a time frame.
Log is the opposite of alerting, in that it allows the system to capture data
in a file and save it for later viewing and analysis.
Report is a more detailed and inclusive form of system logs. Log reports provide statistics about the system's resources and how each of the selected system resources is being used and by whom.
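Two of the report formats listed above, produced from logged data: a real-time Alert raised when a preset criterion is met, and a Report of how each resource is used and by whom. This is an added example, not from the original slides; the syslog-style line format, the sample lines and the "three denials" alert threshold are constructed assumptions.

```python
import re
from collections import Counter, defaultdict
from typing import Dict, List, Optional

# Constructed log lines: <host> <service>: user=<name> resource=<name> result=<ok|denied>
LOG_LINES = """\
srv1 sshd: user=alice resource=shell result=ok
srv1 sshd: user=mallory resource=shell result=denied
srv1 sshd: user=mallory resource=shell result=denied
srv2 smbd: user=bob resource=finance-share result=ok
srv1 sshd: user=mallory resource=shell result=denied
srv2 smbd: user=alice resource=finance-share result=ok
srv1 sshd: user=mallory resource=shell result=denied
""".splitlines()

LINE_RE = re.compile(
    r"^(?P<host>\S+) (?P<service>\S+): user=(?P<user>\S+) "
    r"resource=(?P<resource>\S+) result=(?P<result>\w+)$")

DENIED_THRESHOLD = 3  # assumption: alert on the 3rd denial by one user on one resource

def parse(line: str) -> Optional[dict]:
    """Log format: one raw line becomes a structured event, or None if it is malformed."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None

def alerts(lines) -> List[str]:
    """Alert format: raised while scanning, the moment the denial criterion is met."""
    denied = Counter()
    out = []
    for line in lines:
        ev = parse(line)
        if not ev or ev["result"] != "denied":
            continue
        key = (ev["user"], ev["resource"])
        denied[key] += 1
        if denied[key] == DENIED_THRESHOLD:   # fire once, not on every later denial
            out.append(f"ALERT {ev['host']}: {denied[key]} denied attempts by {ev['user']} on {ev['resource']}")
    return out

def usage_report(lines) -> Dict[str, Dict[str, int]]:
    """Report format: successful accesses per resource, broken down by user."""
    report = defaultdict(Counter)
    for line in lines:
        ev = parse(line)
        if ev and ev["result"] == "ok":
            report[ev["resource"]][ev["user"]] += 1
    return {resource: dict(users) for resource, users in report.items()}

if __name__ == "__main__":
    for alert in alerts(LOG_LINES):
        print(alert)
    print(usage_report(LOG_LINES))
```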
Auditing
Auditing is another tool for the security assessment and
assurance of a computer system and network.
Unlike monitoring, auditing is more durable and not ongoing, and,
therefore, it is expensive and time consuming.
Like monitoring, auditing measures the system against a predefined
set of criteria, noting any changes that occur.
The criteria are chosen in such a way that changes should indicate
possible security breaches.
A full and comprehensive audit should include the following steps:
Review of all aspects of the system's stated criteria
Review of all threats identified
Choice of the frequency of audits, whether daily, weekly, or monthly
Review of practices to ensure compliance to written guidelines
CONCLUSION
For security assurance of networked systems, there must be a
comprehensive security evaluation to determine the status of the
security and ways to improve it through mitigation of security
threats.
So an examination and evaluation of the various factors affecting the value of a security must be carried out, and the security must be assessed to determine the adequacy of existing security measures and safeguards, and also to determine whether improvement in the existing measures is needed.
Many of the activities that take place in a network are uninvited and
are intrusions. For a network to be considered secure, all these
activities must be monitored, tracked, and categorized.
Thanks
Thank you
Thank you!
