Professional Documents
Culture Documents
Module 11 Maintaining InfoSec 211
Module 11 Maintaining InfoSec 211
Security Maintenance
Objectives
Upon completion of this material, you should be able to:
• Understand the need for ongoing maintenance of the information security
program
• Recognise and describe the recommended security maintenance model
• Identify the key factors involved in monitoring the external and internal
environment
• Describe how planning, risk assessment, vulnerability assessment, and
remediation tie into information security maintenance
• Explain how to build readiness and review procedures into information
security maintenance
• Identify resources available for information security professionals
• Understand change and configuration management
Introduction
• What to monitor
• What to measure
• When to measure
• Who will measure
NIST SP 800-100 A Guide for Managers
1. Implementation
2. Effectiveness and efficiency
3. Impact
Effectiveness/efficiency measures are used to monitor if program-level processes and
system-level security controls are implemented correctly, operating as intended, and
meeting the desired outcome
Change management
the administration of changes in the strategy, operation,
or components of the information security program.
Configuration management
an approach to implementing change in a system that uses
policies and maintain system inventory and supporting
documentation. Technical
hardware, software, data
Nontechnical
procedures, people
Configuration and Change Management
1. External monitoring
2. Internal monitoring
3. Planning and risk assessment
4. Vulnerability assessment and
remediation
5. Readiness and review
Monitoring the External Environment
Primary Goal:
provide early awareness of new threats, threat agents,
vulnerabilities, and attacks that is needed to mount an
effective defense
1. External monitoring
2. Internal monitoring
3. Planning and risk assessment
4. Vulnerability assessment and
remediation
5. Readiness and review
Monitoring the Internal Environment
Primary Goal:
Maintain informed awareness of the state of the
organization’s networks, information systems, and security
defenses
Internal monitoring accomplished by:
Doing inventory of network devices and channels, IT infrastructure and
applications, and information security infrastructure elements
Leading the IT governance process
Real-time monitoring of IT activity
Monitoring the internal state of the
organization’s networks and systems
Monitoring the Internal Environment
Detecting differences
Difference analysis: procedure that
compares current state of network segment
against known previous state of same
segment
Differences between the current state and
the baseline state that are unexpected
could be a sign of trouble and need
investigation
Suggested Method of Data Source Purpose
Frequency Analysis
Quarterly Manual Firewall rules and logs To verify that new rules follow all risk assessment and
procedural approvals, identify illicit rules; ensure
removal of expired rules and detect tampering
Quarterly Manual Edge router rules and logs To verify that new rules follow all risk assessment and
procedural approvals, identify illicit rules; ensure
removal of expired rules and detect tampering
Quarterly Manual Internet footprint To verify that public internet addresses registered to the
organization are accurate and complete
Monthly Automated Fingerprint all IP addresses To verify that only known and authorized devices
offering critical services can be reached from the
internal network
Weekly Automated Fingerprint services on critical To verify that only known and approved services are
servers on internal network offered from critical servers in the internal network
Daily Automated Fingerprint all IP addresses from To verify that only known and approved servers and
the outside other devices can be reached from the public network
1. External monitoring
2. Internal monitoring
3. Planning and risk assessment
4. Vulnerability assessment and
remediation
5. Readiness and review
Planning and Risk Assessment
Primary objectives
Establishing a formal information security program review
Instituting formal project identification, selection,
planning, and management processes
Coordinating with IT project teams to introduce risk
assessment and review for all IT projects
Integrating a mindset of risk assessment across
organization
Planning and Risk Assessment (2)
1. External monitoring
2. Internal monitoring
3. Planning and risk assessment
4. Vulnerability assessment and
remediation
5. Readiness and review
Vulnerability Assessment & Remediation
Primary goal:
Identification of specific, documented vulnerabilities and their timely
remediation
Accomplished by:
Using vulnerability assessment procedures
Documenting background information and providing tested remediation
procedures for vulnerabilities
Tracking vulnerabilities from when they are identified
Communicating vulnerability information to owners of vulnerable
systems
Reporting on the status of vulnerabilities
Ensuring the proper level of management is involved
Vulnerability Assessment & Remediation
1. Penetration testing
• A level beyond vulnerability testing
• Is a set of security tests and evaluations that
simulate attacks by a malicious external source
(hacker)
• Penetration test (pen test): usually performed
periodically as part of a full security audit
• Can be conducted one of two ways: black box or
white box
Vulnerability Assessment & Remediation
2. Internet vulnerability assessment
- Designed to find and document vulnerabilities present in
organization’s public-facing network
- Steps in the process include:
Planning, scheduling, and notification
Target selection
Test selection
Scanning
Analysis
Record keeping
Vulnerability Assessment & Remediation
Documenting vulnerabilities
• Vulnerability tracking database should
provide details as well as a link to the
information assets
• Low-cost and ease of use makes relational
databases a realistic choice
• Vulnerability database is an essential part of
effective remediation
Vulnerability Assessment & Remediation
Remediating vulnerabilities
Objective is to repair flaw causing a vulnerability instance or
remove risk associated with vulnerability
As last resort, informed decision makers with proper authority can
accept risk
Important to recognize that building relationships with those who
control information assets is key to success
Success depends on organization adopting team approach to
remediation, in place of cross-organizational push and pull
Vulnerability Assessment & Remediation
Threat removal
In some circumstances, threats can be removed without
repairing vulnerability
Other vulnerabilities may be mitigated by inexpensive controls
Vulnerability repair
Best solution in most cases is to repair the vulnerability
Applying patch software or implementing a workaround often
accomplishes this
Most common repair is the application of a software patch
Vulnerability Assessment & Remediation
The Security Maintenance Model
1. External monitoring
2. Internal monitoring
3. Planning and risk assessment
4. Vulnerability assessment and
remediation
5. Readiness and review
Readiness and Review
Primary Goal
keep the information security program functioning
as designed and continuously improving
Accomplished by:
Policy review
Program review
Rehearsals
Readiness and Review
Most organizations:
• Cannot sustain a permanent digital forensics team
• Collect data and outsource analysis
Information security group personnel should be trained to
understand and manage the forensics process to avoid
contamination of potential EM.
Expertise can be obtained by training.
Summary
Configuration and Change Management: Configuration management deals with identification, maintenance,
status reporting, and verification of configurable items. Change management is concerned with the
identification, impact analysis, documentation, and approving or rejecting of change requests.
Factors that are likely to shift an organizations information security posture include; acquisition or disposal
of new assets, staffing changes, busines partnerships, the threat landscape, among others.
Management Resources: ISO 27000 series of standards, NIST Special Publications 800-55 and SP 800-100.
The Security maintenance model is designed to focus organizational effort on maintaining systems and is
based on five subject areas:
1. External monitoring
2. Internal monitoring
3. Planning and risk assessment
4. Vulnerability assessment and remediation
5. Readiness and review
Digital forensics can be used to document what happened during attack on assets and how the attack
occurred, consequently, assist with the information security maintenance effort.