Course on Cyber Security

Overview of Security Management

The contents of this document are the copyright of C-DAC. No part of the
contents may be used or reproduced without prior permission from C-DAC.

Centre For Development Of Advanced Computing


(A Scientific Society of the Ministry of Communications and Information Technology)
2nd Floor, Delta Chambers, Ameerpet
Hyderabad-500016

Acknowledgements:
Department of Information Technology, Government of India.

Overview of Security Management Page 1 of 7



Introduction
In this lesson, an overview of security management is presented. We will discuss the
important concepts of security management, what an Information Security Management
System (ISMS) is, and the activities of security management. We will also study the eight
principles of security management that are very important while designing secure systems.

Security Management
Any information system is prone to attacks, whether by internal users (employees) or by
external users (hackers). An information system can be considered “secure” if it is free
from the ill effects of attacks. However, it is impossible to develop a perfectly secure
system. Hence, the main objective of security management is to minimize the damage from
possible attacks. The management has to specify the security objectives, develop the
procedures and evaluate the system. The management has to provide enough security controls
so that the users develop trust in the information system.

In most organizations, security is managed ‘reactively’: when something goes wrong, the
management reacts to that situation and tries to find out what went wrong. Reactive
management is not healthy management; management has to manage security proactively.
Proactive management involves identifying the information assets, studying the current
practices for securing those assets, identifying the threats and vulnerabilities, and then
identifying the mechanisms that provide the necessary security features. Cost-benefit
analysis and risk analysis are the two important activities in this direction. Proactive
managers have to develop the necessary security policies and procedures. In addition,
management has to invest in training the people and installing security products to
achieve the security goals.

Threats and Counter-measures

The threats to information systems can be environmental or human. Environmental threats
can be divided into natural threats and man-made threats. Natural threats such as floods,
cyclones, typhoons and thunderstorms may destroy the information systems. Man-made threats
can be due to events such as fire, gas leaks, power fluctuations, failure of
air-conditioning etc. Enough precautions need to be taken to overcome the effects of these
threats.

Human threats can be either intentional or unintentional. Intentionally, users may destroy
or steal information; unintentionally, users may delete files or lose backup files.

Security management involves developing counter-measures to overcome the ill effects of
the threats. The management has to develop a security policy and the detailed procedures
to implement the policy. Necessary technology has to be used to overcome the ill effects of
the threats by installing security products such as anti-virus software, firewalls etc. The
management has to emphasize training the people on security; security awareness is
fundamental to good security management. Many employees are ignorant of security
aspects and, as a result, security violations take place.

Information Security Management

Every organization needs to be concerned about its information security. An Information
Security Officer has to be appointed by the top management, who will have the authority to
implement the security controls and who is also responsible for information security. Please
note that authority without responsibility or responsibility without authority is of no use.
The CEO of the organization has to assign the responsibility and authority to the
Information Security Officer. The CEO also needs to allocate the necessary resources
(money and people) for the information security activity. The Information Security Officer
has to identify the threats to the information assets and information systems, analyze the
vulnerabilities, define and assess risk and then work out the countermeasures to be
implemented.

The security system needs to have three components: specifications or policy that defines
what the system is supposed to do; implementation or mechanism that describes how to
achieve the requirements specified in the policy; and assurance, the process of checking
whether the system really meets the security requirements.

Operational Issues
In many organizations, security is not given enough emphasis, mainly because investment in
security costs the management a lot while yielding no direct, visible benefit. The
management has to carry out cost-benefit analysis and risk analysis before deciding on the
likely investment in security. The laws and customs also need to be studied while
formulating the security policy. For example, enough attention has to be given to
intellectual property rights, copyright laws and liability laws. If one employee violates
copyright laws or intellectual property laws, the organization may have to pay severe
penalties. Hence, people management is of prime importance. Information systems need to be
protected from outside attacks by hackers. Equally important is protection from insiders,
that is, employees, as many security violations are due to the employees and ex-employees
of the organization. Lazy system administrators also contribute significantly to security
vulnerabilities. If the system administrator does not apply an operating system patch or
update the anti-virus software, it is likely that the information systems will be attacked
without much difficulty.

Cost Benefit Analysis

For management, Return on Investment (ROI) is of prime concern. However, it is extremely
difficult to calculate the Return on Investment while developing secure information
systems. Training the people, installing security products, carrying out the necessary
security testing etc. cost a lot of money and the direct benefits are not visible. However,
the management has to keep in mind that security violations may cause many indirect losses.
For example, if a hacker defaces the organization’s web site, then there will be a lot of
publicity given to this incident in the press and, as a result, the reputation of the
organization is lost. The same is the case if enough security is not provided for an
e-commerce portal. If the customer/client information shared with the organization is
leaked to a third party, the customer/client may sue the organization, and the organization
is liable to pay a penalty. So, the management has to consider such indirect losses as well
and carry out a cost-benefit analysis.

Risk Analysis
To carry out a realistic cost-benefit analysis, the management has to do a systematic risk
analysis. The management’s objective should be to reduce, to the extent possible, the risk
of losing the information or losing the availability of systems and networks. Risk analysis
is done in four phases. To start with, vulnerability analysis is carried out; this analysis
studies the loopholes in the present systems and networks. After that, the risk is assessed
by estimating the impact of the vulnerabilities on the information. Once all the possible
risks are identified, the risk items have to be prioritized based on the impact. Then the
management has to work out the strategies to reduce the risks. As risk analysis and risk
management are very important management activities, we will discuss them in more detail
in a separate lesson.
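The four phases described above, carried through on a small risk register, as an added
example that is not part of the course material. The sample register, the 1-5 impact and
likelihood scales, the score formula (impact × likelihood) and the treatment threshold
are all constructed assumptions; the course itself prescribes no particular scoring scheme.

```python
from dataclasses import dataclass

# Constructed sample risk register; the 1-5 impact/likelihood scales, the
# score formula and the treatment threshold are assumptions, not from the course.


@dataclass
class Risk:
    asset: str
    vulnerability: str
    impact: int      # 1 (negligible) .. 5 (severe) loss of information or availability
    likelihood: int  # 1 (rare) .. 5 (almost certain)

    @property
    def score(self) -> int:
        # Phase 2: the estimated impact weighted by how likely the vulnerability
        # is to be exploited
        return self.impact * self.likelihood


# Phase 1 output: loopholes found in the present systems (constructed data)
SAMPLE_REGISTER = [
    Risk("customer database", "unpatched database server", impact=5, likelihood=4),
    Risk("public web site", "default admin password on CMS", impact=3, likelihood=5),
    Risk("file server", "backups never tested", impact=4, likelihood=2),
    Risk("HR workstation", "no screen lock", impact=2, likelihood=3),
]


def prioritize(register):
    """Phase 3: order the risk items, highest score first; ties go to higher impact."""
    return sorted(register, key=lambda r: (r.score, r.impact), reverse=True)


def treatment_plan(register, treat_threshold=12):
    """Phase 4: assign a risk-reduction strategy to each item.

    Items at or above the threshold are mitigated (fix the loophole); high-impact
    but unlikely items are transferred (e.g. insured); the rest are accepted and
    monitored. The labels and the threshold are an assumed management policy.
    """
    plan = {}
    for r in prioritize(register):
        if r.score >= treat_threshold:
            plan[r.vulnerability] = "mitigate"
        elif r.impact >= 4:
            plan[r.vulnerability] = "transfer"
        else:
            plan[r.vulnerability] = "accept"
    return plan


if __name__ == "__main__":
    for r in prioritize(SAMPLE_REGISTER):
        print(f"{r.score:2d}  {r.asset:18s} {r.vulnerability}")
    print(treatment_plan(SAMPLE_REGISTER))
```

The point of keeping score and treatment as separate steps is that the ranking is a
technical judgement while the threshold is a management decision about how much residual
risk the organization will carry; changing the threshold reorders nothing, it only moves
the line between "mitigate" and "accept".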


Security Assurance
The management has to take the necessary steps to protect its information assets and this
has to be done by following a very systematic process. The process of ensuring that the
information management system meets its security goals is called security assurance. The
security assurance process can be divided into five sub-processes. These are security
requirements specifications, design of a security system, implementation of the system,
testing the system to ensure that it meets the requirements and periodically auditing the
system to check whether any improvements can be made.

Formal Methods
During the research on information security over the last few decades, many ‘formal’
methods have been developed. Formal methods try to remove the vagueness that is inherent
in natural-language descriptions of security requirement specifications and verification.
Unfortunately, however, these formal methods are popular only in academic and research
circles; they are yet to find wide acceptance in commercial environments. A number of
formal specification and verification languages have been developed to specify and verify
security systems. These methods are used extensively to specify and verify security
protocols and cryptographic protocols such as key distribution, authentication protocols
etc. The main advantage of these formal methods is that you can specify the requirements in
unambiguous terms. If you specify the requirements in a natural language, say English, then
there will be a lot of ambiguity. But then, you need to have the mathematical inclination of
a professor to get into formal methods, and most system administrators and information
security officers do not appreciate the importance of these formal methods.

Formal Evaluation Methodologies

You may claim that your organization provides a secure information system. But then, how
do your clients or customers believe it? They need to develop trust in your information
system, and this is not easy. So, formal evaluation methodologies have been developed,
using which you can submit your information system for evaluation by neutral third parties
who certify that your system is really ‘secure’. These methodologies are used to test
security products as well as security management systems. These formal evaluation
methodologies specify the requirements for the security functionality, the security
assurance requirements, the methodology for determining that the product/system meets the
requirements and a method for evaluating the results.

The various formal evaluation methodologies are: Trusted Computer System Evaluation
Criteria (TCSEC), Information Technology Security Evaluation Criteria (ITSEC) and Common
Criteria (CC). We will discuss the details of these methodologies in a separate lesson.

ISMS
In security management, the concept of Information Security Management System (ISMS)
is very important. The information assets of your organization, the computers and the
networks, the applications and all the information processing technologies together become
the information system. To provide the security, you need to develop the security
objectives, security policy, various security controls that have to be put in place and the
security procedure documents. These form the components of the ISMS.

After the various components of the ISMS are put in place, you need to check whether the
ISMS meets the security objectives. This process is security assurance. Security assurance
is similar to quality assurance: you need to define the process and the procedures and show
documentary evidence that you are really following the procedures. A number of
international standards and frameworks have been developed which describe the best
practices for security management. These include ISO 17799 or BS 7799, SSE-CMM and
OCTAVE. We will study these standards and frameworks in more detail later.

Security System Design Principles

Security management is a very challenging task and many a time a thankless job too. If
things go well, the persons in charge of security are not given any credit; but if things go
wrong, the people in charge of security are blamed. Even when things go well, the security
personnel are blamed for causing a lot of inconvenience in the name of security! But then,
persons in charge of security need to keep some important principles in mind. Saltzer and
Schroeder formulated eight design principles for designing security systems. You can refer
to the book “Computer Security: Art and Science” by Matt Bishop (Pearson Education,
2003) for more details about these principles. We will briefly discuss these 8 principles.

Principle of Least Privileges

The principle of least privileges says “a user should be given only those privileges that are
required to complete his task”. In other words, a user has to be given only that information
which is required; do not give any extra information or extra privileges. As an example, a
person working in the HR department need not be given the privilege even to read the
accounting database.

Principle of Fail-Safe Defaults

The principle of fail-safe defaults says “a user should be denied access to an object unless
he/she is explicitly given access to that object”. In other words, the principle says: by
default, deny access to a particular information asset; if a user has to access that asset,
he should be explicitly given the permission. As an example, suppose you are working on a
multi-user system. When you create a new file, by default it should not carry permission for
others to read or write to the file. You should explicitly give permission for other users
to read or write.
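The two principles just described, least privileges and fail-safe defaults, implemented
together in a small access-control list, as an added example that is not part of the
course. The ACL starts empty, so every request is denied until a matching permission is
granted; the HR clerk receives rights only on the HR database and none on the accounting
database; and a newly created file is readable and writable by its owner alone. The user
names, object names and the read/write action set are constructed for illustration.

```python
from collections import defaultdict


class AccessControl:
    """Access-control list with fail-safe defaults.

    The list starts empty, so every (user, object, action) request is denied
    until that exact permission has been granted explicitly. Names and objects
    used below are constructed for illustration, not from the course.
    """

    def __init__(self):
        self._acl = defaultdict(set)  # (user, obj) -> set of allowed actions

    def grant(self, user, obj, action):
        self._acl[(user, obj)].add(action)

    def revoke(self, user, obj, action):
        self._acl[(user, obj)].discard(action)

    def is_allowed(self, user, obj, action):
        # Default deny: a missing entry is treated exactly like an explicit denial.
        # dict.get() is used so that a lookup never creates an entry as a side effect.
        return action in self._acl.get((user, obj), set())

    def create_file(self, owner, name):
        """Fail-safe default for a new file on a multi-user system: only the
        owner gets read and write; everyone else gets nothing until granted."""
        self._acl[(owner, name)] = {"read", "write"}


def build_sample_policy():
    """Least privileges: each role receives only the permissions its task needs."""
    ac = AccessControl()
    ac.grant("hr_clerk", "hr_database", "read")
    ac.grant("hr_clerk", "hr_database", "write")
    ac.grant("accountant", "accounting_database", "read")
    ac.grant("accountant", "accounting_database", "write")
    # Nothing grants hr_clerk any action on accounting_database, so the
    # default-deny rule keeps the clerk out without any explicit "deny" entry.
    return ac


if __name__ == "__main__":
    ac = build_sample_policy()
    print("hr_clerk reads accounting db:", ac.is_allowed("hr_clerk", "accounting_database", "read"))
    ac.create_file("alice", "notes.txt")
    print("bob reads alice's new file:  ", ac.is_allowed("bob", "notes.txt", "read"))
    ac.grant("bob", "notes.txt", "read")
    print("after explicit grant:        ", ac.is_allowed("bob", "notes.txt", "read"))
```

Because the policy has no "deny" entries at all, there is no ordering problem between allow
and deny rules; the only way to widen access is an explicit grant, which is exactly the
behaviour the principle asks for.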

Principle of Economy of Mechanism

The principle of economy of mechanism says “keep the security mechanisms as simple as
possible”. Many security officers think that the security system should have a lot of
complexity. But if you make the design complex, the implementation will be complex and
testing will be complex, and that creates more problems.

Principle of Complete Mediation

The principle of complete mediation says “every access to an object is checked to ensure
that the access is allowed”. This principle is applied even while designing operating
systems and application software to avoid security violations. For example, you may open a
file, read some data and close the file. Suppose you open a file and then the data is read
twice. If the access check is done only when the file is opened, there is a possibility that
the second read operation is a security violation: someone else’s program checks whether
the file is already open and then carries out an unauthorized read operation. This principle
also puts restrictions on cache operations such as caching the IP address obtained from
DNS, since a cached result is reused without the check being repeated.
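The file example above, worked through in code as an added example that is not part of
the course. Two handle types open the same constructed file: one checks the permission
once at open time and then reuses that decision, the other consults the policy again on
every read. When the reader's permission is revoked between the first and second read,
only the fully mediated handle refuses the second read. The policy class, file contents
and user names are constructed for illustration.

```python
# Constructed sample file contents and policy; not from the course.
SAMPLE_FILES = {"report.txt": ["line 1", "line 2"]}


class Policy:
    """Who may read which file. Permissions can be revoked at any time."""

    def __init__(self):
        self._readers = {"report.txt": {"alice", "bob"}}

    def may_read(self, user, name):
        return user in self._readers.get(name, set())

    def revoke_read(self, user, name):
        self._readers.get(name, set()).discard(user)


class CachedHandle:
    """Anti-pattern: the permission is checked once at open time and the
    decision is implicitly cached for the lifetime of the handle."""

    def __init__(self, policy, user, name):
        if not policy.may_read(user, name):
            raise PermissionError(f"{user} may not open {name}")
        self._lines = iter(SAMPLE_FILES[name])

    def read(self):
        return next(self._lines)  # no check here: stale decision reused


class MediatedHandle:
    """Complete mediation: the policy is consulted on every read, not only on open."""

    def __init__(self, policy, user, name):
        if not policy.may_read(user, name):
            raise PermissionError(f"{user} may not open {name}")
        self._policy, self._user, self._name = policy, user, name
        self._lines = iter(SAMPLE_FILES[name])

    def read(self):
        if not self._policy.may_read(self._user, self._name):
            raise PermissionError(f"{self._user} may no longer read {self._name}")
        return next(self._lines)


def revocation_scenario(handle_cls):
    """Open as bob, read once, revoke bob's right, then read again.

    Returns (first_line, second_line); second_line is None when the read was denied.
    """
    policy = Policy()
    handle = handle_cls(policy, "bob", "report.txt")
    first = handle.read()
    policy.revoke_read("bob", "report.txt")
    try:
        second = handle.read()
    except PermissionError:
        second = None
    return first, second


if __name__ == "__main__":
    print("cached decision  :", revocation_scenario(CachedHandle))
    print("complete mediation:", revocation_scenario(MediatedHandle))
```

The cost of complete mediation is the repeated policy lookup on every operation, which is
why real systems are tempted to cache; the example shows what that cache gives up, namely
that a revocation takes effect only at the next open rather than at the next access.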

Principle of Open Design

The principle of open design says “security of a system should not be dependent on the
secrecy of the design or implementation”. Of course, this is a debatable issue. Many
security experts feel that there is nothing wrong with making your security designs public.
For example, consider cryptography. You need not keep the cryptographic algorithm secret at
all; you need to keep secret only the keys. As long as your cryptographic algorithm is very
strong, there is nothing wrong in making the algorithm public. Of course, those who do not
subscribe to this principle can argue that by keeping the algorithm secret, the hacker will
have a more difficult time trying to decode the text: after all, first he has to try out
different algorithms and then try to decode the text.

Principle of Separation of Privileges

The principle of separation of privileges says “privileges should not be granted based on a
single condition”. A simple example is two persons signing a cheque. When two persons
have to sign a cheque, the cheque will not be cleared if only one person signs it. When two
persons sign it, it can be presumed that both have verified the cheque.
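The two-signature cheque, as an added example that is not part of the course: clearance
requires two distinct authorized signatories, so one person signing twice does not
satisfy the rule, and a signature from someone outside the authorized list rejects the
cheque outright. The signatory names and the required count are constructed.

```python
# Constructed list of people allowed to sign cheques; not from the course.
AUTHORIZED_SIGNATORIES = {"finance_head", "director", "treasurer"}


class ChequeRejected(Exception):
    pass


def clear_cheque(signatures, authorized=AUTHORIZED_SIGNATORIES, required=2):
    """Clear a cheque only when at least `required` distinct authorized persons
    have signed it. Returns True on clearance and raises ChequeRejected otherwise."""
    signers = set(signatures)  # one person signing twice still counts as one condition
    unauthorized = signers - authorized
    if unauthorized:
        raise ChequeRejected(f"unauthorized signer(s): {sorted(unauthorized)}")
    if len(signers) < required:
        raise ChequeRejected(f"only {len(signers)} of {required} required signatures")
    return True


def try_clear(signatures):
    """Boolean wrapper around clear_cheque for quick checks."""
    try:
        return clear_cheque(signatures)
    except ChequeRejected:
        return False


if __name__ == "__main__":
    for sigs in (["director"], ["director", "director"],
                 ["director", "intern"], ["director", "treasurer"]):
        print(sigs, "->", try_clear(sigs))
```

Collapsing the signatures into a set before counting is the whole of the principle: the
privilege is granted on two independent conditions, not on one condition presented twice.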

Principle of Least Common Mechanism

The principle of least common mechanism says “mechanisms for accessing resources
should not be shared”. This principle is generally implemented in demilitarized zones
(DMZs). When both genuine users (say employees of the organization) and outsiders (some
genuine users and some hackers) access the web site, the access mechanism should be
different. In a DMZ, this access is divided by incorporating an inner firewall and an outer
firewall.

Principle of Psychological Acceptability

The principle of psychological acceptability says “it should be easy to access resources in
spite of security mechanisms”. It is very easy to say this, but in practice it is very
difficult. At airports we want good security, but we do not like the inconvenience caused
by frisking. However, the management needs to minimize the inconvenience that the security
mechanisms cause to users.

Vulnerability Analysis
Keeping in view the eight principles described above, the information system security has
to be designed and implemented. But then, there is no guarantee that the system is fully
secure. So, periodically, vulnerability analysis has to be carried out to find the loopholes
in the security system. This is done through systematic testing by simulating attacks. The
attacks can be insider attacks (by employees) or outsider attacks (by external users). By
simulating insider attacks and outsider attacks, the vulnerability analysis is done and
loopholes are discovered. Nowadays, ‘ethical hackers’ are being employed to do the
vulnerability analysis. Note that vulnerability analysis requires a lot of ingenuity.

Security Products
After the loopholes are found, the next step is to prevent attacks by introducing the
necessary security features into the information systems. A number of security products
such as anti-virus software, intrusion detection systems, intrusion prevention systems,
firewalls, access control systems, forensic tools etc. need to be installed so that the
information systems are protected from hackers.

The major suppliers of security products are Check Point, Cisco, Juniper Networks, McAfee,
PortWise, RSA Security, Symantec, Trend Micro, WatchGuard etc. You may like to go
through their web sites, which give a wealth of information on security and their products.
However, note that just installing high-end security products is not enough; policies,
procedures and trained people are a must for a system to be really secure.


Summary
• Security management involves identification of information assets, current security
practices, threats and vulnerabilities and development of security policy, security
procedures and training the people.
• The top management has to commit itself to information security by allocating the
necessary resources and identifying the persons responsible for information security.
• Security management can be divided into three important activities: requirements
specifications, which describe what the system is supposed to do; implementation,
which describes how to do it; and assurance, which is the process of checking whether
the system is really working as per the requirements.
• Information Security Management System (ISMS) covers the information assets,
systems and networks and all related information processing technologies.
• The various components of ISMS are: security objectives, security policy, security
controls and security procedure documents.
• While designing a security system, the eight design principles need to be kept in
mind.
