Information Security - Ch12
Principles of Information Security
Sixth Edition
Chapter 12
Information Security Maintenance
Copyright © 2018 Cengage. May not be copied, scanned, or duplicated, in whole or in part, except for use as
permitted in a license distributed with a certain product or service or otherwise on a password-protected website
for classroom use.
Learning Objectives (1 of 2)
Learning Objectives (2 of 2)
Introduction
NIST SP 800-100 Information Security Handbook: A Guide for Managers (1 of 6)
• The handbook provides managerial guidance for establishing and implementing an information security program.
• Thirteen areas of information security management are presented
– Specific monitoring activities are provided for each task.
– Tasks should be done on an ongoing basis.
– Not all issues are negative.
• Information security governance
– Agencies should monitor the status of their programs to ensure:
▪ Ongoing information security activities are providing appropriate support
NIST SP 800-100 Information Security Handbook: A Guide for Managers (2 of 6)
▪ Policies and procedures are current
▪ Controls are accomplishing their intended purpose
• System Development Life Cycle: the overall process of developing, implementing, and retiring information systems through a multistep process.
• Awareness and training
– Tracking system should capture key information on program activities.
– Tracking compliance involves assessing the status of the program
– Security policies must continue to evolve
NIST SP 800-100 Information Security Handbook: A Guide for Managers (3 of 6)
• Capital planning and investment control
– Departments are required to allocate funding toward the highest-priority investments
– Designed to facilitate the expenditure of agency funds
• Interconnecting systems
– The direct connection of two or more information systems for sharing data and other information resources
– Can expose the participating organizations to risk
– If one of the connected systems is compromised, the interconnection could be used as a conduit
NIST SP 800-100 Information Security Handbook: A Guide for Managers (4 of 6)
• Performance measures
– Metrics should be used for monitoring the performance of information security controls
– Six-phase iterative process
• Security planning
– One of the most crucial ongoing responsibilities in security management
• Information technology contingency planning
– Consists of a process for recovery and documentation of procedures
NIST SP 800-100 Information Security Handbook: A Guide for Managers (5 of 6)
• Risk management
– Ongoing effort
– Tasks include performing risk identification, analysis, and management
• Certification, accreditation, and security assessments
– An essential component of any security program
– The status of security controls is checked regularly
– Auditing: the review of a system’s use to determine if misuse or malfeasance has occurred
NIST SP 800-100 Information Security Handbook: A Guide for Managers (6 of 6)
• Security services and products acquisition
• Incident response: incident response life cycle
• Configuration (or change) management: manages the effects of changes in configurations, five-step process
Figure 12-1 Information security measurement program implementation
Figure 12-4 The maintenance model
Monitoring the External Environment (1 of 7)
• Objective: to provide early awareness of new and emerging threats, threat agents, vulnerabilities, and attacks so the organization can mount an effective defense.
• Entails collecting intelligence from data sources and giving that intelligence context and meaning for use by organizational decision makers.
• Data sources
– Acquiring threat and vulnerability data is not difficult
– Turning data into information decision makers can use is the challenge
Monitoring the External Environment (2 of 7)
– External intelligence comes from vendors, computer emergency response teams (CERTs), public network sources, or membership sites
– Regardless of where or how external monitoring data are collected, they must be analyzed in the context of the organization’s security environment to be useful
• Monitoring, escalation, and incident response
– The function of the external monitoring process is to monitor activity, report results, and escalate warnings
– The monitoring process has three primary deliverables:
Monitoring the External Environment (3 of 7)
▪ Specific warning bulletins issued when developing threats and specific attacks pose measurable risk to the organization
▪ Periodic summaries of external information
▪ Detailed intelligence on highest-risk warnings
• Data collection and management
– Over time, external monitoring processes should capture information about the external environment in appropriate formats
– External monitoring collects raw intelligence, filters for relevance, assigns a relative risk impact, and communicates to decision makers in time to make a difference
Monitoring the External Environment (4 of 7)
• Primary goal is an informed awareness of the state of the organization’s networks, systems, and security defenses.
• Internal monitoring is accomplished by:
– Inventorying network devices and channels, IT infrastructure and applications, and information security infrastructure elements
– Leading the IT governance process
– Real-time monitoring of IT activity
– Monitoring the internal state of the organization’s networks and systems
Monitoring the External Environment (5 of 7)
• Network characterization and inventory
– Organizations should have and maintain a carefully planned and fully populated inventory of network devices, communication channels, and computing devices
– Once characteristics are identified, they must be carefully organized and stored using a mechanism (manual or automated) that allows timely retrieval and rapid integration of disparate facts
Monitoring the External Environment (6 of 7)
• Making intrusion detection and prevention systems work
– The most important value of raw intelligence provided by the intrusion detection system (IDS) is providing indicators of current or imminent vulnerabilities
– Log files from IDS engines can be mined for information
– Another IDS monitoring element is traffic analysis
– Analyzing attack signatures from unsuccessful system attacks can identify weaknesses in various security efforts
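The slide lists what IDS logs can yield but not how the mining is done. The following is an added example, not from the textbook or its publisher: it parses constructed alert lines (the format is invented to resemble a one-line alert log, not real engine output), cross-references each alert's target against an inventory of the services the host actually exposes, and so separates "indicators of current or imminent vulnerability" (alerts aimed at a port the host really serves) from attack noise, while a simple traffic-analysis view counts the noisiest sources. The inventory, signature ids and addresses are all constructed.

```python
import re
from collections import Counter

# Constructed IDS alert lines. The layout loosely imitates a one-line "fast"
# alert format but is invented for this example, not real engine output.
ALERTS = """\
2024-03-01T10:00:01 [1:2001] "WEB-ATTACK SQL injection attempt" [Priority: 1] {TCP} 203.0.113.5:51000 -> 10.0.1.10:443
2024-03-01T10:00:02 [1:2001] "WEB-ATTACK SQL injection attempt" [Priority: 1] {TCP} 203.0.113.5:51001 -> 10.0.1.10:443
2024-03-01T10:00:03 [1:2001] "WEB-ATTACK SQL injection attempt" [Priority: 1] {TCP} 203.0.113.5:51002 -> 10.0.1.10:443
2024-03-01T10:00:04 [1:3010] "SMB exploit attempt" [Priority: 1] {TCP} 203.0.113.5:51003 -> 10.0.1.10:445
2024-03-01T10:05:10 [1:3010] "SMB exploit attempt" [Priority: 1] {TCP} 198.51.100.7:40000 -> 10.0.1.12:445
2024-03-01T10:05:11 [1:4000] "SCAN OS fingerprint probe" [Priority: 3] {TCP} 198.51.100.7:40001 -> 10.0.1.11:22
this line is malformed and must be skipped
"""

# Constructed inventory from network characterization: host -> {port: service}.
INVENTORY = {
    "10.0.1.10": {443: "https"},
    "10.0.1.11": {22: "ssh"},
    "10.0.1.12": {445: "smb"},
}

ALERT_RE = re.compile(
    r'^(?P<ts>\S+) \[(?P<sid>[^\]]+)\] "(?P<msg>[^"]+)" \[Priority: (?P<prio>\d+)\] '
    r'\{(?P<proto>\w+)\} (?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$'
)


def parse_alerts(text):
    """Parse alert lines into dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = ALERT_RE.match(line)
        if m:
            e = m.groupdict()
            e["prio"] = int(e["prio"])
            e["dport"] = int(e["dport"])
            events.append(e)
    return events


def exposure_indicators(events, inventory):
    """Split alerts by whether the target actually exposes the attacked port.

    Alerts against a port the host really serves are indicators of a current
    or imminent vulnerability and deserve follow-up; alerts against ports the
    host does not expose are attack noise (still useful for traffic analysis).
    """
    hits, noise = Counter(), Counter()
    for e in events:
        if e["dport"] in inventory.get(e["dst"], {}):
            hits[(e["dst"], e["sid"], e["msg"])] += 1
        else:
            noise[(e["dst"], e["sid"])] += 1
    return hits, noise


def top_sources(events, n=3):
    """Traffic-analysis view: the sources generating the most alerts."""
    return Counter(e["src"] for e in events).most_common(n)


def prioritised_report(events, inventory):
    """Highest-risk indicators first: priority-1 hits on exposed services."""
    hits, _ = exposure_indicators(events, inventory)
    prio = {(e["dst"], e["sid"], e["msg"]): e["prio"] for e in events}
    return sorted(hits.items(), key=lambda kv: (prio[kv[0]], -kv[1]))


if __name__ == "__main__":
    evts = parse_alerts(ALERTS)
    for (dst, sid, msg), count in prioritised_report(evts, INVENTORY):
        print(f"{dst} {sid} {msg!r}: {count} alert(s) against an exposed service")
    print("top sources:", top_sources(evts))
```

The inventory join is the point: without it every alert looks equally urgent, with it the three injection attempts against the web server's real HTTPS port rise to the top while the SMB attempt against a host with no SMB service is logged as noise. Keeping the inventory current (the network characterization step on the earlier slide) is what makes this classification trustworthy.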
Monitoring the External Environment (7 of 7)
• Detecting differences
– Difference analysis: procedure that compares the current state of a network segment against a known previous state of the same segment
– Unexpected differences between the current state and the baseline state could indicate trouble
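Difference analysis as a runnable procedure, added here as an example and not taken from the textbook: a baseline and a current snapshot of one segment (both constructed, host to set of listening port/service pairs) are compared, and the result is filtered against a hypothetical list of changes that change control has already approved, so that only the unexpected differences are reported. The addresses, services and the APPROVED set are assumptions for the example.

```python
from dataclasses import dataclass, field

# Constructed baseline: host -> set of (port, service) recorded in the inventory
# the last time the segment was characterised.
BASELINE = {
    "10.0.1.10": {(22, "ssh"), (443, "https")},
    "10.0.1.11": {(22, "ssh"), (3306, "mysql")},
    "10.0.1.12": {(22, "ssh")},
}

# Constructed current snapshot of the same segment: a new host appeared, a
# database port opened on the web server, one host vanished, and one change
# (a metrics exporter on the database host) went through change control.
CURRENT = {
    "10.0.1.10": {(22, "ssh"), (443, "https"), (3306, "mysql")},
    "10.0.1.11": {(22, "ssh"), (3306, "mysql"), (9100, "node-exporter")},
    "10.0.1.13": {(22, "ssh"), (80, "http")},
}

# Hypothetical record of changes already approved by change control.
APPROVED = {("10.0.1.11", 9100, "node-exporter")}


@dataclass
class Differences:
    new_hosts: set = field(default_factory=set)
    missing_hosts: set = field(default_factory=set)
    opened: set = field(default_factory=set)   # (host, port, service) now listening
    closed: set = field(default_factory=set)   # (host, port, service) no longer listening


def difference_analysis(baseline, current):
    """Compare the current state of a segment with its known previous state."""
    diff = Differences()
    diff.new_hosts = set(current) - set(baseline)
    diff.missing_hosts = set(baseline) - set(current)
    for host in set(baseline) & set(current):
        diff.opened.update((host, p, s) for p, s in current[host] - baseline[host])
        diff.closed.update((host, p, s) for p, s in baseline[host] - current[host])
    for host in diff.new_hosts:          # everything on an unknown host is new
        diff.opened.update((host, p, s) for p, s in current[host])
    return diff


def unexpected_changes(diff, approved):
    """Differences the baseline did not predict and change control did not approve.

    These are the ones that could indicate trouble; approved changes are
    filtered out so the report is actionable rather than a full changelog.
    """
    findings = []
    for host in sorted(diff.new_hosts):
        findings.append(f"new host {host} not in inventory")
    for host in sorted(diff.missing_hosts):
        findings.append(f"inventoried host {host} no longer responding")
    for host, port, svc in sorted(diff.opened - approved):
        findings.append(f"{host}: {svc}/{port} now listening without an approved change")
    for host, port, svc in sorted(diff.closed - approved):
        findings.append(f"{host}: {svc}/{port} stopped listening without an approved change")
    return findings


if __name__ == "__main__":
    for line in unexpected_changes(difference_analysis(BASELINE, CURRENT), APPROVED):
        print(line)
```

Once a reported difference has been investigated and either approved or reverted, the baseline is rolled forward to the new state; otherwise the same finding is raised on every run and the report loses its value.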
Figure 12-4 External monitoring
Figure 12-6 Internal monitoring
Planning and Risk Assessment (1 of 4)
Planning and Risk Assessment (2 of 4)
Planning and Risk Assessment (3 of 4)
– A recommended approach takes advantage of the fact that most organizations have annual capital budget planning cycles and manage security projects as part of that process
• Large projects should be broken into smaller projects for several reasons
– Smaller projects tend to have more manageable impacts on networks and users
– Larger projects tend to complicate the change control process in the implementation phase
– Shorter planning, development, and implementation schedules reduce uncertainty
Planning and Risk Assessment (4 of 4)
Figure 12-7 Planning and risk assessment
Vulnerability Assessment and Remediation (1 of 11)
• Primary goal: identification of specific, documented vulnerabilities and their timely remediation
• Accomplished by:
– Using vulnerability assessment procedures
– Documenting background information and providing tested remediation procedures for vulnerabilities
– Tracking vulnerabilities from the time they are identified
– Communicating vulnerability information to owners of vulnerable systems
– Reporting on the status of vulnerabilities
– Ensuring that the proper level of management is involved
Vulnerability Assessment and Remediation (2 of 11)
• The process of identifying and documenting specific and provable flaws in the organization’s information asset environment.
• The following five vulnerability assessment processes can help many organizations balance the intrusiveness of vulnerability assessment with the need for a stable and effective production environment.
• Penetration testing
– A level beyond vulnerability testing
– A set of security tests and evaluations that simulate attacks by a malicious external source (hacker)
Vulnerability Assessment and Remediation (3 of 11)
– Penetration test (pen test): usually performed periodically as part of a full security audit
– Can be conducted one of two ways: black box or white box
• Internet vulnerability assessment
– Designed to find and document vulnerabilities present in an organization’s public network
– Steps in the process include:
▪ Planning, scheduling, and notification
▪ Target selection
▪ Test selection
Vulnerability Assessment and Remediation (4 of 11)
▪ Scanning
▪ Analysis
▪ Record keeping
• Intranet vulnerability assessment
– Designed to find and document the selected vulnerabilities likely present on the internal network
– Attackers are often internal members of the organization, affiliates of business partners, or automated attack vectors (such as viruses and worms)
– This assessment is usually performed against critical internal devices with a known, high value by using selective penetration testing
Vulnerability Assessment and Remediation (5 of 11)
– Steps in the process are almost identical to the steps in the Internet vulnerability assessment
• Platform security validation
– Designed to find and document vulnerabilities that may be present because misconfigured systems are in use within the organization
– These misconfigured systems fail to comply with company policy or standards
– Fortunately, automated measurement systems are available to help with the intensive process of validating the compliance of platform configuration with policy
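What an automated measurement of platform compliance looks like at its core, as an added example that is not from the textbook and names no particular product: a hypothetical configuration standard for an SSH daemon is expressed as rules, a constructed sshd_config-style file is parsed the way the daemon reads it (first occurrence of a directive wins, comments ignored), and every rule is checked against the effective value, including the daemon's default when a directive is absent, so a commented-out hardening line is caught rather than silently passing. The POLICY rules and the sample file are assumptions for the example; the defaults listed are those OpenSSH applies when the directive is omitted.

```python
import re

# Hypothetical configuration standard, written as
# directive -> (default when the directive is absent, predicate, rationale).
# The defaults are what OpenSSH uses when the directive is omitted.
POLICY = {
    "PermitRootLogin": ("prohibit-password", lambda v: v == "no",
                        "root must not log in directly over SSH"),
    "PasswordAuthentication": ("yes", lambda v: v == "no",
                               "key-based authentication only"),
    "X11Forwarding": ("no", lambda v: v == "no",
                      "no X11 forwarding on servers"),
    "MaxAuthTries": ("6", lambda v: v.isdigit() and int(v) <= 4,
                     "limit authentication attempts per connection"),
}

# Constructed sshd_config-style sample collected from a host under validation.
SAMPLE_CONFIG = """\
# sshd_config (constructed sample)
Port 22
PermitRootLogin yes
#PasswordAuthentication no
X11Forwarding no
MaxAuthTries 10
"""


def parse_config(text):
    """Return effective directives: first occurrence wins, comments ignored,
    directive names compared case-insensitively (as sshd does)."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) != 2:
            continue
        settings.setdefault(parts[0].lower(), parts[1].strip())
    return settings


def validate(config_text, policy):
    """Compare a host's effective configuration with policy.

    Returns a list of findings (directive, effective value, rationale).
    An absent directive is judged by its default, so a commented-out
    hardening line is reported instead of silently passing.
    """
    settings = parse_config(config_text)
    findings = []
    for key, (default, ok, rationale) in policy.items():
        effective = settings.get(key.lower(), default)
        if not ok(effective):
            findings.append((key, effective, rationale))
    return findings


def compliance_score(config_text, policy):
    """Fraction of policy items satisfied, for trend reporting across hosts."""
    return 1 - len(validate(config_text, policy)) / len(policy)


if __name__ == "__main__":
    for key, value, why in validate(SAMPLE_CONFIG, POLICY):
        print(f"NON-COMPLIANT {key}={value}: {why}")
    print(f"score: {compliance_score(SAMPLE_CONFIG, POLICY):.2f}")
```

The same validate() run over a fleet's collected configurations gives the per-platform compliance view the slide describes; the score is only a trend indicator, and each finding still carries its rationale so the system owner knows what to fix and why.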
Vulnerability Assessment and Remediation (6 of 11)
• Wireless vulnerability assessment
– Designed to find and document vulnerabilities that may be present in the wireless local area networks of the organization
– Since attackers from this direction are likely to take advantage of any flaw, assessment is usually performed against all publicly accessible areas using every possible wireless penetration testing approach
Vulnerability Assessment and Remediation (7 of 11)
• Documenting vulnerabilities
– The vulnerability database should provide details about each reported vulnerability as well as a link to the information assets affected
– Low cost and ease of use make relational databases a realistic choice
– The vulnerability database is an essential part of effective remediation
Vulnerability Assessment and Remediation (8 of 11)
• Remediating vulnerabilities
– The objective is to repair the flaw causing a vulnerability instance or remove the risk associated with the vulnerability
– As a last resort, informed decision makers with proper authority can accept the risk
– It is important to recognize that building relationships with those who control information assets is key to success
– Success depends on the organization adopting a team approach to remediation, in place of cross-organizational push and pull
Vulnerability Assessment and Remediation (9 of 11)
• Acceptance or transference of risk
– In some instances, risk must be either simply acknowledged as part of the organization’s business process or transferred to another organization via insurance
– Management must be assured that decisions made to accept risk or buy insurance were made by properly informed decision makers
– Information security must make sure the right people make risk assumption decisions with complete knowledge of the impact of the decision
Vulnerability Assessment and Remediation (10 of 11)
• Threat removal
– In some circumstances, threats can be removed without repairing the vulnerability
– Other vulnerabilities may be mitigated by inexpensive controls
• Vulnerability repair
– The best solution in most cases is to repair the vulnerability
– Applying a software patch or implementing a workaround often accomplishes this
– The most common repair is the application of a software patch
Vulnerability Assessment and Remediation (11 of 11)
• Primary goal is to keep the information security program functioning as designed and continuously improving.
• Accomplished by:
– Policy review
– Program review
– Rehearsals
Figure 12-8 Vulnerability assessment and remediation
Figure 12-9 Readiness and review
Digital Forensics (1 of 2)
Digital Forensics (2 of 2)
The Digital Forensics Team
• Most organizations
– Cannot sustain a permanent digital forensics team
– Collect data and outsource analysis
• Information security group personnel should be trained to understand and manage the forensics process to avoid contamination of potential evidentiary material (EM).
• Expertise can be obtained by training.
Affidavits and Search Warrants
• Affidavit
– Sworn testimony that certain facts are in the possession of the investigating officer; can be used to request a search warrant
– The facts, the items, and the place must be specified
• When an approving authority signs the affidavit, it becomes a search warrant, giving permission to
– Search for EM at a specified location
– Seize specific items for official examination
Digital Forensics Methodology
Figure 12-10 The digital forensics process
Evidentiary Procedures
Summary
• Maintenance of the information security program is essential
• Security management models assist in planning for ongoing operations
• It is necessary to monitor the external and internal environment
• Planning and risk assessment are the essential parts of information security maintenance
• Need to understand how vulnerability assessment and remediation tie into information security maintenance
• Need to understand how to build readiness and review procedures into information security maintenance
• Digital forensics and management of the digital forensics function
Questions