8. Security Management

8.1. Introduction

Computer security has become a very important subject for companies and institutions, as well as individuals. Because of this, numerous legal texts have been enacted in most of the world’s countries to structure this area and define solutions and measures to adopt when securing computer systems, which constitute the backbone and a valuable asset for companies, as well as individuals.

A security audit is a necessary legal and economic requirement for the survival and existence of the company, as well as for its reputation and influence. It is a periodic task led by security experts to identify security vulnerabilities and faults, along with the appropriate solutions and recommendations. A new discipline has thus been developed, that of the security consultant or auditor.

An audit goes through three necessary stages. The first step concerns the organizational and physical aspect. It identifies structural and physical vulnerabilities. Then, the second step is devoted to the technical aspect. It consists of uncovering security faults at various levels and providing the necessary solutions for such problems. Finally, the intrusive test must be passed, which consists of bombarding our own system with a series of attacks to evaluate how robust it is.

In the domestic sphere, as well as at the company level, it is necessary to plan a security policy with the objective of limiting risks, attenuating attacks and increasing the efficiency of security solutions. A security policy covers several axes, intervenes at several levels and calls on different actors to apply it appropriately.

In order to develop a security policy, it is necessary to first test the state of things and evaluate the existing level of security.

The development and follow-through of a security policy is governed by a piloting committee led by a security manager. Once the policy is developed, depending on the existing norms and standards and the identified interlocutors, its application will require the definition of directives and procedures that will facilitate its implementation and efficiency.

8.2. Security audits

A security audit, required by law in many countries, is necessary for a company to overcome the challenges of attacks and security failures.

8.2.1. Objectives

Security presents a very specific and specialized problem that can under no circumstances be resolved internally or by company personnel. Their expertise may be limited, which could prevent them from properly identifying and fixing the problem. An audit must warn users first, and after the identification of faults, must then provide solutions and measures to face them, in the form of recommendations.

8.2.1.1. Creating a security culture

Security is a culture above all, and the personnel of a company must have a minimum of this culture if they are to remain aware, secure and behave appropriately when faced with potential attacks.

An audit must focus on security and make the management, agents and clients aware of the issue of security by identifying bad habits. This culture can be presented through organizations, posters, charters and control measures limiting physical and computer access.

8.2.1.2. Establishing technical security solutions

After identifying security faults, the audit team must try to find solutions for such problems. The solutions must cover several aspects:

  • – topology and the interconnections of the local network;
  • – Internet connection;
  • – operating systems;
  • – applications in use;
  • – current means for authentication.

8.2.2. Audit action diagram

The action diagram during an audit is summarized in the following figure.

[Figure: schematic illustration of the action diagram in an audit.]

Figure 8.1. Action diagram in an audit

The first phase is devoted to the documentation and preparation of the task, with a precise and clear definition of the actors, interlocutors, circumstances, limits and obligations.

The second phase is the audit in the strictest sense, the on-site intervention using the appropriate generic and specific tools, both technical and otherwise.

Finally, during the third phase, the audit team focuses on the analysis of the results and the writing of a report.

Companies should not limit themselves to getting audits and then leaving the report to one side. It is important to apply the recommendations made, especially when the report is validated by authorized authorities.

Structure of computing and/or security services

Most companies neglect computing and security insofar as it serves as a tool facilitating the work and is not in and of itself a productive unit. The measures taken for computing are the product of numerous users who are not specialists in the field. For this reason, following every consultation, it is necessary to create, restructure, enrich and ensure the independence of the computing services and/or the security unit.

Training

For personnel development, training activities are necessary. The audit must provide an indicator regarding security knowledge within a company, and the investment in training should be based on this indicator.

Establishing security solutions

This is the technical aspect to implement after a security consultation. It covers several areas:

  • – Internet connection;
  • – antivirus;
  • – firewall;
  • – encryption;
  • – authentication.

8.2.3. Organizational and physical audit

Also called a high-level audit, this estimates risk by analyzing organizational and physical vulnerabilities.

8.2.3.1. Objectives

This is a preliminary stage that allows us to critique organizations and uncover bad structures or a bad division of labor and responsibilities among the participants.

The second stage is devoted to physical security through a critique of physical access to computing system sites.

8.2.3.2. Utilities and implementation

The discovery of organizational and physical vulnerabilities is done through appropriate questionnaires for management, agents and clients, covering various aspects.

We can also use known models that offer a database of questionnaires related to many topics, and that can be adapted depending on the context of the audited company. This produces statistics and security indicators.

There are two possible approaches: ascending and descending.

  • Descending approach: this is a systematic, complete approach, but takes a long time to implement.
  • Ascending approach: this is an intuitive, incomplete approach whose implementation is fast, but has certain oversights in terms of precision.

8.2.4. Technical audit

Also called a low-level audit, this identifies technical vulnerabilities (in systems and networks). This part requires expertise from the auditors that covers multiple areas. There are several aspects that require auditing:

  • – network topology;
  • – system resistance;
  • – servers;
  • – connection equipment;
  • – network applications;
  • – DBMSs (database management systems) and databases;
  • – messaging systems;
  • – specific applications.

8.2.4.1. Objectives

This is the most important part, providing an audit of systems and computer applications by finding technical vulnerabilities and faults, on the one hand, and formulating appropriate technical recommendations, on the other hand.

A technical audit requires auditors with a minimum of expertise who will discuss issues with administrators and security managers by way of questionnaires and discussions, as well as the use of appropriate tools for systems, services and applications.

The tools used vary depending on the context and importance of the computer service and its content in terms of equipment and deployed solutions, data traffic, services and functions provided.

8.2.4.2. Implementation tools

Many computing tools can be used for a technical audit. The most appropriate tools are free software, the very same tools used by hackers and attackers.

Examples of these tools are as follows:

  • Nessus: this is a tool that discovers security faults in a network or network segment.
  • NMAP: this is a tool that identifies open ports on a network, sub-network or computer.
  • LANguard: this is a tool that detects missing patches, shares, open ports, unused user accounts and missing service packs.

8.2.5. Intrusive test

This is a simulation of attacks that tests the strength of a computer system and its response to attacks. It consists of using attack tools and observing the way the system reacts. The intrusive test must be scheduled carefully to avoid disrupting normal operation.

8.2.6. Audit methodologies

There are several audit methodologies that can be adapted during an audit.

8.2.6.1. ISO 17799

Descended from the British BS 7799 norm, the ISO 17799 norm provides guidelines and recommendations for managing security [1].

The ISO 17799 norm thus offers a model for identifying and implementing solutions for the following risks:

  • Security policy: this writes and disseminates the company security policy.
  • Security organization: this defines roles and responsibilities, and also takes control of partners and outside activity.
  • Asset classification and control: this takes inventory of company assets and defines how critical they are and their associated risk.
  • Personnel security: this consists of hiring, training and security sensitivity training.
  • Physical and environmental security: this consists of security perimeters and an inventory of security equipment.
  • Communication and operation management: this consists of procedures in case of an accident, recovery plans, definition of service levels and recovery times.
  • Access control: this consists of establishing access controls at different levels (systems, networks, buildings, etc.).
  • System development and maintenance: this takes into account security notions in systems from conception to maintenance.
  • Business continuity planning: this consists of definitions of availability needs, recovery times and emergency exercises.
  • Compliance: this consists of respecting author rights, legislation and the rules of the company.

8.2.6.2. MARION

The MARION method (acronym for the French equivalent of Methodology of Analysis of Computing Risks Oriented by Level) is an audit methodology that, as its name suggests, evaluates the level of security in a company (the risks) by way of weighted questionnaires that provide indicators in the form of scores on different topics related to security.

The level of security is evaluated following 27 indicators divided into six themes, each given a score of 0 to 4, with level 3 being the level to reach if we are to have what is considered adequate security. The method is based on questionnaires focusing on precise areas. The questionnaires must allow vulnerabilities specific to the company in all areas of security to be evaluated.

The group of indicators is evaluated using several hundred questions, whose responses are weighted (the weightings evolving along with the updates to the method).

The themes are as follows:

  • – organizational security;
  • – physical security;
  • – continuity;
  • – computer organization;
  • – computer security and use;
  • – application security.

8.2.6.3. MEHARI

MEHARI (acronym for the French equivalent of Harmonized Method of Risk Analysis) is derived from two other risk analysis methods, MARION and MELISA. This method was developed and kept in France by CLUSIF, the French Security Club for Information Systems. MEHARI is one of the most commonly used methods of risk analysis today. This method appears to be a veritable tool kit for computer system security, identifying risks within an organization in various ways. This tool kit is made up of several modules which, independently of the selected security method, provide in particular:

  • – an analysis of security stakes (by describing the types of feared malfunctions), and a classification of resources and information following the three basic tenets of security: confidentiality, integrity and availability;
  • – an audit of security services to evaluate the efficiency of each, its control and to summarize vulnerabilities;
  • – an analysis of risky situations, providing an evaluation of possibilities and intrinsic impacts, as well as risk attenuation factors, and finally, an indicator of risk gravity.

8.3. Security policy demonstration

A security policy, written and published, must be established in any organization making use of a large- or medium-sized computer system. It requires a test to validate and measure the requirements and the existing levels of security.

8.3.1. Security test and evaluation

Tests and evaluations are a necessary first step before proceeding to the formulation of a security policy. Security tests take many forms and use diverse and targeted tools.

8.3.1.1. Security test types

Security tests are used to verify the strength of a computer system and identify weaknesses and limits. These tests fall into the following categories:

  • – penetration test;
  • – network analysis;
  • – vulnerability analysis;
  • – password cracking;
  • – examination of records;
  • – integrity control;
  • – virus detection.

These types of tests cover the different areas of security and their results make up an inventory of the computer system, which will be the starting point for defining and formulating a security policy.

8.3.1.2. Security test tools

To provide an efficient evaluation, we should use different types of free software, the same ones used by hackers and attackers.

The most commonly used tools are:

  • – Nmap/Zenmap;
  • – SuperScan;
  • – SIEM;
  • – GFI LANguard;
  • – Tripwire;
  • – Nessus;
  • – L0phtCrack;
  • – Metasploit.

Nmap/Zenmap

Nmap, short for Network Mapper, is a free and open-source tool used for network discovery and security audits [2]. Many system and network administrators also find it useful for tasks such as network inventories, scheduling service updates and monitoring host or service availability. Nmap uses raw IP packets in an innovative way to determine which hosts are available on the network, which services (name and application version) these hosts offer, which operating systems (and versions) they run, what kind of packet filters or firewalls are in use and dozens of other characteristics. It was designed to scan large networks quickly, but works very well against single hosts. Nmap runs on all the principal operating systems, and official binary packages are available for Linux, Windows and Mac OS X. In addition to the traditional command-line Nmap executable, the latest version includes an advanced graphical interface and results viewer (Zenmap), a flexible tool for data transfer, redirection and debugging (Ncat), a tool for comparing scan results (Ndiff) and a tool for packet generation and response analysis (Nping).

Nmap has the following characteristics:

  • Flexible: it takes charge of dozens of advanced techniques to map out networks filled with IP filters, firewalls, routers and other obstacles. This includes numerous mechanisms for analyzing ports (TCP and UDP), detecting operating systems, versions, ping sweeps and so on.
  • Powerful: Nmap has been used to analyze enormous networks with literally hundreds of thousands of computers.
  • Portable: most operating systems are supported, namely, Linux, Microsoft Windows, FreeBSD, OpenBSD, Solaris, IRIX, Mac OS X, HP-UX, NetBSD, Sun OS, Amiga and so on.
  • Easy: traditional command-line versions are available in addition to graphical versions (GUI), distributed as binaries for those who do not wish to compile Nmap from source.
  • Free: the principal objective of the Nmap project is to contribute to making the Internet a bit more secure and offer administrators, auditors and hackers an advanced tool for exploring networks. Nmap is available for free download, and is also delivered with a complete source code that can be modified and redistributed according to the license terms.

Zenmap is the official graphic interface of the security scanner, Nmap. It is a free and open-source multi-platform application (Linux, Windows, Mac OS X, BSD, etc.) that makes Nmap easy to use for beginners, all while providing advanced functions for experienced Nmap users. Frequently used analyses can be recorded as profiles to facilitate repeated execution. The results of the saved analyses can be compared to each other to see how they differ.
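Comparing two saved scans, as described above, is what Ndiff does with Nmap's XML output. The following is an added Python example, not Nmap or Zenmap code: it parses two `nmap -oX`-style documents and reports hosts that appeared or disappeared and ports that opened or closed. Both XML documents are constructed for illustration, using addresses from the 192.0.2.0/24 documentation range.

```python
"""Compare two saved Nmap XML scans and report what changed between them.

Added example, not Nmap's or Zenmap's own code. The two XML documents are
constructed samples in the layout of `nmap -oX`, not real scan output.
"""
import xml.etree.ElementTree as ET

# Constructed baseline scan: two hosts up.
BASELINE_XML = """<nmaprun scanner="nmap" args="nmap -oX baseline.xml 192.0.2.0/28">
  <host><status state="up"/><address addr="192.0.2.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
      <port protocol="tcp" portid="443"><state state="open"/><service name="https"/></port>
    </ports>
  </host>
  <host><status state="up"/><address addr="192.0.2.11" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="3306"><state state="open"/><service name="mysql"/></port>
    </ports>
  </host>
</nmaprun>"""

# Constructed later scan: 443 now filtered, 8080 newly open, .11 down, .12 new.
CURRENT_XML = """<nmaprun scanner="nmap" args="nmap -oX current.xml 192.0.2.0/28">
  <host><status state="up"/><address addr="192.0.2.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
      <port protocol="tcp" portid="443"><state state="filtered"/><service name="https"/></port>
      <port protocol="tcp" portid="8080"><state state="open"/><service name="http-proxy"/></port>
    </ports>
  </host>
  <host><status state="down"/><address addr="192.0.2.11" addrtype="ipv4"/></host>
  <host><status state="up"/><address addr="192.0.2.12" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="21"><state state="open"/><service name="ftp"/></port>
    </ports>
  </host>
</nmaprun>"""


def parse_open_ports(xml_text):
    """Return {ipv4: {(protocol, port, service_name), ...}} for every host that is up."""
    root = ET.fromstring(xml_text)
    hosts = {}
    for host in root.findall("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue  # down hosts report no ports; treat them as absent
        address = host.find("address[@addrtype='ipv4']")
        if address is None:
            continue
        open_ports = set()
        for port in host.findall("ports/port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue  # only open ports matter for the comparison
            service = port.find("service")
            name = service.get("name", "") if service is not None else ""
            open_ports.add((port.get("protocol"), int(port.get("portid")), name))
        hosts[address.get("addr")] = open_ports
    return hosts


def diff_scans(baseline_xml, current_xml):
    """Report new/missing hosts and, per surviving host, newly opened and closed ports."""
    before = parse_open_ports(baseline_xml)
    after = parse_open_ports(current_xml)
    report = {
        "new_hosts": sorted(set(after) - set(before)),
        "missing_hosts": sorted(set(before) - set(after)),
        "opened": {},
        "closed": {},
    }
    for ip in set(before) & set(after):
        opened = after[ip] - before[ip]
        closed = before[ip] - after[ip]
        if opened:
            report["opened"][ip] = sorted(opened)
        if closed:
            report["closed"][ip] = sorted(closed)
    return report


if __name__ == "__main__":
    for key, value in diff_scans(BASELINE_XML, CURRENT_XML).items():
        print(f"{key}: {value}")
```

A newly opened port or a host that appears between two periodic scans is exactly the kind of change an audit follow-up should question, so the diff, not the raw scan, is the artefact worth keeping in the audit record.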

GFI LANguard

GFI LANguard is the award-winning network analysis and security software used by more than 20,000 clients [3]. GFI LANguard analyzes networks and ports to detect and repair vulnerabilities with minimal management.

Any network administrator must individually manage vulnerability issues, patches and audits, sometimes using several products. With GFI LANguard, these three keystones of vulnerability can be managed with just one software program.

GFI LANguard provides a complete image of an installation network and helps maintain the network secure, easily and efficiently.

Tripwire

Tripwire is integrity control software that ensures that sensitive files on a computer are not modified without an alert being raised [4]. To do this, the software creates a database (or a reference table for simpler cases) containing the digital signature (hash) of files that the administrator wishes to keep an eye on. During the integrity control phase, Tripwire recalculates the digital signature of each monitored file and verifies that it corresponds to the one calculated when the database was created. If the two signatures do not correspond, Tripwire sends an alert.

Monitored files can be classified according to different degrees of criticality. Tripwire can be rather complex to configure because files and configurations are encrypted. The alerts sent after the files are modified can be sent via email.
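The baseline-then-recheck cycle described above, as an added Python example that is not Tripwire's own code: it hashes every file under a directory, keeps the hashes as a reference table, and on a later pass reports files whose hash changed, files that appeared and files that disappeared. The monitored tree and the "tampering" are constructed inside a temporary directory so the script runs stand-alone; in a real deployment the baseline would be kept on read-only or remote media, which is the role Tripwire's encrypted database plays.

```python
"""Tripwire-style file integrity control: take a hash baseline, then re-verify.

Added example, not Tripwire's own code. The monitored tree is constructed
in a temporary directory so the demonstration runs anywhere.
"""
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path, chunk_size=65536):
    """Digital signature (hash) of one file, read in chunks so large files are fine."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root):
    """Reference table: relative path -> hash, for every regular file under root."""
    root = Path(root)
    return {
        path.relative_to(root).as_posix(): sha256_file(path)
        for path in sorted(root.rglob("*"))
        if path.is_file()
    }


def check_integrity(root, baseline):
    """Recompute every hash and compare with the baseline taken earlier."""
    current = build_baseline(root)
    return {
        "modified": sorted(f for f in baseline if f in current and current[f] != baseline[f]),
        "added": sorted(set(current) - set(baseline)),
        "missing": sorted(set(baseline) - set(current)),
    }


def demo():
    """Build a small constructed tree, take a baseline, alter it, and re-check."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "bin").mkdir()
        (root / "etc" / "passwd").write_text("root:x:0:0:root:/root:/bin/sh\n")
        (root / "etc" / "hosts").write_text("127.0.0.1 localhost\n")
        (root / "bin" / "ls").write_bytes(b"\x7fELF-constructed-stub")

        baseline = build_baseline(root)  # what the administrator stores at install time

        # Simulated unauthorized changes between two control runs.
        (root / "etc" / "passwd").write_text(
            "root:x:0:0:root:/root:/bin/sh\nsvc:x:1001:1001::/srv:/bin/sh\n"
        )
        (root / "etc" / "hosts").unlink()
        (root / "bin" / "nc").write_bytes(b"unexpected-new-binary")

        return check_integrity(root, baseline)


if __name__ == "__main__":
    for kind, files in demo().items():
        print(f"{kind}: {files}")
```

The three result buckets map onto the alerts an integrity tool raises: a changed hash on a critical file, an unexpected new file in a system directory, and a monitored file that has gone missing.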

Nessus

Nessus is a computer security tool [5]. It signals potential or clear weaknesses on tested computers. These include, among others, services vulnerable to attacks that would allow control of the computer to be taken, sensitive information to be accessed, or service to be denied.

Nessus works with Unix and Windows; its last version was 8.4.0, published on May 14, 2019.

It is widely used by users and computer system administrators. It is generally used by security managers and auditors.

Nessus detects live computers on a network, scans for open ports, identifies active services and their versions, and then attempts various attacks.

Nessus is divided into two parts: nessusd, a daemon (service) that executes the requests and communicates with the target, and nessus, a client application that retrieves the data and displays the result.

This division is classic, with the daemon running with advanced privileges (root), while the graphic interface, more complex and thus vulnerable, runs under the identity of an unprivileged user. The tests are played out using plugins; some are compiled in C, but most are written in the script language NASL (Nessus Attack Scripting Language).

Nessus is a network security scanner capable of detecting weaknesses that can be exploited locally as well as remotely, either by:

  • – identifying a version number in a banner, although this process is limited to one particular class of weaknesses: network service weaknesses that can only be exploited locally; or
  • – acquiring the list of software or packages installed on the computer being tested and comparing it with the patches published by vendors.
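Both detection approaches listed above, as an added Python example (not Nessus code and not a NASL plugin): reading a version out of a service banner, and comparing an installed-package inventory against published fixes. The advisory list, the installed versions and the banner are constructed sample data, and the advisory identifiers are placeholders, not real references.

```python
"""Two ways of spotting an unpatched service, in the style of a Nessus local check.

Added example, not Nessus code or a NASL plugin. All advisories, package
versions and the banner below are constructed sample data; the advisory
identifiers are placeholders.
"""
import re

# Constructed advisory feed: package name -> first version that carries the fix.
ADVISORIES = [
    {"id": "ADV-EXAMPLE-0001", "package": "openssh-server", "fixed_in": "8.2"},
    {"id": "ADV-EXAMPLE-0002", "package": "libexample", "fixed_in": "1.10.3"},
    {"id": "ADV-EXAMPLE-0003", "package": "nginx", "fixed_in": "1.18.0"},
]

# Constructed inventory of what the audited host reports as installed.
INSTALLED = {"openssh-server": "7.4", "libexample": "1.9.12", "nginx": "1.18.0", "bash": "5.0"}


def parse_version(version):
    """Turn '1.9.12' into (1, 9, 12) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in re.findall(r"\d+", version))


def is_older(installed, fixed_in):
    """True when the installed version predates the version carrying the fix."""
    return parse_version(installed) < parse_version(fixed_in)


def find_unpatched(installed, advisories):
    """Second approach: compare the installed package list with the published patches."""
    findings = []
    for advisory in advisories:
        version = installed.get(advisory["package"])
        if version is not None and is_older(version, advisory["fixed_in"]):
            findings.append((advisory["id"], advisory["package"], version, advisory["fixed_in"]))
    return findings


# OpenSSH identification string, e.g. "SSH-2.0-OpenSSH_7.4p1 Debian-10" (constructed sample).
OPENSSH_BANNER = re.compile(r"^SSH-2\.0-OpenSSH_(\d+(?:\.\d+)*)")


def version_from_banner(banner):
    """First approach: read the version out of the banner; None if it is not OpenSSH."""
    match = OPENSSH_BANNER.match(banner)
    return match.group(1) if match else None


def check_ssh_banner(banner, advisories):
    """Combine both: the banner version checked against the openssh-server advisory."""
    version = version_from_banner(banner)
    if version is None:
        return None
    return find_unpatched({"openssh-server": version}, advisories)


if __name__ == "__main__":
    for finding in find_unpatched(INSTALLED, ADVISORIES):
        print("unpatched:", finding)
    print("banner check:", check_ssh_banner("SSH-2.0-OpenSSH_7.4p1 Debian-10", ADVISORIES))
```

The numeric tuple comparison matters: compared as strings, "1.9.12" sorts after "1.10.3" and the weakness is missed. The banner method also shows the limit the text mentions: a distribution that backports a fix keeps the old version string, so a banner-only check over-reports, and the installed-package comparison against the vendor's own patch list is the more reliable of the two.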

8.3.2. Security policy development

A security policy that appears as a well-defined action plan composed of a group of measures guarantees a minimal level of security. This policy covers all aspects and calls on many interlocutors at various levels. It must foresee measures to take and people to alert in case an organizational failure or a technical intrusion is detected.

The principal objective, namely maintaining a level of security, comes through the establishment of a culture and technical security solutions.

The first sub-objective is ensured through training sessions, charters, posters, sports, alerts and so on.

The second sub-objective covers policies, archives, monitoring, analysis, filtering, updates, alerts and so on.

Once defined, a security policy must be formulated and written before being distributed and applied.

8.3.2.1. Security policy interlocutors

For the development and establishment of a security policy, numerous actors can be called upon:

  • Security manager: this is an individual charged with developing and updating the security policy.
  • Committee of collaborators: this is a team of diverse specialists in the company that can help the security manager develop, apply, monitor and update the security policy.
  • Users: these are the personnel making use of and accessing computer services.
  • External users: these are composed of consultants and security auditors participating in audits within the company or assisting with the resolution of a precise security problem, or any other external collaborator in the field of computing.

8.3.2.2. Security policy steps

The establishment and application of a security policy goes through several steps, which are defined as follows:

  • – designate a computer security manager who will be in charge of creating, applying and updating the security policy;
  • – define the perimeter and objectives of the computer security policy, in order to limit the field of application of this policy and be able to evaluate its impacts and influences for better efficiency;
  • – analyze the existing equipment and software, and maintain an updated register of all of the elements making up the computer system. This register is important during modifications of components of the computer configuration. In the case of an incident, it can help IT teams find the origin of the problem and identify responsibilities;
  • – analyze computing risks in terms of possible damage and the probability that an incident will occur;
  • – determine the necessary means for reducing risks and taking charge of incidents, or for managing continuous activity;
  • – write a computing charter for all collaborators;
  • – communicate the computer security policy, with all of its details and procedures, to all users within the company.

8.3.3. Elements of a security policy

For a security policy to be efficient and applicable, it must be composed of several complementary elements that cover different hierarchical levels of the company.

8.3.3.1. Governance policy

The importance of computer security demands a high-level intervention in a company with the purpose of increasing the efficiency of decision-making and action-taking.

To satisfy this requirement, a security manager and security committee are necessary.

The security manager reports to the management of computer services, fulfilling the following tasks and abilities:

  • – they can send alerts to general management;
  • – they have the logistical and financial means and the necessary authority to complete tasks;
  • – they can define and apply the security policy in direct cooperation with the members of the security committee;
  • – they must periodically prepare a report with a security inventory.

The security committee includes and brings together the pertinent actors of a company, that is, all of the directors. It is led by the security manager and ensures technical vigilance and creates a culture of cyber security.

8.3.3.2. Technical policy

The technical section of the security policy covers technical domains. It varies depending on the material and software assets installed, and the degree of criticality of the information that is dealt with.

A technical security policy is composed of a group of technical measures and solutions for backup, filtering, monitoring and follow-up. The distinct areas are as follows:

  • – establishment of anti-malware software such as antivirus, antispam and antispyware, with the necessary updates and patches;
  • – deployment of filtering solutions using routers and firewalls;
  • – development and application of a backup policy;
  • – development of specific solutions to apply depending on installed services.

8.3.3.3. End-user policy

The section on security culture is of capital importance. It must be addressed to all personnel without neglecting any of the end-users. The end-user is anyone with access to the computer system and represents an important link in the chain of computer security and the policy to be established.

The user must be sensitized and informed via targeted training sessions, posters and charters, which must be adhered to.

8.4. Norms, directives and procedures

Several norms and standards can be used when conducting an audit or following up on its results and impacts, as well as in establishing a computer security policy:

  • family of ISO 20000 norms: ISO 20000-1 and ISO 20000-2 norms are standards describing the management processes for efficient delivery of computer services to a company and its clients. These respect ITIL requirements [6];
  • family of ISO 27000/ISMS norms: establishment, use, updating and management of a computer security policy, or information security management systems (ISMS);
  • ISO/FDIS 31000 norm: risk management;
  • ISO/IEC 38500 norm: computer security governance;
  • British Standards Institution BS 25999-1 norms: BCM, practice codes;
  • British Standards Institution BS 25999-2 norms: BCM, specifications.

8.4.1. ISO 27000 norm

The ISO 27000 series of norms was specifically reserved by the ISO for questions of information security. The 27000 series includes a range of individual norms and documents. A certain number of them have already been published.

  • ISO 27001: this is the specification of an information security management system (ISMS) that replaced the former BS7799-2 norm.
  • ISO 27002: this is the standard number of the 27000 series that was at the origin of the ISO 17799 norm (formerly known as BS7799-1).
  • ISO 27003: this will be the official number of a norm meant to offer suggestions for establishing an ISMS (IS management system).
  • ISO 27004: this norm covers measures and metrics for managing information security systems, including the controls suggested in ISO 27002.
  • ISO 27005: this ISO norm is independent of the methodology for managing risks connected with information security.
  • ISO 27006: this norm offers guidelines for accrediting organizations that offer an ISMS certification.

8.4.2. ISO/FDIS 31000 norm

ISO 31000 designates a family of norms for managing risks, codified by the international organization for normalization. The objective of the ISO 31000 norm is to offer the principles and guidelines for risk management, as well as the processes for establishing it strategically and operationally. It does not seek to promote the uniformity of risk management in organizations, but rather to harmonize the multitude of existing approaches, standards and methodologies for risk management.

Currently, the ISO 31000 family includes:

  • – ISO 31000:2018, Risk management, Principles and Guidelines;
  • – ISO/IEC 31010:2009, Risk Management, Risk Evaluation Techniques;
  • – ISO Guide 73:2009, Risk Management, Vocabulary.

8.4.3. ISO/IEC 38500 norm

ISO/IEC 38500 is the international norm for the governance of information technology by companies. It is the first official norm for computer governance.

This norm concerns the governance of management processes related to information and communication services used by an organization. These processes can be controlled by computer specialists in an organization or by external service providers.

8.5. Conclusion

Security audits are necessary for securing computer systems, but they remain insufficient; they must be complemented and followed up by technological monitoring throughout a company, in order to track the daily state of security through audit and surveillance tools, and through a strictly cooperative relationship with the appropriate organizations.

The security audit constitutes an important step for the survival of a company. It provides a constructive external critique by experts in the domain. This task, required by law, is beneficial for a company seeking to protect its computing assets.

A security policy, well-defined and correctly applied, is the finishing touch to the security measures and activities taken by users. It covers organizational and technical aspects and creates a culture that protects the company from risks and threats.

Computer security continuously presents itself as an urgent issue, to the detriment of other factors; it takes its importance and relevance from both circumstances and conditions that remind us of the volume of destruction, material and otherwise, for individuals, companies and states.

  [1] www.iso.org.
  [2] nmap.org.
  [3] www.zdnet.fr.
  [4] www.tripwire.com.
  [5] https://www.nessus.org.
  [6] www.iso.org.