of How to Compile a Security Strategy
Reviewing Current Policies
Establishing an effective set of security policies and controls
requires using a strategy to determine the vulnerabilities that exist in
our computer systems and in the current security policies and controls
that guard them. The current status of computer security policies can be
determined by reviewing the list of documentation that follows. The review
should take notice of areas where policies are lacking as well as examine
documents that exist:
Return To Top
Assessing an organization's security needs also includes determining
its vulnerabilities to known threats. This assessment entails recognizing
the types of assets that an organization has, which will suggest the types
of threats it needs to protect itself against. Following are examples of
some typical asset/threat situations:
- The security administrator of a bank knows
that the integrity of the bank's information is a critical asset and
that fraud, accomplished by compromising this integrity, is a major
threat. Fraud can be attempted by inside or outside attackers.
- The security administrator of a Web site
knows that supplying information reliably (data availability) is the
site's principal asset. The threat to this information service is a
denial of service attack, which is likely to come from an outside
- A law firm security administrator knows that
the confidentiality of its information is an important asset. The
threat to confidentiality is intrusion attacks, which might be
launched by inside or outside attackers.
- A security administrator in any organization
knows that the integrity of information on the system could be
threatened by a virus attack. A virus could be introduced by an
employee copying games to his work computer or by an outsider in a
deliberate attempt to disrupt business functions.
Identifying Likely Attack Methods, Tools, and Techniques
Listing the threats (and most organizations will have several) helps
the security administrator to identify the various methods, tools, and
techniques that can be used in an attack. Methods can range from viruses
and worms to password and e-mail cracking. It is important that
administrators update their knowledge of this area on a continual basis,
because new methods, tools, and techniques for circumventing security
measures are constantly being devised.
Return To Top
For each method, the security plan should include a proactive
strategy as well as a reactive strategy.
The proactive or pre-attack strategy is a set of steps that
helps to minimize existing security policy vulnerabilities and develop
contingency plans. Determining the damage that an attack will cause on a
system and the weaknesses and vulnerabilities exploited during this attack
helps in developing the proactive strategy.
The reactive strategy or post-attack strategy helps security
personnel to assess the damage caused by the attack, repair the damage or
implement the contingency plan developed in the proactive strategy,
document and learn from the experience, and get business functions running
as soon as possible.
Return To Top
The last element of a security strategy, testing and reviewing the test
outcomes, is carried out after the reactive and proactive strategies have
been put into place. Performing simulation attacks on a test or lab system
makes it possible to assess where the various vulnerabilities exist and
adjust security policies and controls accordingly.
These tests should not be performed on a live production system because
the outcome could be disastrous. Yet, the absence of labs and test
computers due to budget restrictions might preclude simulating attacks. In
order to secure the necessary funds for testing, it is important to make
management aware of the risks and consequences of an attack as well as the
security measures that can be taken to protect the system, including
testing procedures. If possible, all attack scenarios should be physically
tested and documented to determine the best possible security policies and
controls to be implemented.
Certain attacks, such as natural disasters such as floods and lightning
cannot be tested, although a simulation will help. For example, simulate a
fire in the server room that has resulted in all the servers being damaged
and lost. This scenario can be useful for testing the responsiveness of
administrators and security personnel, and for ascertaining how long it
will take to get the organization functional again.
Testing and adjusting security policies and controls based on the test
results is an iterative process. It is never finished and should be
evaluated and revised periodically so that improvements can be
Return To Top
Good practice calls for forming an incident response team. The incident
response team should be involved in the proactive efforts of the security
professional. These include:
- Developing incident handling guidelines.
- Identifying software tools for responding to
- Researching and developing other computer
- Conducting training and awareness
- Performing research on viruses.
- Conducting system attack studies.
These efforts will provide knowledge that the organization can use and
information to issue before and during incidents.
After the security administrator and incident response team have
completed these proactive functions, the administrator should hand over
the responsibility for handling incidents to the incident response team.
This does not mean that the security administrator should not continue to
be involved or be part of the team, but the administrator may not always
be available and the team should be able to handle incidents on its own.
The team will be responsible for responding to incidents such as viruses,
worms, or other malicious code; intrusions; hoaxes; natural disasters; and
insider attacks. The team should also be involved in analyzing any unusual
event that may involve computer or network security.