The Security Process

August 6th 2008 05:23 pm

I’ve been working on ways of teaching information security. I think it’s essential to teach some sort of systematic approach to security (“the process”), and that this approach should include risk assessment, policy development, monitoring, and so on. For educational purposes, my process contains six phases.

The phases are:

  1. Identify assets
  2. Analyze risks
  3. Specify policy
  4. Implement defenses
  5. Monitor defenses
  6. Recover from attacks

I call them phases because I use the word “steps” when talking about activities within a phase.

Risk Analysis

This is a peculiar process, since the custom is to do a numerical assessment of highly qualitative data.
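Here is an added example (mine, not from the post) of what that numerical assessment of qualitative data looks like in practice, and why it is peculiar. The inventory of assets and threats, and the two five-point scales, are constructed for illustration; the “high priority” threshold of 10 is likewise an assumption. The point to notice is that multiplying two ordinal ratings produces ties (a 4×2 and a 2×4 score identically) that arithmetic alone cannot resolve.

```python
# Added example, not from the original post: phase 1 (identify assets) feeding
# phase 2 (analyze risks). All assets, threats and ratings are constructed.

# Ordinal scales: these are judgments, not measurements, so the numbers carry
# no units and the product of two of them is only a ranking aid.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}

# Constructed asset register (phase 1 output).
ASSETS = [
    {"asset": "customer database", "threat": "SQL injection",
     "likelihood": "possible", "impact": "severe"},
    {"asset": "public website", "threat": "defacement",
     "likelihood": "likely", "impact": "minor"},
    {"asset": "backup tapes", "threat": "loss in transit",
     "likelihood": "unlikely", "impact": "major"},
    {"asset": "office wifi", "threat": "unauthorized use",
     "likelihood": "almost certain", "impact": "negligible"},
]


def risk_score(likelihood, impact):
    """The customary likelihood x impact product on the ordinal scales above."""
    return LIKELIHOOD[likelihood] * IMPACT[impact]


def rank_risks(entries):
    """Score every entry and sort highest risk first.

    The product alone cannot order a 4x2 against a 2x4, so ties are broken on
    impact (a rare catastrophe outranks a frequent nuisance) and then on name,
    purely to make the ordering deterministic.
    """
    scored = [dict(e, score=risk_score(e["likelihood"], e["impact"])) for e in entries]
    return sorted(scored, key=lambda e: (-e["score"], -IMPACT[e["impact"]], e["asset"]))


def ties(ranked):
    """Map each shared score to the assets that share it: these need human judgment."""
    groups = {}
    for e in ranked:
        groups.setdefault(e["score"], []).append(e["asset"])
    return {score: assets for score, assets in groups.items() if len(assets) > 1}


def high_priority(entries, threshold=10):
    """Phase 2 conclusion that feeds phase 3: the risks the policy must address.

    The threshold is an assumed cut-off, chosen for this example only.
    """
    return [e["asset"] for e in rank_risks(entries) if e["score"] >= threshold]


if __name__ == "__main__":
    for e in rank_risks(ASSETS):
        print(f"{e['score']:>3}  {e['asset']:<18} {e['threat']}")
    print("ties needing judgment:", ties(rank_risks(ASSETS)))
    print("high priority:", high_priority(ASSETS))
```

Running it ranks the customer database first (3×5 = 15) and leaves the backup tapes and the public website tied at 8; the tie-break is a design choice, and a real assessment would record why one was placed above the other rather than let the sort key decide.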

Policy: an ambiguous term

In computer security, policy can mean any of several things:

  • A statement of security requirements – using “requirements” in the systems engineering sense: the policy lists security requirements and goals, which serve as the criteria for judging whether an implementation succeeds.
  • A list of rules or procedures – for example, a password policy or acceptable use policy is often a statement of what users are (or are not) supposed to do.
  • Configuration rules for a firewall – firewalls and filtering routers generally maintain a set of rules that state how traffic is to be handled, and these are sometimes called the firewall’s “policy”.

In this process, the word “policy” refers to a statement of security requirements or goals. We perform a risk assessment in order to identify the high-priority risks; the security policy is the conclusion we draw from that assessment. To summarize the difference between policy and implementation:

The policy says what we want; the implementation is what we get.

Monitoring

When we monitor the defenses, we must look for policy compliance as well as for successful behavior of the defense measures.

Here is an example: we wish to protect an asset, so we put it inside a container. The policy says “Protect the asset” and the implementation is “Keep the container locked and secure.” We need to monitor the system to ensure that we achieve our goals. In some cases, as in safe deposit boxes, the bank assumes that the assets are intact as long as the boxes appear intact from the outside.

However, let’s look at an asset that needs more careful monitoring. For example, if the asset is a plant, we can’t just monitor the outside of the container to ensure its safety. We also need to open the container and ensure the plant has water and whatever else it might need. While it’s convenient to just monitor the security implementation, it’s our policy that spells out what we’re trying to do.
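The following is an added example (mine, not from the post) that turns the container-and-plant illustration into a small monitor with two kinds of checks: one on the defense measure (is the container locked?) and one on the policy goal (is the asset actually intact, and alive where that matters?). The observations are constructed; the field names `locked` and `watered` are assumptions for the example. The case worth seeing is the fern: the implementation check passes while the policy check fails, which is exactly what lock-only monitoring would miss.

```python
# Added example, not from the original post: monitoring policy compliance as
# well as the behaviour of the defense measure. Observations are constructed.

# One record per asset. "locked" is the implementation indicator (the control).
# "watered" is the policy outcome for a living asset; it is None for assets,
# such as a deed in a safe deposit box, whose intactness is fully implied by
# the container being intact.
OBSERVATIONS = [
    {"asset": "deed in safe deposit box", "locked": True, "watered": None},
    {"asset": "office fern", "locked": True, "watered": False},
    {"asset": "greenhouse orchid", "locked": False, "watered": True},
]


def implementation_ok(obs):
    """The defense measure is working: the container is locked and secure."""
    return obs["locked"] is True


def policy_ok(obs):
    """The policy goal ("protect the asset") is met.

    For a passive asset the lock is the whole story; for a living asset the
    monitor must also open the container and confirm the asset is being kept.
    """
    if obs["watered"] is None:
        return obs["locked"] is True
    return obs["locked"] is True and obs["watered"] is True


def classify(obs):
    """Combine both checks into one finding for the asset."""
    impl, pol = implementation_ok(obs), policy_ok(obs)
    if impl and pol:
        return "compliant"
    if impl and not pol:
        return "defense working, goal not met"  # invisible to a lock-only monitor
    return "defense failed"


def monitor(observations):
    """Return (asset, finding) pairs for every observation."""
    return [(obs["asset"], classify(obs)) for obs in observations]


def goal_gaps(observations):
    """Assets whose defense passed its own check but whose policy goal is unmet."""
    return [obs["asset"] for obs in observations
            if implementation_ok(obs) and not policy_ok(obs)]


if __name__ == "__main__":
    for asset, finding in monitor(OBSERVATIONS):
        print(f"{asset:<26} {finding}")
    print("goal gaps:", goal_gaps(OBSERVATIONS))
```

In a real deployment the implementation check is typically a configuration or health check on the control itself (the firewall rule is loaded, the backup job reported success), while the policy check is an outcome test (the traffic is actually blocked, the backup actually restores). Reporting the two separately is what lets a monitor surface the fern case instead of folding it into “everything is locked”.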
