1
Information Security: The Big Picture - SANS GIAC
© 2000
1
Information Security:
The Big Picture – Part II
Stephen Fried
International Standards & Policies
• Trusted Computer System Evaluation Criteria (TCSEC – Orange Book) (1985)
• Trusted Network Interpretation (TNI) (1987)
• ITSEC
In most industries there is a common set of rules and procedures that govern that industry. The rules may be imposed by
the industry itself or they may be imposed by governmental and legal requirements. Examples of such standards in the
US would be the Uniform Commercial Code that governs commercial transactions across the United States, or various
national and local building codes that govern how structures are to be built.
Many attempts have been made to standardize the practices and policies across the security industry as well.
Unfortunately, because the information security field has been constantly evolving over the last several decades, there has
been no unified consensus on what constitutes good security practice, how those practices should be defined, and how
security should be measured. However, over the years several attempts have stood out as having considerable merit and
weight, and thus have risen to the level of standards. In some areas, such as government computer security, these
standards are mandatory. A side effect of these has been that private industry has picked up on them as well.
One of the first standardization attempts was the Trusted Computer System Evaluation Criteria, or TCSEC. It is also known
as the Orange Book, because of the bright orange cover of its original printing. The TCSEC was developed by the US
accepted by the International Standards Organization. Like the TCSEC, the Common Criteria has
seven assurance levels, labeled EAL1 up to EAL7. Each level has a rough counterpart in the
TCSEC. Currently, government agencies from Canada, France, Germany, the Netherlands, the
United Kingdom and the United States sponsor the project. The latest version has now been ratified
as ISO standard 15408.
The latest entry in the standards effort has come from the United Kingdom. The BS7799 standard
was developed in 1995 to provide a comprehensive set of controls comprising the best practices in
information security. It is intended to serve as a single reference point for identifying the range of
controls needed where information systems are used in industry and commerce. The latest revision
to BS7799 was published in 1999. Of all the international standards efforts, BS7799 seems to be
gaining the most support globally.
Due Care
• Legalese
– Conducting business in a non-negligent manner
– Doing what any “reasonable person” would do under similar circumstances
– Usual and customary conduct
• English
– Doing what everyone else does that is prudent and common to protect your interests
In many aspects of security, you will meet up with the concept of due care. You can see some of the
legal definitions in the slide, but, in short, due care is the concept of implementing security measures
that are generally accepted to be prudent and common. If everybody is doing something, you should
be doing it, too.
many academic environments)? These answers will have a bearing on your overall stance and be reflected in
your policies.
Security policies also let people know what is expected of them. You can’t hold people responsible for
following the rules if they don’t know what those rules are. Clearly defined policies, when combined with an
effective awareness program, will go a long way toward enhancing your security efforts.
Security policies effectively define the rules of the road for your organization. First, they define who has
responsibility for what activities and who needs to take action based on those responsibilities. Second, they
define who has accountability for activities. Often, the people or groups responsible for executing a function are
acting on behalf of another group that has ultimate ownership and accountability for that activity. Your policies
should acknowledge this duality and account for it. Finally, the policies should explain the consequences for not
following the policies. These consequences may be monetary fines, disciplinary action, or even civil or criminal
penalties.
Your security policies should ultimately be a reflection of your organization, and you can learn a lot about an
organization by examining its security policies. You can tell what areas are important to the organization and
what areas they are less concerned about. You can learn if they are a permissive company or a restrictive one.
You can tell how they feel about Internet access, personal use of e-mail and computers, handling of sensitive
information, and a whole host of other organizational traits.
No matter how much effort you put into creating your security policies, and how complete you may feel they
are, you must leave room for change. Organizations change over time, and the way you feel about some aspects
of security may not be the way you feel a year or two from now. You need to leave room in your policies for
change. This change can come from within the security organization or it may come from your user or business
partner community. Whatever the source, you need to account for change in your policies.
Security Through Obscurity
• Hiding security mechanisms in an attempt to keep them secure
• Use trade secrets, patents, NDAs, etc.
Business Continuity Planning
• “What if something bad happens?”
• Business Continuity vs. Disaster Recovery
• Multiple layers, multiple plans
• Y2K – The Ultimate BCP
An important part of your operational strategy should be the formulation of a business continuity plan. The business continuity plan
answers the question, “What if something bad happened to my business?” The “something bad” may vary. It can be as simple as a disk
crash or as serious as a large building fire, but it means some sort of interruption to your business, and you had better be prepared.
My office building sits right next to a major interstate highway in New Jersey. Three or four times a year some clown driving a tanker
truck of dangerous chemicals decides to flip over his rig on the highway. Occasionally, we even have to evacuate the building until the
chemicals are cleared away. Does my facility have a business continuity plan? You bet! Would we be able to continue our operation in
the event we were not able to return to the building for a few days? Yes, we would. A well-planned business continuity plan enables you
to anticipate emergencies instead of just reacting to them.
You may often hear the terms “Business Continuity” and “Disaster Recovery” used interchangeably, and in many cases they mean virtually
the same thing. However, there is a slight difference between the two. The term “Business Continuity” refers to the activities required to
keep your organization running during a period of displacement or interruption of normal operations. Even if your building burns down,
your customers still need their orders filled and your creditors still want their money. You need to be able to get back into operation as
quickly as possible. That’s business continuity.
“Disaster Recovery” is the process of rebuilding your operation or infrastructure after the disaster has passed. It is linked to your business
continuity plan, but it is a separate and distinct process. Once you have enacted your business continuity plan to keep your business
running during and after the disaster, you enact your disaster recovery plan to begin the process of getting your business back into
“normal” operation.
Business continuity planning can be an extremely complex task. For one thing, there are often multiple layers of planning. Starting
simply, you may have a plan for a disk or tape failure in your data center. Next, you might plan for a major application to crash,
have a good idea how much effort you need to put into business continuity plans for the target area as well as the areas of dependent
operations.
Next, you need to define your recovery strategy. This is the statement of overall intent with respect to business continuity. Do you
intend to recover fully or just write off the lost part of the business? Do you want to use fully redundant systems or just a few cold
spares? These issues define how you will approach your BCP and DR efforts.
Next, you will develop the actual business continuity plan. This is the tactical, step-by-step process for enabling your business to
continue during an emergency. In the plan you will define who is responsible for what activities, when those activities should take
place, and how they should be carried out. The plan should be clear enough that anyone can pick it up and begin implementing it.
Next, you need to implement the plan. No, this doesn’t mean creating an actual disaster to see if your plan works, but it does mean
putting everything in place to make sure you are ready. Make sure people know what their responsibilities are and make sure all the
resources and equipment you need to enact the plan are in place before you need them. When the disaster hits it is too late.
Next, you need to test the plan. Again, you don’t need to create a real disaster, but you can simulate one well enough to see if your
plan works. Test if the right people are in the right place at the right time, and make sure they have all the resources they need to get
the job done. Testing the plan is the only way to ensure all will work well when an actual disaster strikes.
Once you test the plan you will undoubtedly find things that did not go strictly according to plan. Or, you may find that some
conditions have changed since the plan was originally developed. For these reasons you need to continuously modify the plan,
keeping up to date with whatever changes need to be accounted for.
By following these simple steps, you will be well on the way toward creating a robust business continuity plan.
User and Role Based Security (1)
• User Based – Access is assigned per user
– Easy to understand
– Good for small groups of users & objects
• Role Based – Access is assigned by “roles”
• As people change jobs, “roles” change
• As people enter and leave organization, roles are assigned and removed
• As objects and applications change, roles can be re-assigned accordingly
One of the big advantages of role-based security is that by assigning someone to a particular group,
access permissions to objects can be automatically assigned without changing any of the permissions
on the objects themselves. If a file is permitted to be viewed only by the Accountant group, by
assigning a user to the Accountant group you are automatically giving them permission to that file.
The better you determine and assign your roles, the better you can control access to your resources.
Second, as people change jobs and roles in your organization their access changes automatically.
When the secretary gets promoted to the Accounting department, by changing their role from
Secretary to Accountant, you automatically give them access to a completely different set of objects
quickly and easily.
Third, as people enter and leave the organization, their role in the access control mechanism will be
fairly straightforward and clear. Depending on the job they are doing, you assign them a role and off
they go. There is no need to determine what resources they need to access; that has already been
determined by the role.
Finally, as objects and applications change, you can change the user roles that are allowed to access
those objects and applications. If you decide that the Engineers no longer need access to an object,
you don’t need to figure out what users are Engineers, you just remove access to the Engineer role.
Role-based security is not the last word in access control, but when used effectively it can be a
valuable tool in controlling access to resources on your network.
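The four points above (promotion changes access without touching the object, leavers are handled by dropping roles, and an object's audience is changed by editing one role entry) can be shown in a few lines. The following is an added example written for these notes, not code from the course or from any real access control product; the object names, role names and user names are constructed for illustration.

```python
from dataclasses import dataclass, field


@dataclass
class Rbac:
    """Role-based access control: objects carry ACLs keyed by role, users carry roles."""
    # object name -> {role name -> set of permissions such as "read" / "write"}
    object_acls: dict = field(default_factory=dict)
    # user name -> set of role names
    user_roles: dict = field(default_factory=dict)

    def grant(self, obj, role, *perms):
        """Allow a role the given permissions on an object."""
        self.object_acls.setdefault(obj, {}).setdefault(role, set()).update(perms)

    def revoke_role(self, obj, role):
        """Drop a role from an object's ACL; every member of that role loses access at once."""
        self.object_acls.get(obj, {}).pop(role, None)

    def assign(self, user, *roles):
        """Joiner: give a user one or more roles."""
        self.user_roles.setdefault(user, set()).update(roles)

    def change_role(self, user, old, new):
        """Job change: swap one role for another; no object ACL is edited."""
        roles = self.user_roles.setdefault(user, set())
        roles.discard(old)
        roles.add(new)

    def remove_user(self, user):
        """Leaver: forget the user's roles; nothing on any object needs editing."""
        self.user_roles.pop(user, None)

    def permissions(self, user, obj):
        """Union of the permissions of every role the user holds on the object (deny by default)."""
        acl = self.object_acls.get(obj, {})
        perms = set()
        for role in self.user_roles.get(user, ()):
            perms |= acl.get(role, set())
        return perms

    def can(self, user, obj, perm):
        return perm in self.permissions(user, obj)


def demo():
    """Walk through the scenarios from the notes and return the access decisions observed."""
    rbac = Rbac()
    # Constructed object ACLs (hypothetical file and role names)
    rbac.grant("ledger.xls", "Accountant", "read", "write")
    rbac.grant("calendar", "Secretary", "read", "write")
    rbac.grant("calendar", "Accountant", "read")
    rbac.grant("design.dwg", "Engineer", "read")
    # Constructed users
    rbac.assign("pat", "Secretary")
    rbac.assign("lee", "Engineer")
    rbac.assign("sam", "Engineer")

    results = {}
    results["secretary_reads_ledger"] = rbac.can("pat", "ledger.xls", "read")
    # Promotion: change the person's role, not the file's permissions
    rbac.change_role("pat", "Secretary", "Accountant")
    results["accountant_reads_ledger"] = rbac.can("pat", "ledger.xls", "read")
    # The old role's rights go away with it
    results["accountant_writes_calendar"] = rbac.can("pat", "calendar", "write")
    # Engineers no longer need design.dwg: one ACL edit, no per-user search
    rbac.revoke_role("design.dwg", "Engineer")
    results["engineers_read_design_after_revoke"] = (
        rbac.can("lee", "design.dwg", "read") or rbac.can("sam", "design.dwg", "read")
    )
    # Leaver: drop the roles and every object is closed to them
    rbac.remove_user("lee")
    results["leaver_permissions"] = rbac.permissions("lee", "calendar")
    # Unknown users are denied by default
    results["unknown_denied"] = rbac.can("nobody", "ledger.xls", "read")
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The point to notice is which structure each operation touches: promotions and departures edit only `user_roles`, while changing who may use an object edits only that object's ACL entry. Neither side needs to enumerate the other, which is exactly the administrative saving the notes describe.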
Security Organizations
• Computer Security Institute (CSI) – www.gocsi.com
• System Administration, Networking, and Security
practices and share a wealth of experience and expertise. Funded by a substantial membership fee, the Forum helps to ensure that members can adopt
leading edge security practices - without incurring the expense of developing individual solutions. ISF can be found at www.securityforum.org.
The CERT Coordination Center is part of the Survivable Systems Initiative at the Software Engineering Institute at Carnegie Mellon University. It was
started by DARPA (the Defense Applied Research Projects Agency, part of the U.S. Department of Defense) in December 1988 after the Morris Worm
incident crippled approximately 10% of all computers connected to the Internet. Originally, their work was almost exclusively incident response. Since
then, they have worked to help start other incident response teams, coordinate the efforts of teams when responding to large-scale incidents, provide
training to incident response professionals, and research the causes of security vulnerabilities, prevention of vulnerabilities, system security improvement,
and survivability of large-scale networks. CERT can be found at www.cert.org.
The Computer Incident Advisory Capability (CIAC) provides on-call technical assistance and information to Department of Energy (DOE) sites faced
with computer security incidents. CIAC also provides awareness, training, and education; trend, threat, and vulnerability data collection and analysis; and
technology watch. CIAC was established in 1989 to serve the DOE community. CIAC is one of the two oldest response teams and is recognized nationally
and internationally for its contributions to the Internet community.
There are also many other organizations, associations and clubs that one can join to learn more about computer, network and information security.
CISSP Certification
• Certified Information Systems Security Professional
• Demonstrates basic competency in information system security
• Based on the Common Body of Knowledge
• Must pass exam to qualify
• Continuing education requirements
One way to demonstrate your knowledge of information security practices is by becoming a Certified Information
Systems Security Professional, or CISSP for short. The CISSP certification is a designation given to those security
practitioners that demonstrate a basic competency in various topics related to information security. The exam and the
certification program is administered by the International Information System Security Certification Consortium, or
• Based on class learning and practical experience
Another certification track is the Global Incident Analysis Center (GIAC) Certification Program. The
program was established by the SANS Institute to serve the people who are or will be responsible for
managing and protecting important information systems and networks. GIAC consists of a number of
courses, offered both in person and on-line, examinations, and practical experience.
Unlike the CISSP exam, in which candidates need only pass an examination to obtain certification,
GIAC candidates must also demonstrate applied knowledge before obtaining certification. GIAC
candidates create portfolios of materials proving that they have actually done many of the important
tasks that will be required of them on the job.
Like CISSP and other certifications, GIAC training and certification provide value to both
professionals and their employers. For security and system professionals, GIAC offers added
confidence that they know which tasks need to be done first to protect their systems and that they have
the knowledge and skills needed to do those tasks. GIAC offers them continuous access to updated
information so they can keep their skills and knowledge current.