Security and Risk Management
Chapter #1: CIS 4550
Source: rowdysites.msudenver.edu/~fustos/cis4550/pdf/chapter01.pdf

Remember …
“If you think technology can solve your security problems, then you don’t understand the problems and you don’t understand the technology.”
Bruce Schneier


Working on Security Risks
“One of the main cyber-risks is to think they don’t exist. The other is to try to treat all potential risks. Fix the basics, protect first what matters for your business and be ready to react properly to pertinent threats. Think data, but also business services integrity, awareness, customer experience, compliance, and reputation.”
Stéphane Nappo, International Banking & Financial Services, Global Chief Information Security Officer & Board Advisor


CISSP Exam
• International Information Systems Security Certification Consortium, (ISC)²
• Site: the (ISC)² web site (link not reproduced in this extract)
• Code of Ethics Canons
  • Protect society, the common good, necessary public trust and confidence, and the infrastructure.
  • Act honorably, honestly, justly, responsibly, and legally.
  • Provide diligent and competent service to principals.
  • Advance and protect the profession.


CISSP Exam Blueprint

I. Security and Risk Management
This domain covers many of the foundational concepts of information systems security. Some of the topics covered include:
  • The principles of availability, integrity, and confidentiality
  • Security governance and compliance
  • Legal and regulatory issues
  • Professional ethics
  • Personnel security policies
  • Risk management
  • Threat modeling

II. Asset Security
This domain examines the protection of information assets throughout their life cycle. Some of the topics covered include:
  • Information classification
  • Maintaining ownership
  • Privacy
  • Retention
  • Data security controls
  • Handling requirements

III. Security Engineering
This domain examines the development of information systems that remain secure in the face of a myriad of threats. Some of the topics covered include:
  • Security design principles
  • Selection of effective controls
  • Mitigation of vulnerabilities
  • Cryptography
  • Secure site and facility design
  • Physical security

IV. Communication and Network Security
This domain examines network architectures, communications technologies, and network protocols with a goal of understanding how to secure them. Some of the topics covered include:
  • Secure network architectures
  • Network components
  • Secure communications channels
  • Network attacks

V. Identity and Access Management
Identity and access management is one of the most important topics in information security. This domain covers the interactions between users and systems as well as between systems and other systems. Some of the topics covered include:
  • Controlling physical and logical access
  • Identification and authentication
  • Identity as a Service
  • Third-party identity services
  • Authorization methods
  • Access control attacks

VI. Security Assessment and Testing
This domain examines ways to verify the security of our information systems. Some of the topics covered include:
  • Assessment and testing strategies
  • Testing security controls
  • Collecting security process data
  • Analyzing and reporting results
  • Conducting and facilitating audits

VII. Security Operations
This domain covers the many activities involved in the daily business of maintaining the security of our networks. Some of the topics covered include:
  • Supporting investigations
  • Logging and monitoring
  • Secure provisioning of resources
  • Incident management
  • Preventative measures
  • Change management
  • Business continuity
  • Managing physical security

VIII. Software Development Security
This domain examines the application of security principles to the acquisition and development of software systems. Some of the topics covered include:
  • Security in the software development life cycle
  • Security controls in development activities
  • Assessing software security
  • Assessing the security implications of acquired software


Outline
• Security terminology and principles
• Protection control types
• Security frameworks, models, standards, and best practices
• Computer laws and crimes
• Intellectual property
• Data breaches
• Risk management
• Threat modeling
• Business continuity and disaster recovery
• Personnel security
• Security governance


Balancing
• Organizations have different “business” goals
• None of them exists specifically to deploy firewalls, IDSs, or maintain decryption devices
• They also have to comply with regulations and laws
• To meet those requirements they are required to practice a wide range of security disciplines


Security & Risk
• The essence of our work as security professionals is our understanding of two key terms: security and risk.


Fundamentals of Security
• CIA triad
• All security controls, mechanisms, and safeguards are implemented to provide one or more of the protection types, and all risks, threats, and vulnerabilities are measured for their potential capability to compromise one or all of the CIA principles.


Confidentiality
• Confidentiality ensures that the necessary level of secrecy is enforced at each junction of data processing and prevents unauthorized disclosure
• Attackers can thwart confidentiality mechanisms by network monitoring, shoulder surfing, stealing password files, breaking encryption schemes, and social engineering
• Users can intentionally or accidentally disclose sensitive information, for example by not encrypting it


Integrity
• Integrity is upheld when the assurance of the accuracy and reliability of information and systems is provided, and any unauthorized modification is prevented
• When an attacker inserts a virus, logic bomb, or back door into a system, the system’s integrity is compromised
• Strict access controls, intrusion detection, and hashing can combat these threats


Integrity
• Users usually affect a system or its data’s integrity by mistake (although internal users may also commit malicious deeds)
• For example, users unwittingly delete configuration files or insert incorrect values, modifying data they did not intend to change
• Security should streamline users’ capabilities and give them only certain choices and functionality, so errors become less common and less devastating


Availability
• Availability ensures reliable and timely access to data and resources for authorized individuals
• Network devices, computers, and applications should provide adequate functionality to perform in a predictable manner with an acceptable level of performance
• They should be able to recover from disruptions in a secure and quick fashion so productivity is not negatively affected
• Necessary protection mechanisms must be in place to protect against threats that could affect availability


Availability
• Networks have many pieces that must stay up (routers, switches, DNS servers, DHCP servers, proxies, firewalls, and so on)
• Software has many components (operating system, applications, antimalware software, and so forth)
• Environmental aspects (such as fire, flood, HVAC issues, or electrical problems), natural disasters, and physical theft or attacks can all take resources offline


Balanced Security
A balanced security program needs:
• Published standards for each of the services
• Integration with key change management processes so that exceptions to standards can be identified and the associated risks managed
• Continuous auditing of the entire IT environment to identify exceptions to standards and to provide an ongoing mechanism to uncover new areas of risk
• Skilled resources across multiple disciplines that can accurately assess and articulate the risk of non-compliance with established standards to other key stakeholders throughout the enterprise
• Known risks tracked in a central repository available to all functional leaders throughout the enterprise
• Known risks reviewed by appropriate levels of IT and business leadership on a periodic basis for remediation, acceptance or temporary exception
• Actionable metrics that can be used to communicate the trend of both positive and negative changes to leading risk indicators


Balanced Security - Confidentiality
• Encryption for data at rest (whole disk, database encryption)
• Encryption for data in transit (IPSec, TLS, SSH; PPTP is listed in the source, but its MS-CHAPv2 authentication is broken and it should not be relied on for confidentiality today)
• Access control (physical and technical)


Balanced Security - Integrity
• Hashing (data integrity)
• Configuration management (system integrity)
• Change control (process integrity)
• Access control (physical and technical)
• Software digital signing
• Transmission cyclic redundancy check (CRC) functions (these detect accidental transmission errors only; an attacker who can change the data can recompute the CRC, so deliberate tampering needs a keyed MAC or a digital signature)
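Why a CRC is a transmission-error check and not a security control, in working code. This is an added example, not code from the slides: it computes a CRC32 and an HMAC-SHA256 over a constructed sample record, shows that a single-bit transmission error is caught by both, and that an attacker who rewrites the record can forge the CRC but not the HMAC. The key, the record and the attacker's edit are constructed for the demonstration; only the Python standard library is used.

```python
"""Added example, not from the CIS 4550 slides: a CRC is a transmission-error
check, not a security control. Anyone who can alter the data can recompute
the CRC; a keyed MAC (HMAC-SHA256 here) cannot be recomputed without the key.
The message, key and the attacker's edit below are constructed for the demo."""
import hashlib
import hmac
import zlib


def crc32_tag(data: bytes) -> int:
    """Unkeyed checksum: catches accidental bit errors, forgeable by design."""
    return zlib.crc32(data) & 0xFFFFFFFF


def hmac_tag(key: bytes, data: bytes) -> bytes:
    """Keyed tag: only a holder of `key` can produce a valid one."""
    return hmac.new(key, data, hashlib.sha256).digest()


def crc_check(data: bytes, tag: int) -> bool:
    return crc32_tag(data) == tag


def hmac_check(key: bytes, data: bytes, tag: bytes) -> bool:
    # constant-time comparison so a verifier does not leak the tag byte by byte
    return hmac.compare_digest(hmac_tag(key, data), tag)


def bit_flip(data: bytes, byte_index: int, bit: int) -> bytes:
    """Simulate a single-bit transmission error (line noise, bad cable)."""
    buf = bytearray(data)
    buf[byte_index] ^= 1 << bit
    return bytes(buf)


def attacker_modify(message: bytes) -> tuple[bytes, int]:
    """Active attacker: rewrite the record and forge a matching CRC.
    Returns the tampered message and the CRC the attacker attaches to it."""
    tampered = message.replace(b"amount=100", b"amount=9999")
    return tampered, crc32_tag(tampered)


def demo() -> dict[str, tuple[bool, bool]]:
    """Return (crc_passes, hmac_passes) for an accidental error and for tampering."""
    key = b"constructed-shared-secret"                   # constructed sample key
    message = b"transfer from=alice to=bob amount=100"   # constructed sample record
    crc = crc32_tag(message)
    tag = hmac_tag(key, message)

    # 1. Accidental corruption: both checks fail, as they should.
    corrupted = bit_flip(message, 5, 0)
    accidental = (crc_check(corrupted, crc), hmac_check(key, corrupted, tag))

    # 2. Deliberate tampering: the forged CRC verifies, the HMAC does not.
    tampered, forged_crc = attacker_modify(message)
    deliberate = (crc_check(tampered, forged_crc), hmac_check(key, tampered, tag))
    return {"accidental": accidental, "deliberate": deliberate}


if __name__ == "__main__":
    for case, (crc_ok, mac_ok) in demo().items():
        print(f"{case:10s} CRC passes: {crc_ok!s:5}  HMAC passes: {mac_ok}")
```

The same reasoning applies to an unkeyed hash such as SHA-256 when the attacker can also replace the published digest: the digest is only as trustworthy as the channel that delivers it. A digital signature over the digest (the "software digital signing" item above) closes that gap for software distribution in the same way the HMAC does for a shared-key channel.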


Balanced Security - Availability
• Redundant array of independent disks (RAID)
• Clustering
• Load balancing
• Redundant data and power lines
• Software and data backups
• Disk shadowing
• Co-location and offsite facilities
• Rollback functions
• Failover configurations


Security Definitions
• Vulnerability
• Threat
• Risk
• Exposure

Security Definitions - Vulnerability
• A vulnerability is a weakness in a system that allows a threat source to compromise its security
• It can be a software, hardware, procedural, or human weakness that can be exploited
• A vulnerability may be a service running on a server, unpatched applications or operating systems, an unrestricted wireless access point, an open port on a firewall, lax physical security that allows anyone to enter a server room, or unenforced password management


Security Definitions - Threat
• A threat is any potential danger that is associated with the exploitation of a vulnerability
• The entity that takes advantage of a vulnerability is referred to as a threat agent. A threat agent could be an intruder accessing the network through a port on the firewall, a process accessing data in a way that violates the security policy, or an employee circumventing controls in order to copy files to a medium that could expose confidential information

Security Definitions - Risk
• A risk is the likelihood of a threat source exploiting a vulnerability and the corresponding business impact
  • A firewall has several ports open -> higher likelihood that an intruder will use one to access the network
  • Users are not educated on processes and procedures -> higher likelihood that an employee will make an unintentional mistake
  • An intrusion detection system (IDS) is not implemented on a network -> higher likelihood an attack will go unnoticed
• Risk ties the vulnerability, threat, and likelihood of exploitation to the resulting business impact


Security Definitions - Exposure
• An exposure is an instance of being exposed to losses: a vulnerability exposes an organization to possible damages
  • Password management is lax and password rules are not enforced -> the company is exposed to the possibility of having users’ passwords compromised and used in an unauthorized manner
  • A company does not have its wiring inspected and does not put proactive fire prevention steps into place -> it exposes itself to potentially devastating fires


Controls and Countermeasures
• A control, or countermeasure, is put into place to mitigate (reduce) the potential risk
• A countermeasure may be a software configuration, a hardware device, or a procedure that eliminates a vulnerability or that reduces the likelihood a threat agent will be able to exploit a vulnerability
• Examples of countermeasures include strong password management, firewalls, a security guard, access control mechanisms, encryption, and security-awareness training
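A worked risk register, as an added example that is not part of the original slides: it represents each risk as asset, vulnerability, threat, likelihood and impact, scores it as likelihood x impact on a 5x5 matrix, ranks the register, and computes the residual risk left after a countermeasure. The scales, rating thresholds, reduction estimates and the four entries are constructed for illustration (they draw on the open-ports, untrained-users, no-IDS and lax-password situations described above) and are not taken from any standard.

```python
"""Added example, not from the CIS 4550 slides: a small risk register that ties
asset, vulnerability, threat, likelihood and impact together, ranks the risks
(risk = likelihood x impact on a 5x5 matrix), and shows the residual risk left
after a countermeasure. The scales, rating thresholds and the four entries are
constructed for illustration; they are not from any standard."""
from dataclasses import dataclass, replace

# Ordered qualitative scales (constructed): position + 1 is the numeric level.
LIKELIHOOD = ["rare", "unlikely", "possible", "likely", "almost certain"]
IMPACT = ["negligible", "minor", "moderate", "major", "severe"]


@dataclass(frozen=True)
class Risk:
    asset: str
    vulnerability: str      # the weakness that can be exploited
    threat: str             # the potential danger that exploits it
    likelihood: str         # entry in LIKELIHOOD
    impact: str             # entry in IMPACT
    controls: tuple = ()    # countermeasures already applied

    def score(self) -> int:
        """Risk = likelihood x impact, 1..25."""
        return (LIKELIHOOD.index(self.likelihood) + 1) * (IMPACT.index(self.impact) + 1)

    def rating(self) -> str:
        """Constructed thresholds for the 5x5 matrix."""
        s = self.score()
        return "high" if s >= 15 else "medium" if s >= 8 else "low"


def apply_control(risk: Risk, control: str,
                  likelihood_reduction: int = 0, impact_reduction: int = 0) -> Risk:
    """Residual risk after a countermeasure. Preventive controls mostly lower
    likelihood; detective/corrective/recovery controls mostly lower impact.
    Neither can go below the bottom of its scale."""
    li = max(0, LIKELIHOOD.index(risk.likelihood) - likelihood_reduction)
    ii = max(0, IMPACT.index(risk.impact) - impact_reduction)
    return replace(risk, likelihood=LIKELIHOOD[li], impact=IMPACT[ii],
                   controls=risk.controls + (control,))


def rank(register: list[Risk]) -> list[Risk]:
    """Highest inherent risk first (stable, so ties keep register order)."""
    return sorted(register, key=Risk.score, reverse=True)


def sample_register() -> list[Risk]:
    """Constructed entries built from the situations the slides describe."""
    return [
        Risk("perimeter network", "several unneeded ports open on the firewall",
             "intruder uses an open port to reach the network", "likely", "major"),
        Risk("customer records", "users not trained on processes and procedures",
             "employee makes an unintentional mistake", "almost certain", "moderate"),
        Risk("internal network", "no intrusion detection system deployed",
             "attack goes unnoticed", "possible", "severe"),
        Risk("user accounts", "password rules not enforced",
             "passwords compromised and used without authorization", "likely", "moderate"),
    ]


def treatment_plan(register: list[Risk]) -> list[tuple[str, int, int, str]]:
    """Apply one countermeasure per risk; return (asset, inherent, residual, rating).
    Reductions are constructed estimates, the kind a risk owner would justify."""
    plan = {
        "perimeter network": ("close unused ports, default-deny ruleset", 2, 0),
        "customer records": ("security-awareness training", 1, 0),
        "internal network": ("deploy IDS with monitored alerts", 0, 2),  # shorter dwell time, less damage
        "user accounts": ("enforce password policy plus MFA", 2, 0),
    }
    out = []
    for r in rank(register):
        control, lr, ir = plan[r.asset]
        residual = apply_control(r, control, lr, ir)
        out.append((r.asset, r.score(), residual.score(), residual.rating()))
    return out


if __name__ == "__main__":
    for asset, inherent, residual, rating in treatment_plan(sample_register()):
        print(f"{asset:18s} inherent={inherent:2d} residual={residual:2d} ({rating})")
```

The split between likelihood and impact is the useful part: a preventive control (closing ports, enforcing passwords) lowers how often the threat succeeds, while a detective control such as an IDS does not stop the attack but shortens the time it goes unnoticed, which is an impact reduction. Keeping the original entry immutable and returning a new residual record preserves the inherent score for the periodic review the "Balanced Security" slides call for.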

Relationship Between Security Concepts (diagram not reproduced)

Control Types (Categories)
• Administrative controls are commonly referred to as “soft controls” because they are more management oriented
  • security documentation, risk management, personnel security, and training
• Technical controls (also called logical controls) are software or hardware components, as in firewalls, IDS, encryption, and identification and authentication mechanisms
• Physical controls are items put into place to protect facility, personnel, and resources
  • security guards, locks, fencing, and lighting


Defense-In-Depth (diagrams not reproduced)

Control Types (Functionalities)
• Preventive - intended to avoid an incident from occurring
• Detective - helps identify an incident’s activities and potentially an intruder
• Corrective - fixes components or systems after an incident has occurred
• Deterrent - intended to discourage a potential attacker
• Recovery - brings the environment back to regular operations
• Compensating - provides an alternative measure of control


Examples of Preventive Controls
• Technical
  • Passwords, biometrics, smart cards
  • Encryption, secure protocols, call-back systems, database views, constrained user interfaces
  • Antimalware software, access control lists, firewalls, intrusion prevention systems
• Physical
  • Badges, swipe cards
  • Guards, dogs
  • Fences, locks, mantraps
• Administrative
  • Policies and procedures
  • Effective hiring practices
  • Pre-employment background checks
  • Controlled termination processes
  • Data classification and labeling
  • Security awareness

Control Types and Functionality (diagram not reproduced)

Security Frameworks
• We know what we need to accomplish (availability, integrity, confidentiality)
• We know how to talk about this issue (vulnerability, threat, risk, control)
• We know the tools we can use (administrative, technical, and physical controls)


What Not To Do!
• Security through obscurity is assuming that your enemies are not as smart as you are and that they cannot figure out something that you feel is very tricky
• Assume the attacker knows how the mechanism works; the protection should rest on the secrecy of keys and credentials, not on the secrecy of the design (Kerckhoffs’s principle)


Security Frameworks
• ISO/IEC 27000 Series
• Enterprise Architecture Development
• Security Controls Development
• Process Management Development
• Functionality vs. Security


Security Frameworks - ISO 27000
• ISO/IEC 27000 Series
  • International standards on how to develop and maintain an ISMS (information security management system), developed by ISO and IEC

Security Frameworks - ISO 27000
• ISO/IEC 27000 Series
  • ISO/IEC 27000 Overview and vocabulary
  • ISO/IEC 27001 ISMS requirements
  • ISO/IEC 27002 Code of practice for information security management
  • ISO/IEC 27003 ISMS implementation
  • ISO/IEC 27004 ISMS measurement
  • ISO/IEC 27005 Risk management
  • ISO/IEC 27006 Certification body requirements
  • ISO/IEC 27007 ISMS auditing
  • ISO/IEC 27008 Guidance for auditors
  • ISO/IEC 27011 Telecommunications organizations
  • ISO/IEC 27014 Information security governance
  • ISO/IEC 27015 Financial sector
  • ISO/IEC 27031 Business continuity
  • ISO/IEC 27032 Cybersecurity
  • ISO/IEC 27033 Network security
  • ISO/IEC 27034 Application security
  • ISO/IEC 27035 Incident management
  • ISO/IEC 27037 Digital evidence collection and preservation
  • ISO/IEC 27799 Health organizations


Security Frameworks - Enterprise Architecture Development
• Organizations …
  • can just toss in products here and there, which are referred to as point solutions or stovepipe solutions, and hope the ad hoc approach magically works in a manner that secures the environment evenly and covers all of the organization’s vulnerabilities; or
  • can take the time to understand the environment, understand the security requirements of the business and environment, and lay out an overarching framework and strategy that maps the two together


Developing an Enterprise Architecture - Enterprise Architecture Development
• Developing an architecture from scratch is not an easy task
• It is a conceptual construct, and a framework can be used as a guideline
• It expresses the enterprise structure (form) and behavior (function)
• Stakeholders need to be identified first
• Next, the views need to be developed, which is how the information will be illustrated in the most useful manner

Enterprise Architecture Framework - Enterprise Architecture Development (diagram not reproduced)


Security Frameworks - Enterprise Architecture Development
• Zachman Framework: model for the development of enterprise architectures, developed by John Zachman
• TOGAF: model and methodology for the development of enterprise architectures, developed by The Open Group
• DoDAF: U.S. Department of Defense architecture framework that ensures interoperability of systems to meet military mission goals
• MODAF: architecture framework used mainly in military support missions, developed by the British Ministry of Defence
• SABSA model: model and methodology for the development of information security enterprise architectures


Security Frameworks - Enterprise Architecture Development
• Zachman Framework: model for the development of enterprise architectures, developed by John Zachman
  • It is a two-dimensional model that uses six basic communication interrogatives (What, How, Where, Who, When, and Why) intersecting with different perspectives (Executives, Business Managers, System Architects, Engineers, Technicians, and Enterprise-wide) to give a holistic understanding of the enterprise
  • The goal of this framework is to be able to look at the same organization from different viewpoints


Security Frameworks - Enterprise Architecture Development
• TOGAF: model and methodology for the development of enterprise architectures, developed by The Open Group
  • It can be used to develop the following architecture types:
    • Business architecture
    • Data architecture
    • Applications architecture
    • Technology architecture
  • It is an iterative and cyclic process that allows requirements to be continuously reviewed and the individual architectures updated as needed

Security Frameworks - Enterprise Architecture Development
• DoDAF: U.S. Department of Defense architecture framework that ensures interoperability of systems to meet military mission goals
  • When the U.S. DoD purchases technology products and weapon systems, enterprise architecture documents must be created based upon DoDAF standards to illustrate how they will properly integrate into the current infrastructures
  • The focus of the architecture framework is on command, control, communications, computers, intelligence, surveillance, and reconnaissance (C4ISR) systems and processes


Security Frameworks - Enterprise Architecture Development
• MODAF: architecture framework used mainly in military support missions, developed by the British Ministry of Defence
  • The focus of the framework is to be able to get data in the right format to the right people as soon as possible


Security Frameworks - Enterprise Security Architecture Development
• SABSA model: model and methodology for the development of information security enterprise architectures
• Questions whose answer is “yes” indicate that an organization needs an enterprise security architecture:
  • Does security take place in silos throughout the organization?
  • Is there a continual disconnect between senior management and the security staff?
  • Are redundant products purchased for different departments for overlapping security needs?
  • Is the security program made up of mainly policies without actual implementation and enforcement?
  • When a new product is being rolled out, do unexpected interoperability issues pop up that require more time and money to fix?
  • Do many “one-off” efforts take place instead of following standardized procedures when security issues arise?
  • Are the business unit managers unaware of their security responsibilities and how their responsibilities map to legal and regulatory requirements?
  • Is “sensitive data” defined in a policy, but the necessary controls are not fully implemented and monitored?
  • Are stovepipe (point) solutions implemented instead of enterprise-wide solutions?
  • Are the same expensive mistakes continuing to take place?
  • Is security governance currently unavailable because the enterprise is not viewed or monitored in a standardized and holistic manner?
  • Are business decisions being made without taking security into account?
  • Are security personnel usually putting out fires with no real time to look at and develop strategic approaches?


Security Frameworks - Enterprise Security Architecture Development
• SABSA model: model and methodology for the development of information security enterprise architectures
• The Sherwood Applied Business Security Architecture (SABSA) is similar to the Zachman Framework


Security Frameworks - Enterprise Security Architecture Development
At each layer of the SABSA matrix the same six questions are asked:
• What are you trying to do at this layer? The assets to be protected by your security architecture.
• Why are you doing it? The motivation for wanting to apply security, expressed in the terms of this layer.
• How are you trying to do it? The process needed to achieve security at this layer.
• Who is involved? The people and organizational aspects of security at this layer.
• Where are you doing it? The locations where you apply your security, relevant to this layer.
• When are you doing it? The time-related aspects of security relevant to this layer.

Security Frameworks - Enterprise Security Architecture Development: SABSA matrix (diagram not reproduced)

Security Frameworks - Enterprise Security Architecture Development
• SABSA is a framework: it provides a structure for individual architectures to be built from
• It is also a methodology: it provides the processes to follow to build and maintain this architecture
• SABSA provides a life-cycle model so that the architecture can be constantly monitored and improved upon over time
• Corner points: strategic alignment, business enablement, process enhancement, and security effectiveness


Security Frameworks - ISMS vs. Enterprise Security Architecture
• The ISMS specifies the pieces and parts that need to be put into place to provide a holistic security program for the organization overall, and how to properly take care of those pieces and parts
• The enterprise security architecture illustrates how these components are to be integrated into the different layers of the current business environment


Security Frameworks - Security Controls Development
• COBIT 5: a business framework to allow for IT enterprise management and governance, developed by the Information Systems Audit and Control Association (ISACA)
• NIST SP 800-53: set of controls to protect U.S. federal systems, developed by the National Institute of Standards and Technology
• COSO Internal Control—Integrated Framework: set of internal corporate controls to help reduce the risk of financial fraud, developed by the Committee of Sponsoring Organizations (COSO) of the Treadway Commission


Security Frameworks - Security Controls Development
• COBIT 5 principles:
  1. Meeting stakeholder needs
  2. Covering the enterprise end to end
  3. Applying a single integrated framework
  4. Enabling a holistic approach
  5. Separating governance from management
• COBIT specifies 17 enterprise and 17 IT-related goals
• It defines 37 processes to manage and govern IT


Security Frameworks - Security Controls Development
• NIST SP 800-53: set of controls to protect U.S. federal systems, developed by the National Institute of Standards and Technology
  • “Security and Privacy Controls for Federal Information Systems and Organizations,” which outlines controls that agencies need to put into place to be compliant with the Federal Information Security Management Act of 2002 (FISMA)
  • The controls are grouped into families (access control, audit and accountability, incident response, and so on); earlier revisions also classed each family as management, operational, or technical. Together they are the controls prescribed for an information system to protect the availability, integrity, and confidentiality of the system and its information.


Security Frameworks - Security Controls Development
• COSO Internal Control—Integrated Framework: set of internal corporate controls to help reduce the risk of financial fraud, developed by the Committee of Sponsoring Organizations (COSO) of the Treadway Commission (formed in 1985)
• 17 principles in five components:
  • Control Environment
  • Risk Assessment
  • Control Activities
  • Information and Communication
  • Monitoring Activities


Security Frameworks - Process Management Development
• ITIL: processes to allow for IT service management, developed by the United Kingdom’s Office of Government Commerce
• Six Sigma: business management strategy that can be used to carry out process improvement
• Capability Maturity Model Integration (CMMI): organizational development for process improvement, developed by Carnegie Mellon University
• Functionality vs. Security

Security Frameworks: Process Management Development

• ITIL
• Six Sigma: TQM-type approach by Motorola
• Capability Maturity Model Integration (CMMI)
  • CMU for DoD

Security Programs

• Top-down approach
• Life cycle:
  • Plan and organize
  • Implement
  • Operate and maintain
  • Monitor and evaluate

Complexities in Cybercrime

• Hacking
• Cracking
• Attacking
• Identification is hard – spoofing addresses, services
• Zombies, bots, botnets
• C&C servers (IBM)

Economic Loss

• Loss of reputation
• Business interruption
• Damages to be paid due to loss of customer data
• Loss of intellectual property/trade secrets
• Subsequent requirements from regulatory bodies
• Website downtime
• Notification costs
• Extortion
• Other

Complexities in Cybercrime

• Electronic Assets
  • Previously, organizations only had to worry about tangible assets (equipment, buildings, manufacturing tools, inventory)
  • Now we have data: product blueprints, SSNs, medical information, credit card numbers, personal information, trade secrets, military deployments and strategies, etc.
• Too many entry points into the organization
• What is the definition of sensitive data? Where to keep it?

The Evolution of Attacks

• People who just enjoyed the thrill of hacking
• Virus writers created viruses that replicated or carried out some benign activity
• Script kiddies were noisy – they scanned lots of sites
• Organized criminals have appeared
  • They are after specific targets for specific reasons, usually profit oriented

Value of a Hacked PC

APT

• Group of attackers who combine knowledge and abilities
• Focused and motivated to aggressively and successfully penetrate a network with a variety of different attack methods
• Hide their presence while achieving a well-developed, multilevel foothold in the environment
• The “advanced” aspect pertains to the expansive knowledge, capabilities, and skill base
• The “persistent” component has to do with the fact that the group will wait for the most beneficial moment and attack vector to ensure that its activities go unnoticed
• This type of attack is coordinated by human involvement
• The APT has specific objectives and goals and is commonly highly organized and well funded, which makes it the biggest threat of all.

APT Implementation

• Malicious code that is built specifically for its target
• Has multiple ways of hiding itself once it infiltrates the environment
• May be able to polymorph itself when replicating and has several different “anchors” so it is difficult to discover
• Once the code is installed, it commonly sets up a covert back channel for remote control, gaining continuous access to critical assets

Types of Internet Crimes

• Auction fraud
• Counterfeit cashier’s check
• Debt elimination
• Parcel courier e-mail scheme
• Employment/business opportunities
• Escrow services fraud
• Investment fraud
• Lotteries
• Nigerian letter, or “419”
• Ponzi/pyramid
• Reshipping
• Third-party receiver of funds

Complexities in Cybercrime

• International Issues
  • Different countries have different legal systems
  • Some countries have no laws pertaining to computer crime
  • Jurisdiction
• Council of Europe (CoE) Convention on Cybercrime
  • Addresses computer crimes by coordinating national laws and improving investigative techniques and international cooperation

OECD

• Organisation for Economic Co-operation and Development
• Guidelines on the Protection of Privacy and Transborder Flows of Personal Data.

OECD Principles

• Collection Limitation Principle
• Data Quality Principle
• Purpose Specification Principle
• Use Limitation Principle
• Security Safeguards Principle
• Openness Principle
• Individual Participation Principle
• Accountability Principle

EU

• The EU has strict laws pertaining to data that is considered private – based on the European Union Principles on Privacy
• The US developed the Safe Harbor Privacy Principles:
  • Notice
  • Choice
  • Onward Transfer
  • Security
  • Data Integrity
  • Access
  • Enforcement

EU

• The European Union Court of Justice ruled in early October 2015 that the Safe Harbor pact violates privacy because U.S. intelligence services could get their hands on European citizens’ data

GDPR

Key changes:
• Increased Territorial Scope
• Penalties
• Consent

Data Subject Rights:
• Breach Notification
• Right to Access
• Right to be Forgotten
• Data Portability
• Privacy by Design
• Data Protection Officers

Complexities in Cybercrime

• Types of Legal Systems
  • Civil (Code) Law System - rule-based law, not precedent based
  • Common Law System - judges decide cases based on custom and precedent
  • Criminal - based on common law, statutory law, or a combination of both
  • Customary Law System - deals mainly with personal conduct and patterns of behavior based on traditions and customs
  • Religious Law System - based on the religious beliefs of the region
  • Mixed Law System - two or more legal systems are used together and apply cumulatively or interactively

Intellectual Property Laws

• IP can be protected by several different laws, depending upon the type of resource it is
• Trade Secret - something that is proprietary to a company and important for its survival and profitability
  • Many companies require their employees to sign a nondisclosure agreement (NDA)
  • It gives the company the right to fire the employee or bring charges if the employee discloses a trade secret

Intellectual Property Laws

• Copyright - protects the right of the creator of an original work - it protects the expression of the idea of the resource
  • Categories of work: pictorial, graphic, musical, dramatic, literary, pantomime, motion picture, sculptural, sound recording, and architectural
  • The protection does not extend to any method of operations, process, concept, or procedure, but it does protect against unauthorized copying and distribution of a protected work.

Software

• Software and manuals are protected under the Federal Copyright Act
• Software can be protected as a literary work
• The law protects both the source code and the compiled binary code
• It is weaker than a patent but lasts longer – it can be for life + 50 years
• It can be an operating system, application, or database - copyright deals with how that invention is represented
• In some instances, the law can protect not only the code, but also the structure, sequence, and organization – including the interface

Intellectual Property Laws

• Trademark - slightly different from a copyright in that it is used to protect a word, name, symbol, sound, shape, color, or combination of these
• International trademark law efforts and international registration are overseen by the World Intellectual Property Organization (WIPO), an agency of the United Nations

Intellectual Property Laws

• Patents are given to individuals or companies to grant them legal ownership of, and enable them to exclude others from using or copying, the invention covered by the patent
• The invention must be novel, useful, and not obvious
• A patent grants a limited property right to exclude others from making, using, or selling the invention for a specific period of time (usually 20 years)
• Patent infringement is huge within the technology world today

Mobile Patents – Who’s Suing Who?

Internal Protection of IP

• Ensuring that specific resources are protected by the previously mentioned laws is very important
• Other measures must be taken internally to make sure the resources that are confidential in nature are properly identified and protected.

Intellectual Property Laws - SW

• When a vendor develops an application, it usually licenses the program rather than selling it outright
• There are four categories of software licensing:
  • Freeware is software that is publicly available free of charge and can be used, copied, studied, modified, and redistributed
  • Shareware, or trialware, is used by vendors to market their software
  • Commercial software is software that is sold for or serves commercial purposes
  • Academic software is software that is provided for academic purposes at a reduced cost - it can be open source, freeware, or commercial software

Intellectual Property Laws - SW

• EULA – license terms (Win10)
• Software Piracy
  • Federation Against Software Theft (FAST) and the Business Software Alliance (BSA)
  • The Digital Millennium Copyright Act (DMCA) makes it illegal to create products that circumvent copyright protection mechanisms – it is a copyright law
  • The European Union passed a similar law called the Copyright Directive

Privacy - PII

• Full name (if not common)
• National identification number
• IP address (in some cases)
• Vehicle registration plate number
• Driver’s license number
• Face, fingerprints, or handwriting
• Credit card numbers
• Digital identity
• Birthday
• Birthplace
• Genetic information

The Increasing Need for Privacy Laws

• Advancement of data aggregation and retrieval technologies
  • Large data warehouses are continually being created, full of private information
• Loss of borders (globalization)
  • Private data flows from country to country for many different reasons
• Business globalization
• Advancements in convergent technologies
  • Gathering, mining, and distributing sensitive information

Privacy - Laws, Directives, and Regulations

• Federal Privacy Act of 1974
• Federal Information Security Management Act of 2002
• Dept. of VA Information Security Protection Act of 2006
• Health Insurance Portability and Accountability Act
• Health Information Technology for Economic and Clinical Health (HITECH) Act
• USA PATRIOT Act of 2001
• Gramm-Leach-Bliley Act of 1999
• PCI DSS

Privacy

• Employee Privacy Issues
  • Reasonable expectation of privacy – 4th Amendment
  • Each state and country may have different privacy laws
  • Monitoring must be announced, must be work related, must be consistent, and needs to be documented
• Metro’s Email and Communication Security Policy

Data Breaches

• U.S. Laws Pertaining to Data Breaches
  • HIPAA
  • HITECH
  • GLBA
  • Economic Espionage Act of 1996
  • State laws
• Other Nations’ Laws Pertaining to Data Breaches
  • EU
  • 12 countries have no notification requirements

Security Regulations

• Security Policy
• Standards
• Baselines
• Guidelines
• Procedures
• Implementation

Security Policy

• A security policy is an overall general statement produced by senior management
• A security policy can be (a) an organizational policy, (b) an issue-specific policy, or (c) a system-specific policy:
  a) Management establishes how a security program will be set up, lays out the program’s goals, assigns responsibilities, and considers laws and risks
  b) Addresses specific security issues that management feels need more detailed explanation (e.g. e-mail)
  c) Specific to the actual computers, networks, and applications
• A policy needs to be technology and solution independent

Standards

• Standards refer to mandatory activities, actions, or rules
• Standards can give a policy its support and reinforcement in direction
• They can also be used to indicate expected user behavior
• They must be enforced

Baselines

• A baseline refers to a point in time that is used as a comparison for future changes
• It can also define the minimum level of protection required
• Baselines that are not technology oriented should be created and enforced within organizations as well

Guidelines

• Guidelines are recommended actions and operational guides for users
• They can also be used as a recommended way to achieve specific standards
• Guidelines are general approaches that provide the necessary flexibility

Procedures

• Procedures are detailed step-by-step tasks that should be performed to achieve a certain goal
• They are considered the lowest level in the documentation chain because they are closest to the computers and users

Security Structure

• A security policy indicates that confidential information should be properly protected (in broad and general terms)
• A supporting standard mandates that all information must be encrypted with the AES algorithm
• Procedures explain exactly how to implement the AES and IPSec technologies
• Guidelines cover how to handle cases when data is accidentally corrupted or compromised
• Once systems are properly configured, this is considered the baseline that must always be maintained

Implementation

• Security policies, standards, procedures, baselines, and guidelines need to be shared, explained, used, implemented, and enforced – they need visibility
• Awareness training, manuals, presentations, newsletters, and screen banners can achieve this
• Employees must understand what is expected of them in their actions, behaviors, accountability, and performance

Risk Management

• Physical damage - fire, water, vandalism, power loss, and natural disasters
• Human interaction - accidental or intentional action or inaction that can disrupt productivity
• Equipment malfunction - failure of systems and/or devices
• Inside and outside attacks - hacking, cracking, and attacking
• Misuse of data - trade secrets, fraud, espionage, theft
• Loss of data - intentional or unintentional loss of information
• Application error - computation errors, input errors, and buffer overflows

Holistic Risk Management

• NIST SP 800-39 defines three tiers to risk management:
  • Organizational tier - concerned with risk to the business as a whole and sets important parameters such as the risk tolerance level
  • Business process tier - deals with the risk to the major functions of the organization
  • Information systems tier - addresses risk from an information systems perspective

IS Risk Management Policy

• The ISRM policy provides the foundation and direction for the organization’s security risk management processes and procedures, and should address all issues of information security
• It should provide direction on how the ISRM team communicates information on company risks to senior management and how to properly execute management’s decisions on risk mitigation tasks

Risk Management Team

They need:
• An established risk acceptance level provided by senior management
• Documented risk assessment processes and procedures
• Procedures for identifying and mitigating risks
• Appropriate resource and fund allocation from senior management
• Security-awareness training for all staff members associated with information assets
• The ability to establish improvement (or risk mitigation) teams in specific areas when necessary
• The mapping of legal and regulatory compliance requirements to control and implementation requirements
• The development of metrics and performance indicators so as to measure and manage various types of risks
• The ability to identify and assess new risks as the environment and company change
• The integration of ISRM and the organization’s change control process to ensure that changes do not introduce new vulnerabilities

Risk Management Process

• Frame risk - defines the context where all other risk activities take place
• Assess risk - before we can take any action to mitigate risk, we have to assess it - perhaps the most critical aspect
• Respond to risk - a matter of matching our limited resources with our prioritized set of controls
• Monitor risk - we need to continuously monitor the effectiveness of our controls against the risks

Threat Modeling

• Process of describing feasible adverse effects on our assets caused by threat sources
• Inventorying and categorizing our information systems is a critical early step in the process
• We are interested in the vulnerabilities inherent in our systems that could lead to the compromise of their confidentiality, integrity, or availability

Vulnerabilities

• Information
  • Data at rest: data is copied to a thumb drive and given to unauthorized parties, compromising its confidentiality
  • Data in motion: data is modified by an external actor intercepting and altering it, compromising its integrity
  • Data in use: data is deleted by a malicious process, compromising its availability

Vulnerabilities

• Processes
  • Business
  • Software

Vulnerabilities

• People
  • Social engineering - the process of getting a person to violate a security procedure or policy
  • Social networks - provide potential attackers with a wealth of information that can be leveraged directly (e.g., blackmail) or indirectly (e.g., crafting an e-mail with a link that is likely to be clicked) to exploit people.
  • Passwords - weak passwords can be cracked in milliseconds using rainbow tables and are very susceptible to dictionary or brute-force attacks. Even strong passwords are vulnerable if they are reused across sites and systems

Threat

• ISO/IEC standard 27000 defines a threat as a “potential cause of an unwanted incident, which may result in harm to a system or organization.”
  • Malicious attacker
  • Insider
  • Nonhuman threat source (e.g. nature)

Attacks

• Attack tree

Reduction Analysis

• Two aspects of reduction analysis in the context of threat modeling:
  • reduce the number of attacks we have to consider, and
  • reduce the threat posed by the attacks
• Identification of ways to mitigate or negate the attacks we’ve identified
• The closer you are to the root when you implement a mitigation technique, the more leaf conditions you will defeat with that one control
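As an added example (not from the CIS 4550 slides), the following Python builds a small AND/OR attack tree and ranks candidate mitigation points by how many leaf conditions a single control placed there would defeat, which is the reduction-analysis point about mitigating close to the root; the tree, its node labels and the mitigation sets are constructed for illustration.

```python
"""Attack-tree reduction analysis: which mitigation point defeats the most leaves?

Added example, not part of the CIS 4550 slides. The tree, its labels and the
mitigation sets below are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Iterator, List, Set, Tuple


@dataclass
class Node:
    """One node of an attack tree.

    kind is "leaf" (a precondition the attacker needs), "or" (any child
    suffices) or "and" (every child is required).
    """
    name: str
    kind: str = "leaf"
    children: List["Node"] = field(default_factory=list)


def walk(node: Node) -> Iterator[Node]:
    """Yield every node in the subtree, parents before children."""
    yield node
    for child in node.children:
        yield from walk(child)


def leaf_conditions(node: Node) -> Set[str]:
    """Names of all leaf conditions under (or at) this node."""
    return {n.name for n in walk(node) if n.kind == "leaf"}


def is_feasible(node: Node, mitigated: Set[str]) -> bool:
    """True if the goal at this node is still reachable.

    A mitigated node is defeated regardless of its children. An OR node
    stays feasible while any child is; an AND node only while all are.
    """
    if node.name in mitigated:
        return False
    if node.kind == "leaf":
        return True
    outcomes = [is_feasible(child, mitigated) for child in node.children]
    return any(outcomes) if node.kind == "or" else all(outcomes)


def leaves_defeated(root: Node, mitigated: Set[str]) -> Set[str]:
    """Leaf conditions that no longer matter once the given nodes are mitigated."""
    defeated: Set[str] = set()
    for node in walk(root):
        if node.name in mitigated:
            defeated |= leaf_conditions(node)
    return defeated


def rank_mitigation_points(root: Node) -> List[Tuple[str, int]]:
    """Each node paired with the number of leaf conditions a control placed
    there would defeat, best first. Nodes nearer the root score highest."""
    ranked = [(node.name, len(leaf_conditions(node))) for node in walk(root)]
    ranked.sort(key=lambda item: (-item[1], item[0]))
    return ranked


# Constructed example tree: the root goal is an OR over two approaches; the
# second approach is an AND branch that needs both conditions to hold.
EXAMPLE_TREE = Node("Read customer records", "or", [
    Node("Obtain a valid user account", "or", [
        Node("Account has a weak password"),
        Node("Account password was reused from a breached site"),
        Node("User is tricked into revealing credentials"),
    ]),
    Node("Bypass the application entirely", "and", [
        Node("Database host is reachable from outside the network"),
        Node("Database accepts unauthenticated connections"),
    ]),
])


if __name__ == "__main__":
    for name, count in rank_mitigation_points(EXAMPLE_TREE):
        print(f"{count:2d} leaf condition(s) defeated by a control at: {name}")
    # One control at the account node (e.g. a second authentication factor)
    # removes all three credential leaves at once, but the AND branch remains.
    print(is_feasible(EXAMPLE_TREE, {"Obtain a valid user account"}))
    # A second control on either AND leaf closes the remaining path.
    print(is_feasible(EXAMPLE_TREE, {"Obtain a valid user account",
                                     "Database accepts unauthenticated connections"}))
```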

Risk Assessment and Analysis

• Risk Analysis Team
  • Team members may be any key personnel from key areas of the organization
  • It must also include people who understand the processes that are part of their individual departments
• The Value of Information and Assets
  • You do not know how much is in danger of being lost if you don’t know what you have and what it is worth

Costs That Make Up the Value

• Cost to acquire or develop the asset
• Cost to maintain and protect the asset
• Value of the asset to owners and users
• Value of the asset to adversaries
• Price others are willing to pay for the asset
• Cost to replace the asset if lost
• Operational and production activities affected if the asset is unavailable
• Liability issues if the asset is compromised
• Usefulness and role of the asset in the organization

Value of Asset Assessment

It helps …
• to perform effective cost/benefit analyses
• to select specific countermeasures and safeguards
• to determine the level of insurance coverage to purchase
• to understand what exactly is at risk
• to comply with legal and regulatory requirements

Identifying Vulnerabilities and Threats

Methodologies for Risk Assessment

• NIST SP 800-30, Revision 1 - a guide for conducting risk assessments
  1. Prepare for the assessment.
  2. Conduct the assessment:
     a. Identify threat sources and events.
     b. Identify vulnerabilities and predisposing conditions.
     c. Determine likelihood of occurrence.
     d. Determine magnitude of impact.
     e. Determine risk.
  3. Communicate results.
  4. Maintain assessment.

Methodologies for Risk Assessment

• FRAP, which stands for Facilitated Risk Analysis Process
  • Qualitative methodology whose aim is to focus only on the systems that really need assessing, to reduce costs and time obligations
  • Prescreening activities – risk assessment steps are only carried out on the item(s) that need it the most
  • Analyze one system, application, or business process at a time
  • Priority list based upon their criticality – no probabilities or loss expectancy
  • The team documents the controls that need to be put into place to reduce the identified risks, along with action plans for control implementation efforts

Methodologies for Risk Assessment

• OCTAVE (Operationally Critical Threat, Asset, and Vulnerability Evaluation) was created by Carnegie Mellon University’s Software Engineering Institute
  • For cases where people manage and direct the risk evaluation for information security
  • Rounds of facilitated workshops to understand and identify vulnerabilities and threats – self-directed team approach
  • Wide scope to assess all systems, applications, and processes

Methodologies for Risk Assessment

• AS/NZS 4360 takes a much broader approach to risk management
  • This Australian and New Zealand methodology can be used to understand a company’s financial, capital, human safety, and business decision risks
  • It can be used to analyze security risks, but it was not created specifically for this purpose.

Methodologies for Risk Assessment

• ISO/IEC 27005 is an international standard for how risk management should be carried out in the framework of an information security management system (ISMS)
  • It deals with IT and the softer security issues (documentation, personnel security, training, etc.)
  • This methodology is to be integrated into an organizational security program that addresses all of the security threats an organization could be faced with.

Methodologies for Risk Assessment

• Failure Modes and Effect Analysis (FMEA) is a method for determining functions, identifying functional failures, and assessing the causes of failure and their failure effects through a structured process
• FMEA is commonly used in product development and operational environments

Risk Analysis Approaches

• Quantitative risk analysis is used to assign monetary and numeric values to all elements of the risk analysis process
• Each element within the analysis (asset value, threat frequency, severity of vulnerability, impact damage, safeguard costs, safeguard effectiveness, uncertainty, and probability items) is quantified and entered into equations to determine total and residual risks
• It is more of a scientific or mathematical approach to risk analysis compared to qualitative

Risk Analysis Approaches

• A qualitative risk analysis uses a “softer” approach to the data elements of a risk analysis
• It does not quantify data and does not assign numeric values to the data so that it can be used in equations
• Quantitative and qualitative approaches have their own pros and cons, and each applies more appropriately to some situations than others

Quantitative Results

• Monetary values assigned to assets
• Comprehensive list of all possible and significant threats
• Probability of the occurrence rate of each threat
• Loss potential the company can endure per threat in a 12-month time span
• Recommended controls
• Asset Value x Exposure Factor (EF) = SLE
• SLE x Annualized Rate of Occurrence (ARO) = ALE

Qualitative Results

• Qualitative analysis techniques include judgment, best practices, intuition, and experience
• Techniques to gather data are Delphi, brainstorming, storyboarding, focus groups, surveys, questionnaires, checklists, one-on-one meetings, and interviews
• The risk analysis team will determine the best technique for the threats that need to be assessed, as well as the culture of the company and individuals involved with the analysis

Control Selection

• Cost/benefit analysis:
  (ALE before implementing safeguard) – (ALE after implementing safeguard) – (annual cost of safeguard) = value of safeguard to the company (what we avoid losing)
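As an added example (not from the CIS 4550 slides), the following Python carries the SLE and ALE equations from the Quantitative Results slide through the cost/benefit formula for control selection above and ranks candidate safeguards by their value to the company; the asset, its value, the exposure factors, occurrence rates and safeguard names are constructed for illustration.

```python
"""SLE, ALE and safeguard cost/benefit, as on the Quantitative Results and
Control Selection slides.

Added example, not part of the CIS 4550 slides. The asset, its value, the
exposure factors, occurrence rates and safeguard costs are constructed.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Exposure:
    """One threat against one asset, described with the slide's inputs."""
    asset: str
    asset_value: float      # AV, in currency units
    exposure_factor: float  # EF, fraction of AV lost in a single event (0..1)
    aro: float              # Annualized Rate of Occurrence, events per year

    def sle(self) -> float:
        """Single Loss Expectancy: Asset Value x Exposure Factor."""
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError("EF must be a fraction between 0 and 1")
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annualized Loss Expectancy: SLE x ARO."""
        if self.aro < 0.0:
            raise ValueError("ARO cannot be negative")
        return self.sle() * self.aro


@dataclass(frozen=True)
class Safeguard:
    """A control and the effect it is expected to have on EF and/or ARO."""
    name: str
    annual_cost: float
    new_exposure_factor: Optional[float] = None  # None means unchanged
    new_aro: Optional[float] = None              # None means unchanged

    def apply(self, exposure: Exposure) -> Exposure:
        """The same exposure with this safeguard's reductions applied."""
        ef = exposure.exposure_factor if self.new_exposure_factor is None else self.new_exposure_factor
        aro = exposure.aro if self.new_aro is None else self.new_aro
        return Exposure(exposure.asset, exposure.asset_value, ef, aro)


def safeguard_value(exposure: Exposure, safeguard: Safeguard) -> float:
    """(ALE before) - (ALE after) - (annual cost of safeguard)."""
    return exposure.ale() - safeguard.apply(exposure).ale() - safeguard.annual_cost


def rank_safeguards(exposure: Exposure, candidates: List[Safeguard]) -> List[Tuple[str, float]]:
    """Candidates ordered by value to the company, best first. A negative
    value means the control costs more per year than the loss it prevents."""
    scored = [(s.name, safeguard_value(exposure, s)) for s in candidates]
    scored.sort(key=lambda item: -item[1])
    return scored


# Constructed scenario: a customer database worth 200,000 that a destructive
# malware event would damage by 40%, expected about once every two years.
CUSTOMER_DB = Exposure("customer database", 200_000.0, 0.40, 0.5)

CANDIDATES = [
    # Cheap control that limits the damage of an event (lowers EF).
    Safeguard("nightly offsite backups", 6_000.0, new_exposure_factor=0.10),
    # Expensive control that reduces how often the event happens (lowers ARO).
    Safeguard("managed monitoring service", 35_000.0, new_aro=0.2),
    # A control that changes nothing has a negative value equal to its cost.
    Safeguard("unused licence", 1_000.0),
]


if __name__ == "__main__":
    print(f"SLE = {CUSTOMER_DB.sle():,.0f}, ALE = {CUSTOMER_DB.ale():,.0f}")
    for name, value in rank_safeguards(CUSTOMER_DB, CANDIDATES):
        verdict = "worth it" if value > 0 else "not justified by ALE alone"
        print(f"{name:28s} value {value:>10,.0f}  {verdict}")
```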

Costs to Consider

• Product costs
• Design/planning costs
• Implementation costs
• Environment modifications
• Compatibility with other countermeasures
• Maintenance requirements
• Testing requirements
• Repair, replacement, or update costs
• Operating and support costs
• Effects on productivity
• Subscription costs
• Extra man-hours for monitoring and responding to alerts

Handling Risk

• Transfer the risk to an insurance company
• If a company decides to terminate the activity that is introducing the risk, this is known as risk avoidance
• Risk mitigation, where the risk is reduced to a level considered acceptable enough to continue conducting business
• Accept the risk, which means the company understands the level of risk it is faced with, as well as the potential cost of damage, and decides to just live with it

Outsourcing

• Hosting companies to maintain websites and e-mail servers; service providers for various telecommunication connections; disaster recovery companies for co-location capabilities; cloud computing providers for infrastructure or application services; developers for software creation; and security companies to carry out vulnerability management

Risk Management Frameworks

• NIST RMF (SP 800-37r1): U.S. federal government agencies are required to implement the provisions of this document.
  • It takes a systems life-cycle approach to risk management and focuses on certification and accreditation of information systems.
  • Many public and corporate organizations have adopted it directly, or with some modifications.

Page 36: “If you think technology can solve your security problems ...rowdysites.msudenver.edu/~fustos/cis4550/pdf/chapter01.pdf · CIS 4550 Remember … “If you think technology can solve

.

36

CIS 4550

Risk Management Frameworks

n ISO 31000:2009 international standard takes a very unique tack on risk management by focusing on uncertainty that leads to unanticipated effects

n This standard acknowledges that there are things outside of our control and that these can have negative (e.g., financial loss) or positive (e.g., business opportunity) consequences

n It is not focused on information systems, but can be applied more broadly to an organization.

Risk Management Frameworks

n ISACA Risk IT framework, developed by ISACA in collaboration with a working group of academic and corporate risk professionals, aims at bridging the gap between generic frameworks such as ISO 31000 and IT-centric ones such as NIST’s

n It is very well integrated with COBIT

Risk Management Frameworks

n COSO Enterprise Risk Management—Integrated Framework is currently undergoing a full review

n It is a generic (i.e., not IT-centric) framework used by management and therefore takes a decidedly top-down approach

Business Continuity and Disaster Recovery

n Standards and Best Practices

n Making BCM Part of the Enterprise Security Program

n BCP Project Components


Personnel Security

n Hiring Practices

n Termination

n Security-Awareness Training

n Degree or Certification?

Security Governance

n Metrics

Ethics

n The Computer Ethics Institute

n The Internet Architecture Board

n Corporate Ethics Programs


Stay Alert!

“The task we must set for ourselves is not to feel secure, but to be able to tolerate insecurity.”
Erich Fromm