Security and Risk Management
Chapter #1:
CIS 4550
Remember …

“If you think technology can solve your security problems, then you don’t understand the problems and you don’t understand the technology.”
Bruce Schneier

Working on Security Risks

“One of the main cyber-risks is to think they don’t exist. The other is to try to treat all potential risks. Fix the basics, protect first what matters for your business and be ready to react properly to pertinent threats. Think data, but also business services integrity, awareness, customer experience, compliance, and reputation.”
Stéphane Nappo, International Banking & Financial Services, Global Chief Information Security Officer & Board Advisor

CISSP Exam

- International Information Systems Security Certification Consortium
- Site
- Code of Ethics Canons
  - Protect society, the common good, necessary public trust and confidence, and the infrastructure.
  - Act honorably, honestly, justly, responsibly, and legally.
  - Provide diligent and competent service to principals.
  - Advance and protect the profession.

CISSP Exam Blueprint

- I. Security and Risk Management: This domain covers many of the foundational concepts of information systems security. Some of the topics covered include
  - The principles of availability, integrity, and confidentiality
  - Security governance and compliance
  - Legal and regulatory issues
  - Professional ethics
  - Personnel security policies
  - Risk management
  - Threat modeling
- II. Asset Security: This domain examines the protection of information assets throughout their life cycle. Some of the topics covered include
  - Information classification
  - Maintaining ownership
  - Privacy
  - Retention
  - Data security controls
  - Handling requirements
- III. Security Engineering: This domain examines the development of information systems that remain secure in the face of a myriad of threats. Some of the topics covered include
  - Security design principles
  - Selection of effective controls
  - Mitigation of vulnerabilities
  - Cryptography
  - Secure site and facility design
  - Physical security
- IV. Communication and Network Security: This domain examines network architectures, communications technologies, and network protocols with a goal of understanding how to secure them. Some of the topics covered include
  - Secure network architectures
  - Network components
  - Secure communications channels
  - Network attacks
- V. Identity and Access Management: Identity and access management is one of the most important topics in information security. This domain covers the interactions between users and systems as well as between systems and other systems. Some of the topics covered include
  - Controlling physical and logical access
  - Identification and authentication
  - Identity as a Service
  - Third-party identity services
  - Authorization methods
  - Access control attacks
- VI. Security Assessment and Testing: This domain examines ways to verify the security of our information systems. Some of the topics covered include
  - Assessment and testing strategies
  - Testing security controls
  - Collecting security process data
  - Analyzing and reporting results
  - Conducting and facilitating audits
- VII. Security Operations: This domain covers the many activities involved in the daily business of maintaining the security of our networks. Some of the topics covered include
  - Supporting investigations
  - Logging and monitoring
  - Secure provisioning of resources
  - Incident management
  - Preventative measures
  - Change management
  - Business continuity
  - Managing physical security
- VIII. Software Development Security: This domain examines the application of security principles to the acquisition and development of software systems. Some of the topics covered include
  - Security in the software development life cycle
  - Security controls in development activities
  - Assessing software security
  - Assessing the security implications of acquired software

Outline

- Security terminology and principles
- Protection control types
- Security frameworks, models, standards, and best practices
- Computer laws and crimes
- Intellectual property
- Data breaches
- Risk management
- Threat modeling
- Business continuity and disaster recovery
- Personnel security
- Security governance

Balancing

- Organizations exist to pursue their own “business” goals
- None of them exist specifically to deploy firewalls, IDSs, or maintain decryption devices
- They also have to comply with regulations and laws
- To meet those requirements they are required to practice a wide range of security disciplines

Security & Risk

- The essence of our work as security professionals is understanding two key terms: security and risk.

Fundamentals of Security

- CIA triad (confidentiality, integrity, availability)
- All security controls, mechanisms, and safeguards are implemented to provide one or more of the protection types, and all risks, threats, and vulnerabilities are measured for their potential capability to compromise one or all of the CIA principles.

Confidentiality

- Confidentiality ensures that the necessary level of secrecy is enforced at each junction of data processing and prevents unauthorized disclosure
- Attackers can thwart confidentiality mechanisms by network monitoring, shoulder surfing, stealing password files, breaking encryption schemes, and social engineering
- Users can intentionally or accidentally disclose sensitive information by not encrypting it

Integrity

- Integrity is upheld when the assurance of the accuracy and reliability of information and systems is provided, and any unauthorized modification is prevented
- When an attacker inserts a virus, logic bomb, or back door into a system, the system’s integrity is compromised
- Strict access controls, intrusion detection, and hashing can combat these threats
- Users usually affect a system’s or its data’s integrity by mistake (although internal users may also commit malicious deeds)
- For example, users unwittingly delete configuration files or insert incorrect values
- Security should streamline users’ capabilities and give them only certain choices and functionality, so errors become less common and less devastating

Availability

- Availability ensures reliability and timely access to data and resources to authorized individuals
- Network devices, computers, and applications should provide adequate functionality to perform in a predictable manner with an acceptable level of performance
- They should be able to recover from disruptions in a secure and quick fashion so productivity is not negatively affected
- Necessary protection mechanisms must be in place to protect against threats that could affect availability
- Network pieces (routers, switches, DNS servers, DHCP servers, proxies, firewalls, and so on)
- Software has many components (operating system, applications, antimalware software, and so forth)
- Environmental aspects (such as fire, flood, HVAC issues, or electrical problems), natural disasters, and physical theft or attacks

Balanced Security

- Published standards for each of the services
- Integration with key change management processes so that exceptions to standards can be identified and the associated risks managed
- Continuous auditing of the entire IT environment to identify exceptions to standards and to provide an ongoing mechanism to uncover new areas of risk
- Skilled resources across multiple disciplines that can accurately assess and articulate the risk of non-compliance with established standards to other key stakeholders throughout the enterprise
- Known risks tracked in a central repository available to all functional leaders throughout the enterprise
- Known risks reviewed by appropriate levels of IT and business leadership on a periodic basis for remediation, acceptance or temporary exception
- Actionable metrics that can be used to communicate the trend of both positive and negative changes to leading risk indicators

Balanced Security - Confidentiality

- Encryption for data at rest (whole disk, database encryption)
- Encryption for data in transit (IPSec, TLS, PPTP, SSH)
- Access control (physical and technical)

Balanced Security - Integrity

- Hashing (data integrity)
- Configuration management (system integrity)
- Change control (process integrity)
- Access control (physical and technical)
- Software digital signing
- Transmission cyclic redundancy check (CRC) functions
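
The list above names three mechanisms that each answer a different integrity question: a transmission CRC catches accidental corruption, a hash catches any change provided the reference value arrived over a trusted channel, and a signature catches deliberate modification because only the publisher can produce it. The following Python script is an added example, not material from the course slides; it models the signature with an HMAC under a constructed key, and the sample configuration file and the key are constructed for the demonstration.

```python
"""Added example (not from the course slides): three integrity checks on a
received file, and what each one does and does not catch.

  - CRC-32: transmission check, catches line noise and similar accidents.
  - SHA-256: unkeyed hash, only as trustworthy as the channel that carried
    the reference value.
  - HMAC-SHA-256: keyed check standing in for a digital signature on
    software. Assumption for the example: the publisher's key is not
    available to whoever altered the copy.
The payload and the key below are constructed for the demonstration.
"""
import hashlib
import hmac
import zlib

# Constructed sample payload: pretend this is a published configuration file.
ORIGINAL = b"max_login_attempts=5\nrequire_mfa=true\n"
# Constructed key standing in for the publisher's signing key (example only).
SIGNING_KEY = b"example-publisher-key-not-for-real-use"


def crc32(data: bytes) -> int:
    """Transmission-style checksum; anyone can recompute it."""
    return zlib.crc32(data) & 0xFFFFFFFF


def sha256_hex(data: bytes) -> str:
    """Unkeyed hash; anyone can recompute it as well."""
    return hashlib.sha256(data).hexdigest()


def hmac_hex(key: bytes, data: bytes) -> str:
    """Keyed hash; only a holder of `key` can produce a valid value."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def flip_bit(data: bytes, byte_index: int, bit: int) -> bytes:
    """Simulate accidental corruption in transit: flip one bit."""
    buf = bytearray(data)
    buf[byte_index] ^= 1 << bit
    return bytes(buf)


def verify(data: bytes, ref_crc: int, ref_sha: str, ref_mac: str) -> dict:
    """Run all three checks on a received copy against reference values."""
    return {
        "crc": crc32(data) == ref_crc,
        "sha256": hmac.compare_digest(sha256_hex(data), ref_sha),
        "hmac": hmac.compare_digest(hmac_hex(SIGNING_KEY, data), ref_mac),
    }


def run_checks() -> dict:
    """Check three received copies: the original, a copy with one bit flipped
    in transit, and a modified copy delivered together with a CRC and hash
    recomputed over its own content."""
    # Reference values as published by the owner of the file.
    ref_crc = crc32(ORIGINAL)
    ref_sha = sha256_hex(ORIGINAL)
    ref_mac = hmac_hex(SIGNING_KEY, ORIGINAL)

    corrupted = flip_bit(ORIGINAL, 0, 3)
    modified = ORIGINAL.replace(b"require_mfa=true", b"require_mfa=false")

    # The CRC and SHA-256 accompanying the modified copy were recomputed over
    # the modified bytes. No secret is needed for that, so the receiver cannot
    # tell them from genuine reference values. The HMAC reference still comes
    # from the publisher, who alone holds SIGNING_KEY, so that check fails.
    return {
        "original": verify(ORIGINAL, ref_crc, ref_sha, ref_mac),
        "corrupted_in_transit": verify(corrupted, ref_crc, ref_sha, ref_mac),
        "modified_with_recomputed_checksums": verify(
            modified, crc32(modified), sha256_hex(modified), ref_mac),
    }


if __name__ == "__main__":
    for case, result in run_checks().items():
        print(f"{case:36s} {result}")
```

The corrupted copy fails all three checks, which is why a CRC is adequate against transmission errors. The modified copy passes the CRC and the hash because both travelled with it and were recomputed; only the keyed check, whose reference value the receiver obtained from the publisher, detects the change. That is the distinction between “hashing (data integrity)” and “software digital signing” in the list above.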

Balanced Security - Availability

- Redundant array of independent disks (RAID)
- Clustering
- Load balancing
- Redundant data and power lines
- Software and data backups
- Disk shadowing
- Co-location and offsite facilities
- Rollback functions
- Failover configurations

Security Definitions

- Vulnerability
- Threat
- Risk
- Exposure

Security Definitions

- A vulnerability is a weakness in a system that allows a threat source to compromise its security
- It can be a software, hardware, procedural, or human weakness that can be exploited
- A vulnerability may be a service running on a server, unpatched applications or operating systems, an unrestricted wireless access point, an open port on a firewall, lax physical security that allows anyone to enter a server room, or unenforced password management

Security Definitions

- A threat is any potential danger that is associated with the exploitation of a vulnerability
- The entity that takes advantage of a vulnerability is referred to as a threat agent. A threat agent could be an intruder accessing the network through a port on the firewall, a process accessing data in a way that violates the security policy, or an employee circumventing controls in order to copy files to a medium that could expose confidential information

Security Definitions

- A risk is the likelihood of a threat source exploiting a vulnerability and the corresponding business impact
  - firewall has several ports open -> higher likelihood that an intruder will use one to access the network
  - users are not educated on processes and procedures -> higher likelihood that an employee will make an unintentional mistake
  - an intrusion detection system (IDS) is not implemented on a network -> higher likelihood an attack will go unnoticed
- Risk ties the vulnerability, threat, and likelihood of exploitation to the resulting business impact

Security Definitions

- An exposure is an instance of being exposed to losses – a vulnerability exposes an organization to possible damages
  - password management is lax and password rules are not enforced -> the company is exposed to the possibility of having users’ passwords compromised and used in an unauthorized manner
  - company does not have its wiring inspected and does not put proactive fire prevention steps into place -> it exposes itself to potentially devastating fires

Controls and Countermeasures

- A control, or countermeasure, is put into place to mitigate (reduce) the potential risk.
- A countermeasure may be a software configuration, a hardware device, or a procedure that eliminates a vulnerability or that reduces the likelihood a threat agent will be able to exploit a vulnerability
- Examples of countermeasures include strong password management, firewalls, a security guard, access control mechanisms, encryption, and security-awareness training

Relationship Between Security Concepts (figure)

Control Types (Categories)

- Administrative controls are commonly referred to as “soft controls” because they are more management oriented
  - security documentation, risk management, personnel security, and training
- Technical controls (also called logical controls) are software or hardware components, as in firewalls, IDS, encryption, and identification and authentication mechanisms
- Physical controls are items put into place to protect facility, personnel, and resources
  - security guards, locks, fencing, and lighting

Defense-In-Depth (figure slides)

Control Types (Functionalities)

- Preventive - intended to avoid an incident from occurring
- Detective - helps identify an incident’s activities and potentially an intruder
- Corrective - fixes components or systems after an incident has occurred
- Deterrent - intended to discourage a potential attacker
- Recovery - brings the environment back to regular operations
- Compensating - provides an alternative measure of control
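
The definitions of risk (likelihood of exploitation together with business impact), of a countermeasure (something that reduces that likelihood), and of the six control functionalities fit together in a risk register. The Python script below is an added example and not part of the course slides: it rates the three situations from the risk slide on constructed 1-5 scales and applies controls to them. The rule for which factor a control reduces is an assumption made for this example, not a statement from the slides: preventive and deterrent controls lower likelihood; detective, corrective and recovery controls lower impact, since they act once an incident exists; a compensating control has to state which one it lowers.

```python
"""Added example (not from the course slides): a small risk register.

Risk is modelled as likelihood x impact on 1-5 scales. The reduction rule
below is an assumption for this example: preventive/deterrent controls lower
likelihood, detective/corrective/recovery controls lower impact, and a
compensating control must say which factor it lowers. Entries and ratings
are constructed from the three situations on the "risk" slide.
"""
from dataclasses import dataclass, field
from typing import List, Optional

SCALE_MIN, SCALE_MAX = 1, 5
LOWERS_LIKELIHOOD = {"preventive", "deterrent"}
LOWERS_IMPACT = {"detective", "corrective", "recovery"}


@dataclass
class Control:
    name: str
    functionality: str              # one of the slide's six functionality types
    reduction: int = 1              # scale points removed (constructed estimate)
    target: Optional[str] = None    # only compensating controls need to state it

    def lowers(self) -> str:
        """Which factor of the risk this control reduces (assumed mapping)."""
        if self.functionality in LOWERS_LIKELIHOOD:
            return "likelihood"
        if self.functionality in LOWERS_IMPACT:
            return "impact"
        if self.functionality == "compensating" and self.target in ("likelihood", "impact"):
            return self.target
        raise ValueError(f"cannot tell what control {self.name!r} reduces")


@dataclass
class Risk:
    vulnerability: str
    threat: str
    likelihood: int                 # 1 = rare .. 5 = almost certain
    impact: int                     # 1 = negligible .. 5 = severe
    controls: List[Control] = field(default_factory=list)

    def inherent(self) -> int:
        """Risk before any countermeasure: likelihood x impact."""
        return self.likelihood * self.impact

    def residual(self) -> int:
        """Risk after the controls are applied; a factor never drops below 1."""
        factors = {"likelihood": self.likelihood, "impact": self.impact}
        for control in self.controls:
            which = control.lowers()
            factors[which] = max(SCALE_MIN, factors[which] - control.reduction)
        return factors["likelihood"] * factors["impact"]


def build_register() -> List[Risk]:
    """The three situations from the slide, with constructed ratings."""
    return [
        Risk("firewall has several ports open",
             "intruder uses one to access the network", 4, 4,
             [Control("close unneeded ports", "preventive", 2)]),
        Risk("users not educated on processes and procedures",
             "employee makes an unintentional mistake", 5, 3,
             [Control("security awareness training", "preventive", 2)]),
        Risk("no IDS on the network",
             "an attack goes unnoticed", 4, 5,
             [Control("deploy an IDS", "detective", 2)]),
    ]


def ranked(register: List[Risk], after_controls: bool = True) -> List[str]:
    """Vulnerabilities ordered from highest to lowest risk, for periodic review."""
    score = (lambda r: r.residual()) if after_controls else (lambda r: r.inherent())
    return [r.vulnerability for r in sorted(register, key=score, reverse=True)]


if __name__ == "__main__":
    for r in build_register():
        print(f"{r.vulnerability:48s} inherent={r.inherent():2d} residual={r.residual():2d}")
    print("review order:", ranked(build_register()))
```

Two things the numbers show that the definitions alone do not: the order in which risks deserve attention changes once controls are taken into account (the IDS gap stays on top, but the training gap overtakes the open ports), and a detective control never makes an incident less likely, it only limits how bad an undetected one becomes.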

Examples of Preventive Controls

- Technical
  - Passwords, biometrics, smart cards
  - Encryption, secure protocols, call-back systems, database views, constrained user interfaces
  - Antimalware software, access control lists, firewalls, intrusion prevention system
- Physical
  - Badges, swipe cards
  - Guards, dogs
  - Fences, locks, mantraps
- Administrative
  - Policies and procedures
  - Effective hiring practices
  - Pre-employment background checks
  - Controlled termination processes
  - Data classification and labeling
  - Security awareness

Control Types and Functionality (figure)

Security Frameworks

- We know what we need to accomplish (availability, integrity, confidentiality)
- We know how to talk about this issue (vulnerability, threat, risk, control)
- We know the tools we can use (administrative, technical, and physical controls)

What Not To Do!

- Security through obscurity is assuming that your enemies are not as smart as you are and that they cannot figure out something that you feel is very tricky

Security Frameworks

- ISO/IEC 27000 Series
- Enterprise Architecture Development
- Security Controls Development
- Process Management Development
- Functionality vs. Security

Security Frameworks: ISO 27000

- ISO/IEC 27000 Series
  - International standards on how to develop and maintain an ISMS, developed by ISO and IEC

Security Frameworks: ISO 27000

- ISO/IEC 27000 Series
  - ISO/IEC 27000 Overview and vocabulary
  - ISO/IEC 27001 ISMS requirements
  - ISO/IEC 27002 Code of practice for information security management
  - ISO/IEC 27003 ISMS implementation
  - ISO/IEC 27004 ISMS measurement
  - ISO/IEC 27005 Risk management
  - ISO/IEC 27006 Certification body requirements
  - ISO/IEC 27007 ISMS auditing
  - ISO/IEC 27008 Guidance for auditors
  - ISO/IEC 27011 Telecom. organizations
  - ISO/IEC 27014 Information security governance
  - ISO/IEC 27015 Financial sector
  - ISO/IEC 27031 Business continuity
  - ISO/IEC 27032 Cybersecurity
  - ISO/IEC 27033 Network security
  - ISO/IEC 27034 Application security
  - ISO/IEC 27035 Incident management
  - ISO/IEC 27037 Digital evidence collection and preservation
  - ISO/IEC 27799 Health organizations

Security Frameworks: ISO 27000 (figure)

- ISO/IEC 27000 Series

Security Frameworks: Enterprise Architecture Development

- Organizations …
  - can just toss in products here and there, which are referred to as point solutions or stovepipe solutions, and hope the ad hoc approach magically works in a manner that secures the environment evenly and covers all of the organization’s vulnerabilities; or
  - can take the time to understand the environment, understand the security requirements of the business and environment, and lay out an overarching framework and strategy that maps the two together

Developing an Enterprise Architecture

- Developing an architecture from scratch is not an easy task.
- It is a conceptual construct – and we can use a framework as a guideline
- It expresses the enterprise structure (form) and behavior (function)
- Stakeholders need to be identified
- Next, the views need to be developed, which is how the information will be illustrated in the most useful manner

Enterprise Architecture Framework (figure)

Security Frameworks: Enterprise Architecture Development

- Enterprise Architecture Development
  - Zachman Framework: Model for the development of enterprise architectures developed by John Zachman
  - TOGAF: Model and methodology for the development of enterprise architectures developed by The Open Group
  - DoDAF: U.S. Department of Defense architecture framework that ensures interoperability of systems to meet military mission goals
  - MODAF: Architecture framework used mainly in military support missions developed by the British Ministry of Defence
  - SABSA model: Model and methodology for the development of information security enterprise architectures

Security Frameworks: Enterprise Architecture Development

- Zachman Framework: Model for the development of enterprise architectures developed by John Zachman
  - Is a two-dimensional model that uses six basic communication interrogatives (What, How, Where, Who, When, and Why) intersecting with different perspectives (Executives, Business Managers, System Architects, Engineers, Technicians, and Enterprise-wide) to give a holistic understanding of the enterprise
  - The goal of this framework is to be able to look at the same organization from different viewpoints.

Security Frameworks: Enterprise Architecture Development

- TOGAF: Model and methodology for the development of enterprise architectures developed by The Open Group
  - It can be used to develop the following architecture types:
    - Business architecture
    - Data architecture
    - Applications architecture
    - Technology architecture
  - It is an iterative and cyclic process that allows requirements to be continuously reviewed and the individual architectures updated as needed

Security Frameworks: Enterprise Architecture Development

- DoDAF: U.S. Department of Defense architecture framework that ensures interoperability of systems to meet military mission goals
  - When the U.S. DoD purchases technology products and weapon systems, enterprise architecture documents must be created based upon DoDAF standards to illustrate how they will properly integrate into the current infrastructures
  - The focus of the architecture framework is on command, control, communications, computers, intelligence, surveillance, and reconnaissance systems and processes

Security Frameworks: Enterprise Architecture Development

- MODAF: Architecture framework used mainly in military support missions developed by the British Ministry of Defence
  - The focus of the framework is to be able to get data in the right format to the right people as soon as possible

Security Frameworks: Enterprise Security Architecture Development

- SABSA model: Model and methodology for the development of information security enterprise architectures
  - Does security take place in silos throughout the organization?
  - Is there a continual disconnect between senior management and the security staff?
  - Are redundant products purchased for different departments for overlapping security needs?
  - Is the security program made up of mainly policies without actual implementation and enforcement?
  - When a new product is being rolled out, do unexpected interoperability issues pop up that require more time and money to fix?
  - Do many “one-off” efforts take place instead of following standardized procedures when security issues arise?
  - Are the business unit managers unaware of their security responsibilities and how their responsibilities map to legal and regulatory requirements?
  - Is “sensitive data” defined in a policy, but the necessary controls are not fully implemented and monitored?
  - Are stovepipe (point) solutions implemented instead of enterprise-wide solutions?
  - Are the same expensive mistakes continuing to take place?
  - Is security governance currently unavailable because the enterprise is not viewed or monitored in a standardized and holistic manner?
  - Are business decisions being made without taking security into account?
  - Are security personnel usually putting out fires with no real time to look at and develop strategic approaches?

Security Frameworks: Enterprise Security Architecture Development

- SABSA model: Model and methodology for the development of information security enterprise architectures
  - The Sherwood Applied Business Security Architecture (SABSA) is similar to the Zachman Framework
  - What are you trying to do at this layer? The assets to be protected by your security architecture.
  - Why are you doing it? The motivation for wanting to apply security, expressed in the terms of this layer.
  - How are you trying to do it? The process needed to achieve security at this layer.
  - Who is involved? The people and organizational aspects of security at this layer.
  - Where are you doing it? The locations where you apply your security, relevant to this layer.
  - When are you doing it? The time-related aspects of security relevant to this layer.

Security Frameworks: Enterprise Security Architecture Development (figure)

Security Frameworks: Enterprise Security Architecture Development

- It is a framework, which means it provides a structure for individual architectures to be built from
- It is also a methodology, which means it provides the processes to follow to build and maintain this architecture
- SABSA provides a life-cycle model so that the architecture can be constantly monitored and improved upon over time
- Corner points: strategic alignment, business enablement, process enhancement, and security effectiveness

Security Frameworks: ISMS vs. Enterprise Security Architecture

- The ISMS specifies the pieces and parts that need to be put into place to provide a holistic security program for the organization overall and how to properly take care of those pieces and parts
- The enterprise security architecture illustrates how these components are to be integrated into the different layers of the current business environment

Security Frameworks: Security Controls Development

- Security Controls Development
  - COBIT 5: A business framework to allow for IT enterprise management and governance that was developed by Information Systems Audit and Control Association (ISACA)
  - NIST SP 800-53: Set of controls to protect U.S. federal systems developed by the National Institute of Standards and Technology
  - COSO Internal Control—Integrated Framework: Set of internal corporate controls to help reduce the risk of financial fraud developed by the Committee of Sponsoring Organizations (COSO) of the Treadway Commission

Security Frameworks: Security Controls Development

- COBIT 5 principles:
  1. Meeting stakeholder needs
  2. Covering the enterprise end to end
  3. Applying a single integrated framework
  4. Enabling a holistic approach
  5. Separating governance from management
- COBIT specifies 17 enterprise and 17 IT-related goals
- It defines 37 processes to manage and govern IT

Security Frameworks: Security Controls Development (figure)

Security Frameworks: Security Controls Development

- NIST SP 800-53: Set of controls to protect U.S. federal systems developed by the National Institute of Standards and Technology
  - “Security and Privacy Controls for Federal Information Systems and Organizations,” which outlines controls that agencies need to put into place to be compliant with the Federal Information Security Management Act of 2002 (FISMA)
  - The control categories (families) are the management, operational, and technical controls prescribed for an information system to protect the availability, integrity, and confidentiality of the system and its information.

Security Frameworks: Security Controls Development (figure)

Security Frameworks: Security Controls Development

- COSO Internal Control—Integrated Framework: Set of internal corporate controls to help reduce the risk of financial fraud developed by the Committee of Sponsoring Organizations (COSO) of the Treadway Commission (1985)
  - 17 controls in five components:
    - Control Environment
    - Risk Assessment
    - Control Activities
    - Information and Communication
    - Monitoring Activities

Security Frameworks: Process Management Development

- Process Management Development
  - ITIL: Processes to allow for IT service management developed by the United Kingdom’s Office of Government Commerce
  - Six Sigma: Business management strategy that can be used to carry out process improvement
  - Capability Maturity Model Integration (CMMI): Organizational development for process improvement developed by Carnegie Mellon University
- Functionality vs. Security

Security Frameworks: Process Management Development

- ITIL
- Six Sigma: TQM-type approach by Motorola

Security Frameworks: Process Management Development

- Capability Maturity Model Integration (CMMI)
  - CMU for DoD

Security Programs

- Top-down approach
- Life cycle:
  - Plan and organize
  - Implement
  - Operate and maintain
  - Monitor and evaluate

Security Programs (figure)

Complexities in Cybercrime

- Hacking
- Cracking
- Attacking
- Identification is hard – spoofing addresses, services
- Zombies, bots, botnets
- C&C servers (IBM)

Economic Loss

- Loss of reputation
- Business interruption
- Damages to be paid due to loss of customer data
- Loss of intellectual property/trade secrets
- Subsequent requirement from regulatory bodies
- Website downtime
- Notification costs
- Extortion
- Other

Complexities in Cybercrime

- Electronic Assets
  - previously organizations only had to worry about tangible assets (equipment, building, manufacturing tools, inventory)
  - now we have data: product blueprints, SSN, medical information, credit card numbers, personal information, trade secrets, military deployments and strategies etc.
- Too many entry points into the organization
- What is the definition of sensitive data? Where to keep it?

The Evolution of Attacks

- People who just enjoyed the thrill of hacking
- Virus writers created viruses that replicated or carried out some benign activity
- Script-kiddies were noisy – scanned lots of sites
- Organized criminals have appeared
  - They are after specific targets for specific reasons, usually profit oriented

Value of a Hacked PC (figure)

APT

- Group of attackers who combine knowledge and abilities
- Focused and motivated to aggressively and successfully penetrate a network with various attack methods
- Hide presence while achieving a well-developed, multilevel foothold in the environment
- The “advanced” aspect pertains to the expansive knowledge, capabilities, and skill base
- The “persistent” component has to do with the fact that the group will wait for the most beneficial moment and attack vector to ensure that its activities go unnoticed
- This type of attack is coordinated by human involvement
- The APT has specific objectives and goals and is commonly highly organized and well funded, which makes it the biggest threat of all.

APT Implementation

- Malicious code that is built specifically for its target
- Has multiple ways of hiding itself once it infiltrates the environment
- May be able to polymorph itself when replicating and has several different “anchors” so it is difficult to discover
- Once the code is installed, it commonly sets up a covert back channel for remote control, gaining continuous access to critical assets

Types of Internet Crimes

- Auction fraud
- Counterfeit cashier’s check
- Debt elimination
- Parcel courier e-mail scheme
- Employment/business opportunities
- Escrow services fraud
- Investment fraud
- Lotteries
- Nigerian letter, or “419”
- Ponzi/pyramid
- Reshipping
- Third-party receiver of funds

Complexities in Cybercrime

- International Issues
  - different countries have different legal systems
  - some countries have no laws pertaining to computer crime
  - jurisdiction
- Council of Europe (CoE) Convention on Cybercrime
  - addresses computer crimes by coordinating national laws and improving investigative techniques and international cooperation

OECD

- Organisation for Economic Co-operation and Development
- Guidelines on the Protection of Privacy and Transborder Flows of Personal Data.

OECD Principles

- Collection Limitation Principle
- Data Quality Principle
- Purpose Specification Principle
- Use Limitation Principle
- Security Safeguards Principle
- Openness Principle
- Individual Participation Principle
- Accountability Principle

EU

- EU has strict laws pertaining to data that is considered private – based on the European Union Principles on Privacy
- US developed Safe Harbor Privacy Principles
  - Notice
  - Choice
  - Onward Transfer
  - Security
  - Data Integrity
  - Access
  - Enforcement

EU
n European Union Court of Justice ruled in early October 2015
that the Safe Harbor pact violates privacy because U.S.
intelligence services could get their hands on European
citizens’ data
Security and Risk Management85 CIS 4550
GDPR
Key changes:
n Increased Territorial Scope
n Penalties
n Consent
Security and Risk Management86
Data Subject Rights:
n Breach Notification
n Right to Access
n Right to be Forgotten
n Data Portability
n Privacy by Design
n Data Protection Officers
Complexities in Cybercrime
n Types of Legal Systems
n Civil (Code) Law System - rule-based law, not precedent-based
n Common Law System - judges decide cases based on custom and
precedent
n Criminal - based on common law, statutory law, or a combination of both
n Customary Law System - deals mainly with personal conduct and
patterns of behavior based on traditions and customs
n Religious Law System - based on religious beliefs of the region
n Mixed Law System - two or more legal systems are used together and
apply cumulatively or interactively
Intellectual Property Laws
n IP can be protected by several different laws, depending
upon the type of resource it is
n Trade Secret - is something that is proprietary to a
company and important for its survival and profitability
n Many companies require their employees to sign a
nondisclosure agreement (NDA)
n It gives the company the right to fire the employee or bring
charges if the employee discloses a trade secret
Intellectual Property Laws
n Copyright - protects the right of the creator of an original
work - it protects the expression of the idea of the resource
n Categories of work: pictorial, graphic, musical, dramatic,
literary, pantomime, motion picture, sculptural, sound
recording, and architectural
n The protection does not extend to any method of
operations, process, concept, or procedure, but it does
protect against unauthorized copying and distribution of a
protected work.
Software
n Software and manual are protected under the Federal Copyright
Act
n Software can be protected under literary work
n Law protects both the source code and the compiled binary code
n It is weaker than patent but longer – it can be for life + 50 years
n It can be an operating system, application, or database -
copyright deals with how that invention is represented
n In some instances, the law can protect not only the code, but also
the structure, sequence, and organization – including the interface
Intellectual Property Laws
n Trademark - is slightly different from a copyright in that it
is used to protect a word, name, symbol, sound, shape,
color, or combination of these
n International trademark law efforts and international
registration are overseen by the World Intellectual Property
Organization (WIPO), an agency of the United Nations
Intellectual Property Laws
n Patents are given to individuals or companies to grant them
legal ownership of, and enable them to exclude others from
using or copying, the invention covered by the patent
n The invention must be novel, useful, and not obvious
n Patent grants a limited property right to exclude others
from making, using, or selling the invention for a specific
period of time (usually 20 years)
n Patent infringement is huge within the technology world
today
Mobile Patents – Who’s Suing Who?
Internal Protection of IP
n Ensuring that specific resources are protected by the
previously mentioned laws is very important
n Other measures must be taken internally to make sure the
resources that are confidential in nature are properly
identified and protected.
Intellectual Property Laws - SW
n When a vendor develops an application, it usually licenses the
program rather than selling it outright
n There are four categories of software licensing:
n freeware is software that is publicly available free of charge and can be
used, copied, studied, modified, and redistributed
n shareware, or trialware, is used by vendors to market their software
n commercial software is software that is sold for or serves commercial
purposes
n academic software is software that is provided for academic purposes at
a reduced cost - it can be open source, freeware, or commercial software
Intellectual Property Laws - SW
n EULA – license terms Win10
n Software Piracy
n Federation Against Software Theft (FAST) and the Business
Software Alliance (BSA)
n Digital Millennium Copyright Act (DMCA) makes it illegal to
create products that circumvent copyright protection
mechanisms – it is a copyright law
n The European Union passed a similar law called the
Copyright Directive
Privacy - PII
n Full name (if not common)
n National identification number
n IP address (in some cases)
n Vehicle registration plate number
n Driver’s license number
n Face, fingerprints, or handwriting
n Credit card numbers
n Digital identity
n Birthday
n Birthplace
n Genetic information
The Increasing Need for Privacy Laws
n Data aggregation and retrieval technologies advancement
n Large data warehouses are continually being created full of
private information
n Loss of borders (globalization)
n Private data flows from country to country for many different
reasons
n Business globalization
n Convergent technologies advancements
n Gathering, mining, and distributing sensitive information
Privacy - Laws, Directives, and Regulations
n Federal Privacy Act of 1974
n Federal Information Security Management Act of 2002
n Dept. of VA Information Security Protection Act of 2006
n Health Insurance Portability and Accountability Act
n Health Information Technology for Economic and Clinical Health
(HITECH) Act
n USA PATRIOT Act of 2001
n Gramm-Leach-Bliley Act of 1999
n PCI DSS
Privacy
n Employee Privacy Issues
n reasonable expectation of privacy – 4th amendment
n each state and country may have different privacy laws
n monitoring must be announced, must be work related, must
be consistent, needs to be documented
n Metro’s Email and Communication Security Policy
Data Breaches
n U.S. Laws Pertaining to Data Breaches
n HIPAA
n HITECH
n GLBA
n Economic Espionage Act of 1996
n State laws
n Other Nations’ Laws Pertaining to Data Breaches
n EU
n 12 countries have no notification requirements
Security Regulations
n Security Policy
n Standards
n Baselines
n Guidelines
n Procedures
n Implementation
Security Policy
n Security policy is an overall general statement produced by senior
management
n A security policy can be (a) an organizational policy, (b) an issue-
specific policy, or (c) a system-specific policy:
a) management establishes how a security program will be set up, lays
out the program’s goals, assigns responsibilities, considers laws, risks
b) addresses specific security issues that management feels need more
detailed explanation (e.g. e-mail)
c) are specific to the actual computers, networks, and applications
n A policy needs to be technology and solution independent
Standards
n Standards refer to mandatory activities, actions, or rules
n Standards can give a policy its support and reinforcement
in direction
n They can also be used to indicate expected user behavior
n They must be enforced
Baselines
n Baseline refers to a point in time that is used as a
comparison for future changes
n Can also define the minimum level of protection required
n Baselines that are not technology oriented should be
created and enforced within organizations as well
Guidelines
n Guidelines are recommended actions and operational
guides to users
n They can also be used as a recommended way to achieve
specific standards
n Guidelines are general approaches that provide the
necessary flexibility
Procedures
n Procedures are detailed step-by-step tasks that should be
performed to achieve a certain goal
n They are considered the lowest level in the documentation
chain because they are closest to the computers and users
Security Structure
n A security policy indicates that confidential information should be
properly protected (in broad and general terms)
n A supporting standard mandates that all information must be
encrypted with the AES algorithm
n Procedures explain exactly how to implement the AES and IPSec
technologies
n Guidelines cover how to handle cases when data is accidentally
corrupted or compromised
n Once systems are properly configured this is considered the
baseline that must always be maintained
Implementation
n Security policies, standards, procedures, baselines, and
guidelines need to be shared, explained, used,
implemented, and enforced – they need visibility
n Awareness training, manuals, presentations, newsletters,
and screen banners can achieve this
n Employees must understand what is expected of them in
their actions, behaviors, accountability, and performance
Risk Management
n Physical damage - fire, water, vandalism, power loss, and natural
disasters
n Human interaction - accidental or intentional action or inaction that can
disrupt productivity
n Equipment malfunction - failure of systems and/or devices
n Inside and outside attacks - hacking, cracking, and attacking
n Misuse of data - trade secrets, fraud, espionage, theft
n Loss of data - intentional or unintentional loss of information
n Application error - computation errors, input errors, and buffer
overflows
Holistic Risk Management
n NIST SP 800-39 defines three tiers to risk management:
n Organizational tier - concerned with risk to the business as a
whole and sets important parameters such as the risk
tolerance level
n Business process tier - deals with the risk to the major
functions of the organization
n Information systems tier - addresses risk from an information
systems perspective
IS Risk Management Policy
n ISRM policy provides the foundation and direction for the
organization’s security risk management processes and
procedures, and should address all issues of information
security
n It should provide direction on how the ISRM team
communicates information on company risks to senior
management and how to properly execute management’s
decisions on risk mitigation tasks
Risk Management Team
They need:
n An established risk acceptance level provided by senior management
n Documented risk assessment processes and procedures
n Procedures for identifying and mitigating risks
n Appropriate resource and fund allocation from senior management
n Security-awareness training for all staff members associated with information assets
n The ability to establish improvement (or risk mitigation) teams in specific areas when necessary
n The mapping of legal and regulatory compliance requirements to control and implementation
requirements
n The development of metrics and performance indicators so as to measure and manage various
types of risks
n The ability to identify and assess new risks as the environment and company change
n The integration of ISRM and the organization’s change control process to ensure that changes do
not introduce new vulnerabilities
Risk Management Process
n Frame risk - defines the context where all other risk
activities take place
n Assess risk - before we can take any action to mitigate risk,
we have to assess it - perhaps the most critical aspect
n Respond to risk - a matter of matching our limited
resources with our prioritized set of controls
n Monitor risk - we need to continuously monitor the
effectiveness of our controls against the risks
Threat Modeling
n Process of describing feasible adverse effects on our assets
caused by threat sources
n Inventorying and categorizing our information systems is a
critical early step in the process
n We are interested in the vulnerabilities inherent in our
systems that could lead to the compromise of their
confidentiality, integrity, or availability
Vulnerabilities
n Information
n Data at rest: data is copied to a thumb drive and given to
unauthorized parties compromising its confidentiality.
n Data in motion: data is modified by an external actor
intercepting, altering, and compromising its integrity
n Data in use: data is deleted by a malicious process
compromising its availability
Vulnerabilities
n Processes
n Business
n Software
Vulnerabilities
n People
n Social engineering - this is the process of getting a person to violate a
security procedure or policy
n Social networks - provide potential attackers with a wealth of
information that can be leveraged directly (e.g., blackmail) or
indirectly (e.g., crafting an e-mail with a link that is likely to be
clicked) to exploit people.
n Passwords - weak passwords can be cracked in milliseconds using
rainbow tables and are very susceptible to dictionary or brute-force
attacks. Even strong passwords are vulnerable if they are reused
across sites and systems
Threat
n ISO/IEC standard 27000 defines a threat as a “potential
cause of an unwanted incident, which may result in harm to
a system or organization.”
n malicious attacker
n insider
n nonhuman threat source (e.g. nature)
Attacks
n Attack tree
Reduction Analysis
n Two aspects of reduction analysis in the context of threat
modeling:
n reduce the number of attacks we have to consider, and
n reduce the threat posed by the attacks
n Identification of ways to mitigate or negate the attacks
we’ve identified
n The closer you are to the root when you implement a mitigation
technique, the more leaf conditions you defeat with that
one control
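The attack tree and reduction analysis described on these two slides, as an added example (not code from the course or its textbook): a small AND/OR attack tree whose node names are constructed for illustration, with a function that counts the remaining leaf-level attack paths after a single control negates one node, so the "closer to the root" point can be checked numerically.

```python
"""Attack tree with reduction analysis (added example, not from the slides).

Models a small attack tree as AND/OR nodes, enumerates the distinct sets of
leaf conditions that reach the root goal, and compares the effect of placing
one mitigation near a leaf versus near the root. Node names are constructed.
"""
import copy
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Node:
    name: str
    gate: str = "OR"                 # "OR": any child suffices; "AND": all children are needed
    children: List["Node"] = field(default_factory=list)
    mitigated: bool = False          # a control negates this node and everything beneath it


def attack_paths(node: Node) -> List[List[str]]:
    """Return every distinct set of leaf conditions that achieves `node`."""
    if node.mitigated:
        return []
    if not node.children:
        return [[node.name]]
    child_paths = [attack_paths(c) for c in node.children]
    if node.gate == "OR":
        return [path for paths in child_paths for path in paths]
    # AND gate: every child must succeed, so combine one path from each child.
    combos: List[List[str]] = [[]]
    for paths in child_paths:
        if not paths:
            return []                # a required branch is negated: goal unreachable
        combos = [a + b for a in combos for b in paths]
    return combos


def find(node: Node, name: str) -> Optional[Node]:
    if node.name == name:
        return node
    for child in node.children:
        hit = find(child, name)
        if hit is not None:
            return hit
    return None


def paths_after_mitigating(root: Node, name: str) -> int:
    """Number of attack paths left once a control negates the named node."""
    tree = copy.deepcopy(root)       # leave the original tree untouched
    target = find(tree, name)
    if target is None:
        raise KeyError(name)
    target.mitigated = True
    return len(attack_paths(tree))


def build_tree() -> Node:
    """Constructed tree: the goal is the root, the leaves are the attacks to consider."""
    return Node("Read confidential customer records", "OR", [
        Node("Obtain a valid user credential", "OR", [
            Node("Phish a user"),
            Node("Guess a weak password"),
            Node("Reuse a password leaked from another site"),
        ]),
        Node("Exploit the web application", "AND", [
            Node("Find an input-validation flaw"),
            Node("Reach the application from the Internet"),
        ]),
        Node("Steal backup media", "OR", [
            Node("Take an unencrypted backup tape"),
        ]),
    ])


if __name__ == "__main__":
    root = build_tree()
    print("paths with no mitigation:", len(attack_paths(root)))                  # 5
    print("after a leaf control (phishing training):",
          paths_after_mitigating(root, "Phish a user"))                         # 4
    print("after a near-root control (MFA on the credential branch):",
          paths_after_mitigating(root, "Obtain a valid user credential"))       # 2
```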
Risk Assessment and Analysis
n Risk Analysis Team
n team members may be any key personnel from key areas of
the organization
n must also include people who understand the processes that
are part of their individual departments
n The Value of Information and Assets
n You do not know how much is in danger of being lost if you
don’t know what you have and what it is worth
Costs That Make Up the Value
n Cost to acquire or develop the asset
n Cost to maintain and protect the asset
n Value of the asset to owners and users
n Value of the asset to adversaries
n Price others are willing to pay for the asset
n Cost to replace the asset if lost
n Operational and production activities affected if the asset is unavailable
n Liability issues if the asset is compromised
n Usefulness and role of the asset in the organization
Value of Asset Assessment
It helps …
n to perform effective cost/benefit analyses
n to select specific countermeasures and safeguards
n to determine the level of insurance coverage to purchase
n to understand what exactly is at risk
n to comply with legal and regulatory requirements
Identifying Vulnerabilities and Threats
Methodologies for Risk Assessment
n NIST SP 800-30, Revision 1 - a guide for conducting risk assessments
1. Prepare for the assessment.
2. Conduct the assessment:
a. Identify threat sources and events.
b. Identify vulnerabilities and predisposing conditions.
c. Determine likelihood of occurrence.
d. Determine magnitude of impact.
e. Determine risk.
3. Communicate results.
4. Maintain assessment.
Methodologies for Risk Assessment
n FRAP, which stands for Facilitated Risk Analysis Process
n A qualitative methodology whose aim is to focus only on the systems that really
need assessing, to reduce costs and time obligations
n Prescreening activities – risk assessment steps are only carried out on the
item(s) that need it the most
n Analyze one system, application, or business process at a time
n Priority list based upon their criticality – no probabilities or loss expectancy
n Team documents the controls that need to be put into place to reduce the
identified risks along with action plans for control implementation efforts
Methodologies for Risk Assessment
n OCTAVE (Operationally Critical Threat, Asset, and Vulnerability
Evaluation) was created by Carnegie Mellon University’s
Software Engineering Institute
n Cases where people manage and direct the risk evaluation for
information security
n rounds of facilitated workshops to understand and identify
vulnerabilities and threats – self-directed team approach
n Wide scope to assess all systems, applications, and processes
Methodologies for Risk Assessment
n AS/NZS 4360 takes a much broader approach to risk
management
n This Australian and New Zealand methodology can be used
to understand a company’s financial, capital, human safety,
and business decisions risks
n Although it can be used to analyze security risks, it was not created
specifically for this purpose.
Methodologies for Risk Assessment
n ISO/IEC 27005 is an international standard for how risk
management should be carried out in the framework of an
information security management system (ISMS)
n It deals with IT and the softer security issues (documentation,
personnel security, training, etc.)
n This methodology is to be integrated into an organizational
security program that addresses all of the security threats an
organization could be faced with.
Methodologies for Risk Assessment
n Failure Modes and Effect Analysis (FMEA) is a method for
determining functions, identifying functional failures, and
assessing the causes of failure and their failure effects
through a structured process
n FMEA is commonly used in product development and
operational environments
Risk Analysis Approaches
n Quantitative risk analysis is used to assign monetary and
numeric values to all elements of the risk analysis process
n Each element within the analysis (asset value, threat
frequency, severity of vulnerability, impact damage,
safeguard costs, safeguard effectiveness, uncertainty, and
probability items) is quantified and entered into equations
to determine total and residual risks
n It is more of a scientific or mathematical approach to risk
analysis compared to qualitative
Risk Analysis Approaches
n A qualitative risk analysis uses a “softer” approach to the
data elements of a risk analysis
n It does not quantify data and does not assign numeric
values to the data so that it can be used in equations
n Quantitative and qualitative approaches have their own
pros and cons, and each applies more appropriately to
some situations than others
Quantitative Results
n Monetary values assigned to assets
n Comprehensive list of all possible and significant threats
n Probability of the occurrence rate of each threat
n Loss potential the company can endure per threat in a 12-
month time span
n Recommended controls
n Asset Value x Exposure Factor (EF) = SLE
n SLE x Annualized Rate of Occurrence (ARO) = ALE
Qualitative Results
n Qualitative analysis techniques include judgment, best
practices, intuition, and experience
n Techniques to gather data are Delphi, brainstorming,
storyboarding, focus groups, surveys, questionnaires,
checklists, one-on-one meetings, and interviews
n The risk analysis team will determine the best technique for
the threats that need to be assessed, as well as the culture
of the company and individuals involved with the analysis
Control Selection
n Cost/benefit analysis
(ALE before implementing safeguard) – (ALE after
implementing safeguard) – (annual cost of safeguard) = value
of safeguard to the company (what we do not lose)
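The SLE/ALE formulas from the Quantitative Results slide and the safeguard-value formula from this slide, carried through as an added example (not code from the course or its textbook). The asset value, exposure factors, rates of occurrence and safeguard costs are constructed; the helper ranks candidate safeguards so that a negative value, meaning the control costs more per year than it saves, is visible before a mitigation decision is made.

```python
"""Quantitative risk analysis with a cost/benefit check (added example, not from the slides).

SLE = asset value x exposure factor (EF)
ALE = SLE x annualized rate of occurrence (ARO)
value of safeguard = (ALE before) - (ALE after) - (annual cost of safeguard)
All figures used below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import List, Tuple


def sle(asset_value: float, exposure_factor: float) -> float:
    """Single Loss Expectancy: what one occurrence of the threat costs."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("EF is the fraction of the asset value lost in one event")
    return round(asset_value * exposure_factor, 2)


def ale(single_loss: float, annual_rate: float) -> float:
    """Annualized Loss Expectancy: expected loss over a 12-month period."""
    if annual_rate < 0:
        raise ValueError("ARO cannot be negative")
    return round(single_loss * annual_rate, 2)


@dataclass(frozen=True)
class Safeguard:
    name: str
    annual_cost: float      # product, maintenance, monitoring, productivity effects, etc.
    ef_after: float         # exposure factor once the control is in place
    aro_after: float        # rate of occurrence once the control is in place


def safeguard_value(asset_value: float, ef: float, aro: float, sg: Safeguard) -> float:
    """What the control saves the company each year; negative means it costs more than it saves."""
    before = ale(sle(asset_value, ef), aro)
    after = ale(sle(asset_value, sg.ef_after), sg.aro_after)
    return round(before - after - sg.annual_cost, 2)


def recommend(asset_value: float, ef: float, aro: float,
              candidates: List[Safeguard]) -> List[Tuple[str, float, str]]:
    """Rank candidates by value and label each one mitigate or reject."""
    scored = [(sg.name, safeguard_value(asset_value, ef, aro, sg)) for sg in candidates]
    scored.sort(key=lambda item: item[1], reverse=True)
    return [(name, value, "mitigate" if value > 0 else "reject (accept or transfer instead)")
            for name, value in scored]


if __name__ == "__main__":
    # Constructed scenario: a customer database worth $500,000, where one breach
    # destroys 30% of that value and such a breach is expected once every five years.
    asset_value, ef, aro = 500_000.0, 0.3, 0.2
    print("SLE:", sle(asset_value, ef))                 # 150000.0
    print("ALE:", ale(sle(asset_value, ef), aro))       # 30000.0
    candidates = [
        Safeguard("Encrypt backups and enforce MFA", 12_000.0, 0.05, 0.2),
        Safeguard("Dedicated SOC retainer", 40_000.0, 0.1, 0.1),
    ]
    for name, value, decision in recommend(asset_value, ef, aro, candidates):
        print(f"{name}: value {value:+.2f} per year -> {decision}")
```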
Costs to Consider
n Product costs
n Design/planning costs
n Implementation costs
n Environment modifications
n Compatibility with other countermeasures
n Maintenance requirements
n Testing requirements
n Repair, replacement, or update costs
n Operating and support costs
n Effects on productivity
n Subscription costs
n Extra man-hours for monitoring and responding to alerts
Handling Risk
n Transfer the risk to an insurance company
n If a company decides to terminate the activity that is
introducing the risk, this is known as risk avoidance
n Risk mitigation, where the risk is reduced to a level
considered acceptable enough to continue conducting
business
n Accept the risk, which means the company understands the
level of risk it is faced with, as well as the potential cost of
damage, and decides to just live with it
Outsourcing
n Hosting companies to maintain websites and e-mail
servers; service providers for various telecommunication
connections; disaster recovery companies for co-location
capabilities, cloud computing providers for infrastructure or
application services, developers for software creation, and
security companies to carry out vulnerability management
Risk Management Frameworks
n NIST RMF (SP 800-37r1) - U.S. federal government
agencies are required to implement the provisions of this
document.
n It takes a systems life-cycle approach to risk management
and focuses on certification and accreditation of information
systems.
n Many public and corporate organizations have adopted it
directly, or with some modifications.
Risk Management Frameworks
n ISO 31000:2009 international standard takes a unique
tack on risk management by focusing on uncertainty
that leads to unanticipated effects
n This standard acknowledges that there are things outside of
our control and that these can have negative (e.g., financial
loss) or positive (e.g., business opportunity) consequences
n It is not focused on information systems, but can be applied
more broadly to an organization.
Risk Management Frameworks
n ISACA Risk IT framework, developed by ISACA in
collaboration with a working group of academic and
corporate risk professionals, aims at bridging the gap
between generic frameworks such as ISO 31000 and IT-
centric ones such as NIST’s
n It is very well integrated with COBIT
Risk Management Frameworks
n COSO Enterprise Risk Management—Integrated
Framework is currently undergoing a full review
n It is a generic (i.e., not IT-centric) framework used by
management and therefore takes a decidedly top-down
approach
Business Continuity and Disaster Recovery
n Standards and Best Practices
n Making BCM Part of the Enterprise Security Program
n BCP Project Components
Personnel Security
n Hiring Practices
n Termination
n Security-Awareness Training
n Degree or Certification?
Security Governance
n Metrics
Ethics
n The Computer Ethics Institute
n The Internet Architecture Board
n Corporate Ethics Programs
Stay Alert!
The task we must set for ourselves is not to feel
secure, but to be able to tolerate insecurity.
Erich Fromm