
ISA 562 Summer 2008 1

Information Security Management
CISSP Topic 1
ISA 562: Internet Security Theory and Practice

Course Outline
• An introductory course at the graduate level
• It covers the topics of the CISSP exam at varying depth
• But is NOT a CISSP course
• Textbooks:
  – Matt Bishop: Computer Security: Art and Science
  – Official (ISC)2 Guide to the CISSP CBK

Objectives
• Roles and responsibilities of individuals in a security program
• Security planning in an organization
• Security awareness in the organization
• Differences between policies, standards, guidelines and procedures
• Risk management practices and tools

Syllabus of the Course
• Bishop's book for the first part
• Papers for some classes
• (ISC)2 book for the second part
• Cover material relevant to the PhD qualifying examination in security

Introduction
• Purpose of information security:
  – to protect an organization's information resources: data, hardware, and software.
• To increase organizational success: information systems (IS) are critical assets supporting the organization's mission

Information Security TRIAD
• The overarching goals of information security are addressed through the AIC TRIAD: availability, integrity, and confidentiality.

IT Security Requirements - I
Security should be designed for two requirements:
1. Functional: define the behavior of the control means, based on risk assessment
   Properties:
   • should not depend on another control
   • Why? fail safe by maintaining security during a system failure
2. Assurance: provide confidence that security functions perform as expected.
   • Internal/external audit
   • Third-party reviews
   • Compliance with best practices
Examples
   – Functional: a network firewall to permit or deny traffic.
   – Assurance: logs are generated, monitored, and reviewed

Organizational & Business Requirements
• Focus on organizational mission:
  – Business- or goals-driven
• Depends on type of organization:
  – Military, government, or commercial.
• Must be sensible and cost effective
  – Solution considers the mission and environment: a trade-off

IT Security Governance
• Integral part of corporate governance:
  – Fully integrated into overall risk-based threat analysis
• Ensure that IT infrastructure:
  – Meets all requirements.
  – Supports the strategies and objectives of the company.
  – Includes service level agreements [if outsourced].

Security Governance: Major parts
1. Leadership:
   • Security leaders must be part of the company leadership -- where they can be heard.
2. Structure:
   • Occurs at many levels and should use a layered approach.
3. Processes:
   • Follow internationally accepted "best practices": job rotation, separation of duties, least privilege, mandatory vacations, etc.
   • Examples of standards: ISO 17799 & ISO 27001:2005

Security Blueprints
• Provide a structure for organizing requirements and solutions.
  – Ensure that security is considered holistically.
• To identify and design security requirements

Policy Overview
1. The operational environment is a web of laws, regulations, requirements, and agreements or contracts with partners and competitors
2. These change frequently and interact with each other
3. Management must develop and publish security statements addressing policies and supporting elements, such as standards, baselines, and guidelines.

Policy overview

Functions of Security policy
1. Provide management goals and objectives in writing
2. Ensure document compliance
3. Create a security culture
4. Anticipate and protect others from surprises
5. Establish the security activity/function
6. Hold individuals responsible and accountable
7. Address foreseeable conflicts
8. Make sure employees and contractors are aware of organizational policy and changes to it
9. Require an incident response plan
10. Establish a process for exception handling, rewards, and discipline

Policy Infrastructure
1. High-level policies are interpreted into functional policies.
2. Functional policies are derived from the overarching policy and create the foundation for procedures, standards, and baselines to accomplish the objectives
3. Policies gain credibility through top management buy-in.

Examples of Functional Policies
1. Data classification
2. Certification and accreditation
3. Access control
4. Outsourcing
5. Remote access
6. Acceptable mail and Internet usage
7. Privacy
8. Dissemination control
9. Sharing control

Policy Implementation
• Standards, procedures, baselines, and guidelines turn management objectives and goals [functional policies] into enforceable actions for employees.

Standards and procedures
1. Standards (local): adoption of common hardware and software mechanisms and products throughout the enterprise.
   Examples: desktop, anti-virus, firewall
2. Procedures: step-by-step actions that must be followed to accomplish a task.
3. Guidelines: recommendations for product implementations, procurement and planning, etc.
   Examples: ISO 17799, Common Criteria, ITIL

Security Baselines
• Benchmarks: to ensure that a minimum level of security configuration is provided across implementations and systems.
  – Establish consistent implementation of security mechanisms.
  – Platform-unique
• Examples:
  – VPN setup
  – IDS configuration
  – Password rules

Three Levels of security planning
1. Strategic: long term
   • Focus on high-level, long-range organizational requirements
   – Example: overall security policy
2. Tactical: medium term
   • Focus on events that affect all of the organization
   – Example: functional plans
3. Operational: short term
   • Fight fires at the keyboard level, directly affecting how the organization accomplishes its objectives.

Organizational roles and responsibilities
• Everyone has a role:
  – with responsibility clearly communicated and understood
• Duties associated with the role must be assigned
• Examples:
  – Securing email
  – Reviewing violation reports
  – Attending awareness training

Specific Roles and Responsibilities (duties)
• Executive management:
  – Publish and endorse security policy
  – Establish goals and objectives
  – State overall responsibility for asset protection.
• IS security professionals:
  – Security design, implementation, management
  – Review of organization security policies.
• Owner:
  – Information classification
  – Set user access conditions
  – Decide on business continuity priorities
• Custodian:
  – Entrusted with the security of the information
• IS auditor:
  – Audit assurance guarantees.
• User:
  – Compliance with procedures and policies

Personnel Security: Hiring staff
• Background check/security clearance
• Check references/educational records
• Sign employment agreement
  – Non-disclosure agreements
  – Non-compete agreements
• Low-level checks
• Consult with HR department
• Termination/dismissal procedure

Third party considerations
• Include:
  – Vendors/suppliers
  – Contractors
  – Temporary employees
  – Customers
• Must establish procedures for these groups.

Personnel good practice
• Job description; roles and responsibilities
• Least privilege/need to know
• Compliance with need to share
• Separation of duties/responsibilities
• Job rotation
• Mandatory vacations

Security Awareness
• Awareness training
  – Remind employees of their security responsibilities
  – Motivate personnel to comply with them
  – Videos
  – Newsletters
  – Posters
  – Key-chains

Training and Education
• Job training
  – Provide skills to perform security functions.
  • Focus on security-related job skills
  • Address security requirements of the organization, etc.
• Professional education
  – Provide decision-making and security management skills important for the success of the security program.

Good training practice
• Address all the audience
  – Management
  – Data owner and custodian
  – Operations personnel
  – User
  – Support personnel

Risk in NIST SP 800-30
• Risk is a function of the likelihood of a given threat-source's exercising a particular potential vulnerability and the resulting impact of that adverse event on the organization.

Risk related Definitions
• Vulnerability: a flaw or weakness in system procedures, design, implementation or internal controls that could be used to breach or violate the system
• Likelihood: probability that a vulnerability may be used in the threat environment.
• Threat: the potential for a mal-actor to exercise a vulnerability.
• Countermeasure: risk reduction method (technical, operational, managerial, or a combination)

Risk Management concept flow

Risk Management Definitions
• Asset: something valued (to accomplish goals and objectives)
• Threat agent: anything that can pose or cause a threat.
• Exposure: situation when a threat can cause loss.
• Vulnerability: weakness that could be exploited.
• Attack: intentional action attempting to cause harm.
• Risk: probability that some event can occur
• Residual risk: risk remaining after countermeasures and safeguards have been applied

Risk Management
• To identify possible problems before they occur so that risk-handling activities may be planned and invoked as needed during the life of the product or project

The Risk Equation

Risk Management
• Identify and reduce risks
  – Mitigating controls [safeguards & countermeasures]
  – Residual risk, when countermeasures exist but are not sufficient, should be at an acceptable level

Purpose of Risk Analysis
• Identify and justify risk mitigation
  – Assess threats to business processes and IS
  – Justify use of countermeasures
• Describe security based on risk to the organization

Benefits of Risk Analysis
• Focus on policy and resources
• Identify areas with specific risk
  – Good IT governance, supporting:
  – Business continuity
  – Insurance and liability decisions
  – Legitimize security awareness program

Emerging threats
• Risk assessment must address new threats
  – New technology
  – Change in culture of the organization
  – Unauthorized use of technology.
• May be discovered by periodic risk assessment

Sources for identifying threats
• Users
  – System administrators
  – Security officers
  – Auditors
• Operations
  – Facility records
  – Community and government records
• Vendor/security provider alerts
• Other threats:
  – Natural disasters: flood, tornado, etc.
  – Environment: overcrowding or poor morale
  – Facility: physical security or location of building

Risk analysis key factors
• Obtain senior management support
• Establish risk assessment team
• Define and approve purpose and scope
• Select team members
• State their authority and responsibility
• Have management review findings and recommendations
• Risk team members to include: IS system security, IT & operations management, internal audit, physical security, etc.

Use of automated tools for risk management
• Objective: to minimize manual effort
• May be time consuming in setup
• Perform calculations quickly
  – Estimate future expected loss
  – Determine benefit of security measures

Preliminary security evaluation
• Identify vulnerabilities
• Review existing security measures
• Document findings
• Obtain management review and approval

Risk analysis types
• Two types
  – Quantitative
  – Qualitative
• Both provide valuable metrics
• Both required for a full picture

Quantitative risk analysis
• Determine monetary value
• Fully quantitative if all elements are quantified, but this is difficult to achieve. Requires much time and personnel effort

Determining Asset Value
• Cost to acquire, develop, and maintain
• Value to owners, custodians, or users
• Liability for protection
• Recognize real-world cost and value
  – Price others are willing to pay for it
  – Value of intellectual property
  – Convertibility/negotiability

Quantitative analysis steps
1. Estimate potential single loss expectancy (SLE)
   SLE = Asset Value ($) * Exposure Factor
   Exposure Factor = % of asset loss when threat succeeds
   Types of loss:
   – Physical destruction, theft, loss of data, etc.
2. Conduct threat analysis
   ARO - Annual Rate of Occurrence
   Expected number of exposures/incidents per year
   Likelihood of unwanted event happening
3. Determine Annual Loss Expectancy (ALE)
   Magnitude of risk = Annual Loss Expectancy
   Purpose: to justify security countermeasures
   ALE = SLE * ARO
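The three steps above carried through a constructed scenario, extended to the cost/benefit comparison the later slides use to justify a countermeasure and to show the residual risk that remains. This is an added example, not from the lecture; the asset value, exposure factors, AROs and safeguard costs are assumed.

```python
"""Quantitative risk analysis carried through the slide's three steps.
Added worked example, not from the original lecture slides; every asset
value, exposure factor, ARO and safeguard cost below is constructed."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Threat:
    name: str
    exposure_factor: float  # fraction of asset value lost when the threat succeeds
    aro: float              # Annual Rate of Occurrence: expected incidents per year

@dataclass(frozen=True)
class Safeguard:
    name: str
    annual_cost: float      # acquisition, operation and maintenance, per year
    residual: Threat        # the same threat as it looks once the safeguard is in place

def aro_from_return_period(years: float) -> float:
    """Step 2 helper: an event expected once every N years has ARO = 1/N."""
    if years <= 0:
        raise ValueError("return period must be positive")
    return 1.0 / years

def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """Step 1: SLE = Asset Value ($) * Exposure Factor."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor is a fraction between 0 and 1")
    return round(asset_value * exposure_factor, 2)

def annual_loss_expectancy(asset_value: float, threat: Threat) -> float:
    """Step 3: ALE = SLE * ARO, the magnitude of the risk in dollars per year."""
    if threat.aro < 0:
        raise ValueError("ARO cannot be negative")
    sle = single_loss_expectancy(asset_value, threat.exposure_factor)
    return round(sle * threat.aro, 2)

def evaluate_safeguard(asset_value: float, threat: Threat, safeguard: Safeguard) -> dict:
    """Cost/benefit test: ALE avoided by the safeguard minus its annual cost.
    net_benefit > 0 means the cost is justified by the potential loss avoided;
    residual_ale is the risk left over, to be accepted or treated further."""
    ale_before = annual_loss_expectancy(asset_value, threat)
    residual_ale = annual_loss_expectancy(asset_value, safeguard.residual)
    net_benefit = round(ale_before - residual_ale - safeguard.annual_cost, 2)
    return {"ale_before": ale_before, "residual_ale": residual_ale,
            "net_benefit": net_benefit, "justified": net_benefit > 0}

if __name__ == "__main__":
    # Constructed scenario: a customer database valued at $500,000. Loss of data
    # from a storage failure destroys 40% of that value, expected once in two years.
    asset_value = 500_000.0
    data_loss = Threat("loss of data", 0.40, aro_from_return_period(2))
    # Two candidate safeguards leave the same residual loss (5%: one day of changes)
    # but cost very different amounts per year.
    residual = Threat("loss of data", 0.05, data_loss.aro)
    for s in (Safeguard("off-site backups", 15_000.0, residual),
              Safeguard("replicated storage", 95_000.0, residual)):
        r = evaluate_safeguard(asset_value, data_loss, s)
        print(f"{s.name}: ALE ${r['ale_before']:,.0f} -> residual ${r['residual_ale']:,.0f}, "
              f"net benefit ${r['net_benefit']:,.0f}, justified={r['justified']}")
```

With these figures the ALE is $100,000 per year; the backups cut it to $12,500 for $15,000 a year and are justified, while replicated storage reaches the same residual risk at $95,000 a year and is not.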

Qualitative Risk analysis
• Scenario oriented
• Does not assign numeric values to risk components
• Qualitative risk analysis is possible
• Qualitative risk analysis factors
  – Rank seriousness of threats and sensitivity of assets
  – Perform a reasoned risk assessment

Other risk analysis methods
• Failure modes and effects analysis
  – Potential failures of each part or module
  – Examine effects of failure at three levels
    • Immediate (part or module)
    • Intermediate (process or package)
    • System-wide
• Fault tree or spanning tree analysis
  – Create a "tree" of all possible threats and faults
    • "Branches" are general categories [network threats, physical threats, component failures, etc.]
    • Prune "branches" that do not apply
    • Concentrate on remaining threats.

Risk mitigation options
• Risk acceptance
• Risk reduction
• Risk transference
• Risk avoidance

The right amount of security
• Cost/benefit analysis: balance the cost of protection versus asset value
• Need to assess:
  • Threats; adversary means, motives, and opportunity.
  • Vulnerabilities and resulting risk
  • Risk tolerance

Countermeasures Selection Principles
• Based on cost/benefit analysis; the cost of a safeguard includes:
  – Selection and acquisition
  – Construction and placement
  – Environment modification
  – Nontrivial operating cost
  – Maintenance, testing
  – Potential side effects
• Cost justified by potential loss
• Accountability
  – At least one person for each safeguard
  – Associate directly with performance review
• Absence of design secrecy

Countermeasures Selection Principles (Cont.)
• Audit capability
  – Must be testable
  – Include auditors in design and implementation
• Vendor trustworthiness
  – Review past performance
• Independence of control and subject
  – Safeguards control/constrain subjects
  – Controllers administer safeguards
  – Controllers and subjects are different populations
• Universal application
  – Impose safeguards uniformly
  – Minimize exceptions

Countermeasures Selection Principles (Cont.)
• Compartmentalization and defense in depth
  – Role of safeguards: to improve security through layers
• Isolation, economy, and least common mechanism
  – Isolate from other safeguards
  – Simple design is cost effective and reliable, etc.
• Acceptance and tolerance by personnel
  – Care taken to avoid implementing controls that pose unreasonable constraints
  – Less intrusive controls are more acceptable
• Minimize human intervention
  – Reduce the possibility of errors and "exceptions" by reducing reliance on administrative staff to maintain control

Countermeasures Selection Principles (Cont.)
• Sustainability
• Reaction and recovery
  – Countermeasures, when activated, should:
    • Avoid asset destruction and stop further damage
    • Prevent disclosure of sensitive information through a covert channel
    • Maintain confidence in system security
    • Capture information related to the attack and attacker
• Override and fail-safe defaults
• Residual and reset

Basis and Origin of Ethics
• Religion, law, tradition, culture
• National interest
• Individual rights
• Enlightened self-interest
• Common good/interest
• Professional ethics/practices
• Standards of good practice

Ethics
• Formal ethical theories
  – Teleology: ethics in terms of goals, purposes, or ends
  – Deontology: ethical behavior is duty
• Common ethical fallacies
  – Computers are a game
  – Law-abiding citizen, gentlemanly conduct, free information
  – Shatterproof
  – Candy-from-a-baby
  – Hackers
• Difficult to define
  – Start with senior management

Professional Codes of Ethics
• Internet Activities Board (IAB)
  – Any activity is unethical & unacceptable that purposely:
    • Seeks to gain unauthorized access to Internet resources
    • Disrupts the intended use of the Internet
    • Wastes resources through such actions
    • Destroys the integrity of computer-based information
    • Compromises the privacy of users
    • Involves negligence in the conduct of Internet-wide experiments
• ACM and IEEE (look them up)
• (ISC)2
  – Protect society, the commonwealth, and the infrastructure
  – Provide diligent and competent services to principals, etc.
• Auditors
• Professional codes may have legal importance