MSIS 4253 Systems Certification and Accreditation
Exam #1: Lecture Notes- Chapters 1-5
Chapter #1 Information Security Risk Management Imperatives and Opportunities
IT Risk Management
• Information loss is always rated in the top 5 of concerns for CEOs/CIOs
  o Loss of information
  o Loss of productivity
  o Loss of revenue
Vulnerabilities, Threats, Exploits, and Controls
• Risk: the expected loss. The aggregation of the possibilities, their probabilities, and the loss associated with each possibility
Information Security
• Confidentiality – can we keep communications private?
• Integrity – keeping the information from being manipulated
• Availability – ex. Amazon
• Authentication and non-repudiation (IA)
RM Process
• Risk identification
  o Asset identification – ex. an expensive car, a 2014 Mustang?
• Risk assessment
  o Driving – ex. weather, texting and driving
• Risk mitigation planning
  o Ex. driving in Oklahoma: if you can, you should park under cover. What insurance should I get to cover my car?
• Risk mitigation implementation
  o Following through with the mitigation
• Evaluation of RM effectiveness
  o Did it work? (car being restored by insurance)
Risk Identification
• Process of identifying threats, threat sources, vulnerabilities, and events
• Malicious – someone trying to harm us: take down our server, steal our data, mess up our data
• Environmental – weather; a building's power taken out by a storm
• Planned – things we know are risks (driving out on the road)
• Random – hitting a deer
Risk Assessment
• Calculating quantitatively the potential damage and/or monetary cost. Entails:
  o Quantifying the potential damage
  o Quantifying the probability the damage will occur
  o Based on previous events, subject matter experts, and audits
Risk Mitigation Planning
• Controlling and mitigating IT risks
• Cost-benefit analysis
  o Cost/benefit of mitigating the risk? Sargent ex. Sometimes you have to figure out something else
• Selection, implementation, test, and evaluation of security safeguards
• Prioritizing
  o Look at all risks and threats: where should you spend your money to help your infrastructure?
  o Considers effectiveness and efficiency
  o Mission impact
  o Constraints due to policy, regulation and laws (certain controls you can't put into place because of laws)
  o Impact on other systems (Biros added)
Risk Mitigation Implementation
• Deploying the risk mitigation techniques that were determined in risk mitigation planning
• Deployment decisions
  o Direct cutover – turn off the old control and cut the other on
  o Parallel operation – keep both in place for a time and eventually cut over
• Prioritizing – where certain controls go
Evaluation of Mitigation Effectiveness
• Monitoring environment
• Pre/post measurement – is your intrusion detection system good?
• Measuring effectiveness against the previous set of threats, vulnerabilities, and events – test the effectiveness against the system
• Determining new threats, vulnerabilities or events due to the modifications
Risk Management Models
• Authors' model
• ISO 27002
• NIST SP 800-30
• Draft ISO/IEC 31000
• AS/NZS 4360:2004
• Microsoft approach
• Operationally Critical Threat, Asset and Vulnerability Evaluation (OCTAVE) by CERT
Top Business Liabilities
1. Loss or theft of customer data
2. Business disruptions from IT failures and disruptions
3. Loss of integrity for critical IT assets and information – don't know if the right info is being pushed out
  o Biros dissertation – manipulated military data
4. E-discovery issues
  o Hacking 101 – finding all data about your target
Orgs That Need a RM Program? Characteristics
• Has IT assets
• Data
• Proprietary information
• Keeps financial data, health data or PII (personally identifying information)
• Requires formal documentation and policies
• Required to adhere to SOX, HIPAA, FERPA, FISMA and others
• Fiduciary responsibility to stockholders
Points to Ponder
• IS security spending was $30 bil in 2005; "reported" losses were at $15 bil
• Systems don't configure themselves; tools don't run themselves
  - Remember there's a huge human factor in this
• Technological and procedural IS RM capabilities
• Ready-to-go human resources
  - People who know what's expected from them
• 90% of all successful IS incidents could have been avoided had RM been accomplished
  - If we had known the risks – example: hospital back access door, keycard
RM Team Member Skills
• IT knowledge
  o What it does, what it's capable of
• IS/IA knowledge
  o What kind of threats and vulnerabilities are out there
• Basic quantitative skills
  o Cost-benefit analysis, single loss expectancy
• Understanding of the operational needs of the organization
  o Security can either enhance or inhibit operational needs
• Good presentation skills
  o Oral
  o Written
Some Perspectives
• IS is 1/3 technical, 2/3 policy and procedures
• Security depends more on people than tech
• Employees are a greater threat than outsiders – not malicious, just ignorant
• Strong as the weakest link
• Degree of security depends on:
  o The risk one is willing to tolerate
  o Functionality of the system – some systems are so old people don't know how to hack them
  o Cost one is prepared to pay
• Security is not a snapshot but an on-going process – this should never end
Other thoughts:
• Security techniques have been around since the 1970s
• According to the Open Security Foundation's DataLossDB, in 2008 there were 246 reported incidents that could most likely have been avoided with encryption
• Majority of companies spend relatively little time on information security…
• Yet… according to the Information Security Forum's biennial status survey, on average a business-critical information resource will:
  o Suffer an IS incident almost every working day (225 incidents a year) – someone (a company) is hit
  o Have a 58% chance of experiencing a major incident over the course of a year
So what's the problem?
RM Problems
• Low awareness of RM activities in both the public and private sector
  o Most people don't know what it is
• Absence of a "common language"
  o A lot of people don't understand the risk management language
• Lack of surveys on existing methods, tools, and good practices
  o We don't know what works, or what works well or not so well
• Limited or non-existent interoperability of methods and integration with corporate governance
Critical Components for Successful RM
• Top leadership support
• Well-defined list of RM stakeholders
  o Understand who they are
• Org maturity in terms of RM
  o Guy is just trying to make sure companies don't get hacked
• Open communication
• Spirit of teamwork
• Holistic view of the organization
• Authority throughout the process
In the end… it's really about the protection of information in all forms:
• Printed or written on paper – dumpster diving; shred it
• Stored electronically
  o Traditional storage – HD
  o Removable storage – multi-terabyte drives are more difficult to deal with
  o Remnant security –
• In transit – Target: from the point of sale to the database
• Shown on film
• Spoken
• EEFI
• Etc.
It's about the information, stupid
Chapter 2: Information Security Risk Management Defined
Basic Definitions
• Vulnerability: A flaw or weakness in system security procedures, design, implementation, or internal controls that could be exercised (accidentally triggered or intentionally exploited) and result in a security breach or a violation of the system's security policy.
• Threat: The potential for a threat-source to exercise (accidentally trigger or intentionally exploit) a specific vulnerability.
• Threat-Source: Either (1) intent and method targeted at the intentional exploitation of a vulnerability or (2) a situation and method that may accidentally trigger a vulnerability
Common Threat-Sources
• Natural Threats—Floods, earthquakes, tornadoes, landslides, avalanches, electrical storms, and other such events.
• Human Threats—Events that are either enabled by or caused by human beings, such as unintentional acts (inadvertent data entry) or deliberate actions (network-based attacks, malicious software upload, unauthorized access to confidential information).
• Environmental Threats—Long-term power failure, pollution, chemicals, liquid leakage.
Basic Definitions
• Controls: Means of managing risk, including policies, procedures, guidelines, practices, or organizational structures, which could be administrative, management, technical, or legal in nature
Control Techniques
• Preventive controls inhibit attempts to violate security policy and include such controls as access control enforcement, encryption, and authentication.
• Detective controls warn of violations or attempted violations of security policy and include such controls as audit trails, intrusion detection methods, and checksums.
Basic Definitions
• Risk: The mathematical combination of the likelihood of an event and the impact (expected value of the loss)
• Risk Management: The on-going process whereby the threats, vulnerabilities, and potential impacts from the security incident are evaluated against the cost of safeguard implementation
Risk Management Sub-Processes
• Risk assessment
• Risk analysis
• Risk mitigation
• Uncertainty analysis
• Threat assessment
• Vulnerability assessment
• Probability estimation
• Internal control reviews
• Audits
• Rate of occurrence estimation
• Asset valuation
• Adequate and appropriate protection of assets
• Cost-benefit analysis
• Application security reviews/audits
• Verification reviews
Mathematical Definition of Risk
• Risk = (probability of an event occurring) × (impact of the event)
• Often difficult to exactly calculate risk
• Many orgs establish 3-5 levels of probability, low to high, and establish p via historical data, fiat, SMEs, or other means
• Timeframes and other data may also be added
Financial Metrics
• To adequately establish a risk value, financial metrics must be used:
  o Monetary value of assets
  o List of significant threats
  o P of each threat occurring
  o Recommended safeguards, controls (and costs) and remediation/implementation actions
Calculating Damage
• Overall value of the asset to the organization
• Immediate financial impact of losing the asset
• Indirect business impact of losing the asset
Calculating Damage cont'd
• Exposure factor: percentage of loss that a single threat could have on a certain asset
• Single Loss Expectancy (SLE): total amount of loss from a single occurrence of the risk
• Annual Rate of Occurrence (ARO): normalized rate at which the risk exposure resulting in actual damage occurs during one year
• Annual Loss Expectancy (ALE): total amount of money that an organization will lose in one year if nothing is done to mitigate the risk
ROSI
• Return On Security Investment (ROSI) = ALE before control – ALE after control – annual cost of control
• Simply put, the task is to 1) identify and prioritize assets to be protected, 2) identify relevant threats and the probability of their occurrence and 3) compare the expected losses with the cost of appropriate countermeasures.
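The SLE, ALE and ROSI arithmetic above, worked through over a small inventory so the prioritization step becomes concrete. This is an added example, not code from the notes or the course text. It assumes the standard relationships SLE = asset value × exposure factor and ALE = SLE × ARO (the notes define both terms in words) and uses the notes' own definition of ROSI; every asset value, exposure factor, rate and control cost is constructed for illustration.

```python
"""SLE / ALE / ROSI arithmetic over a small asset-and-threat inventory.

Added example; not from the lecture notes or the course text. Assumed
relationships: SLE = asset value x exposure factor, ALE = SLE x ARO, and
ROSI = ALE before control - ALE after control - annual cost of control.
All figures below are constructed.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Threat:
    name: str
    asset_value: float      # monetary value of the asset to the organization
    exposure_factor: float  # fraction of the asset value lost per occurrence (0..1)
    aro: float              # annual rate of occurrence (events per year)

    def sle(self) -> float:
        """Single loss expectancy: loss from one occurrence."""
        return round(self.asset_value * self.exposure_factor, 2)

    def ale(self) -> float:
        """Annual loss expectancy: expected loss per year if nothing is done."""
        return round(self.sle() * self.aro, 2)


@dataclass(frozen=True)
class Control:
    name: str
    threat: Threat
    annual_cost: float
    new_exposure_factor: Optional[float] = None  # EF after the control; None = unchanged
    new_aro: Optional[float] = None              # ARO after the control; None = unchanged

    def residual(self) -> Threat:
        """The same threat with whichever factors the control changes."""
        t = self.threat
        ef = t.exposure_factor if self.new_exposure_factor is None else self.new_exposure_factor
        aro = t.aro if self.new_aro is None else self.new_aro
        return Threat(t.name, t.asset_value, ef, aro)

    def rosi(self) -> float:
        """ALE before - ALE after - annual cost (the notes' definition)."""
        return round(self.threat.ale() - self.residual().ale() - self.annual_cost, 2)


def rank_controls(controls: List[Control]) -> List[Control]:
    """Highest ROSI first. A negative ROSI means the control costs more per year than it saves."""
    return sorted(controls, key=lambda c: c.rosi(), reverse=True)


def select_within_budget(controls: List[Control], budget: float) -> List[Control]:
    """Greedy prioritization: take positive-ROSI controls in ROSI order while their annual cost fits."""
    chosen: List[Control] = []
    spent = 0.0
    for c in rank_controls(controls):
        if c.rosi() <= 0:
            break  # everything from here on loses money
        if spent + c.annual_cost <= budget:
            chosen.append(c)
            spent += c.annual_cost
    return chosen


# Constructed inventory (illustrative figures only).
CUSTOMER_DB = Threat("customer DB breach", asset_value=500_000, exposure_factor=0.40, aro=0.5)
WEB_OUTAGE = Threat("web server outage", asset_value=200_000, exposure_factor=0.10, aro=4.0)
LAPTOP_THEFT = Threat("laptop theft", asset_value=3_000, exposure_factor=1.0, aro=2.0)

ENCRYPT_AT_REST = Control("encrypt customer DB at rest", CUSTOMER_DB, annual_cost=20_000, new_exposure_factor=0.05)
REDUNDANT_HOSTING = Control("redundant web hosting", WEB_OUTAGE, annual_cost=30_000, new_aro=1.0)
# Disk encryption protects the data but the hardware is still gone, so EF drops rather than vanishes.
LAPTOP_FDE = Control("laptop full-disk encryption", LAPTOP_THEFT, annual_cost=8_000, new_exposure_factor=0.10)
CONTROLS = [LAPTOP_FDE, REDUNDANT_HOSTING, ENCRYPT_AT_REST]

if __name__ == "__main__":
    for c in rank_controls(CONTROLS):
        print(f"{c.name:30s} ALE before {c.threat.ale():>10,.2f} after {c.residual().ale():>10,.2f} ROSI {c.rosi():>10,.2f}")
    print("within a 40,000 budget:", [c.name for c in select_within_budget(CONTROLS, 40_000)])
```

The laptop control comes out with a negative ROSI: its annual cost exceeds the loss it prevents, which is exactly the "sometimes you have to figure out something else" case from the cost-benefit discussion in Chapter 1, and the budget-limited selection is the prioritizing step from the same chapter.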
Minimum IT RM
• ID software vulnerabilities and patching
• Data confidentiality controls
• Data integrity controls
• System integrity controls (availability)
Basic Threat Checklist
• See Table 2.4, pages 59-60 of text
• What are the likelihood and impacts of each?
• Note the broad range of threats
• See Table 2.5, page 61 for a partial list of tools to mitigate some of the threats
Enterprise Architecture (EA)
• Creates a map for the IT assets and business processes, along with a set of governance principles that drive an on-going discussion about business strategy and how it can be expressed through IT.
• The EA seeks to create a unified IT environment (standardized hardware and software) across a firm or all of the firm's business units, with tight symbiotic links to the business side of the organization and its strategy.
Productivity Paradox… RM Paradox
Chapter 2 Appendices
• Read and review the Chapter 2 Appendices 2A.1 thru 2A.5 for a more complete list of:
  o IS Threats
  o IS Vulnerabilities
  o IS Impacts
  o IS Risk Events
  o IS Controls
• You will be responsible for those appendices
Chapter 3: Information Security Risk Management Standards
What's a Standard?
• Something set up and established by an authority as a rule for the measure of quantity, weight, extent, value, or quality
• A commonly accepted way of performing a task or doing something
Why Have Standards?
• Provides for a common language
• Reduces costs
• Assures quality and integrity
• Demonstrates accomplishment of legal, regulatory, or policy obligations
• Demonstrates a level of performance
Common Standard Making Bodies (International and US)
• International Standards Organization (ISO)
• Internet Engineering Task Force (IETF)
• American National Standards Institute (ANSI)
• National Institute of Standards and Technology (NIST)
Legal Requirements
• Federal Information Security Management Act of 2002
• Family Education Rights and Privacy Act (FERPA)
• Health Insurance Portability and Accountability Act (HIPAA)
• Sarbanes-Oxley (SOX)
Recall the Risk Management Processes
• Ongoing ID of threats, vulnerabilities, and events
• Risk assessment (probability of event happening × impact)
• Risk mitigation planning (i.e., ROSI)
• Risk mitigation implementation
• Evaluation of mitigation effectiveness
ISO/ IEC Standards
• ISO/IEC 13335-1:2004: IT Security Techniques
• ISO/IEC 27000 Series: family of standards; all things information security
• ISO/IEC 27001:2005: IS Management System requirements
• ISO/IEC 18028:2006: Network Security
• ISO/IEC 18044:2004: Incident Management
• ISO/IEC 31000: Risk Management Series
ISO/IEC 13335-3:1998
• Identification of assets
• Valuation of assets and establishment of dependencies between assets
• Threat and vulnerability assessment
• ID of existing or planned safeguards
• Assessment of risk exposure
ISO/IEC 27000 Series
• Provides generally accepted best practices and guidance on establishing, operating, monitoring, reviewing, maintaining and improving a documented ISMS
• The ISMS is a security governance/management process that is or can be used by an organization to handle information security and risk management
• Describes the fundamentals and vocabulary
ISO/IEC 27001:2005
• Defines the requirements for an ISMS
• An ISMS is a management system for dealing with information security risk exposures
  o Provides a framework for policies; procedures; physical, legal, and technical security controls forming the organization's overall risk management process
  o Incorporates the Deming "Plan, Do, Check, Act" cycle
PDCA
• Plan: define requirements, assess risks, decide controls
• Do: implement and operate the ISMS
• Check: monitor and review the ISMS
• Act: maintain and continuously improve the ISMS
Why 27000?
• Certification against an accepted standard is increasingly being demanded by business partners
• Engenders rigor and formality into the process
• Certification bodies around the world recognize the standard
• Still growing as a recognized standard (50 million corporations/institutions in the world)
ISO/ IEC 27001:2005 Specifications for an ISMS
• Formulate security requirements and objectives
• Ensure security risks are effectively managed
• Ensure compliance with laws and regulations
• Framework for implementing controls
• Incorporate new security processes
• Identify and clarify existing security processes
• Status of information security process
• Used by auditors to demonstrate IS policy
• Provides information security information to customers
ISO 27002: 2005 Security Controls
• Identifies a set of 133 controls, under 33 security objectives, to address IS risk exposure
• Controls not mandatory
• Organizations can choose those that are applicable
• Code of practice, not a formal specification
• Provides a listing of best practices
Overarching 27002 Security Tenets
Security Policy
• A high-level policy statement defining key directives and mandates of the organization
• A comprehensive apparatus of specific organizational security policies and instructions
• Provides a clear statement of the organization's posture on issues such as:
  o Computer and Network Security
  o Acceptable Use
  o Training
  o Incident Response
  o Certification and Accreditation
27002 Tenet: Organization of Information Security
• Considers security controls for internal and external parties
  o Internal: roles and responsibilities, confidentiality agreements, contracts and special interest groups
  o External: deals with 3rd-party risk exposures such as contractors, service providers, suppliers, and customers
27002 Tenet Asset Management
• Inventory of information assets
• Inventory of IT assets
  o Hardware
  o Software
  o Data
  o Systems
  o Storage media
  o Supporting systems (HVAC, UPS)
• Should include security priority classification and acceptable use policies
27002 Tenet: Human Resource Security
• Controls for "joiners, movers, and leavers"
• Recruiting best practices
• IS education and training of employees
• Disciplinary process for breaches in security
• Return of corporate assets, removal of access rights
• Changes in rights and data access privileges for those who move within the organization
27002 Tenet: Physical and Environmental Security
• Physical protection from malicious or accidental damage
  o Overheating
  o Loss of power
  o Emanations
  o Cabling
• Fires, floods, storms, sabotage
27002 Tenet: Communications and Operations Management
• Operational and procedural responsibilities (separation of operational and development systems)
• Third-party service delivery management
• System planning and acceptance
• Protection against malicious code and mobile code
• Back up
• Network management
• Media handling
• Exchange of information
• Electronic commerce services
• Network monitoring
27002 Tenet: Access Control
• Codified in access control policy
• User access management
  o Authentication
  o Rights and privileges
  o Periodic review of rights
• User responsibilities
• Network access controls
• Operating system controls
• Application and information access controls
• Mobile computing and telework
27002 Tenet: Information Systems Acquisition, Development and Maintenance
• Security requirements for IT systems
• Correct processing in application systems
• Cryptographic controls
• Security of system files
• Security in development and support processes
• Technical vulnerability management
27002 Tenet: IS Incident Management
• Responsibilities
• Procedures
• CERT
• Handling of evidence
• Reporting to public
• Reconstitution of systems and information
27002 Tenets: Others
• Business Continuity Management
  o Disaster recovery
  o Continuity management
  o Contingency planning
• Compliance
  o Legal requirements
  o Security policy and standards
  o Information system audit considerations
ISO/IEC 27003
• Provides implementation guidance for ISMS
• Sections
  o Obtain management approval for the ISMS
  o Defining scope and policy
  o Conducting business analysis
  o Conducting risk assessments
  o Designing ISMS
  o Implementation
ISO/IEC 27004
• Security techniques and measurements
• In second final committee draft
  o Provides guidance toward selecting measurements for evaluating the effectiveness of the ISMS
  o Usually related to controls
  o Measurements can take years to adequately develop
ISO/IEC 31000
• Provides the first international standard for "risk management"
• 27000 series focuses on the ISMS
• Part of the ISMS is risk management
• Note that it is for all RM in all domains, not just information systems
ISO/IEC 31000: Principles
• RM should create value
• RM should be an integral part of organizational processes
• RM should be a part of decision making
• RM should explicitly express uncertainty
• RM should be systematic and structured
• RM should be based on the best available information
• RM should be tailored (to the org's risk tolerance)
• RM should take into account human factors
• RM should be transparent and inclusive
• RM should be dynamic, iterative, and responsive to change
• RM should be capable of continuous improvement and enhancement
NIST Standards
• Provides a series of special publications (SPs) to support information security and risk management
• Covers vulnerabilities, threats, exploits, controls and measurement
• For this class, the focus is on specific information systems
• Will be covered in detail during the latter half of the class
AS/NZS 4360
• Will not be covered in this class
• Students are not responsible for its content
Chapter 4 Information Security Risk Management Methods and Tools
RM Method
• Well-defined process (a series of activities) based on a published standard (Chapter 3)
• RM phases
  o ID threats, vulnerabilities and events
  o Risk assessment
  o Risk mitigation planning
  o Risk mitigation implementation
  o Evaluation of mitigation effectiveness
RM Tools
• A plethora of tools (Table 4.1)
• Can be based on standards
  o National
  o International (ISO 27000)
  o De facto (OCTAVE)
  o Sector based [industry]
  o Individual organization
  o Adoption of a similar system standard
Which tool to use?
• Varies from organization to organization
• An industry-based approach
  o Allows for certification against a methodology
  o Gives stakeholders and trading partners some assurance
  o Due diligence
• Each tool has trade-offs
• Many tools are now automated
Review of Selected RM Methods
• Large number of tools
• Often country based
• Many follow ISO standards and follow the same basic steps
• Use both quantitative and qualitative methods
• Our focus will be limited to US methods
• However, knowledge of the existence of other countries' methods could be helpful
  o Mergers
  o Trading partners
  o Global/international expectations
FAIR
• Factor Analysis of Information Risk
• Framework for understanding, analyzing, and measuring information risk
• Can work with other tools such as COBIT and OCTAVE (Chapter 5)
• Provides a
  o Taxonomy of the factors that make up risk
  o Method for measuring risk
  o Computational engine to understand relationships between measured factors
  o Simulation model for building risk scenarios
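What "a simulation model for building risk scenarios" means in practice: instead of a single probability × impact number, each factor is given as a range and the annual loss is simulated many times, so the output is a distribution that expresses uncertainty (the ISO 31000 principle from Chapter 3) rather than hiding it. This is an added example, not the notes' content and not FAIR's own computational engine. It uses FAIR's two top-level factors, loss event frequency (events per year) and loss magnitude (money per event); sampling each range from a triangular distribution, the way a fractional yearly rate is turned into a whole number of events, and every range value below are my constructed assumptions.

```python
"""Expressing a risk scenario as ranges and simulating the annual loss.

Added example; not from the notes and not FAIR's own engine. Factors:
loss event frequency (LEF, events/year) and loss magnitude (LM, money/event),
each a (min, most likely, max) range. The triangular sampling and all
range values are constructed assumptions.
"""
import random
import statistics
from typing import Dict, List, Tuple

Range = Tuple[float, float, float]  # (min, most likely, max)


def sample_range(rng: random.Random, r: Range) -> float:
    lo, mode, hi = r
    return rng.triangular(lo, hi, mode)  # random.triangular takes (low, high, mode)


def events_in_year(rng: random.Random, rate: float) -> int:
    """Turn a fractional yearly rate into a whole number of events: the integer
    part always occurs, the fractional part occurs with that probability, so the
    expected count equals the rate."""
    whole = int(rate)
    return whole + (1 if rng.random() < rate - whole else 0)


def simulate_annual_loss(lef: Range, lm: Range, years: int = 10_000, seed: int = 1) -> List[float]:
    """One simulated loss total per year: draw a frequency, then one magnitude per event."""
    rng = random.Random(seed)
    losses = []
    for _ in range(years):
        n = events_in_year(rng, sample_range(rng, lef))
        losses.append(sum(sample_range(rng, lm) for _ in range(n)))
    return losses


def summarize(losses: List[float]) -> Dict[str, float]:
    """Mean plus a few percentiles: the spread is what a single point estimate hides."""
    s = sorted(losses)

    def pct(p: float) -> float:
        return s[min(len(s) - 1, int(p * len(s)))]

    return {"mean": statistics.fmean(s), "p10": pct(0.10), "p50": pct(0.50),
            "p90": pct(0.90), "max": s[-1]}


def expected_annual_loss(lef: Range, lm: Range) -> float:
    """Closed-form check: E[LEF] x E[LM]; the mean of a triangular range is (min + mode + max) / 3."""
    return (sum(lef) / 3) * (sum(lm) / 3)


# Constructed scenario: phishing-led account compromise, before and after a control
# that is assumed to cut the event frequency. Illustrative figures only.
LEF_BEFORE: Range = (0.2, 1.0, 3.0)
LEF_AFTER: Range = (0.05, 0.3, 1.0)
LM: Range = (5_000, 20_000, 100_000)

if __name__ == "__main__":
    for label, lef in (("before", LEF_BEFORE), ("after", LEF_AFTER)):
        stats = summarize(simulate_annual_loss(lef, LM))
        print(label, {k: round(v) for k, v in stats.items()},
              "analytic mean", round(expected_annual_loss(lef, LM)))
```

The p90 line is the one a planner compares against the cost of a control: a control that barely moves the mean but cuts the tail can still be the right purchase, which a single ALE figure cannot show.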
An Example: Terrorist Threat
• Motive: ideology
• Primary intent: damage/destroy
• Sponsorship: unofficial
• Preferred general target characteristics: entities or people who clearly represent a conflicting ideology
• Preferred specific target characteristics: high profile, high visibility
• Preferred targets: human, infrastructure
• Capability: varies by attack vector
• Personal risk tolerance: high
• Concern for collateral damage: low
Points to ponder
• If the previous example were a record in a database, what could be derived:
  o Other threats with like characteristics
  o Mitigation strategies targeted to those characteristics
  o Effectiveness of mitigation strategies and controls against multiple threats
  o Prioritization of mitigation strategies and controls
  o Comparison to other organizations
FIRM
• Fundamental Information Risk Management
• Developed by the Information Security Forum (ISF)
• Scalable to organizations of all sizes
• Has supporting products and modules for risk identification, analysis, and evaluation
  o Standard of good practice for information security
  o FIRM and the revised FIRM scorecard
  o Information Security Status Survey
  o Information Risk Analysis Methodologies (IRAM) project
  o Simple to apply risk analysis (SARA)
  o Simplified process of risk evaluation (SPRINT)
SPRINT
• Can help identify the vulnerabilities of existing systems and the safeguards needed to protect them
• Can define the security requirements for systems under development and define the controls needed to satisfy them
  o Secure SA&D
  o Baked-in vs. bolted-on
FMEA
• Failure Modes and Effects Analysis
• Examines potential ways a system might fail and cause adverse effects
  o Lists assets under consideration and their intended use
  o Collects security-related requirements for assets
  o Elaborates threats and applies them to systems to determine vulnerabilities
  o Scores the risks
  o Proposes and implements mitigation strategies
• Helps prioritize requirements by analyzing likelihood levels with severity levels (sound familiar?)
• Uses high, medium, low scores for both axes of the matrix
• Acceptable risk scores are decided by the organization
• Goal is to develop measures that will best reduce risk to acceptable levels
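The likelihood × severity matrix described above, carried through the FMEA steps (score the risks, propose mitigations, check the residual against the organization's acceptable level). This is an added example, not from the notes or from any FMEA tool. The three levels per axis come from the notes; the numeric score as the product of the two levels, the band cut-offs, the sample risk register and the proposed mitigations are constructed assumptions, and the acceptable-risk threshold is a parameter because the notes say the organization decides it.

```python
"""Qualitative likelihood x severity scoring in the FMEA style.

Added example; not from the notes or any FMEA tool. Three levels per axis
(high / medium / low). Score = likelihood x severity (1..9); the band
cut-offs, sample register and mitigations are constructed.
"""
from enum import IntEnum
from typing import Dict, List, NamedTuple


class Level(IntEnum):
    LOW = 1
    MEDIUM = 2
    HIGH = 3


class RiskItem(NamedTuple):
    asset: str
    threat: str
    likelihood: Level
    severity: Level


def score(likelihood: Level, severity: Level) -> int:
    """Cell of the 3x3 matrix: 1 (low/low) up to 9 (high/high)."""
    return int(likelihood) * int(severity)


def band(s: int, acceptable_max: int = 2) -> str:
    """Map a score to a band; anything at or below acceptable_max needs no treatment."""
    if s <= acceptable_max:
        return "acceptable"
    return "high" if s >= 6 else "medium"


def prioritize(register: List[RiskItem], acceptable_max: int = 2) -> List[RiskItem]:
    """Items needing treatment, highest score first; ties broken by severity, then likelihood."""
    open_items = [r for r in register if score(r.likelihood, r.severity) > acceptable_max]
    return sorted(open_items,
                  key=lambda r: (score(r.likelihood, r.severity), r.severity, r.likelihood),
                  reverse=True)


def treat(register: List[RiskItem], mitigations: Dict[str, Level],
          acceptable_max: int = 2) -> List[Dict[str, object]]:
    """Apply proposed mitigations (threat -> new likelihood) and report the residual score.
    A mitigation that only lowers likelihood can leave a high-severity item above
    the threshold; that item then needs a severity-reducing measure as well."""
    report = []
    for r in register:
        before = score(r.likelihood, r.severity)
        after = score(mitigations.get(r.threat, r.likelihood), r.severity)
        report.append({"threat": r.threat, "before": before, "after": after,
                       "status": "accepted" if after <= acceptable_max else "residual above threshold"})
    return report


# Constructed register and mitigations (illustrative only).
REGISTER = [
    RiskItem("customer database", "SQL injection in web form", Level.HIGH, Level.HIGH),
    RiskItem("payroll system", "unpatched OS on server", Level.MEDIUM, Level.HIGH),
    RiskItem("intranet wiki", "weak passwords", Level.HIGH, Level.LOW),
    RiskItem("test lab", "no backups", Level.LOW, Level.LOW),
]
MITIGATIONS = {
    "SQL injection in web form": Level.LOW,  # parameterized queries, input validation
    "unpatched OS on server": Level.LOW,     # patch management
    "weak passwords": Level.LOW,             # password policy plus MFA
}

if __name__ == "__main__":
    for r in prioritize(REGISTER):
        s = score(r.likelihood, r.severity)
        print(f"{s} {band(s):10s} {r.asset}: {r.threat}")
    for row in treat(REGISTER, MITIGATIONS):
        print(row)
```

Two of the four items stay above the threshold even after their likelihood drops to low, because their severity is still high; that is the matrix telling you a second, impact-side measure is needed before the risk can be accepted.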
FRAP
• Facilitated Risk Analysis Process
• A qualitative approach to RA
  o Identifies threats
  o Establishes probability that threat will occur
  o Determines the impact of the threat
  o Can adjust risk levels
  o Identifies mitigating controls and safeguards
  o Helps to develop implementation action plan
• Facilitator-led process
• Establishes the:
  o Assessment scope
  o Assessment definitions
  o Process for prioritizing threats
• Business-driven process
• Helps an organization to select the appropriate methodology for assessing risk
ISAMM
• Information Security Assessment Monitoring Method
• Helps an organization define the ISMS for obtaining ISO 27001 certification
• Quantitative approach using the formula:
  o Annual loss expectancy = Probability × Average Impact
• Planner can show and simulate the effect on the risk ALE with each improvement measure and compare it to the cost of the investment
• Can show this in a number of visual formats
• Like most other tools, ISAMM helps with
  o ID assets and threats
  o Vulnerability level and threat probability and impact
  o Representation of risks and probability and impact
  o DS for acceptability of risks
  o DS for selection of safeguards
  o Graphic representations and reports
• ISAMM RM has 4 parts
  o Scoping
  o Assessment of compliance and threats
  o Validation of compliance and threats
  o Result – calculation and reporting
ISO 31000 Methodology
• Step 1: Understanding the organization and the environment
• Step 2: Define the RM policy
• Step 3: Achieve integration in organizational policy
• Step 4: Define accountability
• Step 5: Identify resources
• Step 6: Establish internal communications and reporting measures
• Step 8: Develop a plan for implementation
• Step 9: Implementing the framework for managing risk
• Step 10: Implementing the process
  o 10.1: Communication and consultation
  o 10.2: Establishing the context
  o 10.3: Developing risk criteria
  o 10.4: Risk assessment
  o 10.5: Preparing and implementing treatment plans
  o 10.6: Recording the RM process
  o 10.7: Monitoring and review
• Step 11: Monitoring and review of the framework
• Step 12: Continual improvement of the framework
• Ultimate goal is to achieve ISO 31000 certification
Other tools include
• IT-Grundschutz (IT Baseline Protection Manual)
• MAGERIT (Methodology for IS Risk Analysis and Management)
• MEHARI (Harmonized Risk Analysis Method)
• Microsoft's Security Risk Management Guide
• MIGRA
• NIST
• NSA IAM/IEM/IA-CMM
• Open source approach
Commonality among approaches
• Follow a similar structure: identify, analyze risk, prioritize, select and implement controls
• Provides documentation to prove an RM was accomplished
• Many tools now offer a database of risks and controls to conduct "what-if?" analysis
• Tool vendors will help… for a price
Selecting a tool
• Standards-based or not
• Quantitative or qualitative
• Cost and value of tool (ROI)
• Maintainability and support
• Usability
• Scalability
Chapter 5: COBIT and OCTAVE
COBIT
• Control Objectives for Information and Related Technology
  o Links IT to business requirements
  o Organizes IT into a generally accepted process model
  o Identifies the major IT resources to be leveraged
  o Defines management control objectives
• RM is a part of COBIT
Information Criteria
• Effectiveness
• Efficiency
• Confidentiality
• Integrity
• Availability
• Compliance
• Reliability
IT Resources Considered
• Application
• Information
• Infrastructure
• People
Process-Oriented Approach
• Plan and Organize
• Acquire and Implement
• Deliver and Support
• Monitor and Evaluate
IT and Application Control
• IT Controls
  o Systems development
  o Change management
  o Security
  o Computer operation
• Application Controls
  o Completeness
  o Accuracy
  o Validity
  o Authorization
  o Segregation of duties
Support Maturity Models
• What are our industry peers doing and how are we placed in relation to them?
• What is acceptable industry good practice and how are we placed with regard to these practices?
• Based on these comparisons, can we be said to be doing enough?
• How do we identify what is required to be done to reach an adequate level of management and control over our IT process?
COBIT Points to ponder
• RM and Security are subsets of COBIT
• However, if using COBIT for other purposes it can do a lot to help prepare a Risk Analysis or C&A
  o Can help avoid redundancies of effort
  o Can help when new systems are developed
  o Can help with configuration control
OCTAVE
• Operationally Critical Threat, Asset and Vulnerability Evaluation
• Series of workshops by teams of the organization's personnel
  o ID critical assets
  o ID vulnerabilities and threats
  o Develop protection strategy and risk mitigation plans
OCTAVE Method
• Keys to success
  o Senior management sponsorship
  o Select analysis team
  o Scope OCTAVE
  o Select participants
• Phases
  o Build asset-based threat profiles
  o Identify infrastructure vulnerabilities
  o Develop security strategy and plans
Build Asset-Based Threat Profiles
• Process 1: Identify Senior Management Knowledge
• Process 2: Identify Operational Area Management Knowledge
• Process 3: Identify Staff Knowledge
• Process 4: Create Threat Profiles
Identify Infrastructure Vulnerabilities
• Process 5: Identify Key Components
• Process 6: Evaluate Selected Components
Develop Security Strategy and Plans
• Process 7: Conduct Risk Analysis
• Process 8: Develop Protection Strategy
OCTAVE Points to Ponder
• Assumes much of this hasn't already been done
  o Not necessarily a blank slate
• Assumes top management team is available for support
• Somewhat of a precursor for true Risk Management and C&A