CH1-6 PDF - Information Technology Security Concepts
These notes give an overview of information technology and its security concepts. They cover the layers of security (physical, operations, communications, cyber and network security), introduce the CIA triangle (confidentiality, integrity, availability) and the CNSS security model, and then move through risk management: asset and threat identification, risk components and qualitative/quantitative analysis, the risk control strategies, cost benefit analysis, and enterprise information security architecture.
CH1 (CLO1: 4 MCQ, 2 short answer). Notes by Maitha, H00412881.

Information technology is the means by which information is stored and transported from one business unit to another.

What Is Security?
- Security is "being free from danger." To be secure is to be protected from the risk of loss, damage, unwanted change, or other harm.
- Security is achieved by means of several strategies undertaken together or used in combination with one another.
- Management ensures that security strategies are properly planned, organized, staffed, directed, and controlled.

Areas/Layers of Security
1. Physical security
2. Operations security
3. Communications security
4. Cyber (or computer) security
5. Network security

Information security focuses on the protection of:
- Information
- The characteristics that give it value, such as CIAA
- The technology that stores and transfers that information, through multiple protection mechanisms such as policy, training and awareness programs, and technology

CIA Triangle and CNSS Model
- The C.I.A. triangle (confidentiality, integrity, and availability) has expanded into nine critical characteristics of information to protect.
- The NSTISSI (or CNSS) Security Model provides a more detailed perspective on security. This model has two weaknesses:
  § It lacks discussion of detailed guidelines and policies that direct the implementation of controls.
  § It takes a limited approach, viewing security from a single perspective.

1. Confidentiality
- Confidentiality means limiting access to information to authorized people only. It protects information from unauthorized disclosure. To protect the confidentiality of information:
  o Information classification
  o Secure document (and data) storage
  o Application of general security policies
  o Education of information custodians and end users
  o Cryptography (encryption)

2. Integrity
- Integrity: only authorized people can change or delete the data.
- Example: only the course teacher can change a student's grade, and only during the semester.
- Corruption can occur while information is being entered, stored, or transmitted.

3. Availability
- Availability: information is available when requested by authorized people.
- Example: a student can access her grade at any time during her study with HCT.

Privacy
- Privacy: the right of people or groups to protect themselves and their information from unauthorized access, providing confidentiality.
- Information that is collected, used, and stored by an organization is to be used only for the purposes stated to the data owner at the time it was collected.
- Privacy does not mean freedom from observation; it means that the information will be used only in ways approved by the person who provided it.

Information Aggregation
- Information aggregation: summarizing data from multiple sources.
- Many organizations collect, swap, and sell personal information as a commodity.
- Today it is possible to collect and combine personal information from several sources (information aggregation), which has resulted in databases that could be used in ways the original data owner has not agreed to, or does not even know about.

Identification
- Identification: the first step in determining whether a person has permission to access a resource.
- "The access control mechanism by which unverified entities who seek access to a resource provide a label by which they are known to the system."
- Identification and authentication are essential to establishing the level of access or authorization a person is granted.
- Performed by means of a username or other ID.

Authentication
- Authentication: the process of validating the identity of a user before enabling access.
- "The access control mechanism that requires the validation and verification of an unauthenticated entity's claimed identity."
- It is the process by which a control establishes whether a user (or system) has the identity it claims to have.
- Individual users may disclose a personal identification number (PIN), a password, or a passphrase to authenticate their identities to a computer system.
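The four access control mechanisms these notes define (identification and authentication above, authorization and accountability next) chain together in practice. The Python below is an added example, not part of the original notes: the usernames, passwords, asset and access list are constructed sample data modelled on the teacher/student grade example. A user is identified by the label presented, authenticated by verifying a salted PBKDF2 password hash with a constant-time comparison, authorized by matching the authenticated identity against a per-asset access list, and every attempt, allowed or denied, is written to an audit log so that each action is accountable to an identity.

```python
"""Identification -> authentication -> authorization -> accountability.

Added example for the access-control definitions in these notes. The users,
passwords, assets and access list below are constructed sample data.
"""
import hashlib
import hmac
import os
from datetime import datetime, timezone

KDF_ITERATIONS = 100_000   # PBKDF2 work factor (assumed value for the example)
DUMMY_SALT = b"\x00" * 16  # so unknown users cost the same time as known ones


def derive_key(password, salt):
    """Slow, salted hash of the password; this is what the credential store keeps."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, KDF_ITERATIONS)


def register(store, username, password):
    """Identification label (username) mapped to a salted password hash."""
    salt = os.urandom(16)
    store[username] = (salt, derive_key(password, salt))


def authenticate(store, username, password):
    """Verify the unauthenticated entity's claimed identity.

    Returns True only if the presented password matches the stored hash.
    The comparison is constant-time and the KDF runs even for unknown
    usernames, so response time does not reveal which identifiers exist.
    """
    record = store.get(username)
    if record is None:
        derive_key(password, DUMMY_SALT)
        return False
    salt, expected = record
    return hmac.compare_digest(derive_key(password, salt), expected)


def authorize(acl, username, asset, action):
    """Match an authenticated identity to an asset and its permitted actions."""
    return action in acl.get(asset, {}).get(username, frozenset())


def request(store, acl, audit_log, username, password, asset, action):
    """Run the full chain and record the outcome for accountability."""
    if not authenticate(store, username, password):
        outcome = "denied: authentication failed"
    elif not authorize(acl, username, asset, action):
        outcome = "denied: not authorized"
    else:
        outcome = "allowed"
    # Accountability: authorized and unauthorized actions alike are logged.
    audit_log.append({
        "time": datetime.now(timezone.utc).isoformat(),
        "identity": username,
        "asset": asset,
        "action": action,
        "outcome": outcome,
    })
    return outcome


def demo():
    """Constructed scenario from the notes' grade example; returns outcomes and log."""
    store = {}
    register(store, "teacher", "correct horse battery staple")
    register(store, "student", "hunter2")
    # Only the teacher may modify grades; the student may only read them.
    acl = {"grades": {"teacher": {"read", "modify"}, "student": {"read"}}}
    audit_log = []
    outcomes = [
        request(store, acl, audit_log, "teacher", "correct horse battery staple", "grades", "modify"),
        request(store, acl, audit_log, "student", "hunter2", "grades", "read"),
        request(store, acl, audit_log, "student", "hunter2", "grades", "modify"),
        request(store, acl, audit_log, "student", "wrong password", "grades", "read"),
        request(store, acl, audit_log, "nobody", "anything", "grades", "read"),
    ]
    return outcomes, audit_log


if __name__ == "__main__":
    for entry in demo()[1]:
        print(entry)
```

The denied attempts matter as much as the allowed one: the audit log is what lets an investigator associate the failed logins and the student's attempt to modify a grade with a named identity, which is the accountability property the notes describe.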
Authorization
- Authorization: the process of giving someone the ability to access a resource.
- "The access control mechanism that represents the matching of an authenticated entity to a list of information assets and corresponding access levels."
- After the identity of a user is authenticated, authorization defines what the user has been permitted by the proper authority to do, such as access, modify, or delete the contents of an information asset.

Accountability
- Accountability: an assurance that an individual or organization is evaluated on its performance or behavior related to something for which it is responsible.
- "The access control mechanism that ensures all actions on a system, authorized or unauthorized, can be associated to an authenticated identity." Also known as auditability.
- Accountability of information occurs when a control provides assurance that every activity undertaken can be associated to a named person or automated process.
- Accountability is most associated with system audit logs.

To protect your organization's information, you must:
- Know yourself: be familiar with the information assets to be protected and the systems, mechanisms, and methods used to store, transport, process, and protect them.
- Know the threats you face.

Threats and Attacks
- A threat represents a possible risk to an information asset (theft, human error, software attacks, technical hardware errors, technical software errors).
- An attack represents an ongoing act against the asset that could lead to loss (fire, floods, viruses, code problems, blackmail, destruction of a system).
- Threat agents (actors, attackers) damage or steal an organization's information or physical assets by using exploits to take advantage of a vulnerability where controls are not present or are no longer effective.

Intellectual Property (IP)
- IP law is used to protect hard-earned creations, designs, and ideas from unfair competition.
- Patent: exclusive right granted for an invention. Examples: telephone, computer, Bluetooth.
- Trademark: recognizable sign, design, or expression that identifies products or services.
- Trade secret: examples, soda formulas, survey results.
- Copyright: examples, music, computer software.

Compromises to Intellectual Property
- IP is protected by copyright and other laws, carries the expectation of proper credit to its source, and may require permission for its use.
- Unauthorized use of IP creates a threat to information security. This category includes two primary areas:
  o Software piracy
  o Copyright protection and user registration

Intellectual Property Protection
- Educate employees about IP.
- Secure your IP both physically and digitally.
- Use data loss prevention tools to track sensitive documents.

Deadly Sins of Software Security
1. Cryptographic sins
  o Use of weak password-based systems
  o Use of weak random numbers
  o Use of the wrong cryptography
2. Networking sins
  o Failure to protect network traffic
  o Improper use of PKI, especially SSL
  o Trusting network name resolution (using default settings)

What Is Management?
- Management is the process of achieving objectives using a given set of resources.
- Informational role: collecting, processing, and using information that can affect the achievement of the objective.
- Interpersonal role: interacting with superiors, subordinates, and outside stakeholders that influence or are influenced by the completion of the task.
- Decisional role: selecting from among alternative approaches, and resolving conflicts, dilemmas, or challenges.

Governance
- Governance: the set of responsibilities and practices exercised by executive management with the goal of providing strategic direction, ensuring that objectives are achieved, and checking that the enterprise's resources are used responsibly.
- Governance emphasizes escalating the importance of InfoSec to the highest levels of the organization and providing it with an appropriate level of management.

Principles of Information Security Management (the six Ps)
1. Planning
2. Policy
3. Programs
4. Protection
5. People
6. Project Management

1. InfoSec Planning
- Planning: activities to support the design, creation, and implementation of information security strategies. Several types of InfoSec plans exist:
  o Incident response planning (IRP)
  o Business continuity planning (BCP)
  o Disaster recovery planning (DRP)
  o Policy planning
  o Risk management planning
  o Security program planning, including education, training and awareness

2. Policy
- Policy: a set of organizational guidelines that dictate certain behavior in the organization. Three general categories of policy:
  o Enterprise information security policy (EISP)
    § Strategic policy that becomes a blueprint for the other policies
  o Issue-specific security policy (ISSP)
    § Password policy; WiFi policy; email policy
  o System-specific policies (SysSPs)
    § Standards and procedures to configure or maintain systems, e.g. access control lists, configuration rules

3. Programs
- Program: InfoSec operations that are specifically managed as separate entities.
- Example of such an entity: a security education, training and awareness (SETA) program.
- Other programs that may emerge include a physical security program and physical access control.

4. Protection
- The protection function is executed via a set of risk management activities, including risk assessment and risk control, as well as protection mechanisms, technologies and tools.
- Each of these mechanisms represents some aspect of the management of specific controls in the overall information security plan.

5. People
- People are the most critical link in the information security program.
- This area of InfoSec includes security personnel as well as aspects of the SETA program.

Projects
- The application of thorough project management discipline to all elements of the information security program.
- Project management involves identifying and controlling the resources applied to the project, as well as measuring progress and adjusting the process as progress is made toward the goal.
6. Project Management
- Information security is a process, not a project; however, each element of an information security program must be managed as a project.
- How can information security be both a process and a project? It is a chain of projects.
- Some aspects of information security are not project-based; rather, they are managed processes (operations) and are ongoing.

CH2 (CLO2: 3 MCQ, 1 short answer, 1 problem solving)

Risk Management
- Risk identification
- Risk assessment
- Risk appetite
- Risk control
The InfoSec department manages the risk to information assets.

Reducing Risk
- General management must structure the IT and InfoSec departments to successfully defend the organization's information assets.
- IT management must serve the IT needs of the organization and exploit the special skills and vision of the InfoSec department.
- InfoSec management must lead the way with skill, professionalism, and flexibility, and work with others to balance the constant trade-offs between utility and security.

Risk Management (Sun Tzu)
- One who knows the enemy and knows himself will not be in danger.
- One who does not know the enemy but knows himself will sometimes win, sometimes lose.
- One who does not know the enemy and does not know himself will be in danger.

Knowing Yourself
- For any company, a specific amount of risk always remains.
- To manage risk properly, managers should understand how information is collected, processed, stored, and transmitted.
- Knowing yourself requires knowing which information assets are valuable to the organization, identifying, categorizing, and classifying those assets, and understanding how they are being protected.
- Armed with this knowledge, the organization can then initiate an in-depth risk management program.

Knowing the Enemy
- Identifying, examining, and understanding the threats facing the organization's information assets.
- Managers must be prepared to fully identify those threats that pose risks to the organization and the security of its information assets.
- Risk management is the process of discovering and assessing the risks to an organization's operations and determining how those risks can be controlled or mitigated.

Accountability for Risk Management
All communities of interest take responsibility for risk management:
- InfoSec: takes a leadership role in addressing risk.
- IT: helps build secure systems and ensures their safe operation.
- Management and users: when properly trained and kept aware of the threats faced by the organization, they provide early detection and response. Members of this community also ensure that enough resources are allocated to the InfoSec and IT groups to meet the security needs of the organization.

Risk Identification
- The risk management project should be well organized and funded, with a clear champion, a statement of work, and all needed support.
- Risk identification begins with the process of self-examination.
- Managers:
  o Identify the organization's information assets
  o Classify and categorize them into useful groups
  o Prioritize them by overall importance

Identification and Prioritization of Information Assets
- The risk identification process begins with the identification of information assets, including people, procedures, data and information, software, hardware, and networking elements (the organizational assets used in systems).

Identifying Hardware, Software, and Network Assets
- Many organizations use asset inventory systems to keep track of their hardware, network, and software components.
- Whether automated or manual, the inventory process requires a certain amount of planning.
- Determine which attributes of each of these information assets should be tracked.
- That will depend on the needs of the organization and its risk management efforts.
Attributes for Assets
Potential attributes to track for each information asset:
- Name
- Asset tag
- IP address
- MAC address
- Asset type
- Serial number
- Manufacturer name
- Manufacturer's model or part number
- Physical location
- Logical location
- Controlling entity
- Software version and update revision

Identifying People, Procedures and Data Assets
- Responsibility for identifying, describing, and evaluating these information assets should be assigned to managers who possess the necessary knowledge, experience, and judgment.
- As these assets are identified, they should be recorded via a reliable data-handling process like the one used for hardware and software.

Suggested Attributes for People, Procedures, and Data Assets
- People: position name/number/ID; supervisor name/number/ID; security clearance level; special skills
- Procedures: description; intended purpose; software/hardware/networking elements to which it is tied; location where it is stored for reference; location where it is stored for update purposes
- Data: classification; owner/creator/manager; size of data structure; data structure used; online or offline; location; backup procedures

Classifying and Categorizing Information Assets
- Once the initial inventory is collected, determine whether its asset categories are meaningful to the risk management program.
- The inventory should also reflect the sensitivity and security priority assigned to each information asset.
- A data classification scheme categorizes these information assets based on their sensitivity and security needs.
- Each of these categories defines the level of protection needed for a particular information asset.

Assessing Values of Information Assets
- As each information asset is identified, categorized, and classified, a relative value must be assigned.
- Relative values are comparative judgments made to ensure that the most valuable (critical) information assets are given the highest priority, for example:
  o Which information asset is most critical to the success of the organization?
  o Which information asset generates the most revenue?
  o Which information asset is the most expensive to protect?

Prioritizing (Rank Ordering) Information Assets
- The final step in the risk identification process is to prioritize, or rank order, the assets.
- This is done using a weighted table analysis (Weighted Factor Analysis Worksheet).

Threat Assessment
- Threat assessment assesses the potential weaknesses in each information asset. It is done after inventory classification.
- Because an organization faces a wide variety of threats, the project scope can become too complex. To make the process less difficult, each step in the threat identification and vulnerability identification processes is managed separately and then coordinated at the end.

Identifying Threats
- Each threat presents a unique challenge to information security and must be handled with specific controls.
- Before threats can be assessed in the risk identification process, each threat must be further examined to determine its potential (likelihood) to affect the targeted information asset.
- In general, this process is referred to as a threat assessment.

Assessing Threats
The following questions can help you understand the various threats and their potential effects. Which threats:
- have the highest probability of success?
- could result in the greatest loss if successful?
- cost the most to protect against?
- cost the most to recover from?

Prioritizing Threats
- The organization should conduct a weighted table analysis with threats.
- The organization should list the categories of threats it faces, and then select criteria that correspond to the questions of interest.
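The weighted table analysis the notes call for twice (to rank order assets, and again to prioritize threats) is the same calculation with different criteria: each item is scored against each criterion, the scores are multiplied by the criterion weights, and the weighted sums are sorted. The Python below is an added example, not part of the original notes. The criteria follow the valuation questions for assets and the four assessment questions for threats given above; the weights, the 0 to 1 scoring scale and all scores are constructed sample data.

```python
"""Weighted factor analysis for rank-ordering assets and threats.

Added example; the criteria weights and the scores are constructed sample
data, not figures from the notes.
"""


def weighted_factor_analysis(criteria, scores):
    """Rank items by the weighted sum of their criterion scores.

    criteria: {criterion: weight}, weights summing to 1.0
    scores:   {item: {criterion: score in [0, 1]}}
    Returns [(item, weighted_score)] from highest to lowest priority.
    """
    if abs(sum(criteria.values()) - 1.0) > 1e-9:
        raise ValueError("criterion weights must sum to 1.0")
    ranked = []
    for item, item_scores in scores.items():
        missing = set(criteria) - set(item_scores)
        if missing:
            raise ValueError(f"{item} has no score for {sorted(missing)}")
        total = sum(item_scores[c] * w for c, w in criteria.items())
        ranked.append((item, round(total, 3)))
    # Highest weighted score first; ties broken by name so the worksheet is stable.
    ranked.sort(key=lambda pair: (-pair[1], pair[0]))
    return ranked


def rank_assets():
    """Asset worksheet using the three valuation questions from the notes."""
    criteria = {"critical_to_success": 0.5, "generates_revenue": 0.3, "cost_to_protect": 0.2}
    scores = {
        "customer database": {"critical_to_success": 1.0, "generates_revenue": 0.9, "cost_to_protect": 0.6},
        "web storefront":    {"critical_to_success": 0.9, "generates_revenue": 1.0, "cost_to_protect": 0.5},
        "HR records":        {"critical_to_success": 0.6, "generates_revenue": 0.2, "cost_to_protect": 0.7},
        "marketing site":    {"critical_to_success": 0.3, "generates_revenue": 0.4, "cost_to_protect": 0.2},
    }
    return weighted_factor_analysis(criteria, scores)


def rank_threats():
    """Threat worksheet using the four assessment questions from the notes."""
    criteria = {"probability_of_success": 0.4, "loss_if_successful": 0.3,
                "cost_to_protect": 0.15, "cost_to_recover": 0.15}
    scores = {
        "ransomware":       {"probability_of_success": 0.8, "loss_if_successful": 0.9,
                             "cost_to_protect": 0.5, "cost_to_recover": 0.9},
        "phishing":         {"probability_of_success": 0.9, "loss_if_successful": 0.5,
                             "cost_to_protect": 0.3, "cost_to_recover": 0.4},
        "hardware failure": {"probability_of_success": 0.6, "loss_if_successful": 0.4,
                             "cost_to_protect": 0.4, "cost_to_recover": 0.5},
        "flood":            {"probability_of_success": 0.1, "loss_if_successful": 0.8,
                             "cost_to_protect": 0.6, "cost_to_recover": 0.8},
    }
    return weighted_factor_analysis(criteria, scores)


if __name__ == "__main__":
    for title, rows in (("Assets", rank_assets()), ("Threats", rank_threats())):
        print(title)
        for rank, (name, score) in enumerate(rows, 1):
            print(f"  {rank}. {name:<18} {score:.3f}")
```

The weight check matters in practice: a worksheet whose weights do not sum to one silently inflates or deflates every score, and the relative ranking is all that the later TVA worksheet consumes.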
Vulnerability Assessment
- Once the organization has identified and prioritized both its information assets and the threats facing those assets, it can begin to compare (map) information assets to threats.
- This review leads to the creation of a list of vulnerabilities that remain potential risks to the organization.
- Vulnerabilities are specific opportunities that threat agents can exploit to attack an information asset.
- A list should be created for each information asset to document its vulnerability to each possible or likely attack.

TVA Worksheet
- At the end of the risk identification process, the organization should have:
  o A prioritized list of assets and their vulnerabilities
  o A prioritized list of threats facing the organization
- The prioritized lists of assets and threats can be combined into a Threats-Vulnerabilities-Assets (TVA) worksheet, in preparation for the addition of vulnerability and control information during risk assessment.

CH3 (CLO3: 2 MCQ, 2 short answer)

Risk Components
- Your job as a risk analyst is to educate the organization about the top risk exposures and help them set priorities. A well-written risk statement answers:
  o Who is the threat we are worried about?
  o Why is the vulnerability causing the exposure?
  o What is the potential impact on the organization?
- Risk is a description of the consequences. To break risk down into its components, we need to define:
  o Sensitivity of the resource: its importance or criticality to the organization.
  o Threats, and threat countermeasures.
  o Vulnerabilities, and vulnerability countermeasures.
  o Inherent risk: the amount of risk that exists in the absence of controls.
  o Compensating controls: controls currently in place that reduce exploitability.
  o Residual risk: the risk remaining after implementing controls.
- An information security risk exposure should describe the outcome of a successful exploit of the vulnerability by the threat.
The differences between the risk terminologies:
  o Threat describes the "who"
  o Vulnerability explains the "why"
  o Risk represents the "what": the consequences the business will experience

Imagine the Consequences
Your risk description should answer:
- What would the organization lose upon a successful exploit? Customers; money; reputation.
- Would the organization go out of business? This is an extreme scenario.
- Can the organization recover from the breach? How easily and how fast?
- Would the organization need to inform customers? Example: unauthorized disclosure of information.

How to Describe a Risk
As a result of [cause], [event] may occur, which would lead to/cause/require [consequence].
Example 1: As a result of a DDoS, a server shutdown may occur, which would cause disruption of all intranet services.
Example 2: As a result of insecure storage of backup tapes, unauthorized disclosure of customer data may occur, which would require notification to regulators and affected clients.

Threat Examples
- External mass attacks (viruses)
- External targeted attacks (attackers)
- Internal (disgruntled employee)
- Accidental damage
- Internal abuse
- Infrastructure failure
- Natural disaster

Two approaches to measure and analyze risk:
1. Qualitative approaches
  o Simpler to use and visualize
  o Good when there is not enough historical data
  o Use a relative scale (Low, Moderate, High)
  o Subjective and can be inaccurate
2. Quantitative approaches
  o Focus on numbers and calculations
  o Require accurate historical data
  o Vary from basic and simple to complex models

Quantitative Risk Analysis
- Quantitative approaches focus on hard numbers and calculations to determine the risk exposure.
  Risk Exposure = Sensitivity × Severity × Likelihood
  Exposure Rating = Severity² × Threat
- Simple quantitative risk calculation:
  Annualized Loss Expectancy (ALE) = Single Loss Expectancy (SLE) × Annualized Rate of Occurrence (ARO)

Qualitative Risk Analysis
- We need to define the sensitivity of the resource, the severity of the vulnerability, and the likelihood of the threat.
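The qualitative method combines those three variables through a mapping table rather than arithmetic. The Python below is an added example, not part of the original notes: it implements the "expand the mapping table to include all three variables" option that the notes describe under Defining Risk Sensitivity. The severity and likelihood levels are the scales the notes define in the following sections; the three-level sensitivity scale, the contents of the base table and the rule that sensitivity moves the rating one step up or down are assumptions chosen for illustration, as are the sample risk statements.

```python
"""Qualitative risk rating from severity, likelihood and sensitivity.

Added example for the qualitative analysis in these notes. The severity and
likelihood levels are the scales the notes define; the sensitivity levels,
the base mapping table and the sensitivity adjustment are assumptions chosen
for illustration, not values from the notes.
"""

SEVERITY = ("Low", "Moderate", "High", "Critical")
LIKELIHOOD = ("Negligible", "Low", "Moderate", "High", "Very High")
SENSITIVITY = ("Low", "Moderate", "High")  # assumed three-level scale
RATING = ("Low", "Moderate", "High", "Critical")

# Base mapping table: severity (row) x likelihood (column) -> rating.
BASE_TABLE = {
    #            Negligible  Low         Moderate    High        Very High
    "Low":      ("Low",      "Low",      "Low",      "Moderate", "Moderate"),
    "Moderate": ("Low",      "Low",      "Moderate", "Moderate", "High"),
    "High":     ("Low",      "Moderate", "High",     "High",     "Critical"),
    "Critical": ("Moderate", "High",     "Critical", "Critical", "Critical"),
}

# Third variable: sensitivity moves the rating one step down, none, or one step up.
SENSITIVITY_SHIFT = {"Low": -1, "Moderate": 0, "High": +1}


def risk_rating(severity, likelihood, sensitivity):
    """Look up the base rating and adjust it for the resource's sensitivity."""
    for value, scale, name in ((severity, SEVERITY, "severity"),
                               (likelihood, LIKELIHOOD, "likelihood"),
                               (sensitivity, SENSITIVITY, "sensitivity")):
        if value not in scale:
            raise ValueError(f"unknown {name} level {value!r}; expected one of {scale}")
    base = BASE_TABLE[severity][LIKELIHOOD.index(likelihood)]
    index = RATING.index(base) + SENSITIVITY_SHIFT[sensitivity]
    index = max(0, min(len(RATING) - 1, index))  # clamp to the rating scale
    return RATING[index]


def prioritize(risks):
    """Rate each risk statement and return them highest exposure first.

    risks: iterable of dicts with keys statement, severity, likelihood, sensitivity
    """
    rated = [dict(r, rating=risk_rating(r["severity"], r["likelihood"], r["sensitivity"]))
             for r in risks]
    rated.sort(key=lambda r: (-RATING.index(r["rating"]), r["statement"]))
    return rated


# Constructed risk statements in the notes' "As a result of ..." form.
SAMPLE_RISKS = [
    {"statement": "As a result of insecure backup tape storage, disclosure of customer "
                  "data may occur, which would require regulator notification",
     "severity": "Critical", "likelihood": "Moderate", "sensitivity": "High"},
    {"statement": "As a result of a DDoS, a server shutdown may occur, which would "
                  "disrupt intranet services",
     "severity": "High", "likelihood": "High", "sensitivity": "Low"},
    {"statement": "As a result of a missing hardening guideline, a policy deviation "
                  "may occur, which would weaken governance",
     "severity": "Low", "likelihood": "Low", "sensitivity": "Moderate"},
]

if __name__ == "__main__":
    for r in prioritize(SAMPLE_RISKS):
        print(f"{r['rating']:<9} {r['statement']}")
```

Keeping sensitivity as its own axis, as this table does, avoids the problem the notes flag with folding it into severity: a DDoS against a low-sensitivity intranet server and the same DDoS against a revenue-generating system get the same severity and likelihood but different ratings.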
Risk Variables (Components)
- Severity
  o The degree of damage, or how universal the exploit is.
- Likelihood
  o The probability that a specific risk occurs: the probability of a successful exploit and the frequency of exploitation.
- Sensitivity
  o The resource's tolerance for risk exposures. Example: disruption of connectivity to the data center may result in a revenue loss of 1,000,000 per hour.

Estimating Severity
Some questions that can help estimate severity:
- What is the scope after exploitation (full, users, departments, etc.)?
- How much data will be disclosed?
- Will the breach allow modification of data, or just viewing?

Qualitative Severity Scale
- Low
  o Deviation from recommended practice or an emerging standard.
  o Results from a lack of a security governance process or activity, but has no direct exposure.
- Moderate
  o Indirectly contributes to unauthorized activity, or has no known attack vector.
  o Results in a degradation of service or a noticeable decrease in service performance.
- High
  o Allows limited access to or control of the application, system, or communication, including all data and functionality.
  o Results in a short disruption of service, or denial of service for part of the user community.
- Critical
  o Allows full access to or control of the application, system, or communication, including all data and functionality.
  o Results in a prolonged outage affecting all users of the service.

Defining Likelihood
- Likelihood is a rating of both the probability that a threat will successfully exploit a vulnerability and how often that might occur.
- It depends on the following factors:
  o Size of the threat universe (scope)
  o Motivation of the threat actor
  o Sophistication of the attack or skill level required
  o Existing controls

Qualitative Likelihood Scale
- Negligible
  o The threat source is part of a small and trusted group; controls prevent exploitation without physical access to the target; significant inside knowledge is necessary; or the exploit is purely theoretical.
- Low
  o The threat source lacks motivation or capability, or controls are in place to prevent, or at least significantly impede, the vulnerability from being exploited.
- Moderate
  o The threat source is motivated and capable, but controls are in place that may impede successful exploitation of the vulnerability.
- High
  o The threat source is highly motivated and very capable, and controls to prevent exploitation of the vulnerability are ineffective.
- Very High
  o The exposure is apparent through casual use or with publicly available information, and the weakness is publicly accessible on the Internet.

Estimating Likelihood
Some questions that can help estimate likelihood:
- What is the size of the population?
- What skill level is required for the exploit?
- Can the vulnerability be exploited anonymously?
- How attractive is the target?

Defining Risk Sensitivity
There are two ways to include the sensitivity of the resource in a qualitative assessment of risk exposure:
- Sensitivity factors can be included in the definition of severity (difficult, since it mixes two independent conditions).
- The mapping table can be expanded to include all three variables.

CH4 (CLO4: 2 short answer, 1 problem solving)

Risk Control Strategies
1. Defense: applying controls that eliminate or reduce the remaining uncontrolled risk.
2. Transference: shifting risks to other areas or to outside entities.
3. Mitigation: reducing the impact in case an attacker successfully exploits a vulnerability.
4. Acceptance: understanding the consequences of leaving a risk uncontrolled and then properly acknowledging the remaining risk.
5. Termination: removing or discontinuing the information asset from the organization's operating environment.

1. Defense
- The defense risk control strategy attempts to prevent the exploitation of the vulnerability.
- This is the preferred approach and is accomplished by countering threats, removing vulnerabilities in assets, limiting access to assets, and adding protective safeguards.
- This approach is sometimes referred to as "avoidance".
- Three methods of risk defense:
  o Application of policy
  o Application of training and education
  o Implementation of technology

2. Transference
- The transference risk control strategy attempts to shift risk to another entity.
- This may be accomplished by outsourcing to other organizations, purchasing insurance, or implementing service contracts with providers.
- When an organization does not have adequate security management and administration experience, it should hire individuals or firms that provide expertise in those areas (outsourcing).

Service Level Agreement
- The key to an effective transference risk control strategy is the implementation of an effective service level agreement (SLA).
- In some cases, an SLA is the only guarantee that an external organization will implement the level of security the client organization wants.
- Steps to create a successful SLA:
  o Determining objectives
  o Defining requirements
  o Setting measurements
  o Establishing accountability

3. Mitigation
- Attempts to reduce, through planning and preparation, the damage caused by a realized incident.
- Includes three types of plans:
  1. Incident response (IR) plan
  2. Disaster recovery (DR) plan
  3. Business continuity (BC) plan
- Mitigation depends on the ability to detect and respond to an attack as quickly as possible.

4. Acceptance
- The decision to do nothing to protect an information asset from risk, and to accept the outcome of any resulting exploitation.
- It may or may not be a conscious business decision.
- Unconscious acceptance of risk is not a valid approach to risk control.
- An organization that decides on acceptance as a strategy for every identified risk of loss may be unable to conduct proactive security activities.
- Acceptance is a valid strategy only when the organization has:
  o Determined the level of risk posed to the information asset.
  o Assessed the probability of attack and the likelihood of a successful exploitation of a vulnerability.
  o Estimated the possible damage or loss that could result from attacks.
  o Evaluated possible controls using each appropriate type of feasibility.
  o Performed a thorough risk assessment, including a financial analysis (CBA).

5. Termination
- Based on the organization's need or choice not to protect an asset:
  o The organization does not wish the information asset to remain at risk and so removes it from the environment that represents risk.
- The cost of protecting the asset may outweigh its value, or it may be too difficult or expensive to protect the asset compared to the value it offers the company.

Pros and Cons of Each Strategy
- Pros
  o Defense: preferred all-round approach
  o Transference: easy and effective
  o Mitigation: effective when all else fails
  o Acceptance: cheap and easy
  o Termination: relatively cheap and safe
- Cons
  o Defense: expensive and laborious
  o Transference: dependence on external entities
  o Mitigation: guarantees company loss
  o Acceptance: rarely appropriate, unsafe
  o Termination: rarely appropriate, requires company loss

Managing Risk
- Risk appetite (risk tolerance) is the quantity and nature of risk that organizations are willing to accept, as they evaluate the trade-offs between perfect security and unlimited accessibility.
- A reasoned approach to risk is one that balances the expense of controls against the possible losses if a vulnerability is exploited.
- Residual risk is the amount of risk that remains after the organization has implemented policy, education and training, and technical controls and safeguards (the remaining risk that has not been completely removed).
- The goal of information security is not to bring residual risk to zero; rather, it is to bring it in line with the organization's risk appetite.

Rules of Thumb for Selecting a Strategy
- When a vulnerability exists in an important asset, implement security controls to reduce the likelihood of the vulnerability being exploited.
- When a vulnerability can be exploited, apply layered protections, architectural designs, and administrative controls to minimize the risk or prevent the occurrence of an attack.
- When the attacker's potential gain is greater than the cost of the attack, apply protections to increase the attacker's cost or reduce the attacker's gain by using technical or managerial controls.

Ongoing Risk Management
- Once a control strategy has been selected and implemented, controls should be monitored and measured on an ongoing basis to determine their effectiveness and to maintain an ongoing estimate of the remaining risk.

Standard Approaches to Risk Management
- US-CERT's Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE)
- ISO 27005 standard for InfoSec risk management
- NIST Risk Management Model
- Microsoft Risk Management Approach
- Jack A. Jones' Factor Analysis of Information Risk (FAIR)
- Delphi technique

Feasibility and Cost Benefit Analysis
- Before deciding on the strategy for a specific asset-vulnerability-threat combination, all readily accessible information about the consequences of the vulnerability must be explored.
- While the advantages of a specific strategy can be identified in many ways, the primary way is to determine the value of the information assets it is designed to protect.
- Cost avoidance is the money saved by using the defense strategy via the implementation of a control, thereby reducing the financial consequences of an incident.

Cost Benefit Analysis (CBA)
- The criterion most commonly used when evaluating a project that implements InfoSec controls (safeguards) is economic feasibility.
- Begin this type of economic feasibility analysis by valuing the information assets and determining the loss in value if those information assets became compromised.
- This decision-making process is called a cost benefit analysis or an economic feasibility study.
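The economic feasibility decision comes down to the two formulas these notes give, ALE = SLE × ARO (under Quantitative Risk Analysis) and CBA = ALE(precontrol) − ALE(postcontrol) − ACS (under the CBA Formula heading below). The Python below is an added example, not part of the original notes, that applies them to several candidate controls for one asset and ranks the controls by CBA. The decomposition SLE = asset value × exposure factor is standard practice in this kind of analysis but is not stated in the notes, and every figure (asset value, exposure factors, ARO values, control costs) is constructed for illustration.

```python
"""Economic feasibility of controls with ALE and CBA.

Added example for the cost benefit analysis in these notes. It applies
ALE = SLE x ARO and CBA = ALE(precontrol) - ALE(postcontrol) - ACS from the
notes; the decomposition SLE = asset value x exposure factor is standard
practice but is not stated in the notes, and all figures are constructed.
"""


def single_loss_expectancy(asset_value, exposure_factor):
    """SLE: the value lost in one incident (fraction of the asset destroyed)."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be between 0 and 1")
    return asset_value * exposure_factor


def annualized_loss_expectancy(sle, aro):
    """ALE = SLE x ARO, where ARO is the expected number of incidents per year."""
    if aro < 0:
        raise ValueError("ARO cannot be negative")
    return sle * aro


def cost_benefit(ale_pre, ale_post, acs):
    """CBA = ALE(precontrol) - ALE(postcontrol) - ACS.

    Positive means the safeguard avoids more loss per year than it costs.
    """
    return ale_pre - ale_post - acs


def evaluate_controls(asset_value, exposure_factor, aro, controls):
    """Compute the CBA of each candidate control and order them best first.

    controls: list of dicts with name, acs (annual cost of safeguard) and the
    exposure_factor and aro expected once the control is in place.
    """
    ale_pre = annualized_loss_expectancy(
        single_loss_expectancy(asset_value, exposure_factor), aro)
    rows = []
    for c in controls:
        ale_post = annualized_loss_expectancy(
            single_loss_expectancy(asset_value, c["exposure_factor"]), c["aro"])
        cba = cost_benefit(ale_pre, ale_post, c["acs"])
        rows.append({"control": c["name"], "ale_pre": ale_pre, "ale_post": ale_post,
                     "acs": c["acs"], "cba": cba, "economically_feasible": cba > 0})
    rows.sort(key=lambda r: -r["cba"])
    return rows


def demo():
    """Constructed scenario: a 500,000 customer database, one loss every two years,
    40% of its value lost per incident. Each control changes EF, ARO, or both."""
    controls = [
        # name, annual cost of safeguard, and the post-control exposure factor / ARO
        {"name": "encrypted offsite backups", "acs": 15_000, "exposure_factor": 0.1, "aro": 0.5},
        {"name": "managed detection and response", "acs": 40_000, "exposure_factor": 0.4, "aro": 0.1},
        {"name": "full redundant hot site", "acs": 110_000, "exposure_factor": 0.1, "aro": 0.1},
    ]
    return evaluate_controls(asset_value=500_000, exposure_factor=0.4, aro=0.5, controls=controls)


if __name__ == "__main__":
    for row in demo():
        verdict = ("implement" if row["economically_feasible"]
                   else "not worth it; consider acceptance or transference")
        print(f"{row['control']:<32} ALE pre {row['ale_pre']:>9,.0f}  "
              f"ALE post {row['ale_post']:>9,.0f}  ACS {row['acs']:>9,.0f}  "
              f"CBA {row['cba']:>9,.0f}  -> {verdict}")
```

In the constructed scenario the cheap backups win (CBA 60,000) even though the hot site reduces loss the most, because its annual cost exceeds the loss it avoids (CBA −15,000). A negative CBA is the numeric form of the notes' rule that acceptance or transference is only valid after a financial analysis has been performed.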
Cost
- Just as it is difficult to determine the value of information, it is difficult to determine the cost of safeguarding it.
- Items that affect the cost of a control or safeguard include:
  o Cost of development or acquisition of hardware, software, and services
  o Training fees
  o Cost of implementation
  o Service costs
  o Cost of maintenance

Benefit
- Benefit is the value to the organization of using controls to prevent (reduce) losses associated with a specific vulnerability.
- The benefit is usually determined by valuing the information asset exposed by the vulnerability and then determining how much of that value is at risk and how much risk there is for the asset.
- This is expressed as the annualized loss expectancy (ALE).

Asset Valuation
- Asset valuation is the process of assigning financial value or worth to each information asset.
- The value of information differs within and between organizations.
- Asset valuation involves the estimation of real and perceived costs, which can be selected from those associated with the design, development, installation, maintenance, protection, recovery, and defense against loss or legal actions.

Asset Valuation Components
- Value retained from the cost of creating the information asset.
- Value retained from past maintenance of the information asset.
- Value implied by the cost of replacing/providing the information.
- Value acquired from the cost of protecting the information.
- Loss of productivity and revenue while the information assets are unavailable.

Asset Valuation Approaches
- Once an organization has estimated the worth of various assets, it can begin to calculate the potential loss from the successful exploitation of a vulnerability; this calculation produces an estimate of potential loss per risk.
- The questions that must be asked include:
  o What damage could occur, and what would its financial impact be?
  o What would it cost to recover from the attack, in addition to the financial impact of the damage?
  o What is the single loss expectancy for each risk?
Cost-Benefit Analysis (CBA) Formula
- CBA determines whether the benefit from a control alternative is worth the associated cost of implementing and maintaining the control.
- A CBA may be performed before implementing a control, or after controls have been in place for a while.
CBA = ALE(precontrol) – ALE(postcontrol) – ACS
o ALE(precontrol) is the annualized loss expectancy of the risk before the control is implemented
o ALE(postcontrol) is the ALE estimated for, or measured after, the control having been in place for a period of time
o ACS is the annual cost of the safeguard
o ALE itself is the single loss expectancy (SLE) multiplied by the annualized rate of occurrence (ARO); a control lowers the ALE by reducing the loss per incident, the frequency of incidents, or both
o A positive CBA means the control is economically feasible; a negative CBA means the safeguard costs more per year than the losses it prevents
Other Methods of Establishing Feasibility
- Organizational feasibility analysis examines how well the proposed information security alternatives will contribute to the efficiency, effectiveness, and overall operation of the organization.
- Operational feasibility refers to user acceptance and support, management acceptance and support, and the system's compatibility with the requirements of the organization's stakeholders.
o User acceptance and support are built through communication, education, and involvement.
- Technical feasibility determines whether the organization has, or can acquire, the technology and expertise to implement, support, and manage the new safeguards.
- Political feasibility defines what can and cannot occur based on the consensus and relationships between the communities of interest, especially given that budget allocation decisions can be politically charged.
Alternatives to Feasibility Analysis
- Benchmarking
- Due care and due diligence
o Due care is acting responsibly. Due diligence is verifying that those responsible actions are sufficient and that they work.
- Best business practices
- Gold standard
- Government recommendations and best practices
- Baseline
CLO5 (2 short answer) Ch5
There is a need for a new reference model to guide security architects, who are tasked with performing risk assessments of software, systems, and networks.
- Traditional approach
o Security perimeter: protect the internal (safe) from the external (unsafe)
o Point solutions and ad hoc implementations
o Lack of consistency
- Modern approach (Enterprise Information Security Architecture, EISA)
o Defense in depth
o Separate portions of the internal environment based on sensitivity
o Common security framework unifying vision and methods
Purpose of EISA
- To help establish the strategy for how and when to protect sensitive data and critical resources.
- EISA must:
o Improve security in the organization
o Establish basic security principles and standards
o Facilitate security policy and process
o Provide guidance for security-related projects
Developing EISA
- EISA must be driven by the business requirements for assuring the required levels of CIAA, based on the risk ratings of that business.
- EISA should be based on the following security principles:
o It should be aligned with security policies
o Security policies should drive the selection and implementation of security controls
o It should be risk-based
EISA Requirements
- Business requirements and security policies, not the technology itself, should drive the choice of security controls.
- The security levels applied to data and resources shall, at a minimum, match their business value and be sufficient to reduce risk to an acceptable level.
- Security architecture shall be based on industry-wide and open standards.
Risk in the Development Lifecycle
- A very important element of information systems is the development of software applications.
- The Software Development Lifecycle (SDLC) is the formal process adopted by organizations to build software.
- Achieving secure application development requires three components:
o Architectural risk analysis (often neglected!)
o Code review
o Penetration testing
EISA and System Lifecycle
Several points in a system's lifecycle require guidance from the EISA, including the following:
- Design stage: after a new system is proposed.
- Evaluation stage: after a system is implemented, but before it goes "live".
- Re-evaluation stage: when a significant change is made to the system's risk profile, or on a regularly scheduled basis.
- Audit stage: whenever an audit is performed on a system.
Security Zones
- A security zone is a physical or logical grouping of resources that share the same risk profile and business function.
- The boundaries between zones are implemented using security controls, which filter inbound or outbound communications and control access to sensitive resources.
- Examples of zoning criteria:
o Business functions (e.g., HR, Finance, etc.)
o Location (e.g., Abu Dhabi office, internal vs. external)
o Information systems (e.g., HRMS, Academic Services system)
Separation by Risk Profile
- Since resources in the same zone often share the same risk profile, resources can be grouped into zones on that basis.
- The EISA should provide guidance and tools for determining the proper placement of security zone boundaries and controls.
Placing Resources in Zones
The decision to place a resource, component, application, or service into a zone is determined by the following factors:
- The need to avoid exposure to risk.
- The need to avoid imposing risk on other resources, components, applications, or services.
- The need to meet business requirements that can only be satisfied by a dedicated environment.
Rules of Data Movement Between Security Zones
- Rule 1: Data may only pass between resources or components via a security control or service, even if they remain within the same security zone.
o Example: Microsoft's Least-Privileged User Account model (User Account Control). When a newly installed application tries to make changes to your system, you are prompted to authorize the change even though the application is already inside the "local" Windows zone.
- Rule 2: If a security zone boundary is traversed, security controls must be used to ensure that the data's C-I-A-A needs are preserved.
o Example: A bank's website often sends confidential financial data from the backend zone to the client's computer (external zone). To ensure confidentiality, the bank's TLS (SSL) control encrypts all outgoing data. The same TLS session also protects integrity, because every record is authenticated so that tampering in transit is detected, and the server's digital certificate (another control) proves that the data really comes from the bank.
- Rule 3: Both the initiator of a communication and the recipient may impose security constraints on the other party.
o Example: A website may impose secure communication (i.e., HTTPS) on the client's browser. The browser, on the other hand, checks the credentials of the website: it verifies the digital certificate the server presents against the certificate authorities (CAs) it trusts, and may also check that the certificate has not been revoked.
Trust Relationships
The flow of information may present a threat to a resource depending on the following aspects:
1. Type of flow initiator (human or automated)
2. Endpoint/medium (internal vs. external, and inter-zone vs. intra-zone)
3. Privilege level (basic, privileged, management)
Patterns and Baselines
- In general, patterns represent a recurring theme, while baselines provide a minimum starting point.
- Together, patterns and baselines help guide risk architecture decisions.
- Examples:
o Service (payload) traffic (a common pattern)
o External versus internal traffic (an established baseline)
o Transitive risk considerations (an established baseline)
Data Traffic Patterns
- Service (payload) traffic: data and communication between a service and its intended clients, directly related to satisfying the service's business purpose.
o Example: login credentials are service traffic for the "authentication" service.
- Two known subsets:
1. Management traffic: any service that makes direct contact with another asset (which becomes the "managed resource"), mainly for management, monitoring, or backup.
o Example: an application replicating the database.
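The three rules of data movement and the three trust-relationship factors above can be checked mechanically during an architecture review. The following Python is an added example (not part of the original notes or any vendor product): a small policy evaluator that, for a proposed flow, derives which C-I-A-A properties are required and reports what is missing from the controls actually in the path. The zone ordering, the sensitivity levels, the control catalogue and the sample endpoints are all assumptions made for the example; a real EISA would publish its own.

```python
"""Added example: checking proposed data flows against the three rules of data
movement between security zones and the trust-relationship factors.
Zone ordering, sensitivity levels and the control catalogue are assumptions."""
from dataclasses import dataclass, field

# Assumed zones ordered from least to most trusted, and assumed data sensitivity levels.
ZONE_TRUST = {"external": 0, "dmz": 1, "internal": 2, "backend": 3}
SENSITIVITY = {"public": 0, "internal": 1, "confidential": 2}

# Assumed control catalogue: which C-I-A-A property each control actually provides.
CONTROL_CAPABILITIES = {
    "tls": {"confidentiality", "integrity", "server_authentication"},
    "mtls": {"confidentiality", "integrity", "server_authentication", "client_authentication"},
    "firewall": {"filtering"},
    "mfa": {"client_authentication", "strong_authentication"},
    "uac_prompt": {"authorization"},   # the Rule 1 example: an elevation prompt inside one zone
}


@dataclass
class Endpoint:
    name: str
    zone: str
    initiator: str = "automated"      # trust factor 1: "human" or "automated"
    privilege: str = "basic"          # trust factor 3: "basic", "privileged" or "management"
    requires: set = field(default_factory=set)  # Rule 3: properties this party demands of the peer


@dataclass
class Flow:
    src: Endpoint       # the initiator of the communication
    dst: Endpoint
    sensitivity: str
    controls: set       # controls present on the path between src and dst


def required_capabilities(flow: Flow) -> set:
    """Properties the flow must have, derived from Rule 2, Rule 3 and the trust factors."""
    req = set()
    crossing = flow.src.zone != flow.dst.zone          # trust factor 2: inter- vs intra-zone
    if crossing:                                        # Rule 2: preserve C-I-A-A across the boundary
        req |= {"integrity", "server_authentication"}
        if SENSITIVITY[flow.sensitivity] > SENSITIVITY["public"]:
            req.add("confidentiality")
        if ZONE_TRUST[flow.src.zone] < ZONE_TRUST[flow.dst.zone]:
            req.add("filtering")                        # inbound to a more trusted zone
        if flow.src.initiator == "automated":
            req.add("client_authentication")            # a service must prove its identity
        if flow.src.initiator == "human" and flow.src.zone == "external":
            req.add("strong_authentication")            # humans coming from outside
    if flow.src.privilege in ("privileged", "management"):
        req.add("authorization")                        # least privilege, even inside a zone
        if crossing:
            req.add("strong_authentication")
    req |= flow.src.requires | flow.dst.requires        # Rule 3: constraints from either party
    return req


def evaluate(flow: Flow) -> list:
    """Findings for a proposed flow; an empty list means the flow satisfies the rules."""
    findings = []
    if not flow.controls:                                # Rule 1: no control in the path at all
        findings.append("rule 1: no security control in the path")
    provided = set().union(*(CONTROL_CAPABILITIES[c] for c in flow.controls))
    findings += [f"missing {cap}" for cap in sorted(required_capabilities(flow) - provided)]
    return findings


# Constructed endpoints and flows mirroring the examples in the notes.
BROWSER = Endpoint("customer browser", "external", initiator="human", requires={"server_authentication"})
BANK_WEB = Endpoint("bank web app", "backend", requires={"confidentiality"})   # imposes HTTPS
BATCH_JOB = Endpoint("reporting job", "internal")
CORE_DB = Endpoint("core database", "backend")
ADMIN = Endpoint("local admin user", "internal", initiator="human", privilege="privileged")
WORKSTATION = Endpoint("workstation", "internal")

FLOWS = {
    "bank login, tls+firewall+mfa": Flow(BROWSER, BANK_WEB, "confidential", {"tls", "firewall", "mfa"}),
    "bank login, no mfa":           Flow(BROWSER, BANK_WEB, "confidential", {"tls", "firewall"}),
    "batch to db, firewall only":   Flow(BATCH_JOB, CORE_DB, "internal", {"firewall"}),
    "batch to db, mtls+firewall":   Flow(BATCH_JOB, CORE_DB, "internal", {"mtls", "firewall"}),
    "installer, no control":        Flow(ADMIN, WORKSTATION, "internal", set()),
    "installer, uac prompt":        Flow(ADMIN, WORKSTATION, "internal", {"uac_prompt"}),
}

if __name__ == "__main__":
    for name, flow in FLOWS.items():
        print(f"{name:30} -> {evaluate(flow) or 'OK'}")
```

Note how the intra-zone installer flow is still rejected when no control sits in the path (Rule 1), and how the browser's own requirement for server authentication and the bank's requirement for confidentiality are merged into the flow's requirements (Rule 3) rather than being checked by one side only.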
2. Infrastructure common services: services used by multiple entities.
o Example: LDAP directory services.
Architectural Risk Baselines
The following concepts have been established as risk baselines:
- External vs. internal traffic: no longer just a "physical" concept, but rather a logical control one.
- Transitive risk: the risk inherited from a neighboring (or related) resource.
o Even resources in a shared zone may have different risk characteristics → apply least privilege.
o Services may have different interfaces to the outside world, and therefore different risk exposures → apply defense in depth.
Traversing Risk Sensitivity Boundaries
- In an enterprise environment, systems of differing risk sensitivity levels communicate with each other.
- In these cases, there are two things to consider:
o The sensitivity of the "flowing" data
o The sensitivity of the system/resource affected by this flow
- Therefore, proper controls should be put in place to protect the data as well as both parties involved.
Additional Considerations
- Multitier systems: systems distributed across several physical assets.
o Example: web applications with a front-end tier (client), a middle tier (application server), and a back-end tier (data).
- Public-facing resources: available to external entities either anonymously or on a restricted basis.
o A common control is the use of a DMZ.
CLO4 (2 short answer, 1 problem solving) CH6
Fundamentals of Contingency Planning
- Contingency planning (CP): the overall planning for unexpected adverse events.
- The main goal of CP is to restore normal modes of operation with minimum cost and minimum disruption to normal business activities after an unexpected adverse event.
CP consists of four major components:
- Business impact analysis (BIA)
- Incident response plan (IR plan)
- Disaster recovery plan (DR plan)
- Business continuity plan (BC plan)
NIST CP Methodology
The contingency planning management team (CPMT) develops the CP document using the following seven steps (NIST SP 800-34):
1. Develop the CP policy statement: provides the authority and guidance needed to develop an effective contingency plan.
2. Conduct the BIA: identifies and prioritizes the critical assets that support the organization's objectives.
3. Identify preventive controls: increase the system's availability and reduce contingency life-cycle costs.
4. Create contingency strategies: recovery strategies that ensure the system will be recovered quickly and effectively.
5. Develop a contingency plan: guidance and procedures for restoring damaged organizational facilities and systems.
6. Ensure plan testing, training, and exercises: testing validates recovery capabilities; training prepares recovery personnel for plan activation; exercising the plan identifies planning gaps.
7. Ensure plan maintenance: regularly update the CP documents.
Contingency Planning Management Team (CPMT) includes:
- Champion
- Project manager
- Team members
o Business managers
o Information technology managers
o Information security managers
- IR team
- DR team
- BC team
Components of CP
- Contingency planning
- Business impact analysis
- Incident response planning
- Disaster recovery planning
- Business continuity planning
Business Impact Analysis (BIA)
- Risk management focuses on identifying the threats, vulnerabilities, and attacks to determine which controls can protect the information.
- The BIA assumes that these controls have been bypassed or have failed (the attack succeeded) and asks how the damage can be reduced.
- The BIA begins with the prioritized list of threats and vulnerabilities identified in the risk management process and enhances the list by adding the information needed to respond to the adversity.
- The BIA has three stages:
1. Determine business processes and recovery criticality
2. Identify resource requirements
3. Identify recovery priorities for system resources
1. Determine Mission/Business Processes and Recovery Criticality
- The analysis and prioritization of business processes/departments in the organization, based on their relationship to the organization's mission.
- A weighted factor analysis table can be useful in resolving the question of which business function is the most critical.
- BIA questionnaire: a useful tool for identifying and collecting information about business functions.
Business Process and Recovery Criticality
- Recovery time objective (RTO): the maximum amount of time that a system resource can remain unavailable before there is an unacceptable impact on other system resources and business processes.
- Recovery point objective (RPO): the point in time, prior to a disruption or system outage, to which mission/business process data can be recovered (given the most recent backup copy of the data) after an outage.
- Maximum tolerable downtime (MTD): the total amount of time the system owner is willing to accept for a business process outage; it includes all impact considerations.
- Work recovery time (WRT): the amount of effort (elapsed time) necessary to get the business function operational after the technology element is recovered.
- These figures are related: MTD = RTO + WRT, so the RTO set for the supporting systems plus the time to restore the business function must not exceed the MTD. Likewise, because data can only be restored to the last copy taken, the backup interval must be no longer than the RPO.
Information Asset Prioritization
- As the CPMT conducts the BIA, it assesses the priorities and relative values of mission/business processes.
- It also needs to understand the information assets used by those processes.
- The organization should identify, classify, and prioritize its information assets, and apply classification labels, to better understand their value and to prioritize their protection.
2. Identify Recovery Requirements
- Once the organization has created a prioritized list of its business processes, it needs to determine what resources would be required to recover those critical processes and the assets associated with them.
- For each process (and information asset) identified in the previous BIA stage, the organization should identify and describe the relevant resources needed to provide or support that process.
- A simplified method for organizing this information is to put it into a resource/component table.
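As an added worked example (not part of the original notes), the following Python performs the BIA steps described above: a weighted factor analysis ranks business processes and maps their scores to the Critical / Very Important / Important / Routine scale, a consistency check catches RTO + WRT figures that exceed the MTD and backup intervals that cannot meet the RPO, and the stage 2 resource/component table is turned into the recovery order that stage 3 asks for. The criteria, weights, thresholds, processes and hours are all constructed for illustration.

```python
"""Added example: BIA stage helpers. Weighted factor analysis ranks business
processes, the RTO/WRT/MTD and RPO/backup figures are checked for consistency,
and the resource/component table is turned into a recovery order.
Criteria, weights, thresholds, processes and figures are constructed for illustration."""
from dataclasses import dataclass, field

# Assumed criteria for the weighted factor analysis table; the weights sum to 1.0.
CRITERIA_WEIGHTS = {"revenue_impact": 0.4, "regulatory_impact": 0.3,
                    "customer_impact": 0.2, "dependency": 0.1}


@dataclass
class BusinessProcess:
    name: str
    scores: dict               # criterion -> score from 1 (low) to 5 (high)
    mtd_h: float               # maximum tolerable downtime, hours
    rto_h: float               # recovery time objective of the supporting systems, hours
    wrt_h: float               # work recovery time once the systems are back, hours
    rpo_h: float               # recovery point objective: hours of data loss accepted
    backup_interval_h: float   # how often the process data is actually backed up, hours
    resources: list = field(default_factory=list)  # stage 2 resource/component table


def weighted_score(p: BusinessProcess, weights: dict = CRITERIA_WEIGHTS) -> float:
    """Weighted factor analysis: sum of weight x score over all criteria."""
    missing = set(weights) - set(p.scores)
    if missing:
        raise ValueError(f"{p.name}: no score for {sorted(missing)}")
    return round(sum(w * p.scores[c] for c, w in weights.items()), 2)


def criticality(score: float) -> str:
    """The simple Critical / Very Important / Important / Routine scale (thresholds assumed)."""
    if score >= 4.0:
        return "Critical"
    if score >= 3.0:
        return "Very Important"
    if score >= 2.0:
        return "Important"
    return "Routine"


def rank_processes(processes: list) -> list:
    """Stage 1: most critical process first."""
    return sorted(processes, key=weighted_score, reverse=True)


def check_recovery_objectives(p: BusinessProcess) -> list:
    """Consistency of the BIA figures: MTD = RTO + WRT, and data can only be
    restored to the last backup, so the backup interval must fit inside the RPO."""
    findings = []
    if p.rto_h + p.wrt_h > p.mtd_h:
        findings.append(f"{p.name}: RTO {p.rto_h}h + WRT {p.wrt_h}h exceeds MTD {p.mtd_h}h")
    if p.backup_interval_h > p.rpo_h:
        findings.append(f"{p.name}: backups every {p.backup_interval_h}h cannot meet RPO {p.rpo_h}h")
    return findings


def recovery_order(processes: list) -> list:
    """Stage 3: recover each resource in the order of the most critical process
    that needs it; a resource shared by several processes is listed once."""
    order = []
    for p in rank_processes(processes):
        for r in p.resources:
            if r not in order:
                order.append(r)
    return order


# Constructed processes (scores, hours and resources are illustrative).
PROCESSES = [
    BusinessProcess("Online banking",
                    {"revenue_impact": 5, "regulatory_impact": 5, "customer_impact": 5, "dependency": 4},
                    mtd_h=4, rto_h=2, wrt_h=1, rpo_h=0.25, backup_interval_h=1,
                    resources=["core-db", "auth-service", "web-frontend"]),
    BusinessProcess("Payroll",
                    {"revenue_impact": 3, "regulatory_impact": 4, "customer_impact": 2, "dependency": 2},
                    mtd_h=48, rto_h=24, wrt_h=8, rpo_h=24, backup_interval_h=24,
                    resources=["hr-db", "auth-service"]),
    BusinessProcess("Internal wiki",
                    {"revenue_impact": 1, "regulatory_impact": 1, "customer_impact": 2, "dependency": 1},
                    mtd_h=72, rto_h=48, wrt_h=30, rpo_h=24, backup_interval_h=24,
                    resources=["wiki-vm"]),
]

if __name__ == "__main__":
    for p in rank_processes(PROCESSES):
        score = weighted_score(p)
        print(f"{p.name:16} score={score:.2f} {criticality(score)}")
        for finding in check_recovery_objectives(p):
            print("  !", finding)
    print("Recovery order:", recovery_order(PROCESSES))
```

The two findings the check raises are the ones a BIA reviewer looks for: a process whose stated RPO is tighter than the backup schedule that supports it (the objective is unachievable as written), and a process whose planned RTO and WRT together overrun its MTD (the plan will be late even if every step succeeds).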
3. Identify Recovery Priorities for System Resources
- The last stage of the BIA is prioritizing the resources associated with the business processes, which provides a better understanding of what must be recovered first.
- Using information from the previous steps, the organization can create additional weighted tables of the resources needed to support the individual processes.
- A simple valuation and classification scale, such as Critical / Very Important / Important / Routine, provides a quicker method of valuing the supporting resources.
Contingency Planning Policies
- Prior to the development of CP documents, the CP team should develop the policy environment that will enable the BIA process and should provide specific policy guidance authorizing the creation of each of the planning components (IR, DR, BC).
- These policies provide guidance on the structure of the subordinate teams and the philosophy of the organization, and assist in structuring the plan.
Business Continuity
- Business continuity (BC): when a disaster prevents normal operations at the primary site, the organization temporarily establishes critical operations at an alternate site until it can resume operations at the primary site or select and occupy a new primary site.
- Business continuity plan (BC plan): documents the organization's intended efforts to continue critical functions when operations at the primary site are not possible.
- Business continuity planning (BCP): the actions taken by senior management to develop and implement the BC policy, plan, and continuity teams.
- While the BC plan re-establishes critical business functions at an alternate site, the DR plan team focuses on re-establishing the technical infrastructure and business operations at the primary site.
- Some small companies may be able simply to cease operations until the primary facilities are restored; they then have no need for a BC plan, although they still need a DR plan to restore the primary site.
Continuity Strategies
- Cold site: a facility that provides only basic services, with no computer hardware.
- Hot site: a fully configured computing facility that includes all services, communications links, and physical operations.
- Warm site: a facility that provides many of the same services and options as a hot site, but without installed and configured software applications.
- Rolling mobile site: contracting with an organization to provide specialized facilities configured in the payload area of a tractor-trailer.
- Mutual agreement: two organizations sign a contract to assist each other in a disaster by providing BC facilities, resources, and services until the organization in need recovers from the disaster.
- Service bureau: the organization contracts with a service agency to provide a BC facility for a fee.
- Timeshare: the organization co-leases facilities with a business partner. A timeshare allows the organization to have a BC option while reducing its overall costs.
Business Continuity Management
- BCM means ensuring the continued delivery of operations and services. Business continuity management is an ongoing process with several distinct but complementary elements.
- Planning for business continuity is a comprehensive process that includes disaster recovery, business recovery, business resumption, and contingency planning.
- It provides a strategic and operational framework for reviewing the way an organization provides its products and services while increasing its resilience to disruption, interruption, or loss.
- BCM is a comprehensive process to ensure the continuation and improvement of business in the face of whatever challenges the firm may face.
- Continuity planning requires that these many processes be used together to create a complete continuity plan. The plan must be maintained and updated as business processes change, and continuity plans must be tested.
BCM describes an integrated and enterprise-wide process that should include:
- Accident prevention
- Business impact analysis
- Business recovery
- Business resumption planning
- Command centers
- Computer security
- Contingency planning
- Disaster recovery
- Event management
- Exercising and training
- Information security
- Mitigation planning
- Risk control
- Risk financing and insurance
- Risk management
- Safety and security
- Software management
- Emergency management and response
- Project management and quality control