Full Transcript

Overview of ISM and ISO27001

Information Security Management (ISM)
Definition: "Defines and manages controls that an organization needs to implement to ensure that it is sensibly protecting the confidentiality, availability, and integrity of assets from threats and vulnerabilities." (Wikipedia)
Key elements:
- Information risk management: covered in next week's lecture.
- Information Security Management System (ISMS): "A codified procedure for managing information security or InfoSec." A socio-technical system, not just technology: it needs management support, staff training and continuous evaluation.
- Standards and best practices: the ISO 27000 series, including ISO 27001, ISO 27002 and ISO 27035.

Terminology:
- Asset: something valuable to the organization (information, physical assets, software).
- Threat: a potential cause of an unwanted incident that may harm a system or organization.
- Vulnerability: a weakness of an asset or control that a threat can exploit.
- Risk: the effect of uncertainty on objectives.
- Impact: the result of a security incident on assets.
- Controls: activities that manage identified risks. The four treatment options are eliminate (risk avoidance), reduce (risk reduction), transfer (risk transfer) and accept (risk acceptance).
- Identity: information that distinguishes one entity from another.
- Authentication: provision of assurance that a claimed identity is genuine.
- Authorization: permission to access a system resource.
- Accountability: ensuring that the actions of an entity can be traced back to it.
- Audit: a systematic, independent review of whether a party meets the requirements it has agreed to.
- Compliance: meeting or exceeding all applicable requirements.

Information Security Management System (ISMS)
"Part of the overall management system, based on a business risk approach, to establish, implement, operate, monitor, review, maintain and improve information security."
- Ensures that policies, procedures and objectives are created, implemented, communicated and evaluated.
- Requires management support, training, awareness and evaluation.
ISO 27001 Standard
Definition: specifies the requirements for establishing, implementing, maintaining and continually improving an ISMS. Generic and applicable to all organizations, regardless of type, size or nature. Revised as ISO/IEC 27001:2022; the key principles remain the same.

Concept of information: information exists in many forms (printed, electronic, visual, verbal, intangible). "Information should always be appropriately protected."

Characteristics:
- Centred on information assets: protects the assets associated with information and with information processing facilities.
- Security risk management: preservation of confidentiality, integrity and availability. Risk analysis is the starting point for selecting and implementing controls.
- Security management as a process: continuous and evolving.

High-level overview (the clauses of the standard):
- Scope: defines the standard's applicability.
- Normative references: additional standards that apply.
- Terms and definitions: key concepts.
- Context of the organization: understanding the security requirements coming from different sources.
- Leadership: support and direction from upper management.
- Planning: identifying security objectives and planning actions to reach them.
- Support: resources, awareness and communication.
- Operation: execution of the planned actions.
- Performance evaluation: monitoring and measurement.
- Improvement: continual improvement of the ISMS.

Sources of security requirements: derived from the nature of the business and organization, laws and regulations, business needs and stakeholder expectations. Examples:
- Sensitivity of the information assets.
- Business sector and the kind of data handled.
- Contractual obligations and best practices.

Importance of ISO 27001 certification:
- Foundational standard: applicable to all organizations and sectors; specifies the requirements for establishing, implementing and documenting an ISMS.
- Structured methodology: internationally recognized for information security; provides the basis for third-party recognition.
- Certification benefits: demonstrates conformance to the standard.
ISO 27000 Series
Document: COMP6644+8340 - Week24b - ISO27000 Series.pdf

Family of standards: the ISO 27000 series comprises multiple standards for information security management, all focused on establishing, implementing and continually improving an ISMS.
Relationship between the standards:
- ISO 27001: ISMS requirements (the certifiable standard).
- ISO 27002: a comprehensive set of security control best practices.
- ISO 27004: evaluation of security performance and effectiveness.
- ISO 27005: the security risk management process.

ISO 27002 Standard
Provides a comprehensive set of best practices for information security controls, organized into 14 security control clauses (the ISO 27002:2013 structure; the 2022 revision regroups the controls into four themes: organizational, people, physical and technological):
- Information Security Policies
- Organization of Information Security
- Human Resource Security
- Asset Management
- Access Control
- Cryptography
- Physical and Environmental Security
- Operations Security
- Communications Security
- System Acquisition, Development and Maintenance
- Supplier Relationships
- Information Security Incident Management
- Information Security Aspects of Business Continuity Management
- Compliance
Structure of control categories: each clause contains one or more security categories, each with an objective and a set of controls.
Example: Clause 9 (Access Control). Objective: limit access to information and information processing facilities. Controls include the access control policy, user responsibilities, and system and application access control.
Annex A of ISO 27001 lists the clauses, categories and controls; ISO 27002 provides the implementation guidance for each control.

ISO 27004 Standard
Focuses on measuring the security performance and the effectiveness of the ISMS.
Key aspects:
- Information security performance.
- Effectiveness of ISMS processes and controls.
Monitoring, measurement, analysis and evaluation process:
- Establish measurement constructs (what is measured, from which data, and how it is interpreted).
- Use metrics such as training statistics, incident data and internal audit results.
Example metrics:
- Mean Time to Detect (MTTD).
- Mean Time to Resolve (MTTR).
- Phishing simulation success rates.
Measurement construct example (ISO 27004 Annex B): control 9.2.5, review of user access rights.
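The metrics listed above are only meaningful once the measurement is pinned down: which two timestamps bound MTTD and MTTR, what happens to incidents that are still open, and what counts as "reviewed" for control 9.2.5. The following Python is an added example, not part of the lecture notes or of ISO 27004 itself; it computes those metrics over constructed incident and account-review records. The 90-day review interval is an assumed organizational policy, and all function and field names are the example's own.

```python
"""Security metrics of the kind ISO 27004 asks an ISMS to report,
computed from constructed (not real) incident and access-review records.
Added example; names and the 90-day policy are assumptions."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean
from typing import Optional


@dataclass
class Incident:
    ident: str
    occurred: datetime            # when the compromise started (often only learned in forensics)
    detected: datetime            # when the organization became aware of it
    resolved: Optional[datetime]  # None while the incident is still open


def mean_time_to_detect(incidents):
    """MTTD: average gap between compromise and detection, in hours.
    Every incident has a detection time, so all of them are counted."""
    if not incidents:
        return None
    return mean((i.detected - i.occurred).total_seconds() / 3600 for i in incidents)


def mean_time_to_resolve(incidents):
    """MTTR: average gap between detection and resolution, in hours.
    Open incidents are excluded rather than given a zero duration; counting
    them as zero would make MTTR look better the more incidents stay open."""
    closed = [i for i in incidents if i.resolved is not None]
    if not closed:
        return None
    return mean((i.resolved - i.detected).total_seconds() / 3600 for i in closed)


def access_review_coverage(accounts, as_of, max_age_days=90):
    """Measurement construct for control 9.2.5 (review of user access rights):
    percentage of accounts whose rights were reviewed within max_age_days of
    as_of, plus the sorted list of overdue accounts. An account that was never
    reviewed is overdue, not ignored."""
    cutoff = as_of - timedelta(days=max_age_days)
    overdue = sorted(name for name, last_review in accounts.items()
                     if last_review is None or last_review < cutoff)
    reviewed = len(accounts) - len(overdue)
    pct = 100.0 * reviewed / len(accounts) if accounts else 0.0
    return round(pct, 1), overdue


def phishing_success_rate(sent, clicked, submitted_credentials):
    """Two rates from a phishing simulation, both as a percentage of
    emails sent: link clicks and credential submissions."""
    if sent == 0:
        return 0.0, 0.0
    return (round(100.0 * clicked / sent, 1),
            round(100.0 * submitted_credentials / sent, 1))


# Constructed sample data (assumed, for illustration only)
T = datetime(2024, 3, 1, 9, 0)
AS_OF = datetime(2024, 3, 1)
INCIDENTS = [
    Incident("INC-1", T, T + timedelta(hours=4), T + timedelta(hours=10)),
    Incident("INC-2", T, T + timedelta(hours=48), T + timedelta(hours=72)),
    Incident("INC-3", T, T + timedelta(hours=20), None),   # still open
]
ACCOUNTS = {
    "alice": datetime(2024, 2, 20),
    "bob": datetime(2023, 11, 1),     # reviewed more than 90 days ago
    "svc-backup": None,               # service account, never reviewed
    "carol": datetime(2024, 1, 15),
}

if __name__ == "__main__":
    print("MTTD (hours):", mean_time_to_detect(INCIDENTS))
    print("MTTR (hours), closed incidents only:", mean_time_to_resolve(INCIDENTS))
    print("9.2.5 review coverage:", access_review_coverage(ACCOUNTS, AS_OF))
    print("phishing click / credential rates:", phishing_success_rate(200, 30, 8))
```

Two design choices matter when this is used in an ISMS report: MTTD is measured from the compromise time, not from the time a ticket was opened, otherwise long-running intrusions disappear from the metric; and the 9.2.5 construct returns the overdue accounts alongside the percentage, since the list (here the never-reviewed service account) is what drives the corrective action.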
ISO 27005 Standard
Provides an asset-driven approach to information security risk management.
Five phases of risk management (the standard's flow runs identification, analysis, evaluation, then treatment):
- Preparation: scope of the assessment, assumptions, applicable regulations.
- Risk identification: identify assets, threats and vulnerabilities.
- Risk analysis: qualitative or quantitative analysis of the risks.
- Risk evaluation: prioritize the risks for treatment.
- Risk treatment: treatment options, controls, residual risk.
Information security risk management process: a comprehensive overview of the risk assessment, treatment and evaluation activities.

Potential Issues with ISO Standards
Criticisms:
- Perceived as a tick-box exercise.
- Certification can be scoped narrowly, for example to a single office, while the rest of the organization is left out.
- Vagueness: requirements are sometimes vague and subjective.
Solutions:
- Take a comprehensive approach.
- Focus on the overall improvement of information security management rather than on the certificate.

Summary
- ISM overview: defined and managed via standards such as ISO 27001; a continuous, evolving process that requires management support.
- ISO 27000 series: a comprehensive framework for information security management, with detailed guidance on security controls (27002), measurement (27004) and risk management (27005).

Business Continuity Management

1. Business Continuity Management (BCM) Overview
Definition: BCM is "a holistic management programme that identifies potential events that threaten an organisation and provides a framework for building resilience with the capability for an effective response that safeguards the interests of its key stakeholders, the environment, reputation, brand and value-creating activities."
Goals of BCM:
- Identifies events that threaten the organization.
- Develops resilience based on risk methodologies.

2. High-Level Goals of BCM
Primary objectives:
- Safeguard human life.
- Preserve the environment.
- Protect assets.
- Control business loss.
- Facilitate recovery.
- Maintain the organization's reputation.
Points to note: the priority of these objectives may vary with the type of business and with stakeholder priorities.

3. Importance of BCM
Case study example: a ransomware attack that halts business operations and forces a decision on whether to pay the ransom.
Key reasons:
- Ensures rapid recovery from disruptions.
- Prevents significant financial losses.
- Helps maintain reputation and stakeholder confidence.

4. BCM Stages
Development:
 a. Program initiation
 b. Business impact analysis (BIA)
 c. Risk assessment
 d. Strategy development
Implementation:
 e. Create strategies and plans aligned with the identified risks.
Maintenance:
 f. Training, testing, and updating of strategies and plans.

5. BCM Development Process
Phases:
- Program initiation: establishing the program and its objectives.
- Business impact analysis (BIA): identifying critical business functions and assessing the impact of their loss over time.
- Risk assessment: identifying the risks and vulnerabilities that could disrupt business functions.
- Strategy development: creating strategies to ensure resilience and continuity.

6. Business Impact Analysis (BIA)
Definition: determines the importance of an organization's activities by assessing the impact over time of their interruption, and establishes continuity and recovery objectives.
Common BIA concepts:
- Resource: an asset used to conduct operations.
- Outage: unavailability of a resource.
- Disruption: interruption of operations.
- Impact: the effect of an event.
BIA objectives:
- Verify organizational priorities.
- Determine the critical operations and their dependencies.
- Establish recovery time objectives.
- Identify the resources required.
- Provide the information needed for recovery strategies.

7. Critical Operations/Deliverables
Definition: functions that must remain operational, or be recovered quickly, after a disruption.
Identification criteria: the significance and time sensitivity of the operation.
Examples: financial transactions for a bank; medical services in a hospital; academic systems in a university.

8. Identifying Operational Dependencies
Dependencies: essential services that support critical operations.
Single point of failure (SPOF): a resource that an operation depends on with no alternative, so its loss stops the operation. Mitigation strategies include redundancy and other resilience measures.

9. Impact of Disruptions - BIA Worksheet
Key impact factors:
- Loss of revenue.
- Decreased customer confidence.
- Regulatory fines and penalties.
- Increased recovery costs.

10. Recovery Objectives
- Recovery time objective (RTO): the maximum time allowed for an operation to be resumed after a disruption.
- Recovery point objective (RPO): the point in time, measured back from the disruption, to which data must be restorable; equivalently, the maximum tolerable data loss, which bounds how far apart backups may be taken.

11. Identifying Resources Needed to Recover
Types of resources:
- Employees: the human resources required.
- Technology: computers, peripherals, software.
- Records: electronic and physical.
- Facilities: buildings, equipment.
- Utilities: power, water, internet.
- Third-party services: outsourced functions.

12. BCM Implementation
Strategy development: general approaches to addressing a particular event; align the strategies with the business impact analysis (BIA).
Plans development: create emergency response and business continuity plans.

13. BCM Maintenance
- Training and awareness: educate employees on how to respond to incidents.
- Testing and exercises: evaluate the effectiveness of the plans through simulations.
- Maintenance and updating: regularly review and update the plans so they remain relevant.

14. Business Continuity Planning Process
Process outline:
- Conduct the BIA.
- Develop strategies and plans.
- Train and educate employees.
- Test and validate the plans.
- Update and improve the plans.

15. Reference Materials and Links
Books and articles: "Business Continuity and Risk Management: Essentials of Organizational Resilience" by Kurt J. Engemann and Douglas M. Henderson.
Government resources: Ready.gov Business Continuity Implementation Guide.
Standards: ISO 22301, the business continuity management standard.

Security Risk Management

1. Security Risk Management Overview
Definition: "A comprehensive process that requires organizations to frame risk, assess risk, respond to risk, and monitor risk on an ongoing basis." (NIST SP800-39)

2. Link to Business Continuity Management (BCM)
Together, BCM and risk management form a comprehensive approach to contingency planning:
- Risk management: a preventative approach, reducing the likelihood and impact of events before they occur.
- BCM: focuses on the consequences of events and on quick recovery.
- Business impact analysis (BIA): determines the importance of activities and resources.
- Risk assessment: identifies events and evaluates their causes, probability and consequences.

3. Key Definitions
- Asset: something of value to the organization.
- Vulnerability: a weakness in the system, originating in its design, implementation or operating context.
- Threat (event): circumstances or events that could lead to harm.
- Attack: an attempt to exploit a vulnerability.
- Impact/harm: the negative consequences, e.g., data exposure or service unavailability.
- Attack probability: the likelihood of an attack occurring.
- Security control: a measure that removes or limits a vulnerability.

4. Understanding Risk
General definition: the possibility of loss, injury or other adverse outcomes.
Elements constituting risk: assets, threats, vulnerabilities, impact.

5. Security Risk Management - Definitions and Guides
- Mathematical probability: the probability of occurrence of a threatening event.
- Qualitative evaluation: a combination of threat, vulnerability and impact.
- Preferred definition (NIST SP800-30 R1): "A measure of the extent to which an entity is threatened by a potential circumstance or event, typically a function of: (i) the adverse impacts if the event occurs, and (ii) the likelihood of occurrence."
Guides: NIST SP800-30 R1 (Guide for Conducting Risk Assessments); NIST SP800-39 (Managing Information Security Risk).

6. Security Risk Management Lifecycle
- Identify: identify assets, threats and vulnerabilities.
- Analyze: determine the probability and impact of each risk.
- Treat: implement security controls and mitigation strategies.
- Monitor: continuously monitor the risk environment.

7. Risk Identification
Asset identification: examples are money, data, facilities and reputation. Which assets are most critical depends on the type of organization.
Threats and vulnerabilities: identify the vulnerabilities in the critical assets and define threat-vulnerability pairs to characterize each risk.

8. Identifying Vulnerabilities
Sources:
- CVE Details: vulnerability types.
- NVD (National Vulnerability Database): list of published vulnerabilities.
- OWASP: vulnerability categories.

9. Risk Assessment Frameworks
- NIST SP800-30 R1: guide for conducting risk assessments.
- ISO 27005: information security risk management process.

10. Security Risk Statement
Definition: a method of presenting the information that expresses a security risk.
Components:
- Asset: the value at risk.
- Threat: circumstances potentially causing

Security Risk Management
Outline:
- Security risk management process: risk identification, risk analysis, risk treatment, risk monitoring.
- Challenges facing risk management.

Security Risk Management Lifecycle
- Identify: recognize potential security risks and their sources.
- Analyze: assess the identified risks to understand their impact and likelihood.
- Treat: implement measures to mitigate the identified risks.
- Monitor: continuously evaluate and manage the risk picture.

Risk Identification and Analysis
Analysing security risks. For each identified risk:
- Define the impact/harm/loss to the related asset(s).
- Determine the probability of occurrence.
- Combine probability and impact/harm/loss to determine the risk rating.
Risk assessment report structure:
- Risk identification: threat agents, vulnerabilities, vulnerability targets, policies violated, assets exposed.
- Risk analysis: potential impact, probability/likelihood, risk level.
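An added example (not from the lecture) that turns the report structure above into code: a 5x5 likelihood-by-impact matrix produces the risk level for each register entry, and the quantitative side computes single loss expectancy as asset value times exposure factor and extends it, beyond what the notes cover, to annualized loss expectancy (SLE multiplied by the annual rate of occurrence) so that a control's annual cost can be weighed against the loss it prevents. The level boundaries, the sample register entry and all names are this example's assumptions, not any organization's actual risk matrix or register.

```python
"""Risk analysis helpers for a risk assessment report. Added example;
the rating bands, the sample entry and the names are assumptions."""
from dataclasses import dataclass, asdict

# Qualitative scale shared by probability and impact (assumed 5-level scale)
LEVELS = ["very low", "low", "moderate", "high", "very high"]


def _score(level):
    """Map a qualitative level to 1..5. Unknown wording raises instead of
    silently becoming the lowest score, so a typo in a register cannot
    quietly downgrade a risk."""
    try:
        return LEVELS.index(level.strip().lower()) + 1
    except ValueError:
        raise ValueError(f"unknown level {level!r}; use one of {LEVELS}") from None


def risk_rating(probability, impact):
    """Combine probability and impact into a risk level via the product of
    their scores. Bands (assumed): 1-4 low, 5-9 moderate, 10-16 high,
    17-25 very high."""
    product = _score(probability) * _score(impact)
    if product <= 4:
        return "low"
    if product <= 9:
        return "moderate"
    if product <= 16:
        return "high"
    return "very high"


@dataclass
class RiskEntry:
    """One row of the risk assessment report: identification fields first,
    then the analysis inputs; the risk level is derived, never typed in."""
    threat_agent: str
    vulnerability: str
    vulnerability_target: str
    policy_violated: str
    asset_exposed: str
    harm: str
    impact: str        # qualitative level
    probability: str   # qualitative level

    def report_row(self):
        return {**asdict(self), "risk_level": risk_rating(self.probability, self.impact)}


def single_loss_expectancy(asset_value, exposure_factor):
    """SLE = asset value x exposure factor, where the exposure factor is the
    fraction of the asset's value lost in a single occurrence."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be a fraction between 0 and 1")
    return asset_value * exposure_factor


def annualized_loss_expectancy(sle, annual_rate_of_occurrence):
    """ALE = SLE x ARO: expected loss per year. ARO may be fractional
    (0.2 means roughly once every five years)."""
    return sle * annual_rate_of_occurrence


def control_net_benefit(ale_before, ale_after, annual_control_cost):
    """Positive when a control cuts expected annual loss by more than it costs;
    the usual quantitative justification for a mitigation decision."""
    return (ale_before - ale_after) - annual_control_cost


# Constructed register entry mirroring the lecture's report example
EXAMPLE = RiskEntry(
    threat_agent="Hacker",
    vulnerability="Known vulnerability (command injection)",
    vulnerability_target="Users and Posts databases",
    policy_violated="Confidentiality policy",
    asset_exposed="Users' profiles and posts",
    harm="Loss of confidentiality and integrity",
    impact="high",
    probability="high",
)

if __name__ == "__main__":
    print(EXAMPLE.report_row())
    sle = single_loss_expectancy(100_000, 0.25)              # 25% of £100,000
    ale_before = annualized_loss_expectancy(sle, 2)          # assumed: twice a year
    ale_after = annualized_loss_expectancy(sle, 0.2)         # assumed: after the control
    print(sle, ale_before, control_net_benefit(ale_before, ale_after, 20_000))
```

With these bands the lecture's entry (high probability, high impact) rates as high, matching the report; a matrix that puts 4x4 in the top band would rate it very high, which is why a report must state the matrix it used alongside the levels.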
Example: Risk Assessment Report
- Threat agent: hacker
- Vulnerability: known vulnerability (e.g., command injection)
- Vulnerability target: Users and Posts databases
- Policy violated: confidentiality policy
- Asset exposed: users' profiles and posts
- Impact: loss of confidentiality and integrity
- Probability: high
- Risk level: high

Impact Valuation Factors
- Loss of confidentiality/integrity: legal or personal implications (e.g., under the General Data Protection Regulation, GDPR); loss of competitiveness (e.g., a proprietary formula).
- Unavailability of systems/services: cost of lost work; recovery costs.
- Indirect harm (impact on intangibles): brand or reputation damage.

From Impact to Cyber-Harm
- Taxonomy of cyber-harms (Agrafiotis et al., 2018): defines the impacts of cyber-attacks and how they propagate.
- Harm trees (Erola et al., 2022). Example: the Ashley Madison data breach; impact: data exposure, financial loss, brand damage.

Attack Probability Factors
- Organizational experience: insights from past incidents.
- Published reports: resources such as CERTs, NIST and ENISA.
- System visibility: high visibility means a higher frequency of attacks.
- Estimated cost of attack: expensive attacks (e.g., brute force against encryption) are less likely.
- Target attractiveness: high publicity or criminal value.
- Vulnerability exposure: accessibility and likelihood of system weaknesses.

Risk Level: Qualitative vs. Quantitative
Qualitative analysis: non-numerical categories (e.g., very low, low, moderate, high, very high).
- Pros: easier to implement and to communicate.
- Cons: subjective, imprecise.
Quantitative analysis: numerical assessment based on historical data.
- Pros: financial prioritization, more objective evaluation.
- Cons: complex calculations; intangible losses are hard to estimate.
Single loss expectancy (SLE): the expected monetary loss per occurrence of a security risk, computed as asset value multiplied by the exposure factor (the fraction of the asset's value lost in one occurrence). Example: with an asset value of £100,000 and an exposure factor of 25%, SLE = 25% * £100,000 = £25,000.

Risk Treatment and Controls
Risk treatment approaches:
- Avoid: stop engaging in the activity.
- Mitigate: limit the probability and/or the impact.
- Transfer: shift responsibility to a third party (e.g., insurance).
- Accept: live with the risk.
Guiding principle: the cost and strength of a control should match the risk it protects against.

Security control types:
- Preventive: stop threats before they occur. Examples: firewalls, MFA.
- Detective: identify threats in progress. Examples: IDS, SIEM (an IPS also blocks, so it is partly preventive).
- Reactive: address threats after an incident. Examples: incident response, patching.
- Corrective: actively reduce the impact. Example: backup restoration.
- Recovery: restore the asset after the impact. Example: disaster recovery plans.

CIS Controls
Safeguards grouped into Implementation Groups. Examples: inventory and control of hardware and software assets; continuous vulnerability management; secure configuration.
Links: CIS Controls list.

Risk Monitoring and Audit
Monitoring and audit aspects:
- Network activity logs: maintain situational awareness.
- Threat trends: monitor the evolving threat landscape.
- Attack surface and vulnerability posture: identify and prioritize vulnerabilities.
Example: the Target data breach, where alarms were missed because of a lack of situational awareness.

Challenges in Security Risk Management
- Valuation of assets: how to accurately value data, software and intangibles?
- Likelihood of impact/harm: how relevant is past data to future probabilities? Future attacks are unpredictable.
- Resulting risk assessment: if the input data is uncertain, how accurate is the assessment? How does risk assessment apply to new technology such as IoT or AI?
- Subjectivity in risk treatment: which risks to treat and which to accept? How to select the optimal controls?

What Did We Cover?
- Main processes of security risk management: risk identification, risk analysis, risk treatment, risk monitoring.
- Challenges in security risk management.
- Example: risk assessment report.

IoT Security Risk Management
Outline:
- What is IoT?
- Where traditional risk assessments fail in the IoT context.
Understanding the Internet of Things (IoT)
Definition of IoT: a network of physical objects ("things") embedded with electronics, software, sensors and connectivity that enables data exchange between those objects and other devices or systems.
How does IoT work? Devices connect through various network protocols and exchange data with other devices, applications and users.
Diagram example: Dynamics of the IoT (Vermesan et al., 2011):
- Scale variability: from small individual devices to large, interconnected systems.
- Connectivity and relationships: dynamic and temporal connections between devices; coupling of internal and external systems.
- Heterogeneity of actors: variable trust relationships between devices, people and systems.
- Logical glue: the logical connections that bind systems together and define how they operate.

Core Challenges of IoT Security Risk Management
Challenge 1: periodic assessment does not apply
- Traditional process: periodic assessment (e.g., every 3 months) of system definition, assessment and risk treatment.
- Problem in IoT: systems change rapidly (within minutes, hours or days), so the assumptions behind periodic assessment no longer hold, because of the variability in scale, the dynamism and the coupling.
- Example: the fluid manufacturing sector (smart factories using RFID tags).
Challenge 2: third-party system risks
- Problem: organization B may not know the details of the systems at organizations A or C, yet those third-party systems can pose significant security risk to B.
- Example: the British Airways data breach, where the attack exploited weaknesses on the side of a third-party software provider.
Challenge 3: assets as attack platforms
- Problem: IoT devices can serve as attack platforms, and most organizations lack a full understanding of their assets.
- Example: the Mirai botnet; compromised IoT devices were used in DDoS attacks.
Challenge 4: assessing the glue
- Problem: difficulty understanding and assessing the logical links between systems. Traditional assessments focus on systems and connections but ignore the logical glue.
- Example: seemingly innocuous output from one system may harm another.

Addressing the Challenges
Current developments
Legislation and standards:
- Product Security and Telecommunications Infrastructure Bill (UK), since enacted as the PSTI Act 2022.
- Code of Practice for Consumer IoT Security (UK).
- ETSI EN 303 645 (Cyber Security for Consumer Internet of Things).
Research and publications:
- Hariri, Giannelos and Arief (2019): "Selective Forwarding Attack on IoT Home Security Kits".
- Nurse et al. (2018): "If you can't understand it, you can't properly assess it!"
- McDermott et al. (2018): "Towards Situational Awareness of Botnet Activity in the IoT".

Summary and Looking Ahead
Key points covered:
- Internet of Things (IoT): definition, dynamics and applications.
- Where traditional assessments fail: periodic assessment; third-party system risks; assets as attack platforms; assessing the logical glue.
