Lecture_1_2___Copy_10_12_2023_22_16_.pptx
Al Ain University of Science and Technology
RISK BASED INFORMATION SECURITY
Chapter 1 & 2: Risk Analysis and Management
Edited by: Dr. Muath AlShaikh

BRAIN STORMING
What is information? Where does information reside? Why is information important? Digital era! Information at risk? Privacy and security recommendations:

HORRIFYING NEWS
WhatsApp is in the middle of a storm after its new privacy policy update, which suggests further data sharing with its parent company Facebook. Users have to accept the terms of service of this new policy by February 8, 2021, or delete their accounts. This change in privacy policy has also sparked an exodus of sorts to apps like Signal and Telegram.
Source: https://indianexpress.com/article/technology/social/whatsapp-privacy-fake-claims-misinformation-busted-do-not-believe-these-false-myths-7140889/

THE MAIN PLAYERS
Alice, Bob, and Eve?

DEFINITIONS
Computer security deals with computer-related assets that are subject to a variety of threats and for which various measures are taken to protect those assets. Three fundamental questions:
1. What assets do we need to protect?
2. How are those assets threatened (where are they vulnerable)?
3. What can we do to counter those threats?
Definition of computer security (The NIST Computer Security Handbook [NIST95]): the protection afforded to an automated information system in order to attain the applicable objectives of preserving the integrity, availability, and confidentiality of information system resources (including hardware, software, information/data, and telecommunications).

DEFINITIONS
Network security: measures to protect data during their transmission. Network security is a term that describes the policies and procedures implemented by a network administrator to prevent and keep track of unauthorized access, exploitation, modification, or denial of the network and network resources.
Internet security: measures to protect data during their transmission over a collection of interconnected networks.
Internet security is a branch of computer security that deals specifically with Internet-based threats. These include hacking, where unauthorized users gain access to computer systems, email accounts or websites, and viruses and other malicious software (malware), which can damage data or make systems vulnerable to other threats. The field of network and Internet security consists of measures to deter, prevent, detect, and correct security violations that involve the transmission of information. That is a broad statement that covers a host of possibilities.

INFORMATION SECURITY
Information security is defined as "protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction," according to US law. In other words, you want to protect your data and systems from those who seek to misuse them, intentionally or unintentionally, and from those who should not have access to them at all.
Information systems security refers to the processes and methodologies involved in keeping information confidential, available, and of assured integrity and accountability (CIAA).

OSI (OPEN SYSTEMS INTERCONNECTION) SECURITY ARCHITECTURE: SERVICES, MECHANISMS, ATTACKS
We consider three aspects of information security:
Security attack: any action that compromises the security of information owned by an organization; or an assault on system security that derives from an intelligent threat, i.e. a deliberate attempt to evade security services and violate the security policy of a system. Information security is about how to prevent attacks or, failing that, how to detect attacks on information-based systems. There is a wide range of attacks, so we focus on two generic types: passive and active.
Security mechanism: a process (or a device incorporating such a process) that is designed to prevent, detect, or recover from a security attack.
No single mechanism can support all the functions required; however, one particular element underlies many of the security mechanisms in use: cryptographic techniques.

SECURITY SERVICE
A security service is a service that enhances the security of the data processing systems and the information transfers of an organization. Security services are intended to counter security attacks, make use of one or more security mechanisms to provide the service, and replicate functions normally associated with physical documents. Examples: physical documents have signatures and dates; need protection from disclosure, tampering, or destruction; may be notarized or witnessed; may be recorded or licensed.

INTRODUCTION
Information security viewed from a business context.
Information security risk: the risk to organizational operations (including mission, functions, image, reputation), organizational assets, individuals, other organizations, and the Nation due to the potential for unauthorized access, use, disclosure, disruption, modification, or destruction of information and/or information systems.
Decisions have to be risk based.
A threat is a "potential" violation of security.
Attack: the actual violation of security.
A vulnerability is a weakness that allows a threat to be realized, with a bad effect on an asset.
Asset: any item that has value to an organization or a person.

INTRODUCTION: CHANGE IN SECURITY DECISION MAKING
Cookbook approach: decisions are based on checklists, best practices, one-size-fits-all.
Risk-based security decisions: study the context of the organization and apply appropriate risk analysis techniques.
Example: a security standard states that sensitive data need to be encrypted whenever they are stored. What would you do if you found data not encrypted in an organization?
Security controls need to provide business value and shouldn't be applied without first analyzing the problem.

LOOKING INSIDE THE PERIMETER
Traditional information security practices were primarily concerned with keeping the "bad guys" out (securing the perimeter).
The assumption was that anything outside your network (or physical walls) was untrusted and anything inside could be trusted.
Changing boundaries inside your organization: 48% of breaches are caused by insiders (Verizon report); exploits; mobile; attacks on sensitive data.

RISK FOCUSED FUTURE
Vulnerability assessment: general scan vs. risk-based approach.
Pitfall: time and money wasted addressing new vulnerabilities and patching flaws rather than building a robust risk model.
Risk management is about maximizing the output of an organization (services, products, profit) while minimizing the chances of unexpected outcomes.
Example: supermarket thefts.
Enterprise risk framework (common language).
Source: https://amp-thenationalnews-com.cdn.ampproject.org/c/s/amp.thenationalnews.com/uae/cybersecurity-jobs-boom-in-uae-with-starting-salaries-of-dh40-000-or-more-1.1148156

RISKY BUSINESS
CHAPTER 2: Risk Analysis and Management

APPLYING RISK MANAGEMENT TO INFORMATION SECURITY
The goal is not to be secure, but rather to be secure enough.
The risk threshold of an organization is the amount of risk that the organization is willing to accept.
A risky business venture must stay within the risk tolerance range.
The information security function's role is to reduce the organization's operating risk with sound information security practices, to enable the organization to take business risks that its competitors can't!

MISSION OF INFORMATION SECURITY
Not every vulnerability needs to be "fixed".
Maintain CIAA at an acceptable level.
A good risk model will 1) take into account the specific needs and objectives of the organization, 2) guide the selection of the appropriate strategy, and 3) bring the level of risk exposure into an acceptable range.
Information security isn't all about firewalls and encryption. What is it about?
Errors vs. modeling of malicious threats.
Risk exposure is the measure of potential future loss resulting from a specific activity or event.
An analysis of the risk exposure for a business often ranks risks according to their probability of occurring multiplied by the potential loss if they do.

CIAA
Confidentiality: assurance that information is not disclosed to unauthorized individuals, processes, or devices.
Integrity: protection against unauthorized creation, modification, or destruction of information.
Availability: timely, reliable access to data and information services for authorized users.
Accountability: the process of tracing, or the ability to trace, activities to a responsible source.

GOAL OF RISK MANAGEMENT
There are many definitions of risk:
Def 1: the expected loss of confidentiality, integrity, availability, or accountability.
Def 2: "the probable frequency and probable magnitude of future loss."
Combined def: the probable frequency and probable magnitude of future loss of confidentiality, integrity, availability, or accountability.
Risk management: the process of identifying, assessing, prioritizing, and addressing risks.

GOAL OF RISK MANAGEMENT (CONT'D)
Start thinking about managing the everyday risks that you uncover like a police investigation to bring down a large organized crime ring: sometimes you will have to let the little fish go so you can catch the big fish.
The goal of risk management is to maximize the output of the organization (in terms of services, products, and revenue) while minimizing the chance of unexpected negative outcomes. You can look at this in terms of minimizing uncertainties related to your organization's products and services, or aligning and controlling organizational components to produce the maximum output.
The goal should never be zero exposure, but finding the right balance.
ARCHITECTING A SECURITY PROGRAM
The four main components in a security program are:
Policies are the foundational component of any mature information security program.
Risk management needs to be the lens through which you view the organization.
The building blocks of a security program are policies, standards, guidelines, procedures, and baselines.

POLICIES, PROCEDURES, STANDARDS, AND GUIDELINES
Policies: high-level, broad statements of what the organization wants to accomplish. Made by management when laying out the organization's position on some issue.
Procedures: step-by-step instructions on how to implement policies in the organization. They describe exactly how employees are expected to act in a given situation or to accomplish a specific task.

POLICIES, PROCEDURES, STANDARDS, AND GUIDELINES (CONTINUED)
Standards: mandatory elements regarding the implementation of a policy. Accepted specifications providing specific details on how a policy is to be enforced (a detailed written definition for hardware and software and how they are to be used). Possibly externally driven. Standards ensure that consistent security controls are used throughout the IT system.
Guidelines: recommendations relating to a policy. Key term: recommendations; not mandatory steps.

POLICIES, PROCEDURES, STANDARDS, AND GUIDELINES (CONTINUED)
Image: http://itpolicies.nmsu.edu/files/2015/07/Policy-Procedure-Standard-Guideline-Graphic.jpg
Additional information: http://mindfulsecurity.com/2009/02/03/policies-standards-and-guidelines/

SECURITY POLICIES
Security policy: a high-level statement produced by senior management. It outlines both what security means to the organization and the organization's goals for security. The main security policy is broken down into additional policies covering specific topics; it should include other policies such as change management, data policies, and human resources policies.

ARCHITECTING A SECURITY PROGRAM
A risk driven security policy should define:
How will the critical resources be identified?
The roles responsible for conducting risk assessments.
The process that will be followed for risk assessments.
How often will assessments be conducted?
How will findings be scored and addressed?
The process for requesting an exception.

ARCHITECTING A SECURITY PROGRAM (CONT'D)
Having an exception approval process is essential on day one of implementation for any new policies or standards.
A vulnerability without a corresponding threat is not a risk to the organization.
Prioritize risks.

ARCHITECTING A SECURITY PROGRAM (CONT'D): PRIORITIZING VULNERABILITIES
Let's say you get an application penetration testing report back for your internal intranet site, and there are two findings as follows:
Cross-site scripting vulnerability
Privilege escalation vulnerability
Both were rated as high risks by the testing team, but there are only enough development resources to fix one in the next release of the intranet application. How would you advise senior management?

SECURITY DESIGN PRINCIPLES
The implementation of advanced security controls can introduce many complexities to an environment. These complexities can lead to errors or make it difficult to detect unauthorized activity, and can sometimes inadvertently create a weakness. Success in information security has a lot to do with striking a good balance. There are three pervasive principles that will influence many facets of security standards, guidelines, and control designs:
Least privilege
Defense in depth
Separation of duties

LEAST PRIVILEGE
A subject (whether a user, application, or other entity) should be given the minimum level of rights (access) necessary to perform its job functions. No one should be granted a level of access above what they need to carry out their job function on a daily basis. The trick is to find the balance between what is practical to manage from a provisioning and deprovisioning perspective versus having very granular and precise restrictions.
As you increase the complexity of the restrictions, you may actually start to see the level of security decrease as errors become more frequent.

SECURITY PRINCIPLES
Defense in depth: this principle recommends the use of multiple security techniques or layers of controls to help reduce the exposure if one security control is compromised or circumvented. Example: firewall + intrusion detection system (IDS). Use different categories of controls (preventative, detective, and responsive) and establish zones of control (or enclaves).

SECURITY PRINCIPLES (CONT'D)
An enclave, also called a zone or domain, is an environment of systems all sharing the same risk profile and business function. These are usually logically or physically separated from other enclaves. A typical example of this is a demilitarized zone (DMZ). This is an enclave where you can place any directly Internet-facing services, such as e-mail or Web servers.
A common mistake is to assume that all services in a DMZ should be treated the same. To truly implement a defense in depth strategy, even resources with different risk profiles and business functions in the DMZ itself may need to be separated from other DMZ resources to minimize transitive risk.
Transitive risk is the exposure imposed by a resource of lower sensitivity and with looser security controls on a resource with a higher sensitivity.

TIPS & TRICKS
Never let sensitive data reside in a DMZ. Systems in the DMZ may be front-end interfaces to applications with sensitive data, but that information itself should never be stored on the DMZ systems, since they are exposed to far more attacks.
SECURITY PRINCIPLES (CONT'D)
Separation of duties: this principle requires a system to be built, or a process to be implemented, so that no person or group has the authority to perform all privileged functions, especially all functions related to the creation and handling of sensitive or critical information. Example: monitoring of system administrator activities on a critical server.

STATES OF DATA
There are three states of data:
In transit: data that is being electronically transmitted between systems or physically transported (through e-mail, web, instant messaging, or any communication channel). It is information that is traveling from one point to another.
In process: data as it is being used by the system or application. For instance, when a user inputs data into a form, how is that data filtered and parsed, how is it stored in memory while being processed, and how is it made available to other users?
At rest: data not in use, stored on a physical or logical medium. Examples are files stored on file servers, records in databases, documents on flash drives, hard disks, etc.
The concern is how to protect data in all its states. How do we protect data at rest? Data at rest can be protected using encryption, access control, or physical protection.

THREATS TO INFORMATION
For every state that data can take, there is a long list of threats to that information.
The major categories are:
Unauthorized disclosure, such as a data breach.
Corruption, such as an accidental modification of a data record.
Denial of service, such as an attack that makes a resource unavailable.
Inability to prove the source of an attack, such as the use of a shared account to perform an unauthorized activity.

BUSINESS-DRIVEN SECURITY PROGRAM
Profile risk appetite: speak to stakeholders about risk tolerance. Every organization has a certain threshold for risks across the entire business; the challenge is gauging the executive team's risk appetite before an incident occurs.
When developing a security program, you need to be aware of the following:
Start with the organization's objectives and identify how the security program can help achieve them, not the other way around (map a security initiative to a business objective).
The risk model should be robust and evolving: you need to demonstrate a comprehensive and repeatable process for assessing and handling risks within your organization.
Small independent risks create big risks.
Regulators' expectations (100%) are not realistic.

BUSINESS-DRIVEN SECURITY PROGRAM (CONT'D)
Positioning information security: no longer based on FUD (fear, uncertainty, and doubt); limited resources.
Due diligence: you will be judged from the outside (by auditors, customers, regulators, or even judges in court). Make sure to follow standards, e.g. using WPA2 (a type of encryption used to secure the vast majority of Wi-Fi networks) instead of WEP.
Facilitating decision making: assess the risk before making a business decision. For third parties, use the Standardized Information Gathering (SIG) questionnaire.
SECURITY AS AN INVESTMENT
Return on investment (ROI) for security spending: security is seen as a cost center. Steer clear of the "Chicken Little mentality" and rather provide risk-based decisions that serve the business objectives.
Security metrics: before you produce and report a metric, question the value of the activity or effort being reported. Example: auditing (man-hours).

QUALITATIVE VERSUS QUANTITATIVE
Quantitative analysis approaches focus on hard numbers and calculations to determine the risk exposure. The risk exposure value is composed of the risk impact and the probability that the risk will materialize:
Risk Exposure = Risk Impact × Probability
Another way to look at risk exposure is that it is a measurement of the probability that a threat will occur and the impact the threat will have on a given business process or mission.

QUALITATIVE ANALYSIS
Qualitative risk analysis is the process of assessing the probability of occurrence and the impact of individual project risks against a pre-defined scale. The purposes of qualitative risk analysis are to prioritize risks, improve risk understanding, and identify the main risk exposure areas.

QUANTITATIVE ANALYSIS
A quantitative risk analysis is a further analysis of the highest priority risks, during which a numerical or quantitative rating is assigned in order to develop a probabilistic analysis of the project. It relies on having accurate historical data about previous breaches and, in some cases, understanding some advanced mathematical concepts.
Risk Exposure = Sensitivity × Severity × Likelihood
Exposure Rating = Severity² × Threat

EXAMPLE
Suppose you plan to purchase $10,000 worth of investment grade corporate bonds. If the issuer defaults, your loss could amount to the entire $10,000. If the default risk is 2.09 percent, what will the risk exposure be?
Solution: 2.09/100 × $10,000 = $209 expected loss.

QUALITATIVE VERSUS QUANTITATIVE
Qualitative                                       | Quantitative
risk-level                                        | project-level
subjective evaluation of probability and impact   | probabilistic estimates of time and cost
quick and easy to perform                         | time consuming
no special software or tools required             | may require specialized tools
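The quantitative formula from the slides (Risk Exposure = Risk Impact × Probability), the ranking of risks by probability multiplied by potential loss, the organization's risk threshold, and qualitative scoring against a pre-defined scale, carried into working code as an added example that is not part of the lecture. The risk register, its dollar figures and probabilities, the 1..5 qualitative cut-offs and the $10,000 threshold are all constructed assumptions; the bond case from the slide is included as a check.

```python
# Added example (not part of the lecture slides): a small risk register that
# applies Risk Exposure = Risk Impact x Probability, ranks the entries by
# expected loss, and compares each against a hypothetical risk threshold.
# A qualitative_rating() function scores a (likelihood, impact) pair against
# a 1..5 scale. Register entries, dollar figures, probabilities, scale
# cut-offs and the threshold are constructed for illustration only.
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    name: str
    impact: float       # potential loss if the risk materialises (dollars)
    probability: float  # probability of occurrence over the period, 0..1

    def exposure(self) -> float:
        """Risk Exposure = Risk Impact x Probability (expected loss in dollars)."""
        if not 0.0 <= self.probability <= 1.0:
            raise ValueError(f"probability must be in [0, 1], got {self.probability}")
        if self.impact < 0:
            raise ValueError("impact (potential loss) must be non-negative")
        return self.impact * self.probability


def bond_exposure(principal: float, default_rate_percent: float) -> float:
    """The slide's bond example: the whole principal is lost on default."""
    return Risk("corporate bond default", principal, default_rate_percent / 100.0).exposure()


def rank_by_exposure(risks: list[Risk]) -> list[Risk]:
    """Highest expected loss first: probability of occurring x potential loss."""
    return sorted(risks, key=lambda r: r.exposure(), reverse=True)


def treatment_plan(risks: list[Risk], threshold: float) -> tuple[list[Risk], list[Risk]]:
    """Split the register into risks above the threshold (treat) and at or below it (accept).

    The threshold models the organisation's risk tolerance: the expected loss
    it is willing to accept without adding controls ("secure enough").
    """
    treat, accept = [], []
    for risk in rank_by_exposure(risks):
        (treat if risk.exposure() > threshold else accept).append(risk)
    return treat, accept


def qualitative_rating(likelihood: int, impact: int) -> str:
    """Qualitative analysis: score (likelihood, impact) on a pre-defined 1..5 scale.

    The cut-offs (>= 15 High, >= 8 Medium, otherwise Low) are a hypothetical scale.
    """
    if not (1 <= likelihood <= 5 and 1 <= impact <= 5):
        raise ValueError("likelihood and impact must be on the 1..5 scale")
    score = likelihood * impact
    if score >= 15:
        return "High"
    if score >= 8:
        return "Medium"
    return "Low"


# Constructed register; every figure is hypothetical.
REGISTER = [
    Risk("Ransomware on the file server", impact=500_000, probability=0.10),
    Risk("Lost unencrypted laptop", impact=80_000, probability=0.50),
    Risk("Shared admin account misuse", impact=150_000, probability=0.05),
    Risk("Web server defacement", impact=20_000, probability=0.30),
]
RISK_THRESHOLD = 10_000  # hypothetical tolerance: accept expected losses of $10k or less


if __name__ == "__main__":
    print(f"Bond example: expected loss ${bond_exposure(10_000, 2.09):,.2f}")
    treat, accept = treatment_plan(REGISTER, RISK_THRESHOLD)
    for risk in treat:
        print(f"TREAT  {risk.name:32s} exposure ${risk.exposure():>10,.0f}")
    for risk in accept:
        print(f"ACCEPT {risk.name:32s} exposure ${risk.exposure():>10,.0f}")
    print("Qualitative rating of likelihood 4, impact 5:", qualitative_rating(4, 5))
```

Run as a script, the register is printed in ranked order with the two entries whose expected loss exceeds the threshold marked for treatment and the rest accepted; this is the "let the little fish go" prioritisation from the slides expressed as a threshold test rather than a judgement call. Note that the shared admin account entry, whose $150,000 impact is larger than the laptop's, ranks below it because exposure weights impact by probability.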