# Topic 1 - Module 3 - Information Security Analysis
UNIR
This document discusses information security, focusing on the concepts of confidentiality, integrity, and availability. It explores the importance of risk analysis in information security management and touches on legal, technical, and organizational perspectives. The document also emphasizes the importance of the human factor and prevention through social engineering.
## 1.3. Analysis of risks and management of files

### Introduction

This topic introduces the concept of information security as a process to eliminate risks associated with the confidentiality, integrity and availability of one of the most valuable business resources: information. To start the topic, you should read the case study and consult the sources mentioned in it to understand the perspective of information security from the company's point of view. It is particularly interesting to look for information on estimates of the cost of incidents or security breaches that have been reported in the media.

Finally, the fundamental question in management is whether the cost of "non-security" is higher than the cost of "security". In other words, information security management must be based on a cost-benefit analysis. The problem is that the quantification of the cost in this case depends on the risk analysis.

The topic should be started by understanding and being able to state the following:

- **What is being protected:** confidentiality, integrity and availability.
- **Of what assets:** valuable assets classified as such.
- **By what means:** through controls implemented in policies, standards and procedures.

In addition to the above, it is important to know about protection against physical threats. This is only briefly reviewed here, and should be complemented with external resources.

As a general aspect of great importance, you should understand the "human factor" and understand that "social engineering" techniques can render the most sophisticated technical means useless. It is interesting to look for and read cases of security breaches where the "weakest link" was an employee and not a badly configured system.

### Information security implies confidentiality, integrity and availability
Talking about information security is much more than talking about how to configure firewalls, apply patches to fix new vulnerabilities in the operating system or store backups carefully. Information security involves determining what needs to be protected and why, what to protect it from and how to protect it.

The terms "information security" and "computer security" are often used interchangeably, although they do not describe exactly the same thing. In general, information security refers to the confidentiality, integrity and availability of information, regardless of the medium in which the data is stored. Information is stored in different media, which can be electronic, printed or other. Information security also involves implementing strategies that cover the organization's processes in which information is the primary asset. In contrast, "computer security" is a more restrictive concept that refers to the technical security of computer systems.

A secure computer system can include sophisticated cryptographic techniques, intrusion detection and internal activity monitoring. However, a single employee's negligence regarding the password policy can allow an intruder access. It is important to understand that a security system includes people and procedures, beyond computer systems. In the words of Bruce Schneier (2000):

> "If you think technology can solve your security problems, that means you do not understand the problems, and you do not understand technology".

### Fundamental perspectives of information security

There are three: legal, technical and organizational. The **legal perspective** concerns international, national and regional regulations that primarily protect privacy and intellectual property rights. The **technical perspective** is the development, analysis, configuration and deployment of technical elements (hardware, software, networks) that have certain security-related characteristics.
Finally, the **organizational perspective** essentially considers security to be a fundamental element of the business, as it ensures that business processes take place without disruption in terms of the confidentiality, availability and integrity of information. The organizational perspective of security is based on risk analysis, since the cost of breaches or attacks on security is a factor to be avoided, given the difficulty of estimating it. This also includes legal risks, as most companies store personal information, at least that of their clients.

We can say that the organizational and legal perspectives indicate what needs to be protected (what is established in law and the resources that are important for the organization), why, and from what (because they protect people's rights against violations of privacy, or because compromising certain information resources affects the business through information theft or industrial espionage). The technical perspective is in charge of how to protect from a technical point of view (for example, whether certain operating system updates should be applied, whether honeypots should be deployed or an IDS installed), depending on the changing types of threats (for example, the widespread use of smartphones requires additional measures for this type of platform).

Information security in an organization basically implies protecting the assets the organization needs to fulfill its mission against damage or destruction. Due to its nature, this is a critical activity in the company. Since a perfect level of security cannot be achieved, the decision about the level of security (and the cost incurred in obtaining it) is a basic management decision. It is also important to emphasize that security is an ongoing process of improvement and not a system state, so the policies and controls established for information protection should be reviewed, tested and adapted as necessary, in response to newly identified risks.
In this sense, it can be said that there is no perfectly secure information system, as threats evolve, and so do the organization and its information resources. However, depending on the processes related to security, it will be easier or harder for a violation or security breach to occur, it will have a greater or lesser impact, and it will be more or less costly to mitigate.

### Information security is usually conceptualized around three basic principles

These are the ones already mentioned: confidentiality, integrity and availability. Each one is described below.

#### Confidentiality

Privacy is perhaps the aspect most often mentioned in connection with confidentiality. Personal privacy is a right protected by international and national regulations. But this is just one side of confidentiality. Within a company, the list of top providers in an area is not personal information, but access to it should be restricted to certain employees. Consider another example: the source code of a computer application developed by a company for sale should not be disclosed and should be closely protected. In other cases, confidentiality is associated with other external restrictions. For example, defense plans, due to their nature, must be classified as confidential.

Confidentiality is the property of preventing the intentional or unintentional disclosure of information to unauthorized persons or systems. Threats to confidentiality are many, and the ways of gaining access are very diverse. Later we will talk about social engineering, which takes advantage of the human factor to obtain confidential information. Many Trojans, for example, have the goal of obtaining confidential information automatically.

#### Integrity

Perhaps the most typical example of an attack against integrity is the alteration of a bank account balance. Attacks against integrity often also involve losses of confidentiality, but not necessarily.
Sometimes the intruder or unauthorized person does not modify the information directly, but instead modifies some of the programs that update the information. In this way, even without knowing the balance of a bank account, it can be reduced by deliberately altering the software, either the program itself or the process in which the program is running.

Integrity is the property that seeks to keep data free of unauthorized modifications. Some authors consider that integrity should also cover unauthorized modifications made by authorized personnel; that is, internal control of authorizations. Information integrity is managed according to three basic principles:

- **Need-to-know:** This is very simple. Users should only have access to those information resources that are absolutely necessary for them to do their job. Going one step further, this principle leads to establishing specific controls to prevent users from modifying information in ways that compromise its integrity. An example of this type of control is a record of the transactions performed by each user, so that they can be inspected later.
- **Separation of duties:** This implies that there should never be a single user responsible for a given task. In this way, at least two people will be involved, and it will be harder to manipulate data for personal gain.
- **Rotation of duties:** This works in the same direction and suggests that tasks assigned to employees be rotated among different people. The problem with rotation is that in companies with few employees in a particular type of position, it may be difficult to switch their tasks.

#### Availability

A system is available when its legitimate users can use it to perform legitimate functions, that is, to do the work necessary for the business. Availability is the characteristic, quality or condition of information of being accessible to those who should access it as authorized users, whether people, processes or applications.
In the context of information security, availability is usually discussed in two situations:

- **DoS attacks:** These have become popular on the web through the media. A DoS attack on a system is basically an attack that, by external means, diverts the computing resources of the system to tasks that prevent its use by legitimate users. These attacks are often carried out by first infecting other computers on the network without their owners' knowledge, so that they coordinate to request the service of a given website (as is the case with botnets).
- **Data losses:** These are caused by losses of processing capacity or by accidental data loss due to natural disasters (earthquakes, floods, et cetera) or to human actions (bombs, sabotage, et cetera). Data losses due to natural disasters may seem like remote possibilities to many companies, so they are often underestimated. This type of disaster or unplanned event is the subject of contingency plans. An example is an alternative processing site, which can be used to keep the business running by transferring it to another physical infrastructure. Technically, advances in fault-tolerant computing are commonly used mechanisms, combining hardware and software to ensure availability.

### Other important concepts

In addition to the triad that we have just discussed, there are other basic concepts related to information security which are important and useful to consider at this point. The table below summarizes them.
| Concept | Definition | Example |
| --- | --- | --- |
| Identification | Means by which users claim their identity. | The most common means is identification by username and password. |
| Authentication | Evaluation of evidence of a user's identity. | Verification of the entered password against the one stored in the system. |
| Accountability | The ability of a system to attribute each action performed to a specific user. | Audit systems and logs fulfill this function. |
| Authorization | Rights and permissions assigned to an individual with respect to system resources. | Read or write permissions on specific files. |
| Privacy | The level of confidentiality granted to system users. | The manner and degree to which social network users can see the data of other users. |

### Information security is an economic matter

Companies often don't take information security into account until they experience an attack or a security breach. Once this unwanted event occurs, economic considerations begin. Since security costs money, the fundamental problem is to find a balance between security costs and the economic impact of risks. It is important to understand the economic side of security, since technical advances in security (as cryptography was in its day) do not improve the safety of companies if these advances are not put into practice. Cryptography, to follow the example, becomes a "mathematical weapon" that is useless if employees do not comply with the policies for choosing and keeping their passwords.
Generally, security involves costs beyond the cost of systems, software or the time of experts in configuring and designing these systems. It also has a cost in the form of resistance or frustration from employees, who sometimes see security measures as impediments to carrying out their work more efficiently. In the case of application development, well-protected software costs more and takes more development time than software that isn't.

On the other hand, only those intrusions with a significant impact have a substantial economic impact, and these usually do not lead to the closure of the company. This means that, "rationally", most companies do not devote great efforts to security. Therefore, many security technologies are adopted only when the following two conditions are met:

- **They are easy to implement.**
- **Security auditors start demanding them.**

This is the case, for example, with firewalls. The cost of implementing them has decreased considerably because they are increasingly easy to implement, and more people know how to do so. On the other hand, the cost of not having them, in case of an audit, is high (the company will not pass the audit).

The economic aspect of security is so important that it is a field of study in itself, called *Information Security Economics*. Tyler Moore and Ross Anderson (2008) publish technical reports on advances in this area that are worth reading.

### An economic framework for information security

Adrian Mizzi developed a conceptual framework to address the concern of many companies about whether they are investing too much or too little in information security. This framework makes it possible to estimate the Return on Investment in Information Security (ROSI), although the estimation of the variables involved is complex, given the elusive nature of measuring threats and vulnerabilities. The idea is that there are costs both from the attack and defense points of view, and for subsequent damage mitigation.
Attackers face security measures and vulnerability detection. For an attacker to incur this "breach cost" (CTB), the benefits of their actions must outweigh the cost. The difficulty on this side is twofold:

- On the one hand, the benefits of attacks are difficult to estimate beforehand, but generally, if the intention is to sell confidential information (for example, for credit card fraud), the cost of exploring the vulnerabilities is low compared to the potential benefit. Only when the protection mechanisms are more complex does the attacker give up.
- On the other hand, the attackers' motives are subjective and include non-economic motives that may lead them to incur a higher CTB than the expected economic benefits (which sometimes are none at all).

The CTB can be estimated by contracting a "penetration testing" service, where professionals are hired to simulate an attack under realistic conditions.

From the side of the organization, the two basic costs are:

- **Cost of building defensive measures**, such as firewalls, redundant systems, IDS, et cetera.
- **Cost of repairing vulnerabilities.** In a simple configuration, this can involve keeping the software updated with the latest patches, but sometimes this is not enough, and a proactive effort is required to look for potential vulnerabilities as they appear.

In addition to the above, there are post-incident costs, which include calculating the losses incurred (see the references to the Ponemon Institute in the case study of this topic) and also the cost of rebuilding systems. This reconstruction, depending on the effect of the incident, could be as simple as reinstalling or repairing software, but sometimes it can be as expensive as hiring professionals to recover damaged data. In other cases, the repair is supplemented with a "counterattack" or "pursuit" of the intruders.

### Information security is a process
Security is not a product, something that can be achieved and, once finished, is done. On the contrary, security is a set of continuous activities performed within a systematic plan, which must be constantly assessed. That is, information security is a process.

The fundamental elements of this process are the information assets, so the basis of the entire process is their identification, before going on to apply a set of management tools. Information security management involves identifying information assets and developing, documenting and implementing security policies, standards, procedures and guidelines that ensure their availability, integrity and confidentiality. Management tools (such as data classification, training and security awareness, risk assessment and risk analysis) are used to identify threats and to classify assets and their vulnerabilities in order to establish effective security controls.

It is important to distinguish between the different management tools. People often use the term "policies" to refer to different tools that are used at different levels of management, so it is important to clarify terms. The figure below shows a hierarchy of tools and their relationships.

### Risk Management

Risk is basically the possibility of an unwanted event occurring, with negative consequences, in our context, for information security resources. Risks must be studied and analyzed in order to make decisions regarding them. Decisions can be made in basically the following ways:

- **Accepting the risk as it is.**
- **Implementing some type of action to mitigate the risk.**
- **Externalizing or transferring the cost of the risk.** This is usually done by purchasing some kind of insurance, which would provide economic compensation in case of an occurrence. Another option is to outsource certain services to third parties, who would then be responsible for the risk.
- **Avoiding the risk.** This option consists of ceasing to use certain resources, or halting the activities associated with the risk. However, this option has the opportunity cost of not obtaining the benefits of the activity.

The first option is obviously only viable if the organization is capable of absorbing the cost of the risk materializing. If the second option is chosen, the organization must typically perform a cost-benefit analysis, in particular calculating the residual risk. In this regard, risk management is defined as the set of processes to identify, analyze and evaluate risks in order to make decisions about their assumption, mitigation or transfer.

Questions about risk analysis and management can be summarized in the following points:

- **What could happen?** (What are the unwanted events or threats?)
- **If the event occurs, how bad could it be?** (What is the impact of the threat?)
- **How often could it happen?** (What is the frequency of the threat, e.g. annually?)
- **How certain are we of the answers to the first three questions?** (Acknowledging our uncertainty.)

Once risks have been analyzed and evaluated, risk management must respond to the following fundamental questions:

- **What can be done?** (Risk mitigation.)
- **How much will it cost?** (Per time interval, e.g. annually.)
- **Is it profitable?** (Cost/benefit analysis.)

In what follows, we delve deeper into the elements and activities that are fundamental to risk management in information security.

### Prior Definitions

To avoid ambiguities, the terminology used for risk management should be based on standards such as ISO 17799. Some important prior definitions include:

- **Threat:** A potential danger to a resource.
- **Threat source/agent:** Anything or anyone with the potential to materialize a threat.
- **Vulnerability:** A weakness or flaw in a resource.
- **Exposure:** An opportunity for a threat to cause damage.
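The following is an added worked example, not code from the course material or from UNIR. It answers the risk-management questions above in numbers, using the quantitative measures defined later in this topic (exposure factor, single loss expectancy, annualized rate of occurrence and annualized loss expectancy), and applies the cost-benefit test that decides whether a mitigating control is worth its annual cost. The asset, its valuation, the rates and the control costs are all constructed for illustration, and the `recommend()` rule that maps a positive control value to "mitigate" is a simplification assumed here, not a rule given in the text.

```python
"""Added worked example (not part of the original course text): quantitative
risk analysis with exposure factor (EF), single loss expectancy (SLE),
annualized rate of occurrence (ARO) and annualized loss expectancy (ALE),
plus the cost-benefit test for a control.  All asset values, factors and
costs below are constructed for illustration."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    asset: str
    threat: str
    asset_value: float      # monetary valuation of the asset
    exposure_factor: float  # fraction of asset value lost per occurrence (0..1)
    aro: float              # expected occurrences per year

    def __post_init__(self):
        # Reject inputs that make the annualized figures meaningless.
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError("exposure factor must be between 0 and 1")
        if self.aro < 0 or self.asset_value < 0:
            raise ValueError("ARO and asset value cannot be negative")

    def sle(self) -> float:
        """Single loss expectancy: value lost in one occurrence (AV * EF)."""
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annualized loss expectancy: SLE * ARO."""
        return self.sle() * self.aro


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float      # purchase, licence and operation cost, annualized
    residual_ef: float      # exposure factor once the control is in place
    residual_aro: float     # occurrence rate once the control is in place


def residual_risk(risk: Risk, control: Control) -> Risk:
    """The risk that remains after the control is applied."""
    return Risk(risk.asset, risk.threat, risk.asset_value,
                control.residual_ef, control.residual_aro)


def control_value(risk: Risk, control: Control) -> float:
    """Annual value of a safeguard = ALE before - ALE after - annual cost.
    A positive result means the control pays for itself."""
    return risk.ale() - residual_risk(risk, control).ale() - control.annual_cost


def recommend(risk: Risk, control: Control) -> str:
    """Assumed decision rule: mitigate when the control is cost-effective;
    otherwise the decision is between accepting and transferring (insuring)
    the risk, which the numbers alone cannot settle."""
    if control_value(risk, control) > 0:
        return "mitigate"
    return "accept or transfer"


# Constructed scenario: a customer database exposed to data theft.
DB_THEFT = Risk("customer database", "data theft", asset_value=500_000,
                exposure_factor=0.40, aro=0.10)   # about one incident per decade
ENCRYPT_AND_BACKUP = Control("encryption + offline backups", annual_cost=8_000,
                             residual_ef=0.10, residual_aro=0.10)
GOLD_PLATED_DLP = Control("enterprise DLP suite", annual_cost=30_000,
                          residual_ef=0.05, residual_aro=0.10)

if __name__ == "__main__":
    print(f"SLE = {DB_THEFT.sle():,.0f}  ALE = {DB_THEFT.ale():,.0f}")
    for ctl in (ENCRYPT_AND_BACKUP, GOLD_PLATED_DLP):
        print(f"{ctl.name}: value/year = {control_value(DB_THEFT, ctl):,.0f} "
              f"-> {recommend(DB_THEFT, ctl)}")
```

With the constructed figures the database has an SLE of 200,000 and an ALE of 20,000 per year; the cheaper control leaves a residual ALE of 5,000 and is worth 7,000 a year net of its cost, while the expensive suite reduces the loss further but costs more than it saves, so the numbers argue for the first control and against the second.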
In terms of controls, the following are usually distinguished:

- **Logical mitigation mechanisms** (e.g. a firewall).
- **Non-technical mitigation mechanisms** (e.g. administrative and physical). Administrative measures include policies and procedures. Physical measures include alarms, locks and fire alarms.
- **Safeguards:** Proactive, preventive controls.
- **Countermeasures:** Reactive, corrective controls.

### Processes in Information Risk Management

There are different models and standards for the processes in risk management. For example, NIST SP 800-30 groups the processes into three phases:

1. **Risk assessment:**
   - **Quantitative risk assessment:** Estimating the monetary value of a threat occurrence.
   - **Qualitative risk assessment:** Based on scenarios.
2. **Implementation of controls.**
3. **Continuous control evaluation.**

Regardless of the model or good practices implemented, all share a common need to estimate the probability of the risk occurring and to suggest countermeasures to be implemented through controls.

### Quantitative Risk Analysis

Quantitative risk analysis tries to assign quantitative values (e.g., monetary units) to the different elements. To do this, you have to start with an economic assessment of the resources. Based on this valuation, certain measures are established, which are summarized in the table below.

| Concept | Formulation |
| --- | --- |
| Exposure Factor (EF) | Percentage of a resource's value lost when a threat materializes. |
| Single Loss Expectancy (SLE) | Value of the resource multiplied by the EF. |
| Annualized Rate of Occurrence (ARO) | Frequency of the annual occurrence of the threat. |
| Annualized Loss Expectancy (ALE) | SLE × ARO. |

The fundamental problem of the analysis is the difficulty of measuring the value of resources. This value can be estimated in different ways, including:

- The initial and continuing cost (for an organization) of purchasing, licensing, developing and maintaining a resource.
- The value of the resource for maintaining the business model or the competitive advantage.
- The value of the resource for improving the business.
- The market value of the resource, if it can be evaluated. For example, the value that could be obtained by selling a trade secret.

Having established the asset value, a cost-benefit analysis can be performed, since the estimated cost of mitigation measures (or the cost of outsourcing) can be compared with these valuations, based on annualized estimates.

## 1.4. Plans for implementing security measures

### Security Management Programs

The goal of security management is to guarantee the confidentiality, integrity and availability of an organization's information resources. A security management program is a set of planned activities within an organization to ensure the availability, confidentiality and integrity of information resources. These programs should be communicated in an understandable way to all employees. A program is not a specific action, but rather an area of management geared toward continuous improvement. The importance of information security has led to its professionalization, embodied in the role of the Information Security Officer (ISO), CISO (Chief Information Security Officer) or other similar designation. This management is reflected in policies, standards, baselines and procedures.

### Classification of Information

Not all information in an organization is equally valuable. For example, industrial secrets, such as a product's manufacturing formula, affect a company's competitive advantage and its very reason for being.
Disclosing this information to third parties can simply shut down the organization. Something similar happens with information about a company's new product strategy. This information is the most prized object of industrial espionage. Given that protecting information costs money, classifying it allows more money to be allocated to the most valuable resources.

Within the military environment and the public sector, information classification has a long history. However, it is useful for any organization, either as a mechanism for analysis or to assess which information is affected by certain legal protections. Information classification makes it possible to identify the value of information resources, including the most sensitive or vital information for the company. Classifying information also demonstrates a commitment to security and may be essential due to existing regulations.

### Classification Levels

Classification is usually done according to a series of levels. The following table summarizes a typology common in government documents.

| Type | Definition |
| :--- | :--- |
| Unclassified | Information not classified as sensitive or classified. By definition, releasing this information does not affect confidentiality. |
| Sensitive but Unclassified | Information whose release would have a minor impact. |
| Confidential | Information whose disclosure could cause damage to national security. |
| Secret | Information whose disclosure would cause significant damage. |
| Top Secret | Information whose disclosure would cause extremely serious damage. |

In the company environment, different types of classification are used. The following table provides an example.
| Type | Definition |
| :--- | :--- |
| Public Use | Information that can be publicly disseminated. |
| Internal Use | Information that can be disseminated internally, but not externally. For example, information about suppliers and their efficiency. |
| Confidential | The most sensitive information. For example: product formulas, new product launches, or mergers. |

The above classification has to do with the impact on the company as a whole. But there is another category: personal information, whose dissemination is legally protected because it affects the individual rights of people. For example, an employee's salary or their medical records.

In addition to the criterion of the impact of dissemination that we have just seen, the age of the information is usually also a criterion. Defense documents are typically declassified after a certain period of time. A formula for an old product will probably no longer have the same value if it has been imitated over time by competitors.

### Roles and Procedures in Classification

Information classification requires well-defined roles and a series of steps or systematic activities. The main roles are:

- **Owner:** This person is in charge of the protection of information resources. They establish the critical nature of the information according to the approved classification policies and delegate routine tasks to the responsible person.
- **Custodian:** Usually a technical person. The owner delegates the effective custody of the information to this person. This includes managing backups and any other necessary technical tasks.
- **User:** These are the "consumers" of information in their daily work. The fundamental principles for this role are the following:
  - Information and resources must be used for the organization, never for personal purposes.
  - Users are responsible for managing the information they use in their work. In particular, they must ensure this information does not get "out in the open", for example by locking their terminal with a password when leaving the workstation.
  - Users must understand and follow the organization's security policies and procedures.

The following should be defined:

- Classify the roles mentioned.
- Specify the classification criteria.
- Classify data by owner.
- Specify and document any exceptions to the classification policy.
- Specify the controls that apply to each classification level.
- Specify the procedures for declassifying information or transferring it to another entity.
- Create a corporate awareness program about classification and its associated controls.

### Articulating Security through Controls

All information security management revolves around the identification of potential threats, that is, risks. The goal is to establish mechanisms to reduce the likelihood of occurrence (in the sense of possibility) or, if a threat materializes, to reduce its impact. In short, the goal is to reduce the effects of a security threat or vulnerability.

Establishing a security control is a consequence of a prior study of the impact of certain vulnerabilities or threats. The structured process that produces estimates of losses due to these vulnerabilities is the risk assessment. Risk concepts are the yardstick for determining whether a control is well implemented or not. For example, let's consider the following control mentioned in ISO 27001:2013:

- **Control objective:** The responsibility for the control belongs to the user.
- **Control or measure example:** [A.9.3.1] Password use control: users should be required to follow good security practices in the selection and use of passwords.
The risk in this case would result in the loss of confidentiality (and also of integrity and/or availability, since obtaining user passwords could allow an intruder to access systems and modify them). The organization should implement this control in the form of policies (the general philosophy concerning passwords) and concrete procedures (e.g., a password change every six months, and password strength checking). These specific measures help to reduce the probability that an intruder will be able to guess a password and, if they manage to do so, help to limit the impact to a temporary one. However, they will not eliminate the risk completely, given that a "social engineering" attack could trick a user into giving a password to malicious software (phishing would be an example).

### Physical and Logical Security

The scope of security includes everything in the environment of information systems that could have an impact on the availability, integrity and confidentiality of information. A natural disaster is an example of a physical threat. Measures are also very diverse, such as closed-circuit television systems. Although this area of information security may seem the furthest from the profession itself, it is important to understand, because the best firewall will not be able to withstand an attack if someone has physical access to the computer running it.

As an example of the importance of physical security, it is interesting to look at some examples of facilities with well-designed physical security measures. One example is Bahnhof's bunker data center. The company had Wikileaks as a client. While building a data center in a bunker may seem to many analysts more about marketing than about physical necessity, its features are interesting for illustrating the combined physical-logical design of secure systems. The company considered aspects such as geological stability and isolation from external physical attacks.
However, since one of the greatest physical risks is unauthorized physical access, location does not provide any additional benefit in this regard.

Donn B. Parker, in his book *Fighting Computer Crime* (Wiley, 1998), compiled a complete list of what he calls the seven main sources of physical losses. Below is a summary with examples:

- **Temperature:** Extreme variations in temperature, such as a fire.
- **Gases:** Gases used in warfare, such as sarin, but also industrial gases or airborne particles.
- **Liquids:** Floodwater, cleaning fluids.
- **Organisms:** Viruses, bacteria or insects, for example, but also people.
- **Projectiles:** Anything from meteorites to bullets or explosions.
- **Movement:** Falls or earthquakes.
- **Electrical anomalies:** Magnetism, radiation, et cetera.

Physical security controls are as varied as the threats. The fundamental areas to consider are summarized below.

### Fundamental Areas of Physical Security Controls

- **Administrative controls:** These include all procedures, as opposed to physical or technical controls. The following key aspects can be mentioned:
  - Planning installation requirements.
  - Managing the safety of the facilities.
  - Managing personnel.
- **Environmental and habitability controls:** These are the physical controls that are essential to maintaining the operation of systems and the people who operate them. The following are key areas:
  - Power supply.
  - Fire detection and suppression.
  - Heating, ventilation and air conditioning.
- **Technical and physical controls:** These include controls that are not purely administrative (although administrative aspects are also involved). The following are the key points:
  - Inventory control. This is crucial for controlling theft of and damage to equipment.
  - Access control for facilities.
  - Control of facility conditions.
  - Intrusion detection and alarms.
  - Storage media requirements.
- **Personnel controls:** A common misconception is that maintaining operating systems, network software and applications, along with defensive systems and written security policies, provides a sufficient level of security. The reality is that the weakest link is often the *human* factor. *Social engineering* is the practice and method of obtaining confidential information through the manipulation of legitimate users. It is important to understand that the human factor is an element of the information system, so policies and the tools for implementing them must take this element into account.
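Returning to the classification roles and procedures of section 1.4, the following is an added example, not code from the course material or from UNIR. It models the company classification levels (Public Use, Internal Use, Confidential) as an ordered scale, gives the owner sole authority to set the level while the custodian only holds the data, applies the need-to-know principle from section 1.3 on top of a user's clearance, implements the age criterion as a scheduled declassification date, and records every decision so that it can be attributed to a user (the accountability concept from the table in section 1.3). The level ordering, user names, groups, documents and dates are all constructed, and the rule that a scheduled change can only lower a document's level is an assumption made here.

```python
"""Added example (not part of the original course material): enforcing a
company classification scheme with owner/custodian/user roles, clearance,
need-to-know, scheduled declassification and an audit trail.  Levels,
users, groups, documents and dates are constructed for illustration."""
from dataclasses import dataclass
from datetime import date

# Ordered company classification levels: a higher number is more sensitive.
LEVELS = {"public": 0, "internal": 1, "confidential": 2}


@dataclass(frozen=True)
class Document:
    name: str
    level: str                              # level assigned by the owner
    owner: str                              # owner: decides the classification
    custodian: str                          # custodian: backups, technical tasks
    need_to_know: frozenset = frozenset()   # groups that need it; empty = any cleared user
    declassify_on: date = None              # age criterion: scheduled downgrade date
    declassify_to: str = "internal"         # level after the scheduled date


@dataclass(frozen=True)
class User:
    name: str
    clearance: str                  # highest level this user may read
    groups: frozenset = frozenset()


AUDIT_LOG = []  # accountability: (date, user, document, allowed, reason)


def effective_level(doc: Document, today: date) -> str:
    """Apply the age criterion: on or after declassify_on the document drops
    to declassify_to.  Assumed rule: a scheduled change never raises the level."""
    if doc.declassify_on is not None and today >= doc.declassify_on:
        if LEVELS[doc.declassify_to] < LEVELS[doc.level]:
            return doc.declassify_to
    return doc.level


def can_read(user: User, doc: Document, today: date) -> tuple:
    """Return (allowed, reason) and record the decision in AUDIT_LOG."""
    level = effective_level(doc, today)
    if LEVELS[user.clearance] < LEVELS[level]:
        allowed, reason = False, f"clearance {user.clearance} is below {level}"
    elif (level == "confidential" and doc.need_to_know
          and not (user.groups & doc.need_to_know)):
        allowed, reason = False, "no need-to-know for this resource"
    else:
        allowed, reason = True, f"read permitted at level {level}"
    AUDIT_LOG.append((today.isoformat(), user.name, doc.name, allowed, reason))
    return allowed, reason


def can_reclassify(user: User, doc: Document) -> bool:
    """Only the owner sets or changes the classification; the custodian's
    delegated duties are technical and do not include this."""
    return user.name == doc.owner


# Constructed sample data.
FORMULA = Document("product-formula.pdf", "confidential", owner="alice",
                   custodian="bob", need_to_know=frozenset({"r&d"}))
PRESS_KIT = Document("launch-press-kit.pdf", "confidential", owner="alice",
                     custodian="bob", declassify_on=date(2024, 6, 1),
                     declassify_to="public")
SUPPLIERS = Document("supplier-ratings.xlsx", "internal", owner="carol",
                     custodian="bob")

ALICE = User("alice", "confidential", frozenset({"r&d", "management"}))
BOB = User("bob", "internal", frozenset({"it"}))           # custodian, no clearance for secrets
DAVE = User("dave", "confidential", frozenset({"sales"}))  # cleared, but no need-to-know

if __name__ == "__main__":
    today = date(2024, 7, 1)
    for user in (ALICE, BOB, DAVE):
        for doc in (FORMULA, PRESS_KIT, SUPPLIERS):
            print(user.name, doc.name, can_read(user, doc, today))
    print("alice may reclassify the formula:", can_reclassify(ALICE, FORMULA))
    print("bob may reclassify the formula:", can_reclassify(BOB, FORMULA))
    for entry in AUDIT_LOG:
        print(entry)
```

The point the roles make in the text is visible in the decisions: the custodian who runs the backups cannot read the formula he stores, the cleared salesperson is still refused for lack of need-to-know, the launch press kit becomes readable by everyone once its scheduled date passes, and every refusal or grant is attributed to a named user in the log.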