
Introduction to Information Security
Dr. Randy M. Kaplan
1
Risk Management
Risk Management
Identify and control risks faced by an organization
Two major tasks
Risk identification
Risk Control
3
Risk Management
Identify and control risks faced by an organization
Two major tasks
Risk identification
Examining and documenting the security posture
of an organization’s information technology and
the risks it faces
Risk Control
4
Risk Management
Identify and control risks faced by an organization
Two major tasks
Risk identification
Risk Control
Apply controls to reduce risks to an
organization’s data and information systems
5
Competition
Organizations must design and create safe
environments in which business processes and
procedures can function
These environments maintain confidentiality and privacy
and assure the integrity of organizational data
6
Risk Management
Sun Tzu - The Art of War
“If you know the enemy and know yourself, you
need not fear the result of a hundred battles. If you
know yourself and not the enemy, for every victory
gained you will also suffer a defeat. If you know
neither the enemy nor yourself, you will succumb in
every battle.”
7
Know Yourself
You must identify, examine, and understand
the information and systems currently in place
within your organization
8
Protecting Assets
Assets are defined as information and the systems that
use, store, and transmit information
You must understand what they are, how they add
value to the organization, and to which
vulnerabilities they are susceptible
9
Protecting Assets
Know what you have
Know what you are doing to protect it
If you have a control in place to protect an asset this
does not mean that the asset is protected
10
Protecting Assets
Frequently when an organization puts a control in
place it thinks that its work is done and it has nothing
more to do
This should raise a red flag as far as security is
concerned
Controls need to be periodically reviewed, revised,
and maintained
Policies, education, training, and technologies that
protect information must be carefully maintained
11
Know the Enemy
Moving on to Sun Tzu’s next piece of advice we
examine the threats facing the organization
Determine threats that directly affect the organization
and the security of the organization’s information
assets
Use your understanding of these aspects to create a
list of threats prioritized by how important each asset
is to the organization
12
Communities of Interest
A community of interest is a group of people who
share a common interest
Usually this interest is something that the members of
the community interact about on a regular basis
sharing knowledge about the domain
A community of interest is not a casual group or club
but a group of people engaged in serious knowledge
management
13
Communities of Interest
The communities of interest relevant to information
security
Information Security
Management and Users
Information Technology
14
Communities of Interest
The communities of interest relevant to information
security
Information Security
Best understand the threats and attacks
Take a leadership role in addressing risk
Management and Users
Information Technology
15
Communities of Interest
The communities of interest relevant to information
security
Information Security
Management and Users
Properly trained and kept aware of threats, these
groups act as early detectors of, and responders to,
threats
Information Technology
16
Communities of Interest
The communities of interest relevant to information
security
Information Security
Management and Users
Information Technology
Build secure systems
Operate them safely
17
Communities of Interest
Information Technology
Build secure systems
Operate them safely
Ensure good backups to control the risk from
hard drive failure
Evaluate asset valuations
Evaluate threats
18
Communities of Interest
Other Responsibilities
Evaluate the risk controls
Determine which control options to apply
Acquire or install the needed controls
Oversee that the controls remain effective
Essential that Communities of Interest conduct
periodic management reviews
19
Identifying Risks
Identify Information Assets
Identify
Classify
Prioritize
Assets are the targets of:
Threats
Threat agents
20
Identifying Assets
Circumstances
Settings
Assets
Vulnerabilities
21
Risk Identification Process
Risk identification:
  Plan and organize the process
  Categorize system components
  Inventory and categorize assets
  Identify threats
  Specify vulnerable assets
Risk assessment:
  Assign value to attack on assets
  Assess likelihood of attack on vulnerabilities
  Calculate relative risk factor for assets
  Review possible controls
  Document findings
22
Asset Identification
Identification of all of the elements of an
organization’s system, including:
People
Procedures
Data
Information
Hardware
Networking elements
23
Asset Identification
Categories: traditional system components, SecSDLC
system components, and risk management system components
People
  Employees
    Trusted employees
    Other staff
Procedures
  IT and business standard procedures
  IT and business sensitive procedures
Information (data)
  Transmission
  Processing
  Storage
Software
  Applications
  Operating systems
  Security components
Hardware
  System devices and peripherals
    Systems and peripherals
    Security devices
  Networking components
    Intranet components
    Internet or DMZ components
24
Identifying People, Procedures, and Data Assets
Identifying human resources, documentation, and data
and information assets is more challenging than
identifying hardware and software
25
Identifying People, Procedures, and Data Assets
Assign individuals who have knowledge, experience,
and judgement to this task
As assets are identified, they need to be recorded
using a reliable data-handling process
Recording process needs to be flexible to record
various types of attributes
26
Recommended Attributes
People
Position name/number/ID
Supervisor
Security clearance level
Special skills
27
Recommended Attributes
Procedures
Description
Intended purpose
Relationship to -
Software, hardware, networking elements,
storage location
28
Recommended Attributes
Data
Classification
Owner
Creator
Manager
Size of data structure
29
Recommended Attributes
Data (continued ...)
Data structure used
Online or offline
Location
Backup procedures
30
How much can be tracked?
Decisions must be made about what is to be tracked
It is impossible to track all of the assets (especially
when it comes to data)
Therefore there needs to be a prioritization of the
assets in order to decide what to track and document
Most companies do not recognize all of their assets
31
Hardware, Software,
Network
What are the attributes of hardware, software, and
network assets that should be collected?
For each type of component this will vary
The most important thing is to be consistent in the
collection process
32
Hardware, Software,
Network Attributes
Name - use a common name
IP address
MAC address
Element type
An element will have attributes that may differ from
another element’s
33
Hardware, Software,
Network Attributes
Element type
An element will have attributes that may differ from
another element’s
For example, a server might be identified by:
Class of the device
OS of the device
Device capacity
34
Hardware, Software,
Network Attributes
Serial number
Applies to hardware and software
Record for each instance
Manufacturer’s name
Manufacturer’s part no. and/or model no.
Acquisition Date
35
Hardware, Software,
Network Attributes
Software version, update revision, or FCO (field
change order)
Physical Location
Logical Location
Controlling Entity
36
Asset Valuation
Assets are identified first; then it is necessary to
determine the value of each asset identified.
Not all assets have equal value
Not all assets will be equally protected
37
Asset Valuation
Question 1
Which information asset(s) is/are MOST critical to
the success of the organization?
In order to answer this question we can refer to the
organization’s mission and objectives
38
Asset Valuation
Which information asset(s) is/are MOST critical to the
success of the organization?
Which elements support the objectives?
Which elements are adjuncts to the objectives?
39
Asset Valuation
Example
Amazon uses web servers to receive and process
orders 24 hours a day, seven days a week
These servers are critical to the success of
Amazon’s business
In customer service, the desktop systems used by
customer representatives, although important, are
not as critical
40
Asset Valuation
Which information asset generates the most
revenue?
How much of an organization’s revenue depends
on a particular asset?
In some organizations different systems are in
place for each line of business or service offering
Which play the greatest role in generating revenue
or delivering services?
41
Asset Valuation
Which information asset generates the most
profitability?
How much of an organization’s profitability depends
on a particular asset?
42
Asset Valuation
Example
Amazon’s Servers
Some servers support sales operations
Some servers support the auction process
Some servers support the customer review
database
Which of these servers contribute to profitability?
43
Asset Valuation
Sales operations servers: contribute directly to
profitability
Auction servers: contribute to profitability
Customer review database servers: do not directly
contribute to profitability
Asset Valuation
Which asset would be most expensive to replace?
Which asset would be the most expensive to protect?
Which asset would be most embarrassing or cause the
greatest liability if revealed?
45
Ordering the Assets
Once the assets have been inventoried and the value
of each has been assessed it is possible to calculate
the relative importance of an asset with a process
known as weighted factor analysis
46
Data Classification
Corporate and military organizations use a variety of
schemes to classify information
Such a scheme is called a DATA CLASSIFICATION
SCHEME
Georgia-Pacific Corporation uses a corporate scheme
The U.S. Military uses a more complex scheme
47
Corporate Data
Classification
Confidential
Internal
External
48
Corporate Data
Classification
Confidential
Used for the most sensitive information that must
be tightly controlled even within the company
Access to this information is strictly on a need-to-know basis
Internal
External
49
Corporate Data
Classification
Confidential
Internal
The internal classification is used to denote
information that can be viewed inside an
organization by employees, authorized contractors,
and other parties
External
50
Corporate Data
Classification
Confidential
Internal
External
This is all information that has been approved by
the company for public release
51
Military Data Classification
Unclassified Data
Information to be distributed to the public without
any threats to U.S. national interests
Sensitive but Unclassified
Confidential Data
Secret
Top Secret
52
Military Data Classification
Unclassified Data
Sensitive but Unclassified
Any information of which the loss, misuse, or
unauthorized access to, or modification of might
adversely affect U.S. National interests
Confidential Data
Secret
Top Secret
53
Military Data Classification
Unclassified Data
Sensitive but Unclassified
Confidential Data
Any information the unauthorized disclosure of
which reasonably could be expected to cause
damage to the national security
Examples include compromise of information like
strength of U.S. forces
Secret
Top Secret
54
Military Data Classification
Unclassified Data
Sensitive but Unclassified
Confidential Data
Secret
Any information the unauthorized exposure of
which reasonably could be expected to cause
serious damage to the national security
Examples include disruption of foreign relations
significantly affecting national security
Top Secret
55
Military Data Classification
Unclassified Data
Sensitive but Unclassified
Confidential Data
Secret
Top Secret
Any information or material the unauthorized
disclosure of which reasonably could be expected
to cause exceptionally grave damage to the
national security
Examples include armed hostilities against the U.S.
56
A Practical Scheme
Most organizations don’t need as detailed a
classification as the military scheme
Most organizations need a scheme to protect data
57
A Practical Scheme
Public
Information for general public dissemination
For Official Use Only
Sensitive
Classified
58
A Practical Scheme
Public
For Official Use Only
Information that is not particularly sensitive, but not
for public release
Sensitive
Classified
59
A Practical Scheme
Public
For Official Use Only
Sensitive
Information important to the business that could
embarrass the company or cause loss of market
share if revealed
Classified
60
A Practical Scheme
Public
For Official Use Only
Sensitive
Classified
Information of the utmost secrecy to the
organization
Could severely impact the welfare of the
organization
61
Security Clearances
The other part of a data classification scheme is the
personnel security clearance structure
In organizations that require security clearances, each
user of data must be assigned a single authorization
level
This level indicates the level of classification that he or
she is authorized to view
62
Threat Identification
Once the assets are classified the next step is to
identify the threats that an organization faces
Of these threats, some will be “important” and
others “unimportant”
It is critical to distinguish between these types of
threats, as it is impossible to attend to every
threat that could possibly affect an
organization
63
Threat Assessment
Threats
Acts of human error or failure
Compromises to intellectual property
Deliberate acts of espionage or trespass
Deliberate acts of information extortion
Deliberate acts of sabotage or vandalism
64
Threat Assessment
Threats (continued)
Deliberate acts of theft
Deliberate software attacks
Forces of nature
Quality of service deviations from service providers
Technical hardware failures or errors
65
Threat Assessment
Threats (continued)
Technical software failures or errors
Technological obsolescence
66
Threat Assessment
Each of the threats must be examined to determine
its potential to cause damage to an organization and
its assets
67
Threat Assessment
Questions to Ask
Which threats present a danger to an organization’s
assets in the given environment?
Any category is eliminated that does not apply to
the organization
68
Threat Assessment
After it has been determined which threats apply -
It is necessary to seek examples in each category
These examples are examined to determine if any
do not apply in the current environment
69
Threat Assessment
Which threats represent the most danger to the
organization’s information?
Danger may be measured by:
Probability of an attack
Amount of damage the threat could create
Frequency with which an attack could occur
70
Threat Assessment
Threat Ranking
Quantitative and Qualitative measures can be used
to rank threats
Rank threats subjectively in the order of danger
Rate each threat on a scale from 1 to 5
1 = not significant
5 = very significant
71
Threat Assessment
Questions to Ask
How much would it cost to recover from a
successful attack?
This cost is a guide to corporate spending on
controls for the threat
Provide a rough $ assessment of the cost to
recover (Is it a Chevy or a Cadillac?)
72
Threat Assessment
Questions
Which of the threats will require the greatest
expenditure to prevent?
Some threats, like malicious code, have very low
costs of protection (comparatively)
Other threats have a very high cost of protection
73
Threat Assessment
As seen by Computing Executives
Deliberate software attacks (Rank = 1)
Technical software failures or errors (Rank = 2)
Acts of human error or failure (Rank = 3)
Deliberate acts of espionage or trespass (Rank = 4)
Deliberate acts of sabotage or vandalism (Rank = 5)
74
Threat Assessment
As seen by Computing Executives
Technical hardware failures or errors (Rank = 6)
Deliberate acts of theft (Rank = 7)
Forces of nature (Rank = 8)
Compromises to intellectual property (Rank = 9)
Quality of service deviations from service providers (Rank = 10)
75
Threat Assessment
As seen by Computing Executives
Technological obsolescence (Rank = 10)
Deliberate acts of information extortion (Rank = 11)
76
Threat Assessment
How can you use these rankings?
As a way to decide where to place your resources
As a way to determine where the most likely
successful attacks will occur (according to other
executives)
77
Risk Assessment
Definition of Risk
Risk is
the LIKELIHOOD of the occurrence of a vulnerability
multiplied by
the VALUE of the information asset
minus
the percentage of risk mitigated by CURRENT CONTROLS
plus
the UNCERTAINTY of the current knowledge of the vulnerability
78
Risk Assessment
Our goal at this point is to develop a way to evaluate
the relative risk of each of the listed vulnerabilities
79
Likelihood
LIKELIHOOD
Probability that a specific vulnerability within an
organization will be successfully attacked
In risk assessment a numeric value is assigned to
the likelihood of a vulnerability being successfully
exploited
NIST recommends that likelihoods are in the range
of 0.1 to 1.0
80
Calculating Likelihood
Unless it is the case that you have accumulated
significant data about a particular vulnerability it would
be difficult to calculate the likelihood
For that reason it is a good idea to use external
references whenever possible as a resource for
likelihood values
81
Valuation of Information
Assets
Once the assets are identified, weighted scores can
be assigned to the assets to indicate an asset’s
value
The values must be assigned by again asking the
questions:
Which threats present a danger to an organization’s
assets in the given environment?
Which threats represent the most danger to the
organization’s information?
82
Valuation of Information
Assets
The values must be assigned by again asking the
questions:
Which threats present a danger to an organization’s
assets in the given environment?
Which threats represent the most danger to the
organization’s information?
How much would it cost to recover from a
successful attack?
83
Valuation of Information
Assets
The values must be assigned by again asking the
questions:
Which threats present a danger to an organization’s
assets in the given environment?
Which threats represent the most danger to the
organization’s information?
How much would it cost to recover from a
successful attack?
Which of the threats would require the greatest
expenditure to prevent?
84
Valuation of Information
Assets
Once these questions are re-evaluated the
background information from the risk identification
process is used to answer the following question:
Which of the questions posed above for each
information asset is the most important to the
protection of the organization’s information?
This question helps set priorities
85
Controls
If a vulnerability is managed by a control it no
longer needs to be considered for additional
controls and can be set aside
If a vulnerability is partially controlled, estimate the
percentage it has been controlled
86
Determining the Risk
For the purposes of RELATIVE RISK ASSESSMENT
risk equals likelihood of vulnerability occurrence times
value or impact minus percentage risk already
controlled plus an element of uncertainty
Let risk be R
Let likelihood be l
Let value be v
Let percentage controlled risk be c
Let uncertainty be u
87
Determining the Risk
Thus risk represented formulaically would be R = (l * v) - c + u
88
Determining Risk
Examples
Example 1
Asset A
v=50, l=1.0, c=0, u=10%
R = (50 * 1.0) - 0 + (10% * (50 * 1.0)) = 55
89
Determining Risk
Example 2
Asset B
v=100, 2 vulnerabilities
l(2)=.5, c=50%,u=20%
l(3)=.1, c=0, u=20%
R(B, Vulnerability 2) = (100 * .5) - ((100 * .5) * .5) +
((100 * .5) * .2) = 50 - 25 + 10 = 35
R(B, Vulnerability 3) = (100 * .1) - ((100 * .1) * 0) +
((100 * .1) * .2) = 10 - 0 + 2 = 12
90
Possible Controls
For each threat and its associated vulnerabilities that
have residual risk create a preliminary list of control
ideas
RESIDUAL RISK is the risk that remains after the
existing control is applied
91
Types of Controls
Three General Categories
Category 1 - Policies
Category 2 - Programs
Category 3 - Technologies
92
Types of Controls
Three General Categories
Category 1 - Policies
Documents that specify an organization’s approach
to security
Category 2 - Programs
Category 3 - Technologies
93
Types of Controls
Three General Categories
Category 1 - Policies
Category 2 - Programs
Activities performed within the organization to
improve security
Category 3 - Technologies
94
Types of Controls
Three General Categories
Category 1 - Policies
Category 2 - Programs
Category 3 - Technologies
Technical implementations of the policies defined
by the organization
95
Access Controls
Access control addresses the issue of allowing a user
into a trusted area of the organization
These areas can include both physical and logical
areas
An example of a physical area is a particular office
area, i.e., the area where sensitive information is
maintained
An example of a logical area is a particular computer
system where sensitive data is maintained
96
Access Controls
Access Controls consist of a combination of -
Policies
Programs
Technologies
97
Types of Access Controls
Mandatory
Users have only limited control over access to
information resources
Non-discretionary
Discretionary
98
Types of Access Controls
Mandatory
Non-discretionary
Managed by a central authority
Can be based on an individual’s role (role-based
controls)
Can be based on tasks (task-based controls)
Discretionary
99
Types of Access Controls
Mandatory
Non-discretionary
Discretionary
Implemented at the discretion or option of the data
user
100
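As an added illustration (not code from the slides), here is one way to layer the three access control types above on top of the deck’s practical classification scheme and single-level clearance; the rule that the mandatory check compares a user’s clearance against the asset’s classification, the role table, and the sample users are assumptions.

```python
"""Layering mandatory, non-discretionary (role-based) and discretionary
access controls over the practical classification scheme from the slides.

Assumption (not stated in the deck): the mandatory control is satisfied when the
user's single clearance level is at least the asset's classification level.
"""
from dataclasses import dataclass, field
from enum import IntEnum


class Level(IntEnum):
    """The practical scheme, ordered from least to most sensitive."""
    PUBLIC = 0
    FOR_OFFICIAL_USE_ONLY = 1
    SENSITIVE = 2
    CLASSIFIED = 3


@dataclass
class User:
    name: str
    clearance: Level                     # one authorization level per user
    roles: frozenset = frozenset()       # roles assigned by a central authority


@dataclass
class Asset:
    name: str
    classification: Level
    owner: str
    granted: set = field(default_factory=set)  # discretionary grants by the owner


# Constructed role -> permitted actions table (non-discretionary, role-based).
ROLE_PERMISSIONS = {
    "customer-rep": frozenset({"read"}),
    "dba": frozenset({"read", "write"}),
}


def mandatory_allows(user: User, asset: Asset) -> bool:
    """Mandatory control: neither the user nor the owner can override it."""
    return user.clearance >= asset.classification


def role_allows(user: User, action: str) -> bool:
    """Non-discretionary control: permissions follow the user's roles."""
    return any(action in ROLE_PERMISSIONS.get(r, frozenset()) for r in user.roles)


def discretionary_allows(user: User, asset: Asset) -> bool:
    """Discretionary control: the data owner decides who else may access it."""
    return user.name == asset.owner or user.name in asset.granted


def grant(owner: User, asset: Asset, grantee: str) -> None:
    """Owner-only discretionary grant; anyone else is refused."""
    if owner.name != asset.owner:
        raise PermissionError(f"{owner.name} does not own {asset.name}")
    asset.granted.add(grantee)


def access_allowed(user: User, asset: Asset, action: str) -> bool:
    """All three layers must agree; a discretionary grant cannot lift the
    mandatory clearance check, which is what keeps the user's control limited."""
    return (mandatory_allows(user, asset)
            and role_allows(user, action)
            and discretionary_allows(user, asset))


# Constructed sample data: a SENSITIVE asset owned by a DBA, two other users.
REVIEW_DB = Asset("customer-review-db", Level.SENSITIVE, owner="dana")
DANA = User("dana", Level.CLASSIFIED, frozenset({"dba"}))
REP = User("rep1", Level.FOR_OFFICIAL_USE_ONLY, frozenset({"customer-rep"}))
ANALYST = User("analyst", Level.SENSITIVE, frozenset({"customer-rep"}))

if __name__ == "__main__":
    grant(DANA, REVIEW_DB, "analyst")
    grant(DANA, REVIEW_DB, "rep1")
    for user, action in ((DANA, "write"), (ANALYST, "read"), (ANALYST, "write"), (REP, "read")):
        print(f"{user.name:8} {action:6} -> {access_allowed(user, REVIEW_DB, action)}")
```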
Documenting the Results
The product of the risk assessment is a worksheet
that ranks the risks
This worksheet should contain the following items
Asset, asset impact, vulnerability, vulnerability
likelihood, risk-rating factor
101
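An added worked example, not from the slides, applying R = (l * v) - c + u the way Examples 1 and 2 on the Determining Risk slides do (c and u taken as percentages of l * v) and producing the ranked worksheet this slide describes; the asset and vulnerability names are constructed, and setting aside fully controlled vulnerabilities follows the Controls slide.

```python
"""Relative risk rating and the ranked risk worksheet.

Assumption (matching the deck's Examples 1 and 2): c and u are percentages of
the base exposure (l * v), so R = (l*v) - c*(l*v) + u*(l*v).
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class VulnerabilityEntry:
    asset: str          # information asset name
    value: float        # v: asset value / impact (weighted score)
    vulnerability: str  # short description of the vulnerability
    likelihood: float   # l: 0.1 .. 1.0 (the NIST range cited on the slides)
    controlled: float   # c: fraction of risk mitigated by current controls, 0..1
    uncertainty: float  # u: fraction for uncertainty of current knowledge, 0..1


def relative_risk(value: float, likelihood: float,
                  controlled: float, uncertainty: float) -> float:
    """Return R for one asset/vulnerability pair, rejecting out-of-range inputs."""
    if not 0.1 <= likelihood <= 1.0:
        raise ValueError(f"likelihood {likelihood} outside the range 0.1..1.0")
    if not 0.0 <= controlled <= 1.0 or not 0.0 <= uncertainty <= 1.0:
        raise ValueError("controlled and uncertainty must be fractions in 0..1")
    base = likelihood * value
    return base - base * controlled + base * uncertainty


def risk_worksheet(entries: list) -> list:
    """Build the ranked worksheet: asset, asset impact, vulnerability,
    vulnerability likelihood, risk-rating factor, highest risk first.

    Vulnerabilities fully managed by a control (c == 1.0) are set aside, as the
    Controls slide says they need no further consideration.
    """
    rows = []
    for e in entries:
        if e.controlled >= 1.0:
            continue
        rows.append({
            "asset": e.asset,
            "asset_impact": e.value,
            "vulnerability": e.vulnerability,
            "likelihood": e.likelihood,
            "risk_rating": round(relative_risk(e.value, e.likelihood,
                                               e.controlled, e.uncertainty), 2),
        })
    return sorted(rows, key=lambda r: r["risk_rating"], reverse=True)


# Constructed entries: the deck's two examples plus one fully controlled
# vulnerability, which must drop out of the ranking.
EXAMPLE_ENTRIES = [
    VulnerabilityEntry("Asset A", 50, "Vulnerability 1", 1.0, 0.0, 0.10),
    VulnerabilityEntry("Asset B", 100, "Vulnerability 2", 0.5, 0.50, 0.20),
    VulnerabilityEntry("Asset B", 100, "Vulnerability 3", 0.1, 0.0, 0.20),
    VulnerabilityEntry("Asset C", 80, "Vulnerability 4", 0.8, 1.0, 0.10),
]

if __name__ == "__main__":
    for row in risk_worksheet(EXAMPLE_ENTRIES):
        print(f"{row['asset']:8} {row['vulnerability']:16} "
              f"l={row['likelihood']:<4} R={row['risk_rating']}")
```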
Risk Control Strategies
When organizational management has determined
that risks from information security threats are
creating a competitive disadvantage they empower
the information technology and information security
organizations to control the risks
102
Quote
“Most organizations can spend only a reasonable
amount of time and money on information security,
and the definition of reasonable differs from
organization to organization and even from manager
to manager.”
103
Risk Control Strategies
Once the risks are ranked, the team must choose one
of four strategies to control each of the risks resulting
from the vulnerabilities
These are -
Avoidance
Transfer
Mitigation
Acceptance
104
Avoidance
Prevent exploitation of the vulnerability
Preferred approach
Accomplished by countering threat(s), removing
vulnerabilities in assets, limiting access to assets, and
adding protective safeguards
105
Avoidance
Three Common Methods
Application of Policy
Training and Education
Applying Technology
106
Avoidance
Three Common Methods
Application of Policy
Management mandates that certain procedures
are always followed
Training and Education
Applying Technology
107
Avoidance
Three Common Methods
Application of Policy
Training and Education
Awareness, education, and training are essential
if employees are to exhibit safe and controlled
behavior
Applying Technology
108
Avoidance
Three Common Methods
Application of Policy
Training and Education
Applying Technology
Technology is often required to assure that risk is
reduced
109
Implementing Avoidance
Risks may be avoided by:
Countering the threats facing an asset
Eliminating the exposure of a particular asset
Eliminating a threat is difficult, but it can be done
110
Transference
Approach that tries to shift the risk to other assets
Can be achieved by rethinking how processes are
implemented in the organization -
Revising deployment models
Outsourcing
Purchasing insurance
Service contracts
111
Transference
The philosophy of transference becomes a business
rationale for moving non-core activities outside of an
organization while only maintaining core activities in
the organization
112
Mitigation
Reduce impact of exploitation of a vulnerability
through planning and preparation
Approach includes three types of plans
IRP
DRP
BCP
113
IRP
Incident Response Plan
This document defines the actions an organization
should take while an incident is in progress
For example, if you know your network is being
attacked by a hacker, this is the document that will
answer the question, “what do you do in response
to the attack?”
114
DRP
The Disaster Recovery Plan is the most common of
the mitigation procedures
The DRP frequently is largely based on a strategy for
backing up key information assets.
In reality a DRP must include significantly more than
just a backup plan
115
DRP
The DRP specifies what needs to be done when the
disaster stops.
DRPs can include strategies to limit losses before and
during the disaster
The DRP is a specification of how to “get back up and
running” in the event of a disaster
DRPs are frequently practiced within an organization
116
BCP
The Business Continuity Plan addresses the issue of
how the organization will maintain business
operations during an incident or disaster
It naturally also relates to the DRP because the BCP
will transition to the DRP once the disaster is over
BCP may require the setup of special sites that can
be used in the event that the main processing sites
for the business are adversely affected by an incident
117
Acceptance
Acceptance differs from the other choices of how to
deal with risk in that it approaches it from the
standpoint of doing nothing about it
Under these circumstances the organization has
decided to take the consequences of the exploitation
118
Acceptance
The only accepted use of this strategy is when the
organization has:
Determined the level of risk
Assessed the probability of attack
Estimated the potential damage that could occur
from attacks
Evaluated controls using each type of feasibility
Decided that a particular function, service,
information, or asset did not warrant the cost of
protection
119
Acceptance
Example
Suppose it would cost an organization $100,000
per year to protect a server
The organization has determined that to replace the
server and the data on the server, and to cover the
associated recovery costs would cost $10,000
Under these circumstances the organization may
be satisfied with taking its chances
120
Acceptance
When an organization chooses acceptance as the
strategy to address all of its security issues it is
usually a statement about the organization’s ability to
proactively respond to a threat
It also represents an organizational apathy towards
security
An organization leaves itself open to litigation when
adopting a strategy of “ignorance is bliss”
121
Risk Evaluation Strategy
To determine whether a risk is viable, that is, whether
a strategy should be selected to address it, the
following assessment process should be followed
122
Risk Evaluation Strategy
Decision flow, starting from the viable threats against
the system as designed:
Is the system vulnerable? If no, there is no risk. If
yes, a vulnerability exists.
Is the system exploitable? If no, there is no risk. If
yes, a threat and a vulnerability exist.
Is the attacker’s gain greater than the attacker’s cost?
If no, the risk may be accepted. If yes, a risk exists.
Is the expected loss greater than the organization’s
acceptable level? If no, the risk should be accepted.
If yes, the risk is unacceptable.
123
Risk Evaluation Strategy
Rules of Thumb for Strategy Selection
When a vulnerability exists: implement security
controls to reduce the likelihood of a vulnerability
being exercised
When a vulnerability can be exploited: Apply
layered protection, architectural designs, and
administrative controls to minimize risk or to
prevent an occurrence
124
Risk Evaluation Strategy
Rules of Thumb for Strategy Selection
When the attacker’s cost is less than his potential
gain: Apply protections to increase the attacker’s
cost
When potential loss is substantial: Apply design
principles, architectural designs, and technical and
non-technical protections to limit the extent of the
attack, thereby reducing the potential for loss
125
Ongoing Evaluation
Like most things, the conditions which bring about the
need for controls do not remain static
The effectiveness of controls will change over time
The amount of risk incurred by a threat will change
over time
A control may be ineffective or may become no longer
needed over time
126
Ongoing Evaluation
For these reasons it is necessary, on an ongoing
basis to evaluate the effectiveness of controls
It is also necessary to make sure that new threats are
addressed as they arise because the conditions that
give rise to threats are changing all of the time also
127
Categories of Controls
Four control categories are defined:
Control function
Architectural layer
Strategy layer
Information security principle
128
Control Function
Controls designed to defend systems are:
Preventive
Detective
129
Control Function
Controls designed to defend systems are:
Preventive
Stop attempts to exploit a vulnerability
Implement enforcement of an organizational
policy or security principle
Detective
130
Control Function
Controls designed to defend systems are:
Preventive
Detective
Warn organizations of violations of:
Security principles
Organizational policies
Attempts to exploit vulnerabilities
131
Control Function
Controls designed to defend systems are:
Preventive
Detective
Use techniques like:
Audit trails
Intrusion detection
Configuration monitoring
132
Architectural Layer
Some controls apply to one or more layers of the
organization’s technical architecture
Firewalls, for example, operate between the WAN
and LAN of a network
133
Architectural Layer
The layers of an information architecture are
considered to include -
Organizational policy
External networks
Extranets
Intranets
Network devices
Systems
Applications
134
Strategy Layer
Controls are sometimes classified by the risk control
strategy that they operate within -
Avoidance
Mitigation
Transference
135
Secure Information
Controls can also be characterized according to an
accepted characteristic of secure information
A control may enforce the CONFIDENTIALITY of
information. An example of this is SSL
A control may enforce the INTEGRITY of the
information. An example of this is the CRC or Tripwire
A control may enforce the AVAILABILITY of the
information. An example of this is the use of
redundancy in the network
136
Secure Information
A control may enforce AUTHENTICATION. An
example of this is requiring the user to identify
themselves before access to a critical information
asset is granted
A control may enforce AUTHORIZATION. In this
case the control assures that a specific user has
the rights to access a specific information asset in a
specific way
137
Secure Information
A control may enforce ACCOUNTABILITY. An
example of this is that each and every action taken
that involves an information asset can be attributed
to an employee
A control may enforce PRIVACY. In this case the
control assures that the information asset does not
in any way contain any personally identifying
information.
138
Feasibility Studies
Choosing a strategy involves exploring
Economic implications
Non-economic implications
Answer the question, “What are the actual and
perceived advantages to implementing a control as
opposed to the actual and perceived disadvantages
to implementing a control?”
139
Cost Benefit Analysis
Determine the economic feasibility of an
implementation
Formal process to document the decision is called a
cost benefit analysis
140
Cost of a Control
Items affecting the cost of a control or safeguard
Cost of development
Cost of acquisition
Cost of implementation
Install, configure, test hardware, software,
services
Service costs (maintenance and upgrades)
Cost of maintenance (labor expense)
141
Benefit
Definition
The value that an organization realizes by using
controls to prevent losses associated with a specific
vulnerability
Determine how much value is at risk for the asset
A benefit can be expressed as an ANNUALIZED
LOSS EXPECTANCY
142
Asset Valuation
Asset valuation is the process of assigning value or
financial worth to each information asset
There is an argument to be made that it is impossible
to do this
Insurance underwriters do not have valuation tables
for this purpose
Much of the work of valuing information assets can
draw upon the work that was done during the risk
identification process
143
Asset Valuation
Estimate
Real costs of design and development of
information asset
Perceived cost of design and development of
information asset
144
Asset Valuation
Costs involve valuation of characteristics including -
Design, development, installation, maintenance,
protection, recovery, defense against loss, and
litigation
145
Components of Asset
Valuation
Value retained from the cost of creating the
information asset
Cost to the organization of developing or collecting
the information asset
Example: Multimedia based training averages 350
hours of development for each hour of training time
At an average programmer rate of $35/hour, that is
350 hours x $35/hour = $12,250 of development cost
per hour of training
146
Components of Asset
Valuation
Value retained from past maintenance of the
information asset
The expenditure to maintain the information asset
after it has been developed
147
Components of Asset
Valuation
Value implied by the cost of replacing the information
This is the actual cost of replacing the information
in the event it is lost or compromised
This calculation includes all costs - human labor
and technical
148
Components of Asset
Valuation
Value from providing the information
This is the cost of actually providing the information
to those who use the information
Costs included here are things like database
capability, networks, and related software systems
149
Components of Asset
Valuation
Value incurred from the cost of protecting the
information
This represents a recursive conundrum as we are
trying to calculate the cost of protecting the
information based on the cost of protecting the
information
It is possible to estimate the cost and that should
be used in the valuation
150
Components of Asset
Valuation
Value to owners
This is the value of the actual information asset
For example if a company mines a database to find
a certain population of individuals that would desire
a product they manufacture, how much is that data
worth?
151
Components of Asset
Valuation
Value of intellectual property
Intellectual property is an even more difficult type of
information asset to value
We won’t be able to estimate what a new idea will
be worth - for example, what would a medication
that cures a certain type of cancer be worth to the
patient that has that type of cancer?
152
Components of Asset
Valuation
Value to adversaries
What would it be worth to the competition to know
what your organization was up to? Could another
organization gain a competitive edge? Could it
mean the difference between getting and not
getting a contract?
153
Components of Asset
Valuation
Loss of productivity while the information assets are
unavailable
Inside an organization, when information assets
become unavailable this may lead to an inability to
carry out work, which in turn leads to a loss of
productivity, which in turn can have a value
attached to it
154
Components of Asset
Valuation
Loss of revenue while information assets are
unavailable
What if a business is unable to process a credit
card transaction and that is the only way its
customers are able to pay? What does it do?
At that point it will lose the revenue. The business
depends on the information asset for revenue and its
unavailability has a direct effect on loss of revenue
155
Coming up with a $ Value
Each collection of information must be valued. The
value is based on the following questions
How much did it cost to create or acquire the
information?
How much would it cost to recreate or recover this
information?
How much does it cost to maintain this information?
How much is this information worth to the
organization?
156
Coming up with a $ Value
Each collection of information must be valued. The
value is based on the following questions
How much is this information worth to the
competition?
157
After the assets are valued
...
The potential loss that could occur from the
exploitation of a vulnerability can begin to be
determined
The questions to be asked at this point include
What damage could occur and what financial
impact could it have?
What would it cost to recover from the attack, in
addition to the financial impact of damage?
What is the single loss expectancy for each risk?
158
Single Loss Expectancy
Definition
A SINGLE LOSS EXPECTANCY (SLE) is the
calculation of the value associated with the most
likely loss from an attack
It is a calculation based on the value of the asset
and the EXPOSURE FACTOR (EF), which is the
expected percentage of loss that would occur from
a particular attack, as follows
159
Single Loss Expectancy
SLE = asset value * exposure factor
Example
Web site - estimated value $1,000,000
Defaced by a hacker
10% of web site defaced or destroyed
SLE = $1,000,000 * .10 = $100,000
160
Probability of Attack
Extremely difficult to estimate
There are not always references to consult
Some sources are available for some threat-asset
pairs
Tornado-building
For this reason the probability of an attack is usually
estimated in a table indicating the probability of an
attack in a given time frame
161
Probability of Attack
Such an estimate is called the ANNUALIZED RATE
OF OCCURRENCE (ARO)
162
Calculating Loss
Once an asset’s value is known the next step is to
determine how much loss is expected from a single
expected attack and how often attacks will occur
Once these values are determined, the overall loss
potential per risk can be determined
This is usually called the ANNUALIZED LOSS
EXPECTANCY (ALE)
163
Calculating Loss
ALE = SLE x ARO
For the web site we have been using as an example,
since the SLE = $100,000 and the ARO = .50, the
ALE = $50,000
This means that if nothing is done the company can
be expected to lose $50,000 each year as a result of
web site exploitations
164
Calculating CBA
CBA determines whether or not the control alternative
being evaluated is worth the associated cost incurred
to control the specific vulnerability
165
Calculating CBA
The CBA is most easily calculated by
Using the ALE prior to the implementation of the
proposed control ALE(prior)
Subtracting the revised ALE(post), which assumes the
control is in place
Completing the calculation by subtracting the
annualized cost of the safeguard (ACS)
166
Calculating CBA
Summarizing: CBA = ALE(prior) - ALE(post) - ACS
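The SLE, ALE and CBA formulas above, carried through for the web site example from the earlier slides (value $1,000,000, EF 10%, ARO 0.50). This is an added example, not part of the lecture; the post-control ARO of 0.10 and the $20,000 annualized cost of the safeguard are constructed assumptions, since the slides give no figures for them.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class RiskEstimate:
    asset_value: float      # estimated worth of the information asset, in dollars
    exposure_factor: float  # expected fraction of the asset lost in one attack (0..1)
    aro: float              # annualized rate of occurrence (expected attacks per year)

    def sle(self) -> float:
        """Single loss expectancy: SLE = asset value * exposure factor."""
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError("exposure factor must be a fraction between 0 and 1")
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annualized loss expectancy: ALE = SLE x ARO."""
        if self.aro < 0.0:
            raise ValueError("ARO cannot be negative")
        return self.sle() * self.aro


def cba(ale_prior: float, ale_post: float, acs: float) -> float:
    """Cost benefit analysis: CBA = ALE(prior) - ALE(post) - ACS.

    A positive result means the control saves more per year than it costs;
    a negative result means the control costs more than the loss it avoids.
    """
    return ale_prior - ale_post - acs


def website_example() -> dict:
    """The slides' web site defacement scenario, extended with a candidate control."""
    prior = RiskEstimate(asset_value=1_000_000, exposure_factor=0.10, aro=0.50)
    # Assumed, not from the slides: the control cuts the ARO to one attack
    # every ten years and costs $20,000 per year to run.
    post = RiskEstimate(asset_value=1_000_000, exposure_factor=0.10, aro=0.10)
    acs = 20_000.0
    return {
        "sle": prior.sle(),            # 100,000
        "ale_prior": prior.ale(),      # 50,000
        "ale_post": post.ale(),        # 10,000
        "cba": cba(prior.ale(), post.ale(), acs),  # 20,000: control is worth it
    }


if __name__ == "__main__":
    for name, value in website_example().items():
        print(f"{name:>9}: ${value:,.2f}")
```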
167
Benchmarking
Benchmarking is the practice of
Seeking out and studying practices in other
organizations
These organizations produce results that you would
like to produce in your own
When selecting other organizations it is important to
compare to other LIKE organizations
168
Benchmarking
Once the desired practices are identified an
organization will develop a way to measure how it is
performing
There are two types of measurements that are used
Metrics-based
Performance-based
169
Metrics-based
Comparisons based on numerical standards
Numbers of successful attacks
Staff hours spent on system protection
Dollars spent on protection
Estimated value in dollars of the information lost in
successful attacks
Loss in productivity hours associated with
successful attacks
170
Metrics-based
The difference between an organization's measures
and those of other organizations is often referred to as a
PERFORMANCE GAP
171
Process-based Measures
Process-based measures are more strategic than
metrics-based approaches
Process-based measures allow an organization to
examine the activities that are necessary to achieve a
goal rather than the specifics of the goal
The primary focus of process-based measures is
method rather than outcome
172
Categories of Benchmarks
Two categories of benchmarks
Standards of due care and due diligence
Best practices
Within best practices, the GOLD STANDARD is a
subcategory of practices that are considered the
“best of the best”
173
Categories of Benchmarks
Standard of Due Care
Organizations adopt levels of security for a legal
defense
Must show they have done what any prudent
organization would do
Insufficient to implement these standards and then
ignore them
174
Categories of Benchmarks
Standard of Due Diligence
When an organization administers controls at or
above the levels of due care the organization has
shown they are performing at the level of due
diligence
DUE DILIGENCE is the demonstration that the
organization is diligent in ensuring that the
implemented standards continue to provide the
required level of protection
175
Applying Best Practices
When considering the adoption of best practices
Does your organization resemble the identified
target organization with the best practice under
consideration?
Are the resources your organization can expend
similar to those identified with the best practice?
Is your organization in a similar threat environment
as that proposed in the best practice?
176
Problems w/ Benchmarking
& Best Practices
Biggest problem
No sharing of experience in the industry
No reporting of successful attacks since
organizations consider these as failure
Lessons learned are not recorded
177
Problems w/ Benchmarking
& Best Practices
Another Problem
No two organizations are identical
Differences that can exist include
Size, composition, management philosophy,
organizational cultures, technological
infrastructures, and budgets for security
178
Problems w/ Benchmarking
& Best Practices
Problem 3
Best practices are a moving target
What worked well two years ago, may be
completely worthless against today’s threats
Security practices must be kept up to date
Methods, techniques, guidelines, policies,
educational and training approaches, and
technologies to combat threats
179
Other Feasibility
Beyond the financial feasibility, there are several
other kinds of feasibility that must be determined
These are organizational, operational, technical, and
political feasibility
180
Organizational Feasibility
Examines how well the proposed information security
alternatives will contribute to the efficiency,
effectiveness, and overall operation of an
organization
181
Operational Feasibility
Addresses user acceptance and support
Management acceptance and support
Overall requirements of the organization’s
stakeholders
Also known as BEHAVIORAL FEASIBILITY because
it measures the behavior of users
182
Technical Feasibility
Examines whether or not the organization has or can
acquire the technology necessary to implement and
support the control alternatives
183
Political Feasibility
For some organizations the most significant feasibility
evaluated may be political
Within organizations, political feasibility defines what
can and cannot occur based on the consensus and
relationships between the communities of interest
184
Risk Appetite
Defines the quantity and nature of risk that an
organization is willing to accept as they evaluate the
tradeoffs between perfect security and unlimited
accessibility
185
Summary
The main takeaway from this chapter should be that
risk plays a significant part in any
discussion about security
For any organization the determination of risk
involves calculating the value of information and the
kinds of threats the information asset may be subject
to
In addition to this calculation an estimate must be
made of the probability of each type of attack
186
Summary
The cost of instituting a control must be compared to
the potential cost that might be incurred in the event
of a successful attack
In some cases it may not be cost appropriate to
institute a control because the potential loss is far less
than the control cost
187