Presentation Title - PolyU


Security Assessment and Methodologies
Michael Poon
NETdefence Co. Limited
08 Nov 2002
([email protected])
Agenda
- Security Basics
- Best Practice in InfoSec Management
- InfoSec Risk Assessment
- Policies, Standards and Procedures
Security is Very Complex
- Security is currently where networking was 15 years ago
- Many parts & pieces
- Complex parts
- Lack of expertise in the industry
- No common GUI
- Lack of standards
- Attacks are growing
Security Basics: Information and Value of Information
- Information
  - Students, staff, plans, procedures, research, reports, mail, contracts, archives, passwords … ALL ARE DATA but NOT ALL ARE INFORMATION
  - Beware: data aggregation can become sensitive information
- Value of Information
  - Impact and value of service
  - Strategic value
  - Exam papers
  - Recovery value
  - Department image and reputation
Security Basics: The triads (SECURITY = QUALITY)
- Integrity: Correctness, Completeness, Validity, Authenticity, Non-repudiation
  vs. Manipulation, Destruction, Falsification, Repudiation
- Availability: Continuity, Punctuality
  vs. Interruption, Delay
- Confidentiality: Exclusivity
  vs. Divulgation
Security Basics: The triads (SECURITY = QUALITY)
- Authentication: Verify Identity
  vs. ID Spoofing, ID Masquerade, Content Modification
- Authorization: Verify Credentials, Grant Rights
  vs. Unauthorized Access
- Accounting: Auditability
  vs. Repudiation
Threats
- Primary Threats
  - Unauthorized access
  - User masquerading
  - Denial of service
  - Physical attack
  - …
- Secondary Threats
  - Introduction of malware
  - Bad security administration
  - Uncontrolled changes
  - Bad architecture, implementation or exploitation
  - Misconfiguration
  - Manual error
  - …
Best Practice InfoSec Management
- ISO/IEC 17799. Information Security Code of Practice (aka BS 7799)
- ISO/IEC 13335. Guidelines for the Management of IT Security (GMITS)
- ITIL Security Management
- Information Security Forum's Standard of Good Practice
- NIST's Principles and Practices for Securing IT Systems
- ISACA's Control Objectives for Information and related Technology (COBIT)
A Security Management Model
Layers: Strategy; Management; Operations; Monitoring & Maintenance; Incident Handling & Forensics
Goals: Prevent, Protect, Control, React
Balanced against: Costs, Operability, Efficiency
A Security Management Model
- Strategy: Define Goals (Availability, Integrity, Responsibility); Sponsorship
- Management: Policies, Standards, Procedures, Reporting, Control, Legal, Training, Awareness, Audit, Technology, PenTest
- Operations: Operate Security; Awareness & Training
- Monitoring & Maintenance: Verify logfiles, controls and alerts; update security; report incidents
- Incident Handling & Forensics: Analyze evidence, restore service, report, lessons learnt, escalation procedures, contingency
ISO17799/BS7799: What is it?
- A comprehensive set of controls comprising best practices in Information Security.
- An internationally recognized generic information security standard covering
  - 10 subject domains;
  - 36 management objectives;
  - 127 controls; and
  - 500 detail controls.
ISO17799/BS7799: History
- UK Government initiative to promote confidence in inter-company trading
- Contributed by Shell, BOC, BT, Marks & Spencer, Midland Bank, Nationwide and Unilever
- First published as DTI Code of Practice as PD 0003 in 1993
- Rebadged and published by British Standards Institution (BSI) as BS7799 … Version 1, in Feb 1995
- Top selling BSI publication in Spring 1996
- Major revision of BS7799 … Version 2 published in May 1999
- Formal certification and accreditation schemes launched by BSI in the same year
- Fast track ISO initiatives accelerated
- Published as ISO standard in Dec 2000
- Increasing international acceptance as the primary de facto industry security standard
BSI Code of Practice Structure: The 10 Subject Domains in Part 1
- Security policy
- Security organization
- Assets classification & control
- Personnel security
- Physical & environmental security
- Computer & network management
- System access control
- System development & maintenance
- Business continuity planning
- Compliance
International Take Up
- BS7799 adopted by UK, Netherlands, Australia, New Zealand, Sweden, Switzerland and Norway since 1999.
- Recommended in US NIST "Generally Accepted Principles for Securing IT Systems"
- High usage in Europe, beginning to penetrate US market
- Certification schemes completed and operational in various countries since 1997
- Five companies received BS7799 certification in Hong Kong as of today.
Component Relationship
- Threats exploit Vulnerabilities and increase Security Risks
- Vulnerabilities expose Assets and increase Security Risks
- Assets have Asset Values and Potential Impacts, which increase Security Risks
- Security Risks indicate Security Requirements
- Security Requirements are met by Security Controls
- Security Controls protect against Threats and reduce Security Risks
What is ISO 13335?
- ISO/IEC 13335: Guidelines for the Management of IT Security (GMITS)
  - ISO/IEC TR 13335-1: 1996 Part 1: Concepts and models for IT Security
  - ISO/IEC TR 13335-2: 1997 Part 2: Managing and planning IT Security
  - ISO/IEC TR 13335-3: 1998 Part 3: Techniques for the management of IT Security
  - ISO/IEC TR 13335-4: 2000 Part 4: Selection of safeguards
  - ISO/IEC WD 13335-5: 1999 Part 5: Management guidance on network security
Risk Assessment Methodology
- Originally developed by the U.S. National Security Agency (NSA) as a standardised INFOSEC Assessment Methodology (IAM) for Department of Defense (DoD) organizations to perform their own INFOSEC assessments.
- A baseline methodology for information systems security assessment in the U.S. Government over the past fifteen years.
(Figure: INFOSEC Assessment Methodology (IAM) developed by the National Security Agency (NSA) of the US Government)
IAM - Baseline Categories
- INFOSEC documentation
- INFOSEC Roles and Responsibilities
- Contingency Planning
- Configuration Management
- Identification & Authentication
- Account Management
- Session Controls
- Auditing
- Virus Protection
- External Connectivity
- Telecommunications
- Back-ups
- Labelling
- Media Sanitization/Disposal
- Physical Environment
- Personnel Security
- Training and Awareness
- Maintenance
Part 2: Risk Assessment

Pre-Assessment
- Planning: aim; scope; boundary; gathering information; system description; target risk & required certainty
- Assessment Preparation

Assessment
- Risk Analysis: identify assets; asset valuation; identify threats; assess likelihood of a compromise; assess consequence of a compromise; identify vulnerabilities; identify safeguards; assess risk
- Recommendations

Post-Assessment
- Policy Framework & Requirement Definition
- Decision on risks: Avoid, Transfer, Reduce or Accept
  - Accept Risk
  - Reduce Risk: Safeguard Selection (administrative, personnel, physical, technical)
  - Avoid or Transfer Risk: Refine System Design
- Construction and Implementation
- Certification
- Decision: change required, significant or insignificant
- Operations and Maintenance
- Accreditation
Assessment Steps

Pre-Assessment
- Planning
- Information Gathering
  - Identify system and information assets
  - Understand the criticality of information and system
  - Pre-analysis
- Output: established assessment boundary and prepared Assessment Plan

Onsite-Assessment
- Risk Analysis
  - Analyse Policy and Standards
  - Asset Identification and Valuation
  - Threat Analysis
  - Vulnerability Assessment
  - Impact and Likelihood Analysis
  - Risk Level Analysis
- Assessment of Risks

Post-Assessment
- Recommendations
- Identification/Review of Constraints
- Risk Acceptance
- Selection of Safeguards
- Output: Final Assessment Report
Risk Analysis
- Qualitative Methodology
  - A qualitative methodology is adopted throughout the assessment, in which scales (e.g. High, Medium, Low, or 0,1,2,3,4) are used in rankings and descriptions.
Risk Analysis
- Asset Identification and Valuation
  - Assets of IT infrastructure and systems within the assessment boundary are identified
  - Each information asset is valued according to its sensitivity or criticality
  - Agree upon the scale to be used and the guideline for assigning a value to an asset, e.g. on a scale of 0-4 based on CIA properties as shown in the table below.
  - Other valuation methods can be used, e.g.
    - Safety
    - Loss of goodwill
    - Financial loss/disruption of activities, etc.

Asset                    Confidentiality   Integrity   Availability
Email Message            3                 3           2
DNS Record               2                 4           3
Firewall Configuration   4                 4           2
Risk Analysis
- Threat and Likelihood Analysis
  - To identify the threats and to determine the likelihood of their occurrence
- Vulnerability and Ease of Exploitation Analysis
  - To identify and analyze the vulnerabilities of the IT infrastructure and systems

Risk level by asset value, level of threat and level of vulnerability (L = Low, M = Medium, H = High):

                Threat: Low      Threat: Medium   Threat: High
Asset   Vuln:   L   M   H        L   M   H        L   M   H
Value
  0             0   1   2        1   2   3        2   3   4
  1             1   2   3        2   3   4        3   4   5
  2             2   3   4        3   4   5        4   5   6
  3             3   4   5        4   5   6        5   6   7
  4             4   5   6        5   6   7        6   7   8
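As an added worked example (not part of the original slides), the risk matrix above combined with the asset valuations from the preceding slide in Python: the matrix is looked up directly, and a check confirms that every cell equals asset value + threat level + vulnerability level. The threat and vulnerability ratings per asset are constructed, and using the highest of an asset's C/I/A values as its asset value is an assumption of this example.

```python
from typing import Dict, Tuple

LEVELS = {"L": 0, "M": 1, "H": 2}  # Low / Medium / High, as on the slide

# Risk matrix from the slide, indexed [asset value 0-4][threat L/M/H][vulnerability L/M/H].
RISK_MATRIX = [
    [[0, 1, 2], [1, 2, 3], [2, 3, 4]],  # asset value 0
    [[1, 2, 3], [2, 3, 4], [3, 4, 5]],  # asset value 1
    [[2, 3, 4], [3, 4, 5], [4, 5, 6]],  # asset value 2
    [[3, 4, 5], [4, 5, 6], [5, 6, 7]],  # asset value 3
    [[4, 5, 6], [5, 6, 7], [6, 7, 8]],  # asset value 4
]

# Asset valuations (C, I, A on the 0-4 scale) copied from the valuation slide.
ASSETS: Dict[str, Tuple[int, int, int]] = {
    "Email Message": (3, 3, 2),
    "DNS Record": (2, 4, 3),
    "Firewall Configuration": (4, 4, 2),
}


def risk_level(asset_value: int, threat: str, vulnerability: str) -> int:
    """Look up the qualitative risk level (0-8) for one asset."""
    if not 0 <= asset_value <= 4:
        raise ValueError("asset value must be on the 0-4 scale")
    return RISK_MATRIX[asset_value][LEVELS[threat.upper()]][LEVELS[vulnerability.upper()]]


def matrix_is_additive() -> bool:
    """Check: every cell of the slide's matrix equals asset value + threat + vulnerability."""
    return all(RISK_MATRIX[a][t][v] == a + t + v
               for a in range(5) for t in range(3) for v in range(3))


def assess(ratings: Dict[str, Tuple[str, str]]) -> Dict[str, int]:
    """Risk per asset, using the highest of its C/I/A values as the asset value
    (an assumption, not from the slides); ratings maps name -> (threat, vulnerability)."""
    return {name: risk_level(max(ASSETS[name]), threat, vuln)
            for name, (threat, vuln) in ratings.items()}


# Constructed threat / vulnerability ratings for the three sample assets.
SAMPLE_RATINGS = {
    "Email Message": ("M", "H"),
    "DNS Record": ("H", "L"),
    "Firewall Configuration": ("L", "M"),
}

if __name__ == "__main__":
    for name, level in sorted(assess(SAMPLE_RATINGS).items(), key=lambda kv: -kv[1]):
        print(f"{name:24s} risk level {level}")
```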
Risk Assessment Report
- Risk Analysis
  - Assets Identification and Valuation
  - Threat and Vulnerability Analysis
  - Impact and Likelihood Analysis
  - Risk Level Analysis
- Assessment of Risks
  - Findings
  - Priority
  - Discussion
  - Recommendation
From Best Practice to Security Management Model

The InfoSec Risk Assessment (Document Review, Interviews, Tests) yields Findings, Risk Analysis and Recommendations: the Risk Assessment Report on the current state of information security. A Gap Analysis against best practice (e.g. ISO 17799) yields the InfoSec Enhancement Plan, structured by the model:

1. STRATEGY
1.1 Continuity of Business
1.2 Quality Criteria
1.3 Sponsorship
2. MANAGEMENT
2.1 Policies, Standards, Procedures
2.2 Awareness & Training
2.3 Legal & Regulatory
2.4 Security Controls & Audit
3. OPERATIONS
3.1 Perimeter Security
3.2 Network Security
3.3 Operating System Security
3.4 Database Security
3.5 Application Security
4. MAINTENANCE
4.1 Technology Watch
4.2 Monitoring
5. INCIDENT HANDLING
5.1 Penetration Testing
5.2 Forensics
Building Information Security Policies, Standards & Procedures

Laws, Regulations & Requirements:
- HKSAR Laws and Legislation
- PCO Guidelines & Regulations
- Best Practice InfoSec Management, e.g. ISO 17799 Standard
- ITS Security Policy
- Departmental Security Requirements

These drive, in turn: Policies -> Standards -> Procedures, Practices -> Guidelines
Step by Step to InfoSec Management

Assess Risk and Determine Needs
1. Recognize information resources as essential organizational assets
2. Develop practical risk assessment procedures that link security to needs and objectives
3. Hold individuals accountable
4. Manage risk on a continuing basis

Establish a Central Management Focal Point
5. Designate a central group to carry out key activities.
6. Provide the central group ready and independent access to senior members.
7. Designate dedicated funding and staff.
8. Enhance staff professionalism and technical skills

Implement Appropriate Policies and Related Controls
9. Link policies to needs and objectives
10. Distinguish between policies and guidelines.
11. Support policies through the central security group.

Promote Awareness
12. Continually educate users and others on risks and related policies
13. Use attention-getting and user-friendly techniques.

Monitor and Evaluate Policy and Control Effectiveness
14. Monitor factors that affect risk and indicate security effectiveness.
15. Use results to direct future efforts and hold individuals accountable.
16. Be alert to new monitoring tools and techniques.
Thank you!