Information Systems Security Management


CMGT 442
Information Systems Risk Management
Philip Robbins – November 21, 2012 (Week 2)
University of Phoenix Mililani Campus
Objectives: Week 2
• Risk Assessment (Part 1)
- Review Week 1: Concepts
- LT Activity: Week 1 & Week 2 Article Readings
- Stuxnet
- Week 2: Components of Risk
- Quiz #2
- Review Week 2: Questions
- Assignments: IDV & LT Papers
- Review Information Sharing Articles
Review: Information Security Services
[Figure: Defense in Depth (DiD) PDR paradigm. PROTECT, DETECT and REACT form the INFORMATION ASSURANCE cycle. Information Security Services (ISS): Confidentiality, Integrity, Availability. Information Assurance Services (IAS): Physical IAS, Identity A&A IAS, Content IAS, Cyber IAS, Configuration IAS, Training IAS, Continuity IAS. Defense in Depth primary elements: PEOPLE, TECHNOLOGY, OPERATIONS.]
Review: Information Assurance Services
[Figure: Information Assurance Framework. The Information Assurance Services (IAS) control measures sit inside a DEFEND, RESPOND, SUSTAIN cycle; the outer ring of functional assessment items (a. to f.) is only partly legible in the transcript, e.g. Maintain Integrity, Protect Secrets, Restore Operations.]
CONTROL MEASURES
1. Physical Security Services
2. Cyber Security Services
3. Continuity of Operations
4. Design, Configuration, Operations & Administration
5. Education Training & Awareness
6. Identity Authentication & Authorization
7. Information Content Conditioning & Control
FUNCTIONAL ASSESSMENT
Source: Cieslak, Randall (Dec 2011). Cyber Fundamentals. USPACOM Chief Information Officer.
Review: NIST SP 800-30
Learning Team Activity
• Activity: Review Week 1 & 2 ‘Article’ Readings
- 15 minutes: Read Articles
- 10 minutes: Answer article questions
- 10 minutes: Present your article to the class
- Submit for credit.
LT Activity: Week 1 Article Readings
• Barr (2011)
- What special issues must be addressed for a risk management strategy that supports user-facing, web-based systems?
- What are the risks associated with disruption of these systems?
• Ledford (2012)
- What special issues must be considered for corporate data which are not fully digitized?
- What are the risks associated with the loss of this data?
- What recovery procedures do you recommend for these situations?
LT Activity: Week 2 Article Readings
• Keston (2008)
- How important is enterprise identity management for reducing risk throughout the enterprise?
- Explain why a viable risk management strategy must include, at a minimum, a solid enterprise identity management process.
• Vosevich (2011)
- What software must be considered to provide adequate security management across the enterprise?
Future Risks
• Weapons in Cyberspace: Are we at war?
• Cyber Crime vs. Cyber Warfare vs. Cyber Conflict
[Figure: CYBER CRIME, CYBER WARFARE and CYBER CONFLICT laid across three categories: ESPIONAGE (Spying / Theft of Information), SABOTAGE (Disruption), ATTACK (Destruction).]
Break?
• This is probably time for a break…
Review: Risk Definition
• What is Risk?
thus
• Units for measurement: Confidentiality, Integrity, Availability
Source:
Robbins, P. (Dec, 2011). Security Risk Analysis and Critical Information Systems. Hawaii Pacific University, Honolulu, HI.
Defining Risk
• Risk is conditional, NOT independent.
Source:
Robbins, P. (Dec, 2011). Security Risk Analysis and Critical Information Systems. Hawaii Pacific University, Honolulu, HI.
Defining Risk
• Expected Value of Risk = Product of Risks
• Risk is never zero: “We can never be 100% confident for protection”
• Risk Dimension (units): confidence in the loss of ISS, C-I-A
“Risk Loss Confidence”
Source:
Robbins, P. (Dec, 2011). Security Risk Analysis and Critical Information Systems. Hawaii Pacific University, Honolulu, HI.
Risk Behavior
Risk Loss Confidence increases through interconnections with other network enclaves (risks)!
[Figure: three interconnected enclaves: Network Enclave #1 (R1 = LOW), Network Enclave #2 (R2 = MED), Network Enclave #3 (R3 = HIGH).]
RiskEV = R1 x R2 x R3
RiskEV = LOW x MED x HIGH
RiskEV = ?
RiskEV = HIGH
Risk Behavior: REV & RLC
• Expected Value and Risk Loss Confidence vs. Cumulative Risk Product
Source:
Robbins, P. (Dec, 2011). Security Risk Analysis and Critical Information Systems. Hawaii Pacific University, Honolulu, HI.
Total Risk
• How do we quantify total risk?
- Average the risk to each Information Security Service:
Source:
Robbins, P. (Dec, 2011). Security Risk Analysis and Critical Information Systems. Hawaii Pacific University, Honolulu, HI.
Risk Component: Threats
• Rapid growth of Advanced Persistent Threats (APTs)
• Half million cases of cyber related incidents in 2012.
- Is this a problem?
- What about vulnerabilities associated with interconnections?
- How does risk management help deal with APTs?
Source: US-CERT
Risk Component: Vulnerabilities
• What are vulnerabilities?
Any flaw or weakness that can be exploited.
– Poorly communicated or implemented policy
– Improperly configured systems or controls
– Inadequately trained personnel
Quantitative Risk Thresholds
Semi-Quantitative Risk Matrix
[Figure: 5x5 matrix of Likelihood (columns) against Impact (rows); the cell ratings are not recoverable from the transcript.]
Impact: Catastrophic (5), Material (4), Major (3), Minor (2), Insignificant (1)
Likelihood: Rare (1), Unlikely (2), Moderate (3), Likely (4), Frequent (5)
Risk Responses
[Figure: 2x2 quadrant of Severity (High / Low) against Frequency (Low / High)]
                  Frequency: Low       Frequency: High
Severity: High    Accept / Transfer    Avoid
Severity: Low     Accept               Accept / Transfer
Risk Responses
• Risk Avoidance
– Halt or stop activity causing risk
• Risk Transference
– Transfer the risk (i.e. buy insurance)
• Risk Mitigation
– Reduce impact with controls/safeguards
• Risk Acceptance
– Understand consequences and accept risk
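The matrix and the response quadrant above, worked through as an added example that is not part of the original slides: it scores a constructed risk register on the deck's 5x5 Impact x Likelihood axes and maps each entry onto the Severity x Frequency responses. The Low/Medium/High score bands and the point at which impact and likelihood count as "High" are assumptions, since the transcript carries the axis labels but not the matrix cell values.

```python
"""Semi-quantitative risk scoring: the deck's 5x5 axes and 2x2 response quadrant.
Added example, not from the original slides. The score bands and the High/Low
severity and frequency split are assumptions (the slides carry the axis labels
but the transcript does not carry the matrix cell values)."""

# Axes exactly as labelled on the Semi-Quantitative Risk Matrix slide.
IMPACT = {"Insignificant": 1, "Minor": 2, "Major": 3, "Material": 4, "Catastrophic": 5}
LIKELIHOOD = {"Rare": 1, "Unlikely": 2, "Moderate": 3, "Likely": 4, "Frequent": 5}

# Assumed Low / Medium / High bands on the 1..25 product (not on the slides).
LOW_MAX, MEDIUM_MAX = 4, 12

# Risk Responses quadrant from the slides: (severity, frequency) -> response.
RESPONSES = {
    ("High", "Low"): "Accept / Transfer",
    ("High", "High"): "Avoid",
    ("Low", "Low"): "Accept",
    ("Low", "High"): "Accept / Transfer",
}

def score(impact, likelihood):
    """Likelihood x Impact on the 5x5 matrix, range 1..25."""
    return IMPACT[impact] * LIKELIHOOD[likelihood]

def rating(impact, likelihood):
    """Qualitative rating from the assumed score bands."""
    s = score(impact, likelihood)
    return "Low" if s <= LOW_MAX else "Medium" if s <= MEDIUM_MAX else "High"

def response(impact, likelihood):
    """Assumed split: impact >= Major is High severity, likelihood >= Moderate is High frequency."""
    severity = "High" if IMPACT[impact] >= IMPACT["Major"] else "Low"
    frequency = "High" if LIKELIHOOD[likelihood] >= LIKELIHOOD["Moderate"] else "Low"
    return RESPONSES[(severity, frequency)]

def assess(register):
    """Rows of (name, score, rating, response), highest score first."""
    rows = [(n, score(imp, lik), rating(imp, lik), response(imp, lik)) for n, imp, lik in register]
    return sorted(rows, key=lambda r: r[1], reverse=True)

# Constructed sample register: (name, impact, likelihood); illustrative entries only.
REGISTER = [
    ("Unpatched public web server", "Major", "Likely"),
    ("Misfiled paper records", "Minor", "Unlikely"),
    ("Flood in the server room", "Catastrophic", "Rare"),
]
```

Calling assess(REGISTER) ranks the register by score and attaches the quadrant response, which is the sorting step the risk-response slide implies but does not show.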
Information Systems Risk Components
• Let’s recap: What are the components of Information Systems Risk?
- Threats & Threat Agents
- Vulnerabilities (Weakness)
- Controls (Safeguards)
- Impact
How is each component important to understanding and managing risk?
Risk Component Relationship
Source: Harris, S. (2010). CISSP all in one exam guide, fifth edition. McGraw-Hill, New York, NY.
Break?
• This is probably time for a break…
Quiz: Week 1
• 10-15 minutes
Week 2 Review Questions
Question #1
What is the likelihood of a threat taking advantage of a vulnerability called?
A. A risk
B. A residual risk
C. An exposure
D. A countermeasure
Question #2
Which of the following combinations best defines risk?
A. Threat coupled with a breach.
B. Threat coupled with a vulnerability.
C. Threat coupled with a breach of security.
D. Vulnerability coupled with an attack.
Question #3
What can be defined as an event that could cause harm to information systems?
A. A risk
B. A threat
C. A vulnerability
D. A weakness
Question #4
What is the definition of a security exposure?
A. An instance of being exposed to losses from a threat
B. Any potential danger to information or systems
C. Any potential danger to information or systems
D. Loss potential due to a threat
Question #5
The absence of a safeguard, or a weakness in a system that may possibly be exploited, is called a?
A. Threat
B. Exposure
C. Vulnerability
D. Risk