OWASP Minneapolis St Paul Local Chapter Proactive Lifecycle Security Management February 16th, 2009


Survey

Which of the following is the responsibility of IT?
• System owner
• Data owner
• System custodian
• All of the above

True or False – The CIO/IT Director is responsible for accepting information and system security risks on behalf of the organization?

True or False – The individual in charge of information security is responsible for:
• Defining security controls
• Implementing security controls
• Managing security controls
• All of the above

Setting the Stage

In the last four years, approximately 250 million records containing personally identifiable information of United States residents stored in government and corporate databases were either lost or stolen. Since little attention was given to database breaches prior to 2005, it is safe to assume that, statistically, every man, woman and child has had their personal information exposed at least once.

Quote from InsideIDTheft.info

Data theft and breaches from cybercrime may have cost businesses as much as $1 trillion globally in lost intellectual property and expenditures for repairing the damage last year, according to a survey of more than 800 chief information officers in the U.S., United Kingdom, Germany, Japan, China, India, Brazil, and Dubai. The respondents estimated that they lost data worth a total of $4.6 billion and spent about $600 million cleaning up after breaches.

McAfee Report - "Unsecured Economies: Protecting Vital Information"

According to the Open Security Foundation's DATALOSSdb, this pie chart (figure not reproduced) represents events involving the loss, theft, or exposure of personally identifiable information (PII) for 2008.

No Lack of Publicity or Victims

Customer loss following data breach

PGP Corporation and the Ponemon Institute annual report U.S. Cost of a Data Breach Study

Cost of Data Breach

PGP Corporation and the Ponemon Institute annual report U.S. Cost of a Data Breach Study

Cost of a Security Bug

Production – Non-Technical Cost: $166,272 for 1000 records; Technical Cost to Fix: $8,500; Total Cost: $174,772
Test – Non-Technical Cost: $1,500/vulnerability (prevent approx. 20 bugs); Technical Cost to Fix: $2,125 (man-power, computer, testing, configuration management); Total Cost: $3,625
Code – Non-Technical Cost: $600; Technical Cost to Fix: $920 (dev, test); Total Cost: $1,520
Design – Non-Technical Cost: $150/vulnerability (prevent approx. 100 bugs); Technical Cost to Fix: $142 (developer, architect time); Total Cost: $292

Courtesy of SecurityCompass – presented at the 2008 Minnesota Government IT Symposium

Non-Technical Costs = breach reporting, regulatory violation (penalties), legal fees

What is the reputational cost: ??????

Security Authorization Process Summary

Security authorization (formerly called certification and accreditation) ensures that, on a near real-time basis, the organization’s senior leaders understand the security state of the information system and explicitly accept the resulting risk to organizational operations and assets, individuals, and other organizations.

“An information system is authorized for operation at a specific point in time based on the risk associated with the current security state of the system.”

Who is this process targeted at?

• Business owners
• Data owners
• Personnel responsible for:
  - Development, acquisition and integration
  - System security
  - Security implementation and operations
• Auditors/assessors

Security Authorization History

Roots go back to the 1983 Federal Information Processing Standard (FIPS) 102

Known by many different names:
• Certification & Accreditation (C&A)
• National Information Assurance Certification & Accreditation Process (NIACAP)
• Defense Information Technology Security Certification and Accreditation Process (DITSCAP)
• DOD Information Assurance Certification and Accreditation Process (DIACAP)
• Director of Central Intelligence Directive (DCID) 6/3

Key Definitions

Information System – A discrete set of information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information

Security Authorization – The testing and/or evaluation of management, operational, and technical security controls in an information system to determine the extent to which the controls are implemented correctly, operating as intended and producing the desired outcome with respect to meeting security requirements for the system

Security Control Assessment – The testing and/or evaluation of the management, operational, and technical security controls in an information system to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system

Security Authorization Boundary – All components of an information system to be authorized for operation by an authorizing official; excludes separately authorized systems to which the information system is connected

Plan of Action and Milestones – A document that identifies tasks needing to be accomplished, resources required to accomplish the elements of the plan, any milestones in meeting the tasks, and scheduled completion dates for the milestones

Security Plan – Formal document that provides an overview of the security requirements for the information system and describes the security controls in place or planned for meeting those requirements

List is not all-inclusive – see NIST SP 800-37, Appendix B, for a more detailed list

Key Process Players

Authorizing Official – A senior official or executive with the authority to formally assume responsibility for operating an information system at an acceptable level of risk to organizational operations, assets, individuals, and other organizations

Information (data) Owner – Official with statutory or operational authority for specified information and responsibility for establishing the controls for its generation, collection, processing, dissemination, and disposal

Information System Owner – Official responsible for the overall procurement, development, integration, modification, operation and maintenance of an information system

Information System Security Officer – Individual assigned responsibility for maintaining the appropriate operational security posture for an information system or program

Security Control Assessor – The individual, group or organization responsible for conducting a security control assessment

!!! Discussion Point: Conflicts of interest !!!

Other Process Roles

• Common Control Provider
• Information System Security Engineer
• Chief/Corporate Security Officer
• Risk Executive Function

Regulatory & Industry Requirements

Payment Card Industry (PCI)
• Requirement # 6 – Develop and maintain secure systems and applications
• Requirement # 6.6 – Application security assessment

Health Insurance Portability and Accountability Act (HIPAA)
• § 164.308 Administrative Safeguards (a)(1)(ii)(A) Risk Analysis

Gramm-Leach-Bliley Act (GLBA)
• Manage & Control Risk requirement

Federal Financial Institutions Examination Council (FFIEC)
• Information Security Booklet
  - Information Security Risk Assessment
  - Systems Development, Acquisition, and Maintenance

Sarbanes-Oxley (SOX)
• Section 404, Management Requirements
• PCAOB Auditing Standard No. 2

Federal Information Security Management Act (FISMA)
• § 3544. Federal agency responsibilities

IRS Publication 1075, Tax Information Security Guidelines for Federal, State and Local Agencies & Entities
• CA-1 Certification, Accreditation, and Security Assessment Policies and Procedures

Federal Energy Regulatory Commission (FERC) – 18 CFR Part 40, Mandatory Reliability Standards for Critical Infrastructure Protection
• CIP-007-1 – Cyber Security – Systems Security Management

Government Accounting Office (GAO) Federal Information System Controls Audit Manual (FISCAM)
• Chapter 4 - Evaluating and Testing Business Process Application Controls

Standards

ISO 27001 – Information Technology – Security Techniques – Information Security Management Systems - Requirements
• Control Objectives and Controls – Internal Organization
  - A.6.1.4 – Authorization process for information processing facilities
  - A.10.4 – System Acceptance

Information Security Forum (ISF) – The Standard of Good Practice for Information Security
• SD - Systems Development

Control Objectives for Information and related Technology (COBIT)
• AI2 – Acquire and Maintain Application Software
• AI4 – Enable Operation and Use
• AI6 – Manage Changes
• AI7 – Install and Accredit Solutions and Changes

Additional Benefits

• “Direct” business participation
• Pre-production security authorization = $avings
• Risk acceptance at the appropriate level of management
• Risks are documented and mitigated
• Business explicitly accepts residual risk and recommended security controls
• Standardization
  - Assessment, documentation and acceptance of security risks
  - Architecture and configuration documentation
  - Documentation (i.e. BCP/DR, policies, asset inventory, etc.)
• Unbiased security controls assessment

Relationship to System Lifecycle

(Diagram not reproduced.) Legend: Dark gray = Acquisition Lifecycle Phases; Light gray = Development Lifecycle Phases

Risk Management Framework

Security Authorization is part of a dynamic risk management process

Security Authorization Process

RMF = Risk Management Function

Preparation Phase

Categorize Information System
• Task 1: Describe the information system
  - Define system boundary
  - Document system in security plan
• Task 2: Register system in organization asset inventory
• Task 3: Determine security category and document in security plan
  - Organizational/business criticality
  - Relationship/impact to other systems
  - Classification of data processed by system

Security Control Selection
• Task: Select security controls and document in security plan
  - System specific (implemented), common (inherited) and/or hybrid controls
  - Controls used to manage system risk (i.e. management controls)
  - Automated system safeguards and countermeasures (i.e. technical controls)
  - Policy, standards, and procedural measures (i.e. operational controls)

Security Plan Approval
• Task: Review and approve the security plan

Authorization Boundary

• Purpose = Reduce cost and complexity, and facilitate more targeted application of security controls
• Must be done before system categorization and security plan development
• Separation of large and complex systems into multiple components or sub-systems. Sub-systems…
  - include data, technology and personnel
  - should generally be under the same direct management control
  - have the same function or mission/business objective
  - have the same operating characteristics and information security needs
  - reside in the same general operating environment
  - reside in different locations with similar operating systems
• Software applications do not require a separate security authorization; rather, include them in the authorization boundary of the host system
• Use common sense

System Security Plan

• Prepared and maintained by the information system owner
• Living document
• Provides overview of security requirements and description of security controls
• Should contain supporting appendices or reference appropriate sources
  - Risk assessments
  - System interconnection diagrams
  - Service level agreements
  - Data flow diagrams
  - Disaster recovery and contingency plans
  - Security configurations
  - Configuration management plan
  - Incident response plan
  - Applicable policies and procedures
  - Hardware and software inventories
• Should be updated whenever events impact agreed upon security controls
  - Vulnerability scan
  - New threat to system
  - Redefinition of business priorities/objectives
  - Addition of new hardware, software or firmware
  - Change to operating environment
  - Addition of new connections
  - Weaknesses or deficiencies discovered (before or after a breach)
• Classify accordingly

Preparation Phase

Implement Security Controls
• Task 1: Implement security controls specified in security plan
• Task 2: Document “implemented” security controls in security plan
  - Functional description
  - Planned inputs
  - Expected behavior and outputs

Security Controls Assessment (examination, interview and test)
• Task 1: Select an assessor
• Task 2: Develop a plan to assess “all” security controls
• Task 3: Review and approve assessment plan
• Task 4: Obtain appropriate documentation needed to assess security controls
• Task 5: Perform assessment
• Task 6: Prepare preliminary assessment report
• Task 7: Review preliminary assessment report with system owner
• Task 8: Perform remediation actions
• Task 9: Assess remediated security controls
• Task 10: Update security assessment report and prepare executive summary
• Task 11: Update security plan
• Task 12: Prepare Plan of Action & Milestones

Authorization - Execution Phase

Authorize Information System
• Task 1: Assemble authorization package to submit to authorizing official for approval
• Task 2: Determine the risk to the organization
• Task 3: Formally accept risk (authorization decision)
  - Compensating controls
  - Risk mitigation strategy
  - Residual risk
• Task 4: Prepare the security authorization decision and document
  - Authorization decision
  - Terms and conditions for the authorization
  - Authorization termination date

Authorization Package (diagram not reproduced): Security Plan + Security Assessment Report + Plan of Action & Milestones, submitted into the Authorization Process

Continuous Monitoring Maintenance Phase

Strategy: Maintain the security authorization for the system over time in a highly dynamic operational environment with changing threats, vulnerabilities, technologies and business processes

Objectives:
• Track the security “state” of a system on a continuous basis
• Ensure security controls are checked for effectiveness on an ongoing basis
• Address the security impact to systems when changes occur to hardware, software, firmware and operational environment
• Provide an effective process for updating security plans, security assessment reports and plans of action and milestones
• Security status reporting to authorizing official

Continuous Monitoring

Program includes:
• Configuration management
• Security impact analysis on actual or proposed changes
• Assessment of selected controls
• Ongoing status reporting to appropriate levels of management
• Active involvement of Information System Owner, Security Control Assessor and Authorizing Official

Continuous Monitoring Continues Until…
• Changes to the system have affected security controls in the system or introduced new vulnerabilities into the system, and;
• Organizational level risk to the business operations, assets or individuals has been affected, or;
• The authorization deadline has passed, then….

“Reauthorization begins!”

Reauthorization

Reauthorization occurs at the discretion of the authorizing official in accordance with federal or organizational policy
• Time Driven
  - Authorization termination date has been reached
• Event Driven
  - Authorizing official changes
  - Routine environment/system changes
  - Significant environment/system changes (per NIST 800-37)
    - Installation of a new or upgraded operating system, middleware component or application
    - Modifications to system ports, protocols or services
    - Installation of a new or upgraded hardware platform or firmware component
    - Modifications to cryptographic modules or services
    - Changes in laws, directives, policies or regulations

NOTE: Event driven reauthorization should be avoided in situations where the continuous monitoring process provides the necessary and sufficient information to the authorizing official to manage the potential risk arising from significant environment or system changes.

Process Implementation “Crawl before you walk, walk before you run”

• If you have to comply with FISMA, you must have a security authorization process in place
  - Based on NIST SP 800-37
  - Flexibility
• Even if you don’t implement this process, consider the value of this process
  - Pre-production assessment
  - Security plan
  - 3rd party assessment
  - Business involvement

Where to get more information

• I-Assure Forum: www.i-assure.com/forums/Default.aspx
• NIST SP 800-37: http://csrc.nist.gov/publications/drafts/800-37-Rev1/SP800-37-rev1-IPD.pdf
• Books
  - FISMA Certification & Accreditation Handbook by Laura Taylor (ISBN-10: 1597491160)
  - Building and Implementing a Security Certification and Accreditation Program by Patrick D. Howard (ISBN-10: 0849320623)

2009 Prediction

“More and more private sector companies and universities will have to comply with FISMA. Why? Many companies that are government contractors are being required to comply with FISMA already as a stipulation in their contracts with the government. Organizations that accept grants from the government are increasingly being required to comply with FISMA.”

“FISMA 2008 will pass and government CISOs will become more empowered.”

Laura Taylor, Founder of Relevant Technologies and author of the “FISMA Certification & Accreditation Handbook”

Status of FISMA Related NIST Publications

• SP 800-30, Revision 1: Guide for Conducting Risk Assessments – February 2010
• SP 800-37, Revision 1: Guide for the Security Authorization of Federal Information Systems: A Security Life Cycle Approach – June 2009
• SP 800-39: Managing Risk from Information Systems: An Organizational Perspective – July 2009
• SP 800-53A, Revision 1: Guide for Assessing the Security Controls in Federal Information Systems – December 2009
• SP 800-CM: Guide for Security Configuration Management and Control (Publication number TBD) – November 2009

Points to Remember

• Assess a defined environment (authorization boundary), not the world
• Security authorization is an ongoing process
• Security control assessors make recommendations; they do not accept risk or approve mitigating controls on behalf of the organization
• Risk acceptance is the sole responsibility of the authorizing official
• Reuse and share security control development, implementation, and assessment-related information to reduce cost and time
• An active continuous monitoring program reduces time and effort

Let’s try again!

Which of the following is the responsibility of IT?
• System owner
• Data owner
• System custodian
• All of the above

True or False – The CIO/IT Director is responsible for accepting information and system security risks on behalf of the organization?

True or False – The individual in charge of information security is responsible for:
• Defining security controls
• Implementing security controls
• Managing security controls
• All of the above

Questions

Thank You!

Rick Ensenbach CISSP-ISSMP, CISA, CISM [email protected]

651-201-2790