ISA 562
Internet Security Theory & Practice
Information Security Management
CISSP Topic 1
Objectives
• Roles and responsibilities of individuals in a security program
• Security planning in an organization
• Security awareness in the organization
• Differences between policies, standards, guidelines and procedures as related to security
• Risk management practices and tools
Introduction
• Purpose of information security is to protect an organization's valuable resources, such as information, hardware and software.
• Should be designed to increase organizational success.
• Information systems are often critical assets that support the mission of an organization
Information Security TRIAD
IT Security Requirements - I
• Security solutions should be designed with two main focus areas:
1. Functional Requirements:
   – Defines security behavior of the control measures
   – Selected based on risk assessment
   – Properties:
     – They should not depend on another control:
       • Why?
     – They should fail safe by maintaining security of the system in the event of a failure:
       • Why?
IT Security Requirements - II
2. Assurance Requirements:
   • Provides confidence that security functions are performing as expected.
   • Examples:
     – Internal/External Audit
     – Threat Risk Assessments
     – Third Party reviews
     – Compliance to best practices
3. Example for Functional vs. Assurance:
   – Functional requirement: a network firewall permits or denies traffic.
   – Assurance requirement: logs are generated and monitored
Organizational & Business Requirements
• Focus on organizational mission:
  – Business driven
• Depends upon organizational type:
  – Example: military, government and commercial.
• Must be sensible and cost effective
  – Solutions must be developed with due consideration of the mission and environment of the business
IT Security Governance
• Integral part of overall corporate governance:
  – Must be fully integrated into the overall risk-based threat analysis
• Also ensures that the IT infrastructure of the company:
  – Meets the AIC requirements.
  – Supports the strategies and objectives of the company.
  – Includes service level agreements when outsourced.
Security Governance Major Parts
1. Leadership:
   1. Security leaders must be fully integrated into the company leadership where they can be heard.
2. Structure:
   1. It occurs at many different levels of the organization and is in a layered approach.
3. Processes:
   1. By following internationally accepted “best practices”:
      – Job rotation, separation of duties, least privilege, mandatory vacations, etc.
   2. Some examples of standards: ISO 17799 & ISO 27001:2005
Security Blueprints
• Provide a structure for organizing requirements and solutions.
  – They are used to ensure that security is considered from a holistic view.
• Used to identify and design security requirements
• Infrastructure Security Blueprints
Policy overview
1. Operational environment is a complex web of laws, regulations, requirements, competitors and partners
2. These change frequently and interact with each other within this environment
3. Management must develop and publish overall security statements addressing:
   1. Security policies and their supporting elements such as standards, baselines and guidelines.

Policy overview
Functions of Security Policy - I
1. Provides management’s goals and objectives in writing
2. Documents compliance
3. Creates the security culture
4. Anticipates and protects others from surprises
5. Establishes the security activity/function
6. Holds individuals personally responsible/accountable
Functions of Security Policy - II
• Address foreseeable conflicts
• Ensures employees and contractors are aware of organizational policy and changes
• Mandates an incident response plan
• Establishes process for exception handling, rewards, discipline
Policy Infrastructure
1. High level policies are interpreted into a number of functional policies.
2. Functional policies are derived from the overarching policy of the organization and
   1. create the foundation for the procedures, standards, and baselines to accomplish the security objectives
3. Functional policies gain their credibility from senior management’s buy-in.
Example Functional Policies
1. Data classification
2. Certification and accreditation
3. Access control
4. Outsourcing
5. Remote access
6. Acceptable Internet usage
7. Privacy
8. Dissemination control
9. Sharing control
Policy Implementation
• Standards, procedures, baselines, and guidelines turn the objectives and goals established by management in the overarching and functional policies into actionable and enforceable actions for the employees.
Standards and Procedures
1. Standards: adoption of common hardware and software mechanisms and products throughout the enterprise.
   1. Examples: desktop, anti-virus, firewall
2. Procedures: required step-by-step actions which must be followed to accomplish a task.
3. Guidelines: recommendations for security product implementations, procurement and planning, etc.
   1. Examples: ISO 17799, Common Criteria, ITIL
Baselines
• Benchmarks used to ensure that a minimum level of security configuration is provided across multiple implementations and systems.
  – They establish consistent implementation of security mechanisms.
  – Platform unique
• Examples:
  – VPN setup
  – IDS configuration
  – Password rules
Three Levels of Security Planning
1. Strategic planning: long term
   1. Focuses on the high-level, long-range organizational requirements
   2. Examples: overarching security policy
2. Tactical level planning: medium term
   1. Focus on events that will affect the entire organization.
   2. Examples: functional plans
3. Operational planning: short term
   1. Fighting fires at the keyboard level; this directly affects the ability of the organization to accomplish its objectives.
Organizational Roles and Responsibilities
• Every actor has a role:
  – Entails responsibility
  – Must be clearly communicated and
  – Understood by all actors.
• Specific duties associated with the role must be assigned
• Examples:
  – Securing email
  – Reviewing violation reports
  – Attending awareness training
Specific Roles and Responsibilities (duties) - 1
• Executive management:
  – Publish and endorse security policy
  – Establishing goals, objectives
  – Overall responsibility for asset protection
• Information systems security professionals:
  – Security design, implementation, management
  – Review of the organization's security policies
Specific Roles and Responsibilities - 2
• Owners:
  – Information classification
  – Set user access conditions
  – Decide on business continuity priorities
• Custodians:
  – Security of the information entrusted to them
• Information system auditor:
  – Auditing assurance guarantees
• Users:
  – Compliance with procedures (AIC) and policies
Personnel Security: Hiring Staff
• Background checks/security clearances
• Check references/educational records
• Sign employment agreement
  – Examples:
    • Non-disclosure agreements
    • Non-compete agreements
• Low level checks
• Consult the Human Resources (H.R.) department
• Termination procedures
Third Party Considerations
• Established procedures to address these groups on an individual basis.
• Examples of third parties are:
  – Vendors/suppliers
  – Contractors
  – Temporary employees
  – Customers
Personnel Good Practices
• Job description and defined roles and responsibilities
• Least privilege/need to know
• Compliance with need to share
• Separation of duties
• Job rotation
• Mandatory vacations
Security Awareness
• Awareness training
  – Provides employees with a reminder of their security responsibilities.
  – Motivates personnel to comply with requirements
  – Examples:
    • Videos
    • Newsletters
    • Posters
    • Key-chains, etc.
Training and Education
• Job training
  – Provides skills needed to perform the security functions in their jobs.
  – Focus on security-related job skills
  – Specifically address security requirements of the organization, etc.
• Professional education
  – Provides decision-making and security management skills that are important for the success of an organization's security program.
Good Training Practices
• Address the audience
  – Management
  – Data owner and custodian
  – Operations personnel
  – User
  – Support personnel
Risk from NIST SP 800-30
• Risk is a function of the likelihood of a given threat-source’s exercising a particular potential vulnerability, and the resulting impact of that adverse event on the organization (SP 800-30)
Definitions Related to Risk
• Threat: the potential for a mal-actor to exercise a specific vulnerability.
• Vulnerability: a flaw or weakness in system security procedures, design, implementation or internal controls that could be exercised and could result in a security breach or violation of the system's security policy.
• Likelihood: the probability that a potential vulnerability may be exercised within the threat environment.
• Countermeasures: a risk reduction control
  – May be technical, operational or management controls, or a combination of these types
Risk Management Concept Flow
Risk Management Definitions
• Asset: something that is valued by the organization to accomplish its goals and objectives
• Threat: any potential danger to information or an information system.
  – Examples:
    • Unauthorized access, hardware failure, loss of key personnel
• Threat agent: anything that has the potential of causing a threat.
• Exposure: an opportunity for a threat to cause loss.
• Vulnerability: a weakness that could be exploited.
• Attack: an intentional action trying to cause harm.
• Countermeasures and safeguards: those measures and actions that are taken to protect systems.
• Risk: the probability that some unwanted event could occur
• Residual risk: the amount of risk remaining after countermeasures and safeguards are applied
Risk Management
• The purpose of risk management is to identify potential problems
  – Before they occur
  – So that risk-handling activities may be planned and invoked as needed
  – Across the life of the product or project
The Risk Equation
Risk Factors
• Risk arises when threat agents attack assets and vulnerabilities are present
• Residual risk remains when threat agents attack assets and countermeasures are in place but are not sufficient
Risk Management
• Risk management identifies and reduces total risks (threats, vulnerabilities, & asset value)
• Mitigating controls: safeguards & countermeasures reduce risk
• Residual risk should be set to an acceptable level
Purpose of Risk Analysis
• Identifies and justifies risk mitigation efforts
  – Identifies the threats to business processes and information systems
  – Justifies the implementation of specific countermeasures to mitigate risk
• Describes current security posture
• Conducted based on risk to the organization's objectives/mission
Benefits of Risk Analysis
• Focuses policy and resources
• Identifies areas with specific risk requirements
• Part of good IT governance
• Supports
  – Business continuity process
  – Insurance and liability decisions
  – Legitimizes security awareness programs
Emerging Threat Factors
• Risk assessment must also address emerging threats
  – New technology
  – Change in culture of the organization or environment
  – Unauthorized use of technology, etc.
• Can come from many different areas
• May be discovered by periodic risk assessments
Sources to Identify Threats
• Users
• Systems administrators
• Security officers
• Auditors
• Operations
• Facility records
• Community and government records
• Vendor/security provider alerts
• Other types of threats:
  – Natural disasters: flood, tornado, etc.
  – Environment: overcrowding or poor morale
  – Facility: physical security or location of building
Risk Analysis Key Factors
• Obtain senior management support
• Establish the risk assessment team
  – Define and approve the purpose and scope of the risk assessment team
  – Select team members
  – State the official authority and responsibility of the team
  – Have management review findings and recommendations
• Risk team members
  – Some of the areas which should be included:
    • Information system security, IT & operations management, internal audit, physical security, etc.
Use of Automated Tools for Risk Management
• Objective is to minimize manual effort
• Can be time consuming to set up
• Perform calculations quickly
  – Estimate future expected losses
  – Determine the benefit of security measures
Preliminary Security Evaluation
• Identify vulnerabilities
• Review existing security measures
• Document findings
• Obtain management review and approval
Risk Analysis Types
• Two types of risk analysis
  – Quantitative risk analysis
  – Qualitative risk analysis
• Both provide valuable metrics
• Both are often required to get a full picture
Quantitative Risk Analysis
• Assign independently objective numeric monetary values
• Fully quantitative if all elements of the risk analysis are quantified
• Difficult to achieve
• Requires substantial time and personnel resources
Determining Asset Value
• Cost to acquire, develop, and maintain
• Value to owners, custodians, or users
• Liability for protection
• Recognize cost and value in the real world
  – Price others are willing to pay
  – Value of intellectual property
  – Convertibility/negotiability
Quantitative Analysis Steps
1. Estimate potential losses
   – SLE: Single Loss Expectancy
     • SLE = Asset Value ($) X Exposure Factor (%)
     • Exposure Factor = % of asset loss when the threat is successful
     • Types of loss to consider
       – Physical destruction/theft, loss of data, etc.
2. Conduct threat analysis
   – ARO: Annual Rate of Occurrence
     • Expected number of exposures/incidents per year
     • Likelihood of an unwanted event happening
3. Determine Annual Loss Expectancy (ALE)
   – Combine potential loss and rate/year
   – Magnitude of risk = Annual Loss Expectancy
   – Purpose of ALE
   – Justify security countermeasures
   – ALE = SLE * ARO
Qualitative Risk Analysis
• Scenario oriented
  – Does not attempt to assign absolute numeric values to risk components
• Purely qualitative risk analysis is possible
• Qualitative risk analysis factors
  – Rank seriousness of the threats and sensitivity of assets
  – Perform a carefully reasoned risk assessment
Other Risk Analysis Methods
• Failure modes and effects analysis
  – Potential failures of each part or module
  – Examine effects of failure at three levels
    • Immediate level (part or module)
    • Intermediate level (process or package)
    • System-wide
• Fault tree analysis
  – Sometimes called “spanning tree analysis”
  – Create a “tree” of all possible threats to, or faults of, the system
    • “Branches” are general categories such as network threats, physical threats, component failures, etc.
    • Prune “branches” that do not apply
    • Concentrate on remaining threats.
Risk Mitigation Options
• Risk acceptance
• Risk reduction
• Risk transference
• Risk avoidance
The Right Amount of Security
• Cost/benefit analysis: balance between the cost to protect and asset value
• To estimate, need to know:
  – Asset value
  – Threats, adversary, means, motives, and opportunity
  – Vulnerabilities and resulting risk
  – Countermeasures
  – Risk tolerance
Countermeasures Selection Principles
• Based on cost/benefit analysis, total cost of safeguard:
  – Selection and acquisition
  – Construction and placement
  – Environment modification
  – Nontrivial operating cost
  – Maintenance, testing
  – Potential side effects
• Cost must be justified by the potential loss
• Accountability
  – At least one person for each safeguard
  – Associate directly with performance reviews
• Absence of design secrecy
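The quantitative analysis steps (SLE = AV × EF, ALE = SLE × ARO) and the cost/benefit test for selecting a safeguard, worked through in code. This is an added example, not part of the lecture slides; the net-value formula (ALE before the safeguard, minus ALE after it, minus its annual cost) is the standard CISSP cost/benefit rule and is assumed here, and every asset value, exposure factor, rate and cost is a constructed sample figure.

```python
"""Quantitative risk analysis and safeguard cost/benefit (added example, not from the slides).
Slide formulas: SLE = AV * EF and ALE = SLE * ARO. The net-value test for a safeguard
(ALE before - ALE after - annual safeguard cost) is the standard CISSP cost/benefit
formula, assumed here; every dollar figure, EF and ARO below is a constructed sample."""
from dataclasses import dataclass


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE = Asset Value ($) x Exposure Factor (fraction of the asset lost per incident)."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be a fraction between 0 and 1")
    return asset_value * exposure_factor


def annual_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE x ARO; ARO is expected incidents per year and may be below 1 (e.g. 0.1)."""
    if aro < 0.0:
        raise ValueError("ARO cannot be negative")
    return sle * aro


@dataclass
class Safeguard:
    name: str
    annual_cost: float      # acquisition, operation and maintenance, per year
    ef_after: float         # exposure factor once the safeguard is in place
    aro_after: float        # annual rate of occurrence once the safeguard is in place


def safeguard_value(asset_value: float, ef: float, aro: float, sg: Safeguard) -> float:
    """Net annual value of a safeguard: ALE_before - ALE_after - annual cost.
    A negative result means the control costs more per year than the loss it prevents."""
    ale_before = annual_loss_expectancy(single_loss_expectancy(asset_value, ef), aro)
    ale_after = annual_loss_expectancy(single_loss_expectancy(asset_value, sg.ef_after), sg.aro_after)
    return ale_before - ale_after - sg.annual_cost


def rank_safeguards(asset_value, ef, aro, candidates):
    """Return (name, net value) pairs, best first, so management can justify the choice."""
    scored = [(sg.name, safeguard_value(asset_value, ef, aro, sg)) for sg in candidates]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


if __name__ == "__main__":
    # Constructed scenario: a customer database valued at $200,000; a ransomware
    # incident destroys 60% of its value and is expected once every two years.
    AV, EF, ARO = 200_000.0, 0.60, 0.5
    sle = single_loss_expectancy(AV, EF)
    print(f"SLE = ${sle:,.0f}   ALE = ${annual_loss_expectancy(sle, ARO):,.0f}")
    options = [
        Safeguard("offline backups", annual_cost=8_000, ef_after=0.10, aro_after=0.5),
        Safeguard("EDR platform", annual_cost=30_000, ef_after=0.60, aro_after=0.1),
        Safeguard("enterprise DLP", annual_cost=70_000, ef_after=0.05, aro_after=0.1),
    ]
    for name, value in rank_safeguards(AV, EF, ARO, options):
        print(f"{name:16s} net annual value = ${value:>10,.0f}")
```

In the sample scenario the cheap backup control ranks first and the most expensive control has a negative net value, which is exactly the "cost must be justified by the potential loss" test from the selection principles.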
Countermeasures Selection Principles (continued)
• Audit capability
  – Must be testable
  – Include auditors in design and implementation
• Vendor trustworthiness
  – Review past performance
• Independence of control and subject
  – Safeguards control/constrain subjects
  – Controllers administer the safeguards
  – Controllers and subjects are from different populations
• Universal application
  – Impose safeguards uniformly
  – Minimize exceptions
Countermeasures Selection Principles (continued)
• Compartmentalization and defense in depth
  – Safeguard’s role
  – Consider improving security through layers of security
• Isolation, economy and least common mechanism
  – Isolate from other safeguards
  – Simple design is more cost effective and reliable, etc.
• Acceptance and tolerance by personnel
  – Care must be taken to avoid implementing controls that pose unreasonable constraints
  – Less intrusive controls are more acceptable
• Minimize human intervention
  – Reduces the possibility of errors and “exceptions” by reducing the reliance on administrative staff to maintain the control
Countermeasures Selection Principles (continued)
• Sustainability
• Reaction and recovery
  – Countermeasures should do the following when activated:
    • Avoid asset destruction and stop further damage
    • Prevent disclosure of sensitive information through a covert channel
    • Maintain confidence in system security
    • Capture information related to the attack and attacker
• Override and fail-safe defaults
• Residual and reset
Basis and Origin of Ethics
• Religion, law, tradition, culture
• National interest
• Individual rights
• Enlightened self interest
• Common good/interest
• Professional ethics/practices
• Standards of good practice
Ethics
• Formal ethical theories
  – Teleology: ethics in terms of goals, purposes, or ends
  – Deontology: ethical behavior is duty
• Common ethical fallacies
  – Computers are a game
  – Law-abiding citizen, free information
  – Shatterproof
  – Candy-from-a-baby
  – Hackers
• Difficult to define
  – Start with senior management
Codes of Ethics - Examples
• Relevant professional codes of ethics include:
• Internet Activities Board (IAB)
  – Any activity is unethical & unacceptable that purposely:
    » Seeks to gain unauthorized access to Internet resources
    » Disrupts the intended use of the Internet
    » Wastes resources through such actions
    » Destroys the integrity of computer-based information
    » Compromises the privacy of users
    » Involves negligence in the conduct of Internet-wide experiments
Codes of Ethics - Examples
• Relevant professional codes of ethics include:
  – (ISC)2 and other professional codes:
    • (ISC)2 Code of Ethics preamble
      – Protect society, the commonwealth, and the infrastructure
      – Provide diligent and competent services to principals, etc.
  • Auditors
• Professional codes may have legal importance
References
• (ISC)2 CBK material
• (ISC)2 Official Guide
• CISSP All-in-One