




Information Security and Its Impact on Business
Prof. Chi-Chun Lo, National Chiao Tung University, Oct 5, 2006

INTRODUCTION

What if someone asks your CEO: "How Secure is Your Corporation?"
- One foot in ice water and one foot in boiling water does not mean that on average you are at room temperature.
- Corporations are not monolithic, and all parts of the business don't have (or necessarily need) the same level of security.
- Security is not an end state, nor can it be judged by measuring any single variable at any single point in time.

Selling Security is Still a Challenge
- Is the glass half empty, or is it half full?
- "Security is like the brakes on your car. Their function is to slow you down. But their purpose is to allow you to go fast." (Bill Malick, Gartner)

Scope of Security
[diagram] System Security (mostly technical issues); Hardware; Organization; Culture; Behavior; Policy; Risk Management; Standards; Legal Rights; etc.

Causes of Information Damage
[chart]

Information Security
- High dependence on information as a contributing factor of success or failure created the need for information security and control.
- Information security definition: preservation of confidentiality, integrity and availability of information and information systems.
- The objective of information security is to ensure the continuity of business management and to reduce interruptions of business by preventing and minimizing the consequences of security incidents.
- Information security relates to all controls aimed at protecting the availability, integrity and confidentiality of information.

Information Security Components
- Reliability: the degree to which the organization can depend upon an information system for its provision of information.
- Its components: Confidentiality (Exclusivity), Integrity, Availability.

Business Model for Information Security
[diagram] Nodes: Vulnerabilities, Threats, Legislation, Identity Mgmt, Assurance, Controls, Business Impacts, Confidentiality/Integrity/Availability, Assets, Business Risks. Edge labels: "exposing", "to a loss of", "causing", "which are mitigated by", "which require", "exploit", "which protect against", "reduce".

Security Systems Development Life Cycle (SSDLC)
- A systematic way of providing information security.
- Phases:
  - Phase 1: Investigation (including policy and procedure, etc.)
  - Phase 2: Analysis (including risk management, etc.)
  - Phase 3: Logical Design (including standards, etc.)
  - Phase 4: Physical Design (including technology selection, etc.)
  - Phase 5: Implementation
  - Phase 6: Maintenance and Change

POLICY and PROCEDURE

Policy and Procedure
- A policy is typically a document that outlines specific requirements or rules that must be met. In the information/network security realm, policies are usually point-specific, covering a single area. For example, an "Acceptable Use" policy would cover the rules and regulations for appropriate use of the computing facilities.
- A standard is typically a collection of system-specific or procedural-specific requirements that must be met by everyone. For example, you might have a standard that describes how to harden a Windows NT workstation for placement on an external (DMZ) network. People must follow this standard exactly if they wish to install a Windows NT workstation on an external network segment.
- A guideline is typically a collection of system-specific or procedural-specific "suggestions" for best practice. They are not requirements to be met, but are strongly recommended. Effective security policies make frequent references to standards and guidelines that exist within an organization.

A Security Policy Framework
- Policies define appropriate behavior.
- Policies set the stage in terms of what tools and procedures are needed.
- Policies communicate a consensus.
- Policies provide a foundation for HR action in response to inappropriate behavior.
- Policies may help prosecute cases.

Importance of Security Policies
- Security policies are an absolute must for any organization. They provide the virtual glue to hold it all together.
- Policies lay the groundwork. Imagine a small city that did not have any rules. What would life be like? The same applies to your organization.

Who and What to Trust
- Trust is a major principle underlying the development of security policies.
- Initial step is to determine who gets access.
- Deciding on level of trust is a delicate balancing act: too much trust may lead to eventual security problems; too little trust may make it difficult to find and keep employees or get jobs done.
- How much should you trust people regarding their access or usage of computer and network resources?

Possible Trust Models
- Trust everyone all of the time: easiest to enforce, but impractical; one bad apple can ruin the whole barrel.
- Trust no one at no time: most restrictive, but also impractical; difficult to staff positions.
- Trust some people some of the time: exercise caution in the amount of trust given; access is given out as needed; technical controls are needed to ensure trust is not violated.

Why the Political Turmoil?
- People view policies as an impediment to productivity, as measures to control behavior.
- People have different views about the need for security controls.
- People fear policies will be difficult to follow and implement.
- Policies affect everyone within the organization.

Who Should Be Concerned?
- Users: policies will affect them the most.
- System support personnel: they will be required to implement, comply with and support the policies.
- Managers: they are concerned about protection of data and the associated cost of the policy.
- Company lawyers and auditors: they are concerned about company reputation and responsibility to clients/customers.

The Policy Design Process
- Choose the policy development team.
- Designate a person or a group to serve as the official policy interpreter.
- Decide on the scope and goals of the policy. Scope should be a statement about who is covered by the policy.
- Decide on how specific to make the policy: it is not meant to be a detailed implementation plan; don't include facts which change frequently.

The Policy Design Process (continued)
- A sample of people affected by the policy should be provided an opportunity to review and comment.
- A sampling of the support staff affected by the policy should have an opportunity to review it.
- Incorporate policy awareness as a part of employee orientation.
- Provide a refresher overview course on policies once or twice a year.

Basic Policy Requirements
- Policies must: be implementable and enforceable; be concise and easy to understand; balance protection with productivity.
- Policies should: state reasons why the policy is needed; describe what is covered by the policies; define contacts and responsibilities; discuss how violations will be handled.

Level of Control
- Security needs and culture play a major role.
- Security policies MUST balance level of control with level of productivity.
- If policies are too restrictive, people will find ways to circumvent controls.
- Technical controls are not always possible.
- You must have management commitment on the level of control.
Policy Structure
- Dependent on company size and goals.
- One large document or several small ones; smaller documents are easier to maintain and update.
- Some policies are appropriate for every site, others are specific to certain environments.
- Some key policies: acceptable use, remote access, information protection, perimeter security, baseline host/device security.

The Acceptable Use Policy
- Discusses and defines the appropriate use of the computing resources.
- Users should be required to read and sign the account usage policy as part of the account request process.
- A key policy that all sites should have.

Remote Access Policy
- Outlines and defines acceptable methods of remotely connecting to the internal network.
- Essential in a large organization where networks are geographically dispersed and even extend into the homes.
- Should cover all available methods to remotely access internal resources: dial-in (SLIP, PPP), ISDN, frame relay, telnet/ssh access from the internet, cable modem, VPN, DSL.

Information Protection Policy
- Provides guidelines to users on the processing, storage and transmission of sensitive information.
- Main goal is to ensure information is appropriately protected from modification or disclosure.
- May be appropriate to have new employees sign the policy as part of their initial orientation.
- Should define sensitivity levels of information.

The Perimeter Security Policy
- Describes, in general, how perimeter security is maintained.
- Describes who is responsible for maintaining it.
- Describes how hardware and software changes to perimeter security devices are managed and how changes are requested and approved.

Virus Protection and Prevention Policy
- Provides baseline requirements for the use of virus protection software.
- Provides guidelines for reporting and containing virus infections.
- Provides guidelines for several levels of virus risk.
- Should discuss requirements for scanning email attachments.
- Should discuss policy for the download and installation of public domain software.
- Should discuss frequency of virus data file updates.
- Should discuss testing procedures for installation of new software.

Password Policy
- Provides guidelines for how user-level and system-level passwords are managed and changed.
- Discusses password construction rules.
- Provides guidelines for how passwords are protected from disclosure.
- Discusses application development guidelines for when passwords are needed.
- Discusses the use of SNMP community strings and pass-phrases.

Other Important Policies
- A policy which addresses forwarding of email to offsite addresses.
- A policy which addresses wireless networks.
- A policy which addresses baseline lab security standards.
- A policy which addresses baseline router configuration parameters.
- A policy which addresses requirements for installing devices on a dirty network.

Security Procedures
- Policies only define "what" is to be protected. Procedures define "how" to protect resources and are the mechanisms to enforce policy.
- Procedures define detailed actions to take for specific incidents.
- Procedures provide a quick reference in times of crisis.
- Procedures help eliminate the problem of a single point of failure (e.g. an employee suddenly leaves or is unavailable in a time of crisis).

Configuration Management Procedure
- Defines how new hardware/software is tested and installed.
- Defines how hardware/software changes are documented.
- Defines who must be informed when hardware and software changes occur.
- Defines who has authority to make hardware and software configuration changes.

Data Backup and Off-site Storage Procedures
- Defines which file systems are backed up.
- Defines how often backups are performed.
- Defines how often storage media is rotated.
- Defines how often backups are stored off-site.
- Defines how storage media is labeled and documented.

Incident Handling Procedure
- Defines how to handle anomaly investigation and intruder attacks.
- Defines areas of responsibility for members of the response team.
- Defines what information to record and track.
- Defines who to notify and when.
- Defines who can release information and the procedure for releasing the information.
- Defines how a follow-up analysis should be performed and who will participate.

RISK MANAGEMENT

Risk
- Risk is the likelihood of the occurrence of a vulnerability, multiplied by the value of the information asset, minus the percentage of risk mitigated by current controls, plus the uncertainty of current knowledge of the vulnerability.

What is Risk?
- A definable event
- Probability of occurrence
- Impact of occurrence
- A risk occurs when the problem happens
- Loss expectancy that a threat might exploit a vulnerability

Relationship among different security components
[diagram] Nodes: Threat Agent, Threat, Vulnerability, RISK, Exposure, Safeguard. Edge labels, in order around the cycle: "gives rise to", "exploits", "leads to", "can damage", "and causes an", "can be countermeasured by a", "directly affects".

Vulnerability Identification
- Vulnerability is a software, hardware, or procedural weakness that may provide an attacker the open door to enter a system.
- Specific avenues threat agents can exploit to attack an information asset are called vulnerabilities.
- Examine how each threat could be perpetrated and list the organization's assets and vulnerabilities.
- The process works best when people with diverse backgrounds within the organization work iteratively in a series of brainstorming sessions.
- At the end of the risk identification process, a list of assets and their vulnerabilities is achieved.

Risk Mitigation
- Understand security risk
- Understand technology
- Accept risk: documentation of risk acceptance is a form of mitigation
- Defer or transfer risk: insurance
- Mitigate risk: technology can mitigate risk

Risk Management Process: How to Develop a Security Risk Management Process
- Security risk management process: a process for identifying, prioritizing, and managing risk to an acceptable level within the organization.
- Developing a formal security risk management process must address the following: threat response time; regulatory compliance; infrastructure management costs; risk identification and assessment (prioritization).

Successful Factors for Security Risk Management Process
- Key factors to implementing a successful security risk management process include: executive sponsorship; a well-defined list of risk management stakeholders; organizational maturity in terms of risk management; an atmosphere of open communications and teamwork; a holistic view of the organization; the security risk management team's authority.

Risk Management Process: Risk Assessment Flowchart (Input / Risk Assessment Activities / Output)
- Step 1, System Characterization. Input: hardware, software, system interfaces, data and information, people, system mission. Output: system boundary, system functions, system and data criticality, system and data sensitivity.
- Step 2, Threat Identification. Input: history of system attack, data from intelligence agencies (NIPC, OIG, FedCIRC, mass media). Output: threat statement.
- Step 3, Vulnerability Identification. Input: reports from prior risk assessments, any audit comments, security requirements, security test results. Output: list of potential vulnerabilities.
- Step 4, Control Analysis. Input: current controls, planned controls. Output: list of current and planned controls.
- Step 5, Likelihood Determination. Input: threat-source motivation, threat capacity, nature of vulnerability, current controls. Output: likelihood rating.
- Step 6, Impact Analysis (loss of integrity, loss of availability, loss of confidentiality). Input: mission impact analysis, asset criticality assessment, data criticality, data sensitivity. Output: impact rating.
- Step 7, Risk Determination. Input: likelihood of threat exploitation, magnitude of impact, adequacy of planned or current controls. Output: risks and associated risk levels.
- Step 8, Control Recommendations. Output: recommended controls.
- Step 9, Results Documentation. Output: risk assessment report.

Risk Mitigation Flowchart (Input / Risk Mitigation Activities / Output)
- Step 1, Prioritize Actions. Input: risk levels from the risk assessment report. Output: actions ranking from high to low.
- Step 2, Evaluate Recommended Control Options (associated costs, feasibility). Input: risk assessment report. Output: list of possible controls.
- Step 3, Conduct Cost-Benefit Analysis (impact of implementing, impact of not implementing, associated costs). Output: cost-benefit analysis.
- Step 4, Select Controls. Output: selected controls.
- Step 5, Assign Responsibility. Output: list of responsible persons.
- Step 6, Develop Safeguard Implementation Plan (risks and associated risk levels, prioritized actions, recommended controls, selected planned controls, responsible persons, start date, target completion date, maintenance requirements). Output: safeguard implementation plan.
- Step 7, Implement Selected Controls. Output: residual risks.

Risk Analysis Method
- Two types of risk analysis:
  - Quantitative: attempts to assign real numbers to the costs of safeguards and the amount of damage that can take place.
  - Qualitative: an analysis that judges an organization's risk to threats, based on judgment, intuition, and experience rather than assigning real numbers to these possible risks and their potential loss; e.g. the Analytical Hierarchy Process (AHP).

Steps of Quantitative Risk Analysis
- Assign value to information assets (tangible and intangible)
- Estimate potential loss per risk
- Perform a threat analysis
- Derive the overall loss potential per risk
- Choose safeguards/countermeasures for each risk
- Determine risk response (e.g. mitigation, avoidance, acceptance)

Quantitative Risk Analysis
- Exposure Factor (EF): percentage of asset loss caused by the identified threat; ranges from 0 to 100%.
- Single Loss Expectancy (SLE) = Asset Value x Exposure Factor. Example: $1,000,000 x 10% (likelihood) = $100,000.
- Annualized Rate of Occurrence (ARO): estimated frequency a threat will occur within a year, characterized on an annual basis. A threat occurring once in 10 years has an ARO of 0.1; a threat occurring 50 times in a year has an ARO of 50.
- Annualized Loss Expectancy (ALE) = Single Loss Expectancy x Annualized Rate of Occurrence.
- Safeguard cost/benefit analysis: (ALE before implementing safeguard) - (ALE after implementing safeguard) - (annual cost of safeguard) = value of safeguard to the company.

Quantitative Risk Analysis Summary
- Pros: uses probability concepts (the likelihood that a risk will occur or will not occur); the value of information is expressed in monetary terms with supporting rationale; risk assessment results are derived and expressed in management-speak.
- Cons: purely quantitative risk analysis is not possible, because quantitative measures must be applied to qualitative elements; can be less ambiguous, but using numbers can give an appearance of specificity that does not really exist; a huge amount of data must be gathered and managed.

Qualitative Risk Analysis
- Does not assign numbers and monetary value to components and losses.
- Walks through different scenarios of risk possibilities and ranks the seriousness of the threats for the sensitivity of the assets.

Identifying Qualitative Risks
- Expert interviews
- Brainstorming
- Nominal group technique
- Affinity diagram
- Analogy techniques

Qualitative Risks Matrix
[figure]

Example Qualitative Risk Matrix
[figure] Events placed in the quadrants HIGH RISK, MEDIUM HIGH, MEDIUM LOW and LOW RISK: Hostage/Kidnap, Strike/Walkout, Hostile Takeover, Major Explosion, Terrorism, Industrial Espionage, Sabotage, Comm. Disease, Flood, Suicide, Telecomm Failure, Maj. Operator Error, Child Care Incident, Transportation Incident, Minor Explosion, Neighbor Issue, Civil Unrest, Employee Violence, Tornado, Breach IT Security, Organized Crime, Blizzard, Bribery/Extortion, Protesters, Injury/Death, Accusation/Libel/Slander, Fog, Bomb Threat, Equipment Malfunc., Power Failure, Ice Storm, Media Investigation, Chemical Spill/Contamination, Major Fire, Class Action Lawsuit, Management Issues, Security Breach, Loss of IT, Virus, Major Electrical Storm.

Qualitative Risk Analysis Summary
- Pros: is simple and readily understood and executed; provides a general indication of significant areas of risk that should be addressed.
- Cons: is difficult to enforce in uniformity and consistency, but provides some order of measurement; is subjective in both process and metrics; cannot provide cost-benefit analysis.

Quantitative versus Qualitative
[table] Source: CISSP Common Body of Knowledge Review Seminar, (ISC)2.

Corporate Risk Analysis Strategy
[diagram] Baseline Approach, Informal Approach, Detailed Approach, Combined Approach. Combined Approach: High Level Risk Analysis; Detailed Risk Analysis or Baseline Approach; Selection of Safeguards; Risk Acceptance; IT System Security Policy; IT Security Plan.

Baseline Approach
- Establish a minimum set of safeguards to protect all or some IT systems of an organization.
- Achieved through the use of safeguard catalogues which suggest a set of safeguards to protect an IT system against the most common threats.
- The level of baseline security can be adjusted to the needs of the organization.

Informal Approach
- Conduct informal, pragmatic risk analysis.
- Exploit the knowledge and experience of individuals.

Detailed Approach
- Involves the identification of the related risks, and an assessment of their magnitude, for all IT systems.
- The result of the analysis should be saved: assets and their values; threat, vulnerability, and risk levels; safeguards identified.

Combined Approach
- First it is necessary to conduct an initial high level risk analysis to identify which approach (baseline or detailed) is appropriate for each IT system.
- Input for the decision as to which approach is suitable for which IT system: the business values of the IT systems; the level of investment in this IT system; the asset's value of the IT system.

The Process of Risk Analysis
- Establishment of Review Boundary
- Identification of Assets
- Valuation of Assets and Establishment of Dependencies Between Assets
- Threat Assessment
- Vulnerability Assessment
- Identification of Existing/Planning Safeguards
- Assessment of Risks
- Selection of Safeguards
- Ri
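Worked example for the Quantitative Risk Analysis slides (SLE, ARO, ALE and the safeguard cost/benefit formula) and for steps 1 to 4 of the Risk Mitigation flowchart, added by the editor; it is not code from the lecture. The risk register, the safeguard names, their annual costs and the reduced EF/ARO figures are constructed sample values, chosen so that the first entry reproduces the slide's $1,000,000 x 10% = $100,000 SLE pattern.

```python
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional

# Every asset value, exposure factor, rate and cost in SAMPLE_* below is a
# constructed figure for illustration, not a number from the slides (only the
# $1,000,000 x 10% = $100,000 SLE mirrors the slide's example).


@dataclass(frozen=True)
class Risk:
    """One threat/asset pair in the risk register."""
    name: str
    asset_value: float      # value of the information asset, in dollars
    exposure_factor: float  # EF: fraction of the asset lost per occurrence (0.0 to 1.0)
    aro: float              # ARO: occurrences per year (0.1 = once in 10 years)

    def sle(self) -> float:
        """Single Loss Expectancy = Asset Value x Exposure Factor."""
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annualized Loss Expectancy = SLE x ARO."""
        return self.sle() * self.aro


@dataclass(frozen=True)
class Safeguard:
    """A candidate control: lowers EF, ARO or both, at an annual cost."""
    name: str
    annual_cost: float
    new_exposure_factor: Optional[float] = None  # None = EF unchanged
    new_aro: Optional[float] = None              # None = ARO unchanged


def residual_risk(risk: Risk, safeguard: Safeguard) -> Risk:
    """The same risk with the safeguard's reduced EF and/or ARO applied."""
    ef = risk.exposure_factor if safeguard.new_exposure_factor is None else safeguard.new_exposure_factor
    aro = risk.aro if safeguard.new_aro is None else safeguard.new_aro
    return Risk(risk.name, risk.asset_value, ef, aro)


def safeguard_value(risk: Risk, safeguard: Safeguard) -> float:
    """Slide formula: ALE before - ALE after - annual cost = value to the company.
    A negative result means the control costs more per year than the loss it prevents."""
    return risk.ale() - residual_risk(risk, safeguard).ale() - safeguard.annual_cost


def prioritize(risks: list[Risk]) -> list[Risk]:
    """Risk Mitigation step 1: rank actions from high to low, here by ALE."""
    return sorted(risks, key=lambda r: r.ale(), reverse=True)


def select_safeguards(risks: list[Risk], options: dict[str, list[Safeguard]]) -> dict[str, Optional[str]]:
    """Risk Mitigation steps 2-4: for each risk keep the candidate with the highest
    positive value. None means no candidate pays for itself, so the risk is accepted
    (and, as the Risk Mitigation slide says, that acceptance should be documented)."""
    chosen: dict[str, Optional[str]] = {}
    for risk in risks:
        best, best_value = None, 0.0
        for sg in options.get(risk.name, []):
            value = safeguard_value(risk, sg)
            if value > best_value:
                best, best_value = sg.name, value
        chosen[risk.name] = best
    return chosen


# Constructed sample register (hypothetical organization).
SAMPLE_RISKS = [
    Risk("Database server outage", 1_000_000, 0.10, 0.5),   # SLE 100,000; ALE 50,000
    Risk("Unencrypted laptop theft", 50_000, 1.0, 2.0),     # SLE 50,000;  ALE 100,000
    Risk("Website defacement", 200_000, 0.05, 0.1),         # SLE 10,000;  ALE 1,000
]

# Constructed candidate controls per risk (hypothetical costs and effects).
SAMPLE_OPTIONS = {
    "Database server outage": [
        Safeguard("Nightly backups + spare server", 20_000, new_aro=0.1),
        Safeguard("Hot standby cluster", 60_000, new_aro=0.02),
    ],
    "Unencrypted laptop theft": [Safeguard("Full-disk encryption", 10_000, new_exposure_factor=0.2)],
    "Website defacement": [Safeguard("Web application firewall", 5_000, new_aro=0.02)],
}

if __name__ == "__main__":
    for r in prioritize(SAMPLE_RISKS):
        print(f"{r.name:28s} SLE={r.sle():>10,.0f}  ALE={r.ale():>10,.0f}")
        for sg in SAMPLE_OPTIONS.get(r.name, []):
            print(f"    {sg.name:32s} value={safeguard_value(r, sg):>10,.0f}")
    print("Selected:", select_safeguards(SAMPLE_RISKS, SAMPLE_OPTIONS))
```

Running the block ranks the laptop-theft risk first (ALE $100,000) even though its single-loss figure is the smallest of the three, which is the point of the ARO term: frequency matters as much as size. The hot-standby option for the database has a negative value (it prevents $48,000 of expected loss for $60,000 a year) and is rejected in favour of the cheaper backup option, and the web application firewall is rejected outright, so that risk is accepted and should be recorded as such.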