ISA 400 Management of Information Security
Week #3: Information Security & Risk Management
Philip Robbins – February 28, 2015
Information Security & Assurance Program, University of Hawai'i West Oahu

Information Security & Risk Management: Topics
• Review of Information Security Concepts
• Domain #3: Risk Management
• Classroom Examples / Exercises
• Quiz #3
• Assignment #3

Information Security & Risk Management
[Figure: relationship of the risk components. Threats exploit Vulnerabilities, which expose Assets; the resulting Risk is mitigated by Safeguards.]

Information Security and Risk Management: Concepts
• Information
  - What is it?
  - Why is it important?
  - How do we protect (secure) it?

Information Security: Review of Concepts
• Information is valuable; therefore, Information Systems are valuable, etc.
• A compromise of the Information Security Services (C-I-A) has real consequences (loss):
  - Confidentiality: death, loss of proprietary information, loss of privacy, theft
  - Integrity: theft, loss of confidence, loss of validity
  - Availability: lost productivity, disruption of C2 (command and control), defense, emergency services

Information Security: Review of Concepts
• Information Systems: systems that store, transmit, and process information.
• Information Security: the protection of information.
• Information Systems Security: the protection of the systems that store, transmit, and process information.

Information Security: Review of Concepts
• What is Information Assurance (IA)?
  - Our assurance (confidence) in the protection of our information / Information Security Services.
• What are Information Security Services (ISS)?
  - Confidentiality: making sure our information is protected from unauthorized disclosure.
  - Integrity: making sure the information we process, transmit, and store has not been corrupted or adversely manipulated.
  - Availability: making sure the information is there when we need it and gets to those who need it.

Private vs. Military Requirements
• Which security model an organization uses depends on its goals and objectives.
  - The military is generally most concerned with CONFIDENTIALITY.
  - Private businesses are generally most concerned with AVAILABILITY (e.g. Netflix, eBay) or INTEGRITY (e.g. banks).
  - Some private-sector organizations are most concerned with CONFIDENTIALITY (e.g. hospitals).
• Which ISS do you believe is most important?
  - Map to systems vs. content.

Fundamental Concepts: Progression of Terminology
• Computer Security (COMPUSEC): legacy term, no longer used.
• Information Security (INFOSEC): legacy term, still used.
• Information Assurance (IA): the term widely accepted today, with a focus on information sharing.
• Cyber Security: broad term quickly being adopted.

Information Security: Review of Concepts
• What is the Defense in Depth strategy?
  - Using layers of defense as protection.
  - Its elements: People, Technology, and Operations.
• Onion model, from the outermost layer inward: Policies & Procedures, Physical, Perimeter, Internal Network, Host, Application, Data.

Defense-in-Depth: Links in the Security Chain (Management, Operational, and Technical Controls)
• Management and operational controls: risk assessment; security planning, policies, procedures; configuration management and control; contingency planning; incident response planning; security awareness and training; security in acquisitions; physical security; personnel security; security assessments and authorization; continuous monitoring.
• Technical controls: access control mechanisms; identification & authentication mechanisms (biometrics, tokens, passwords); audit mechanisms; encryption mechanisms; boundary and network protection devices (firewalls, guards, routers, gateways); intrusion protection/detection systems; security configuration settings; anti-virus, anti-spyware, anti-spam software; smart cards.
• Adversaries attack the weakest link… where is yours?

Review of Fundamental Concepts
[Figure: Information Assurance Framework. Functions: DEFEND, RESPOND, SUSTAIN. Information Assurance Services (IAS). Control measures: 1. Physical Security Services; 2. Cyber Security Services; 3. Continuity of Operations; 4. Design, Configuration, Operations & Administration; 5. Education, Training & Awareness; 6. Identity Authentication & Authorization; 7. Information Content Conditioning & Control. Functional Assessment.]
Source: Cieslak, Randall (Dec 2011). Cyber Fundamentals. USPACOM Chief Information Officer.

Information Security: Review of Concepts
[Figure: Defense in Depth primary elements. The PDR paradigm (Protect, Detect, React); the Information Security Services (Confidentiality, Integrity, Availability); the Information Assurance Services (Physical, Cyber, Continuity, Configuration, Training, Identity A&A, Content); and the DiD elements People, Technology, and Operations, all under Information Assurance / Information Security.]

Information Security: Review of Concepts
• Fixed resources.
• Sustainable strategies reduce costs.
[Figure: cost vs. time, with and without DiD, showing the Protect, Detect, and React cost bands, incidents, and a cost-prohibitive threshold.]

Vulnerability
• A software, hardware, or procedural weakness that may give an attacker the opportunity to obtain unauthorized access.
  - An unpatched application
  - Zero-days
  - "Lax" physical security
  - Weak protocols

Risk Component: Vulnerabilities
• What are vulnerabilities? Any flaw or weakness that can be exploited.
  - Poorly communicated or implemented policy
  - Improperly configured systems or controls
  - Inadequately trained personnel

Countermeasure / Safeguard
• A safeguard or countermeasure is put in place to mitigate the potential risk.
• A countermeasure reduces the possibility that a threat agent will be able to exploit a vulnerability.

Risk Component: Controls & Safeguards
• Controls are put in place to prevent exploitation of vulnerabilities.
• The cost of a control should never exceed the cost of the impact (loss) that would occur with no control.
• How do I figure out what controls I need?
• Is there a comprehensive checklist I can use?
  - Yes there is… it's called DoDI 8500.2, Information Assurance (IA) Implementation.

Threat
• A natural or man-made event that could have some type of negative impact on the organization.

Threat Agent
• The person (or other entity) that actually takes advantage of a vulnerability.

Exposure
• An instance of being exposed to losses from a threat agent.
• Example: a public web server with a known vulnerability that has not been patched is exposed.

Security Controls
The following types of controls should be used to achieve security management directives:
• Administrative controls: policies, standards, procedures, guidelines, personnel screening, training.
• Technical (logical) controls: authentication, firewalls, biometrics, etc.
• Physical controls: locks, monitoring, mantraps, environmental controls.

Risk
• The likelihood of a threat agent taking advantage of a vulnerability, and the corresponding business impact.
• Risk ties together the vulnerability, the threat, and the likelihood of exploitation.

Classroom Example: Concept of Risk
• After a month on the job as the new ISSM for UHWO, you decide to update the CIO on the progress of the ISS program at UHWO via email, when all of a sudden the entire internal network goes down!
• Your Computer Network Defense Team traces the source of the disruption to an unknown vulnerability that was exploited on a generic perimeter router.
• The CIO calls you into his office and tells you that he is "concerned about the Risk to the networks at UHWO" and "wants a risk assessment conducted" ASAP.

Classroom Example: Concept of Risk
- What does the CIO mean by "Risk to the networks at UHWO"?
- As the ISSM, how would you conduct a risk assessment for the CIO?
- How is risk measured, and why is it important?
- What are some of the elements of risk?
Management of Information Security
• Management is ULTIMATELY responsible for security… not admins, not security workers… MANAGEMENT… let me repeat… MANAGEMENT.
• Management must lead and direct all security programs. They must provide the vision AND the support.

Management of Information Security
• Any good security program should be "top down," with an ultimate goal.
• In this approach management creates the vision and lays out the framework. It does not make sense just to run about locking down machines without a vision, though this is often how things are actually done.*
  - Why would a bottom-up approach fail? (Can you build a house by just starting to build?)

Risk Management
• Information Systems Risk Management (ISRM) is the process of identifying, assessing, and mitigating (reducing) risks to an acceptable level.
  - Why is this important?
• There is no such thing as 100% security.
  - Can risk ever be eliminated?

Risk Management
• Risks MUST be identified, classified, and analyzed to assess the potential damage (loss) to the company.
• Risk is difficult to measure and quantify; however, we must prioritize the risks and attempt to address them!

Risk Management
• Did I mention that ISRM is ULTIMATELY the responsibility of MANAGEMENT?
• ISRM should support the organization's mission.
• There should be an ISRM policy.
• There should be an ISRM team.
• ISRM should be a subset of the company's total Risk Management Policy.

Risk Management
• The goal of ISRM is to ensure the company is protected in the most COST-EFFECTIVE manner! (It doesn't make sense to spend more to protect something than the "something" is worth.)

Risk Analysis
• What is risk analysis?
  - A tool for risk management that identifies assets, vulnerabilities, and threats. (What are these again?)
  - It assesses the possible damage and determines where to implement safeguards.
Goal of Risk Analysis
• Identify assets and their values.
• Identify vulnerabilities and threats.
• Quantify the probability of damage and the cost of damage.
• Implement cost-effective countermeasures!
• The ULTIMATE GOAL is to be cost effective: ensure that your assets are safe, and at the same time don't spend more to protect something than it's worth.*

Risk Authority
• MANAGEMENT!!!
• Management may delegate to data custodians or business units that shoulder some of the risk.
• However, senior management is ultimately responsible for the company's health, and as such is ultimately responsible for the risk.

Information System Risk Management Review
• It is important to understand an asset's value if you plan on doing risk analysis.
• So what is something worth?
• Value can be measured quantitatively and/or qualitatively.

Risk Component: Impact
• Loss (negative consequence) for the organization:
  - $ (USD)
  - Reputation
  - Degraded Information Security Services
  - …

Defining Risk
• What is Risk? and… thus
• Units for measurement: Confidentiality, Integrity, Availability.
Source: Robbins, P. (Dec 2011). Security Risk Analysis and Critical Information Systems. Hawaii Pacific University, Honolulu, HI.

Defining Risk
• Risk is conditional, NOT independent.
Source: Robbins, P. (Dec 2011). Security Risk Analysis and Critical Information Systems. Hawaii Pacific University, Honolulu, HI.

Defining Risk and Risk Component Relationship
Source: Harris, S. (2010). CISSP All-in-One Exam Guide, fifth edition. McGraw-Hill, New York, NY.

Defining Risk Behavior
• Expected Value of Risk = Product of Risks.
• Risk is never zero: "We can never be 100% confident of protection."
• Risk dimension (units): confidence in the loss of ISS (C-I-A), i.e. "Risk Loss Confidence."
Source: Robbins, P. (Dec 2011). Security Risk Analysis and Critical Information Systems. Hawaii Pacific University, Honolulu, HI.
Defining Risk Behavior
• Risk Loss Confidence increases through interconnections with other network enclaves (risks)!
[Figure: three interconnected network enclaves, #1, #2, and #3.]

Defining Risk Behavior
• RiskEV = R1 × R2 × R3
• RiskEV = LOW × MED × HIGH
• RiskEV = ?
[Figure: Network Enclave #1 (R1 = LOW), Network Enclave #2 (R2 = MED), and Network Enclave #3 (R3 = HIGH), interconnected.]

Defining Risk Behavior
• RiskEV = R1 × R2 × R3
• RiskEV = LOW × MED × HIGH
• RiskEV = HIGH
[Figure: the same three interconnected enclaves, R1 = LOW, R2 = MED, R3 = HIGH.]

Quantitative Risk Threshold
[Figure only.]

Quantifying Risk
• Expected Value and Risk Loss Confidence vs. Cumulative Risk Product.
Source: Robbins, P. (Dec 2011). Security Risk Analysis and Critical Information Systems. Hawaii Pacific University, Honolulu, HI.

Quantifying Risk
• How do we quantify total risk?
  - Average the risk to each Information Security Service.
Source: Robbins, P. (Dec 2011). Security Risk Analysis and Critical Information Systems. Hawaii Pacific University, Honolulu, HI.

MAC Levels and Classification Levels
[Table: Mission Assurance Category (MAC) levels vs. classification levels, with examples: SECRET & higher; PII, FOUO; UNCLASS.]

Risk Component: Threats
• Rapid growth of Advanced Persistent Threats (APTs).
• Half a million cyber-related incidents in 2012.
  - Is this a problem?
  - What about vulnerabilities associated with interconnections?
  - How does risk management help deal with APTs?
Source: US-CERT

Risk Component: Controls & Safeguards
• Control checklists exist depending on the MAC and classification of your network enclave: the DoDI 8500.2 Information Assurance Implementation checklists.

Risk Component: Controls & Safeguards
[IA Checklist: controls for vulnerabilities, taken from DoDI 8500.2; the DIACAP Scorecard; Information Assurance Services.]

Plan of Actions & Milestones (POA&M)
• Non-compliant (NC) controls / findings are listed on a POA&M.

Residual Risk
• The risk that remains after all of the response strategies have been implemented.
[Figure: the Information Assurance Framework (DEFEND, RESPOND, SUSTAIN; control measures 1–7; functional assessment), annotated with THREAT, MITIGATION, and RESIDUAL RISK.]
Source: Cieslak, Randall (Dec 2011). Cyber Fundamentals. USPACOM Chief Information Officer.

Semi-Quantitative (Qualitative) Risk Matrix
Impact (rows) vs. Likelihood (columns):
                   Rare (1)  Unlikely (2)  Moderate (3)  Likely (4)  Frequent (5)
Catastrophic (5)
Material (4)
Major (3)
Minor (2)
Insignificant (1)

Risk Responses
• Risk Avoidance – halt or stop the activity causing the risk.
• Risk Transference – transfer the risk (e.g. buy insurance).
• Risk Mitigation – reduce the impact with controls/safeguards.
• Risk Acceptance – understand the consequences and accept the risk.

Risk Responses
Severity (rows) vs. Frequency (columns):
                 Low frequency       High frequency
High severity    Accept / Transfer   Avoid
Low severity     Accept              Accept / Transfer

Risk Components
• Let's recap: what are the components of Information Systems Risk?
  - Threats & Threat Agents
  - Vulnerabilities (weaknesses)
  - Controls (Safeguards)
  - Impact
• How is each component important to understanding and managing risk?

Risk Assessment & Analysis
- What is Quantitative Risk Analysis?
- What is Qualitative Risk Assessment?
- Positives (pros) and negatives (cons) of each.
- Which method is preferred?

Value of Information and Information Assets
• Risk Management
• It's important to understand the value of your information and information systems.
• So what is my information worth?
  - Value can be measured both quantitatively and qualitatively.

Risk Assessment & Analysis
• Quantitative Analysis
  - Tangible impacts can be measured quantitatively in lost revenue, repair costs, or resources.
• Qualitative Assessment
  - Other impacts (e.g. loss of public confidence or credibility) can be qualified in terms of High, Medium, or Low impact.

Risk Assessment & Analysis
• …starting with Quantitative analysis.
  - Warning: there is MATH involved… =(

Quantitative Risk Analysis
• Quantitative analysis attempts to assign real values to all elements of the risk analysis process:
  - Asset value
  - Safeguards / controls
  - Threat frequency
  - Probability of incident

Quantitative Risk Analysis
• Purely quantitative risk analysis is impossible.
  - There are always unknown values.
  - There are always "qualitative" values. What is the value of a reputation?
  - …but what if you focused on Information Security Services as the unit of measurement?
• Quantitative analysis can be automated with software and tools.
  - Requires large amounts of data to be collected.

Quantitative Risk Analysis (Step-by-Step)
1. Assign value to your information (assets).
2. Estimate the cost (loss potential) for each asset and threat combination.
3. Perform a threat analysis: determine the probability of exploitation.
4. Derive the overall loss potential per year.
5. Reduce, transfer, avoid, or accept the risk.

Step 1. Assign Value to Assets
• What are my information assets worth?
  - What did it cost me to obtain?
  - How much money does the asset bring in?
  - What is its value to my competitors?
  - How much would it cost to re-create?
  - Are there possible legal liabilities to account for?
  - What worth does it have?
  - What capability / services does it provide?

Step 2. Estimate Loss Potential
• For each threat, we need to determine how much a successful compromise could cost:
  - Physical damage
  - Loss of productivity
  - Cost of repairs
  - Amount of damage
• "Single Loss Expectancy" (SLE): the loss from one occurrence, per asset and threat.*
• Example: if you have virus outbreaks and each outbreak costs $50K in lost revenue and repair costs, your SLE = $50K.

Step 2. Estimate Loss Potential
• When determining SLE, you may hear the term EF (exposure factor).
• Loss then becomes a percentage of the asset value (AV). This is where EF comes in:
  SLE = AV × EF

Step 3. Perform Threat Analysis
• Figure out the likelihood of a threat incident:
  - Analyze vulnerabilities and the rate of exploits.
  - Analyze the probabilities of threats to your location and systems.
  - Review historical records of incidents.
• Annualized Rate of Occurrence (ARO). Example: if the chance of a virus outbreak in any month is 75%, then ARO = 0.75 × 12 (months per year) = 9 occurrences per year. (This treats the 75% as the expected number of outbreaks per month, at most one per month.)

Step 4. Derive the Annual Loss Expectancy
• ALE = SLE × ARO
• Example: cost of a virus outbreak, $50K (SLE) × 9 occurrences per year (ARO) = $450K total cost per year (ALE).

Step 5. Determine Your Risk Response
• Risk Avoidance – halt or stop the activity causing the risk.
• Risk Transference – transfer the risk (e.g. buy insurance).
• Risk Mitigation – reduce the impact with controls/safeguards.
• Risk Acceptance – understand the consequences and accept the risk.

Reducing Risk
• When deciding whether to implement controls, safeguards, or countermeasures, you SHOULD be concerned about cost.
• It doesn't make sense to spend more to protect an asset than that asset is worth!
• So how do we determine if it's worth it? …

Reducing Risk
• Reducing risk through controls / safeguards / countermeasures makes sense when the cost (per year) of the countermeasure is less than the ALE it removes.
• If the cost (per year) of a countermeasure is more than the ALE, don't implement it.

Risk Analysis: Review of Definitions
• The Annualized Rate of Occurrence (ARO) is the expected number of times a risk occurs within a year.
• The Single Loss Expectancy (SLE) is the dollar value of the loss from a single occurrence of the risk.
• The ALE is calculated by multiplying the ARO by the SLE: ALE = ARO × SLE.

Risk Analysis: Review of Definitions
• Assign value to information & assets: Asset Value (AV).
• Estimate: Single Loss Expectancy (SLE).
• Estimate: likelihood of threats (ARO).
• Calculate: Annual Loss Expectancy (ALE).
• Risk response: reduce, transfer, avoid, or accept.

Class Exercise: Quantitative Analysis
• You own a data warehouse valued at $1,000,000 USD (information & infrastructure included).
• If a fire were to break out, it is expected that 40% of the warehouse (including the data) would be damaged/lost.
• The chance of a fire breaking out for this type of warehouse is known to be 8% annually.

Risk Management
• Let's move on to… qualitative assessments.

Qualitative Risk Assessments
• Instead of assigning specific values…
• We walk through different scenarios, then rank and prioritize based on threats and countermeasures.
• Techniques include:
  - Judgment
  - Best practices
  - Intuition (gut feelings)
  - Experience

Qualitative Risk Assessments
• Specific techniques include:
  - Delphi method (opinions provided anonymously)
  - Brainstorming
  - Storyboarding
  - Focus groups
  - Surveys
  - Questionnaires
  - Interviews / one-on-one meetings
• … very subjective.

Expressing Qualitative Risk
• Remember this?
Impact (rows) vs. Likelihood of Compromise (columns); each cell gives the resulting RISK:
                   Rare (1)  Unlikely (2)  Moderate (3)  Likely (4)  Frequent (5)
Catastrophic (5)
Material (4)
Major (3)
Minor (2)
Insignificant (1)

Expressing Qualitative Risk
Severity (rows) vs. Exploitation Frequency (columns):
                 Low frequency       High frequency
High severity    Accept / Transfer   Avoid
Low severity     Accept              Accept / Transfer

Quantitative vs. Qualitative Risk Analysis
• Quantitative advantage: provides a measurement of the impact's magnitude.
• Quantitative disadvantage: the meaning of the analysis may be unclear, requiring the results to be interpreted in a qualitative manner.
• Qualitative advantage: prioritizes the risks, identifying areas for immediate improvement.
• Qualitative disadvantage: does not provide specific quantifiable measurements of the impact's magnitude.

Quantitative vs. Qualitative Risk Analysis
• Quantitative advantage: impact is quantified (measurable).
• Quantitative disadvantage: the analysis involves complex calculations and can be confusing and resource intensive.
• Qualitative advantage: impact is clear & easy to understand.
• Qualitative disadvantage: no unit of measure; the assessment is subjective (Low-Med-High).

Quantitative vs. Qualitative Risk Analysis
• Which approach is preferred when it comes to Information Systems Risk Management?
• Why?
  - Let's discuss…

Advanced Concepts in Risk
- Typically a Security Risk Analysis (SRA) is conducted as a snapshot in time.
- Risk is quantitative, continuous, & time-dependent:
  Rn (t ) {1 {P[ (t ) | (t )] [1 (t )]} { [1 ( , t )]}} dt U
Source: Robbins, P. (Dec 2011). Security Risk Analysis and Critical Information Systems. Hawaii Pacific University, Honolulu, HI.

Quiz #3
• Short answer, closed book, closed notes.

Questions?
probbins@hawaii.edu
www2.hawaii.edu/~probbins
https://www.dorkatron.com/docs/ISA400/
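Worked example (added here as a backup slide; not part of the original deck) that carries the quantitative Steps 1–5, the Reducing Risk cost test, and the class exercise above through in Python: SLE = AV × EF, ARO, ALE = SLE × ARO, and the decision of whether a countermeasure is worth its annual cost. The virus-outbreak and warehouse-fire figures are the slides' own; the sprinkler and hot-spare countermeasures, their costs, and the decision rule in `risk_response` are assumptions made for illustration.

```python
# Added example (not from the slides): quantitative risk analysis as in
# Steps 1-5 above, plus the countermeasure cost test.  The virus and
# warehouse numbers are the slides'; the sprinkler and hot-spare
# countermeasures below are constructed assumptions.
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    """One asset/threat pair (Step 2: loss potential per asset and threat)."""
    name: str
    asset_value: float      # AV in USD (Step 1)
    exposure_factor: float  # EF: fraction of AV lost per incident, 0.0..1.0
    aro: float              # ARO: expected occurrences per year (Step 3)


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE = AV x EF.  Rejects an EF outside 0..1, which would be a data-entry error."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be between 0 and 1")
    return asset_value * exposure_factor


def aro_from_monthly_chance(chance_per_month: float) -> float:
    """The slide's shortcut: ARO = monthly chance x 12.  It treats the chance
    as an expected count of (at most one) outbreak per month."""
    return chance_per_month * 12


def annual_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE x ARO (Step 4)."""
    return sle * aro


def scenario_ale(s: Scenario) -> float:
    """Steps 2-4 for one scenario."""
    sle = single_loss_expectancy(s.asset_value, s.exposure_factor)
    return annual_loss_expectancy(sle, s.aro)


def countermeasure_value(ale_before: float, ale_after: float, annual_cost: float) -> float:
    """Net annual value of a safeguard: (ALE before) - (ALE after) - annual cost.
    Positive means the safeguard saves more per year than it costs."""
    return ale_before - ale_after - annual_cost


def risk_response(ale_before: float, ale_after: float, annual_cost: float) -> str:
    """Step 5 as a decision rule (an assumption, not from the slide).  The
    slide's test rejects any countermeasure whose annual cost exceeds the
    ALE; one that passes is worth implementing only if its net value is
    positive, otherwise the risk is accepted or transferred (insured)."""
    if annual_cost > ale_before:
        return "reject: annual cost exceeds ALE; accept or transfer the risk"
    if countermeasure_value(ale_before, ale_after, annual_cost) > 0:
        return "mitigate: countermeasure pays for itself"
    return "accept or transfer: countermeasure does not pay for itself"


def report(s: Scenario) -> dict:
    """SLE, ARO and ALE for a scenario, as a dict for easy checking."""
    sle = single_loss_expectancy(s.asset_value, s.exposure_factor)
    return {"name": s.name, "SLE": sle, "ARO": s.aro,
            "ALE": annual_loss_expectancy(sle, s.aro)}


# Slide examples.  The virus outbreak has a stated SLE of $50K, so model it
# as AV = $50K with EF = 1.0; the ARO is 75% per month x 12 = 9.
VIRUS = Scenario("virus outbreak", 50_000, 1.0, aro_from_monthly_chance(0.75))
WAREHOUSE = Scenario("data warehouse fire", 1_000_000, 0.40, 0.08)

# Constructed countermeasures for the warehouse (assumptions): sprinklers
# that cut the EF from 40% to 10% for $5,000/yr, and an off-site hot spare
# for $40,000/yr that is assumed to bring the fire ALE to zero.
SPRINKLERS = Scenario("warehouse with sprinklers", 1_000_000, 0.10, 0.08)
SPRINKLER_COST = 5_000
HOT_SPARE_COST = 40_000


if __name__ == "__main__":
    for s in (VIRUS, WAREHOUSE):
        print(report(s))
    base = scenario_ale(WAREHOUSE)
    print("sprinklers:", risk_response(base, scenario_ale(SPRINKLERS), SPRINKLER_COST))
    print("hot spare: ", risk_response(base, 0.0, HOT_SPARE_COST))
```

Running it gives the class exercise's answer (SLE = $400,000, ALE = $32,000 per year for the warehouse fire) and the slide's virus figure (ALE = $450,000). The sprinklers pass both tests ($32,000 − $8,000 − $5,000 = $19,000 net value per year), while the hot spare fails the slide's rule outright because $40,000 per year exceeds the $32,000 ALE. `countermeasure_value` is the stricter (ALE before − ALE after − annual cost) test: a safeguard can cost less than the ALE and still not be worth it if it removes little of the loss.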