Policies & Risk Analysis
CS461/ECE422
Fall 2011
Readings
• Chapters 14 and 15 of Computer Security
• Information Security Policies and Procedures,
Thomas Peltier
• Information Security Risk Analysis, by Thomas R.
Peltier
– On reserve at the library
– Chapters 1 and 2 are on Google Books
– Identifies basic elements of risk analysis and reviews several variants of qualitative approaches
• SANS policy project
– http://www.sans.org/resources/policies/
Security Policy
• A security policy is a formal statement of the rules by which people who are given access to an organization’s technology and information assets must abide. (RFC 2196)
• Defines what it means for the organization to
be in a secure state.
– Otherwise people can claim ignorance.
Mechanisms or Controls or Countermeasures
• Entity or procedure that enforces some part of
the security policy
– Access controls (like bits to prevent someone from
reading a homework file)
– Disallowing people from bringing CDs and floppy
disks into a computer facility to control what is
placed on systems
Types of Policies that Affect Information Security
• Data protection
• Privacy
• Email
• Hiring
• Numerous other types of organizational policies with varying impact on information security
Natural Language Security Policies
• Targeting Humans
– Written at different levels
• To inform end users
• To inform lawyers
• To inform technicians
• Users, owners, beneficiaries (customers)
• As with all policies, should define purpose not mechanism
– May have additional documents that define how policy maps to mechanism
• Should be enduring
– Don't want to update with each change to technology
• Shows due diligence on part of the organization
Key Parts of Organizational Policy
1. What is being protected? Why?
2. Generally how should it be protected?
3. Who is responsible for ensuring policy is
applied?
4. How are conflicts and discrepancies to be
interpreted and resolved?
How to Write a Policy
• Understand your environment
– Risk Analysis (see next lecture)
• Understand your industry
– Look for “standards” from similar companies
– Leverage others' wisdom
– Already proven with auditors/regulators
• Standards
• ISO 17799 – Code of Practice for Information Security Management
• COBIT – Control Objectives for Information and Related Technology
• SANS, CERT have policy guidelines
• Gather the right set of people
– Technical experts, person ultimately responsible, person who can make it happen
– Not just the security policy “expert”
Security Policy Life Cycle (cycle diagram; stages shown)
• Risk Analysis
• Reassessment
• Policy Development
• Policy Implementation
• Policy Approval
• Raising Awareness
Security Policy Contents
• Purpose – Why are we trying to secure things
• Identify protected resources
• Who is responsible for protecting
– What kind of protection? Degree but probably not precise mechanism.
• Cover all cases
• Realistic
More Specific Policy Content Ideas
• Principles of Security
• Organizational Reporting Structure
• Physical Security
• Hiring, management, firing
• Data protection
• Communication security
• Hardware
• Software
• Operating systems
• Technical support
• Privacy
• Access
• Accountability
• Authentication
• Availability
• Maintenance
• Violations reporting
• Business continuity
• Supporting information
University of Illinois Information Security Policies
• University of Illinois Information Security Policies
– System wide policy; Identifies what, not how
– http://www.obfs.uillinois.edu/cms/one.aspx?pageId=914038
• CITES UIUC standards and guidelines
– DNS - http://www.cites.uiuc.edu/dns/standards.html
– FERPA - http://www.cites.uiuc.edu/edtech/development_aids/ferpa/index.html
• CS Department policies
– https://wiki.engr.illinois.edu/display/tsg/Policies
Example Privacy Policies
• Busey Bank
– https://www.busey.com/home/fiFiles/static/documents/privacy.pdf
– Financial Privacy Policy
• Targets handling of personal non-public data
• Clarifies what data is protected
• Who the data is shared with
Poorly Written Policies
• Cars.gov – Had the following in click-through policy for dealers
• “This application provides access to the [Department of Transportation] DoT CARS system. When logged on to the CARS system, your computer is considered a Federal computer system and is the property of the U.S. Government. Any or all uses of this system and all files on this system may be intercepted, monitored, recorded, copied, audited, inspected, and disclosed... to authorized CARS, DoT, and law enforcement personnel, as well as authorized officials of other agencies, both domestic and foreign.”
• According to EFF
– http://www.eff.org/deeplinks/2009/08/cars-govterms-service
Example Acceptable Use Policy
• IEEE Email Acceptable Use Policy
– http://eleccomm.ieee.org/email-aup.shtml
– Inform user of what he can do with IEEE email
– Inform user of what IEEE will provide
• Does not accept responsibility for actions resulting from user email
• Does not guarantee privacy of IEEE computers and networks
– Examples of acceptable and unacceptable use
What is Risk?
• The probability that a particular threat will
exploit a particular vulnerability
– Not a certainty.
– Risk impact – loss associated with exploit
• Need to systematically understand risks to a
system and decide how to control them.
What is Risk Analysis?
• The process of identifying, assessing, and
reducing risks to an acceptable level
– Defines and controls threats and vulnerabilities
– Implements risk reduction measures
• An analytic discipline with three parts:
– Risk assessment: determine what the risks are
– Risk management: evaluating alternatives for
mitigating the risk
– Risk communication: presenting this material in an
understandable way to decision makers and/or the
public
Risk Management Cycle (figure from GAO/AIMD-99-139)
Basic Risk Analysis Structure
• Evaluate
– Value of computing and information assets
– Vulnerabilities of the system
– Threats from inside and outside
– Risk priorities
• Examine
– Availability of security countermeasures
– Effectiveness of countermeasures
– Costs (installation, operation, etc.) of countermeasures
• Implement and Monitor
Who should be Involved?
• Security Experts
• Internal domain experts
– Knows best how things really work
• Managers responsible for implementing
controls
Identify Assets
• Asset – Anything of value
– Physical Assets
• Buildings, computers
– Logical Assets
• Intellectual property, reputation
Example Critical Assets
• People and skills
• Goodwill
• Hardware/Software
• Data
• Documentation
• Supplies
• Physical plant
• Money
Vulnerabilities
• Flaw or weakness in system that can be
exploited to violate system integrity.
Example Vulnerabilities
• Physical
– V01 Susceptible to unauthorized building access
– V02 Computer Room susceptible to unauthorized access
– V03 Media Library susceptible to unauthorized access
– V04 Inadequate visitor control procedures
– (and 36 more)
• Administrative
– V41 Lack of management support for security
– V42 No separation of duties policy
– V43 Inadequate/no computer security plan policy
– V47 Inadequate/no emergency action plan
– (and 7 more)
• Personnel
– V56 Inadequate personnel screening
– V57 Personnel not adequately trained in job
– ...
• Software
– V62 Inadequate/missing audit trail capability
– V63 Audit trail log not reviewed weekly
– V64 Inadequate control over application/program changes
– …
• Communications
– V87 Inadequate communications system
– V88 Lack of encryption
– V89 Potential for disruptions
– ...
• Hardware
– V92 Lack of hardware inventory
– V93 Inadequate monitoring of maintenance personnel
– V94 No preventive maintenance program
– …
– V100 Susceptible to electronic emanations
Threats
• Set of circumstances that has the potential
to cause loss or harm
• Attacks against key security services
– Confidentiality, integrity, availability
• Threats trigger vulnerabilities
– Accidental
– Malicious
Example Threat List
• T01 Access (Unauthorized to System - logical)
• T02 Access (Unauthorized to Area - physical)
• T03 Airborne Particles (Dust)
• T04 Air Conditioning Failure
• T05 Application Program Change (Unauthorized)
• T06 Bomb Threat
• T07 Chemical Spill
• T08 Civil Disturbance
• T09 Communications Failure
• T10 Data Alteration (Error)
• T11 Data Alteration (Deliberate)
• T12 Data Destruction (Error)
• T13 Data Destruction (Deliberate)
• T14 Data Disclosure (Unauthorized)
• T15 Disgruntled Employee
• T16 Earthquakes
• T17 Errors (All Types)
• T18 Electro-Magnetic Interference
• T19 Emanations Detection
• T20 Explosion (Internal)
• T21 Fire, Catastrophic
• T22 Fire, Major
• T23 Fire, Minor
• T24 Floods/Water Damage
• T25 Fraud/Embezzlement
• T26 Hardware Failure/Malfunction
• T27 Hurricanes
• T28 Injury/Illness (Personal)
• T29 Lightning Storm
• T30 Liquid Leaking (Any)
• T31 Loss of Data/Software
• T32 Marking of Data/Media Improperly
• T33 Misuse of Computer/Resource
• T34 Nuclear Mishap
• T35 Operating System Penetration/Alteration
• T36 Operator Error
• T37 Power Fluctuation (Brown/Transients)
• T38 Power Loss
• T39 Programming Error/Bug
• T40 Sabotage
• T41 Static Electricity
• T42 Storms (Snow/Ice/Wind)
• T43 System Software Alteration
• T44 Terrorist Actions
• T45 Theft (Data/Hardware/Software)
• T46 Tornado
• T47 Tsunami (Pacific area only)
• T48 Vandalism
• T49 Virus/Worm (Computer)
• T50 Volcanic Eruption
Characterize Threat-Sources

Threat Source | Motivation | Capability | Resources | Attack Probability | Deterrence
Script Kiddy | Challenge, ego, rebellion | Standard scripts | Personal assets, Internet access | Certain | Internet firewall/IPS
Terrorist | Ideological, destruction, fund raising | Can hire smart people | Internet access, substantial hardware, infiltration | Depends on organization | Internet firewall/IPS, hiring policy
Insider | Ego, revenge, money | Detailed knowledge of organization | Complete access from the inside | Probable for most organizations | Hiring policy, internal log monitoring
Controls
• Mechanisms or procedures for mitigating
vulnerabilities
– Prevent
– Detect
– Recover
• Understand cost and coverage of control
• Controls follow vulnerability and threat
analysis
Example Controls
• C01 Access control devices - physical
• C02 Access control lists - physical
• C03 Access control - software
• C04 Assign ADP security and assistant in writing
• C05 Install/review audit trails
• C06 Conduct risk analysis
• C07 Develop backup plan
• C08 Develop emergency action plan
• C09 Develop disaster recovery plan
• ...
• C21 Install walls from true floor to true ceiling
• C22 Develop visitor sign-in/escort procedures
• C23 Investigate backgrounds of new employees
• C24 Restrict numbers of privileged users
• C25 Develop separation of duties policy
• C26 Require use of unique passwords for logon
• C27 Make password changes mandatory
• C28 Encrypt password file
• C29 Encrypt data/files
• C30 Hardware/software training for personnel
• C31 Prohibit outside software on system
• ...
• C47 Develop software life cycle development program
• C48 Conduct hardware/software inventory
• C49 Designate critical programs/files
• C50 Lock PCs/terminals to desks
• C51 Update communications system/hardware
• C52 Monitor maintenance personnel
• C53 Shield equipment from electromagnetic interference/emanations
• C54 Identify terminals
Types of Risk Analysis
• Quantitative
– Assigns real numbers to costs of safeguards and damage
– Annual loss exposure (ALE)
– Probability of event occurring
– Can be unreliable/inaccurate
• Qualitative
– Judges an organization’s relative risk to threats
– Based on judgment, intuition, and experience
– Ranks the seriousness of the threats for the sensitivity of the assets
– Subjective, lacks hard numbers to justify return on investment
Quantitative Analysis Outline
• Identify and value assets
• Determine vulnerabilities and impact
• Estimate likelihood of exploitation
• Compute Annual Loss Exposure (ALE)
• Survey applicable controls and their costs
• Project annual savings from control
Quantitative
• Risk exposure = Risk impact x Risk probability
– Loss of car: risk impact is cost to replace car, e.g. $10,000
– Probability of car loss: 0.10
– Risk exposure or expected loss = 10,000 x 0.10 = 1,000
• Generally measured per year
– Annual Loss Exposure (ALE)
Quantitative
• Cost-benefit analysis of controls
• Risk leverage to evaluate value of a control
– ((risk exp. before control) – (risk exp. after)) / (cost of control)
• Example of trade-offs between different deductibles and insurance premiums
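The two quantitative formulas above (risk exposure and risk leverage) carried through in code, as an added example that is not part of the lecture slides. It reuses the slides' car figures ($10,000 impact, 0.10 annual probability); the three candidate controls, their costs and their residual impact/probability are constructed for the example, and the deductible trade-off the slide mentions appears as two insurance options alongside a control that lowers likelihood instead of impact.

```python
"""Quantitative risk analysis: Annual Loss Exposure (ALE) and risk leverage.

Added example, not course material.  The car figures come from the lecture;
the controls and their numbers are made up for illustration."""
from dataclasses import dataclass


def risk_exposure(impact: float, probability: float) -> float:
    """Risk exposure (expected loss) = risk impact x risk probability.
    With impact in dollars and probability per year this is the ALE."""
    if not 0.0 <= probability <= 1.0:
        raise ValueError("probability must be in [0, 1]")
    if impact < 0:
        raise ValueError("impact must be non-negative")
    return impact * probability


def risk_leverage(exposure_before: float, exposure_after: float, control_cost: float) -> float:
    """((risk exposure before control) - (risk exposure after)) / (cost of control).
    Leverage above 1 means the control saves more per year than it costs."""
    if control_cost <= 0:
        raise ValueError("control cost must be positive")
    return (exposure_before - exposure_after) / control_cost


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float          # installation + operation, per year
    impact_after: float         # residual loss if the event still happens
    probability_after: float    # residual annual probability of the event


def evaluate_controls(impact: float, probability: float, controls):
    """Return (control, leverage) pairs, best leverage first."""
    before = risk_exposure(impact, probability)
    scored = []
    for c in controls:
        after = risk_exposure(c.impact_after, c.probability_after)
        scored.append((c, risk_leverage(before, after, c.annual_cost)))
    scored.sort(key=lambda pair: pair[1], reverse=True)
    return scored


# From the lecture: car costs $10,000 to replace, 10% annual probability of loss.
CAR_IMPACT = 10_000.0
CAR_PROBABILITY = 0.10

# Constructed (hypothetical) controls for the example:
CANDIDATE_CONTROLS = [
    # Insurance with a low deductible: the event still happens, but the loss
    # borne by the owner shrinks to the deductible.
    Control("insurance, $1,000 deductible", annual_cost=600.0,
            impact_after=1_000.0, probability_after=0.10),
    # Higher deductible: cheaper premium, more residual loss.
    Control("insurance, $5,000 deductible", annual_cost=250.0,
            impact_after=5_000.0, probability_after=0.10),
    # An alarm lowers the likelihood of loss rather than its impact.
    Control("alarm and immobiliser", annual_cost=150.0,
            impact_after=10_000.0, probability_after=0.04),
]


def ranked_control_names():
    """Names of the candidate controls in order of decreasing risk leverage."""
    return [c.name for c, _ in evaluate_controls(CAR_IMPACT, CAR_PROBABILITY, CANDIDATE_CONTROLS)]


if __name__ == "__main__":
    print(f"ALE without controls: ${risk_exposure(CAR_IMPACT, CAR_PROBABILITY):,.0f}")
    for control, lev in evaluate_controls(CAR_IMPACT, CAR_PROBABILITY, CANDIDATE_CONTROLS):
        print(f"{control.name:30s} leverage {lev:.2f}")
```

Running it reproduces the slide's $1,000 ALE and ranks the alarm first (leverage 4.0), the high-deductible policy second (2.0) and the low-deductible policy last (1.5): a control that only reduces likelihood can beat one that reduces impact once its cost is taken into account, which is the trade-off the cost-benefit step is meant to surface.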
Qualitative Risk Analysis
• Generally used in Information Security
– Hard to make meaningful valuations and meaningful probabilities
– Relative ordering is faster and more important
• Many approaches to performing qualitative risk analysis
• Same basic steps as quantitative analysis
– Still identifying assets, threats, vulnerabilities, and controls
– Just evaluating importance differently
Approaches to Risk Analysis
• Baseline Approach
– See if your organization matches best practices
– Low overhead for analysis, but best practices may not be appropriate for your organization
• Informal Approach
– Bring in an expert to kick the tires, but not following a formal process
• Detailed Risk Analysis
– Follow formal process. Higher overhead, but less likely to miss things
– Is the focus of the text
• Combined or Hybrid Approach
– In practice a combination of the above approaches is used
Example Detailed Approach in Text
• Step 1: Establish context
– How much risk is your organization willing to
absorb
• Step 2: Identify assets
• Step 3: Identify Threats/Risks/Vulnerabilities
– Pick from lists of known threats
– Brainstorm new threats
– Mixing threats and vulnerabilities here...
Step 4: Analyze Risks
• Analyze existing controls
• Determine likelihood
– Assign value from 1 to 5 where 1 is Rare and 5 is
almost certain
• Determine consequence/impact
– Assign value from 1 to 6 where 1 is insignificant
and 7 is doomsday
Step 5: Determine Resulting Level of Risk

Level of risk by likelihood (rows) and consequence (columns); E = extreme, H = high, M = moderate, L = low.

Likelihood \ Consequence | Insignificant | Minor | Moderate | Major | Catastrophic | Doomsday
Almost Certain | H | H | E | E | E | E
Likely | M | H | H | E | E | E
Possible | L | M | H | E | E | E
Unlikely | L | L | M | H | E | E
Rare | L | L | M | H | H | E
Another way of calculating risk
• Could add the Risk Likelihood and the Risk
Consequence
– Likelihood is Likely (4) and Consequence is
Moderate (3) so Risk level is 7
• Could perform some other function of
Likelihood and Consequence
Step 6: Document in Risk Register

Asset | Threat / Vuln. | Existing Control | Likelihood | Consequence | Level of Risk | Risk Priority
Internet Router | Outside hacker attack | Admin password | Possible | Moderate | High | 1
Destruction of data center | Accidental fire or flood | None | Unlikely | Major | High | 2
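Steps 4 through 6 carried through in code, as an added example that is not part of the lecture slides: the likelihood/consequence matrix lookup from Step 5, the additive alternative from the previous slide (Likely 4 + Moderate 3 = 7), and a risk register built from the two rows on the Step 6 slide. The tie-breaking rule for priorities (matrix level first, then the additive score, then input order) is an assumption of this example; the slides do not state how ties are ranked.

```python
"""Qualitative risk analysis, Steps 4-6: matrix lookup, additive score, risk register.

Added example, not course material.  The matrix and the two register rows are
transcribed from the slides; the priority tie-break rule is an assumption."""
from dataclasses import dataclass

LIKELIHOOD = ["Rare", "Unlikely", "Possible", "Likely", "Almost Certain"]          # scores 1..5
CONSEQUENCE = ["Insignificant", "Minor", "Moderate", "Major", "Catastrophic", "Doomsday"]

# Level-of-risk matrix from the Step 5 slide.  Row = likelihood; the string
# holds one level per consequence column, Insignificant .. Doomsday.
MATRIX = {
    "Almost Certain": "HHEEEE",
    "Likely":         "MHHEEE",
    "Possible":       "LMHEEE",
    "Unlikely":       "LLMHEE",
    "Rare":           "LLMHHE",
}
LEVEL_NAME = {"E": "Extreme", "H": "High", "M": "Moderate", "L": "Low"}
LEVEL_RANK = {"E": 4, "H": 3, "M": 2, "L": 1}


def likelihood_score(likelihood: str) -> int:
    """Step 4 likelihood value: 1 = Rare .. 5 = Almost Certain."""
    return LIKELIHOOD.index(likelihood) + 1


def consequence_score(consequence: str) -> int:
    """Step 4 consequence value: 1 = Insignificant .. 6 = Doomsday."""
    return CONSEQUENCE.index(consequence) + 1


def matrix_level(likelihood: str, consequence: str) -> str:
    """Step 5: look up the level code (E/H/M/L) in the matrix."""
    return MATRIX[likelihood][CONSEQUENCE.index(consequence)]


def additive_level(likelihood: str, consequence: str) -> int:
    """The 'other way' from the slides: add the two scores."""
    return likelihood_score(likelihood) + consequence_score(consequence)


@dataclass
class RegisterEntry:
    asset: str
    threat: str
    existing_control: str
    likelihood: str
    consequence: str
    level: str = ""      # filled in by build_register
    priority: int = 0    # filled in by build_register


def build_register(entries):
    """Step 6: fill in the level of risk and assign priorities, highest risk first.
    Ties on matrix level are broken by the additive score, then by input order
    (assumption of this example).  Python's sort is stable even with reverse=True."""
    for e in entries:
        e.level = LEVEL_NAME[matrix_level(e.likelihood, e.consequence)]
    ranked = sorted(
        entries,
        key=lambda e: (LEVEL_RANK[matrix_level(e.likelihood, e.consequence)],
                       additive_level(e.likelihood, e.consequence)),
        reverse=True,
    )
    for rank, e in enumerate(ranked, start=1):
        e.priority = rank
    return ranked


def slide_register():
    """The two rows from the Step 6 slide, run through build_register."""
    rows = [
        RegisterEntry("Internet Router", "Outside hacker attack", "Admin password",
                      "Possible", "Moderate"),
        RegisterEntry("Destruction of data center", "Accidental fire or flood", "None",
                      "Unlikely", "Major"),
    ]
    return build_register(rows)


if __name__ == "__main__":
    for e in slide_register():
        print(f"{e.priority}. {e.asset:28s} {e.likelihood:9s} {e.consequence:9s} -> {e.level}")
```

Both slide rows come out High, with the router first, which matches the register on the slide; the additive score gives 6 for each, so without an explicit tie-break rule the register's priority order would be arbitrary, which is why the rule should be written down in the procedure rather than left to whoever fills in the table.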
Dealing with Risk
• Avoid risk
– Implement a control or change design
• Transfer risk
– Change design to introduce different risk
– Buy insurance
• Assume risk
– Detect, recover
– Plan for the fall out
– Reduce consequence
• Controls to reduce the downside of risk occurrence
– Reduce likelihood
• Controls to reduce the chance of risk occurring.
Risk/Control Trade Offs
• Only Safe Asset is a Dead Asset
– Asset that is completely locked away is safe, but
useless
– Trade-off between safety and availability
• Do not waste effort on assets with low loss value
– Don’t spend resources to protect garbage
• Control only has to be good enough, not absolute
– Make it tough enough to discourage enemy
Security Plan (one row of the plan table, shown field by field)
• Risk: Hacker attack on internet router
• Level of Risk: High
• Rec. Controls:
– Disable external telnet access
– Use detailed auditing of privileged command use
– Set policy for strong admin policy
– Set backup strategy for router configuration file
– Set change control policy for the router configuration
• Priority: High
• Selected Controls:
– Strengthen access authentication
– Install IDS
• Required resources: 3 days IT net admin; 1 day training
• Resp. Persons: Lead network system admin, Corporate IT support team
• Start – end dates: 2/1/06 – 2/4/06
• Comment: Need periodic test and review of configuration policy and use
Implementation of Security Plan
• Implement
• Training
• Awareness
• Maintenance
• Change and config management
• Monitoring and incident handling
• Compliance checks
Communicate Results
• Write a good executive summary
– It is likely that is all that will be read
• Conduct meetings and training sessions to communicate what really needs to be known in the organization
• Still important to write the report
– When something goes wrong, the Risk Analysis report will be dredged up.
Key Points
• Security policy bridges between human
expectations and implementation reality
• Key Elements of Risk Analysis
– Assets, Threats, Vulnerabilities, and Controls
• Quantitative vs qualitative
• Not a scientific process
– Companies will develop their own procedure
– Still a good framework for better
understanding of system security