Risk management
Winter 2020, COMP 3061 Computer Security
Dr Danish Khan

Lecture outline
• Introduction to risk
• Risk management framework
• Security controls
• Risk assessment
• Business impact analysis
• Data security and privacy policies
• Personnel risks
• Third-party risks

I. Introduction to risk

What is an information security risk?
• Risk is the probability of a threat actor taking advantage of a vulnerability, by using a threat, against an IT system asset.
• Probability means the likelihood over a defined period of time. It is measured between 0 and 1, where 0 means the incident cannot occur (no risk) and 1 means the incident will definitely occur.
• A threat actor can be a malicious person or an automated program.
• A vulnerability is a weakness inherent in an asset that leaves it open to a threat.
• A threat is an action a threat actor can use against a vulnerability to create a negative effect. You can't have a threat without a vulnerability: a threat with no matching weakness to act on poses no risk to that asset.
• Known vulnerabilities in software products are catalogued in the National Vulnerability Database: https://nvd.nist.gov/
• Asset – a resource with economic value that an individual, corporation or country owns with the expectation that it will provide a future benefit.
  • An asset can be valued tangibly or intangibly; a router is tangible (it has a dollar value).
  • Faith, trust and happiness (customer goodwill, reputation) are intangible.

Types of threat actors
• Hacktivists
  • A hacker and an activist; some form of agenda, often political or fuelled by a sense of injustice.
• Script kiddies
  • Limited skill set; use open source attack tools written by others.
• Insiders
  • People within the organization, who already hold legitimate access.
• Competitors
  • Outside the organization, trying to gain access to the same customers as the targeted company.
• Organized crime
  • Groups that use extralegal methods to gain access to resources. Usually well funded.
• Nation state / APT
  • Government-directed attacks; for example, one country sending spies to another to gain information. Well funded.
  • Often runs an advanced persistent threat (APT) campaign to keep long-term control of a compromised system, continuously looking for new data to steal. (The term APT is also used for the well-resourced actor itself.)

Calculating risk
• Risk = Probability x Vulnerability x Threat: the conceptual form. All three factors must be present for a risk to exist, but vulnerability and threat are not numbers to multiply.
• Risk = Probability x Impact: the form actually used when a risk is quantified (see the risk assessment section).

II. Risk management framework
How to apply security controls in an organization?

Risk management concepts
• A risk management framework (RMF) describes the major steps and flows of the complex process of applying security controls in an organized and controlled fashion.
• Concepts
  • Infrastructure
  • Security controls - a safeguard applied to a vulnerability to reduce or eliminate the likelihood or impact of a threat.
  • Laws
  • Standards
  • Best practices

RMF steps (the six steps of NIST SP 800-37 Rev. 1; Rev. 2 adds a preliminary Prepare step)
• Categorize the information system
  • Identify its assets and determine the impact of losing them.
• Select security controls
  • Select an initial set of baseline security controls for the information system based on the security categorization.
• Implement the security controls
  • Apply the security controls.
• Assess the security controls
  • Test/assess the security controls to verify they're doing the job you want them to do.
• Authorize the information system
  • Authorize the now-strengthened information system to operate.
• Monitor the security controls
  • Monitor the information system on an ongoing basis, checking for new vulnerabilities and overall performance.

III. Security controls
• Types of controls
• Management of control types
• Security control strategies

Types of controls
• By function: deterrent, preventative, detective, corrective, compensating
• By how they are implemented: technical, administrative, physical

Types of control
• Deterrent control
  • Deters a potential attacker from attempting an attack.
  • Good lighting around the house.
  • Fake cameras around the building.
  • Login warning banner on an SSH server (a warning, not a "welcome": it states that access is monitored and unauthorized use is prohibited).
• Preventative control
  • Stops an attack from succeeding in the first place.
  • Long minimum password length.
  • Putting a lock on the server room door.
  • Background check when hiring a new employee.

Types of control
• Detective control
  • Actively looks for an attack and alerts security professionals to the presence of an active, ongoing attack (intrusion detection systems, log monitoring, security cameras).
• Corrective control
  • Applies after an attack has taken place and fixes/mitigates the result of the incident. Restoring data from backups is probably the most common example of a corrective control.
• Compensating control
  • Provides a temporary solution to a vulnerability that is less than optimal.
  • Use compensating controls to keep going until a better control is available or possible.

Management of control types
• Technical controls
  • Security controls applied to technology. If you specify a security control that states, "All edge routers must be able to communicate on SNMPv3," then you've made a technical control.
• Administrative controls
  • Security controls applied to people. If you have a security control that states, "All users must log off their workstations every time they leave their office, regardless of length of time," then you've made an administrative control.
• Physical controls
  • Secure physical areas from physical access by unauthorized people. Fences, door locks, elevator floor blockers, and biometric retinal scanners are all examples of physical controls.

Security control strategies
• Layered security
  • Several overlapping controls, so that no single control failure exposes the asset (defence in depth).
• Vendor diversity
  • Do not rely on a single vendor for all security products; a flaw in one vendor's product should not defeat every layer.
• Control diversity
  • Combine administrative and technical controls.
  • Asking users to choose a complex password (administrative control) and enforcing a password policy in Windows (technical control).
• User training
  • Continuous user training.
https://www.malwarefox.com/layered-security/

IV.
Risk assessment
Risk management processes and concepts

Risk assessment methods
• NIST Special Publication 800-30, Rev. 1, "Guide for Conducting Risk Assessments". The link can be found at https://www.nist.gov/publications/guide-conducting-riskassessments

Risk assessment process
• Identifying threat sources
  • Environmental
  • Manmade
  • Internal – insider to the organization
  • External – outsider to your organization
• Likelihood and impact
  • Likelihood of occurrence is the probability that a threat actor will initiate a threat, or the probability that a threat could successfully exploit a given vulnerability.
  • Impact is the degree of harm or damage caused to an asset or the organization.
  • Review NIST SP 800-30, Rev. 1 for the likelihood and impact rating tables in its appendices.
• Risk registers
  • A risk register is the list (usually a table) of identified risks, each with its likelihood, impact, owner and planned response. Plotting likelihood against impact for every entry (a risk matrix or heat map) is the usual way to visualize the register and to spot risks that would otherwise be easily missed.

Risk assessment methods
• Quantitative risk assessment (objective or numerical)
  • Asset value (AV) and exposure factor (EF)
    • AV is expressed in currency and EF is the fraction of the asset lost in one event, between 0 and 1.
  • Single loss expectancy (SLE) = AV x EF
    • Say you have an asset (a server) that cost you $5,000. In a single loss event such as a flood you expect to lose 50% of the asset, so SLE = 5000 x 0.5 = $2,500.
  • Annualized rate of occurrence (ARO) - how many times per year you would expect a particular negative event to occur, resulting in a loss of the asset.
  • Annualized loss expectancy (ALE) - combines the SLE with the ARO to determine how much loss the organization could realistically expect in a one-year period.
  • ALE = SLE x ARO

Quantitative risk assessment - example
• The Bayland Widget corporation has a data center in Totoville, Kansas. Totoville averages about seven major tornados a year. The ARO of a tornado is therefore 7.
• A serious tornado hit to the $2,000,000 facility would likely cause about 20 percent damage. Put those numbers together to create the SLE:
  • SLE = AV x EF; $2M x 0.2 = $400,000
  • ALE = SLE x ARO; $400,000 x 7 = $2.8M loss/year
• The ALE is what you compare against the annual cost of a control: a control is worth buying when the ALE reduction it produces exceeds its yearly cost.

Risk assessment methods
• Qualitative risk assessment (subjective)
  • A qualitative risk assessment doesn't necessarily use numerical values; it relies on descriptive elements derived from opinion, trend analysis, or best estimates. For example, what would the impact be to an organization if it suffered a loss of reputation in the marketplace?
  • Reputation cannot be easily quantified numerically, but it can be assigned a descriptive value, such as low, medium, or high.
  • Uses a scale such as very high, high, moderate, low, very low.

Risk response
• Mitigate - an attempt to reduce the risk, or at least minimize its effects on an asset (apply controls).
• Transfer - (also sometimes called risk sharing) deals with risk by sharing the burden of the risk, especially the impact element (insurance, outsourcing).
• Accept - the organization has implemented controls and knowingly lives with the risk that remains (residual risk).
• Avoid - the organization chooses not to participate in activities that cause unnecessary or excessive risk.
Note: Risk can never be completely eliminated; it can only be reduced to a very unlikely level or to a very insignificant impact.

V. Business impact analysis
Business impact analysis concepts

BIA basics
• An analysis of an information system's requirements, functions, and interdependencies used to characterize system contingency requirements and priorities in the event of a significant disruption.
• NIST SP 800-34, Revision 1, "Contingency Planning Guide for Federal Information Systems," offers a detailed, three-stage BIA.

BIA stage 1
• Determine mission/business processes and recovery criticality. Mission/business processes supported by the system are identified and the impact of a system disruption to those processes is determined, along with outage impacts and estimated downtime.
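The SLE/ALE arithmetic of the quantitative assessment above, carried one step further into the mitigate-or-accept decision, as an added example (not code from the lecture). It uses the lecture's Bayland Widget numbers; the $500,000-a-year control cost, the 5% residual exposure factor and the flood ARO of 0.1 are assumed values that the slides do not give.

```python
"""Quantitative risk assessment: SLE, ALE and the cost/benefit of a control.

Added example, not from the slides. AV, EF and ARO are the slides' terms;
the control cost and residual exposure factor in the worked call at the
bottom are invented numbers used to show the decision, and the flood ARO
is assumed (the slides give no ARO for the server example).
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Risk:
    """One row of a risk register, expressed quantitatively."""
    name: str
    asset_value: float      # AV, in currency
    exposure_factor: float  # EF, fraction of AV lost per event, 0..1
    aro: float              # annualized rate of occurrence, events per year

    def __post_init__(self) -> None:
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError("EF is a fraction between 0 and 1")
        if self.asset_value < 0 or self.aro < 0:
            raise ValueError("AV and ARO cannot be negative")

    @property
    def sle(self) -> float:
        """Single loss expectancy: SLE = AV x EF."""
        return self.asset_value * self.exposure_factor

    @property
    def ale(self) -> float:
        """Annualized loss expectancy: ALE = SLE x ARO."""
        return self.sle * self.aro


def evaluate_control(risk: Risk, annual_cost: float,
                     new_ef: Optional[float] = None,
                     new_aro: Optional[float] = None) -> Dict[str, object]:
    """Compare ALE before and after a proposed control.

    A control can lower EF (less damage per event), ARO (fewer events), or
    both. Buying it is rational (mitigate) when the ALE reduction exceeds its
    annual cost; otherwise accepting or transferring the risk is cheaper.
    """
    residual = Risk(risk.name, risk.asset_value,
                    risk.exposure_factor if new_ef is None else new_ef,
                    risk.aro if new_aro is None else new_aro)
    reduction = risk.ale - residual.ale
    return {
        "ale_before": risk.ale,
        "ale_after": residual.ale,          # residual risk that is then accepted
        "annual_benefit": reduction - annual_cost,
        "worthwhile": reduction > annual_cost,
    }


def prioritize(register: List[Risk]) -> List[Risk]:
    """Order a risk register by ALE, largest annual exposure first."""
    return sorted(register, key=lambda r: r.ale, reverse=True)


# Numbers from the lecture's Bayland Widget example: $2M data center, 20% damage, 7 tornados a year.
TORNADO = Risk("tornado hits Totoville data center", 2_000_000, 0.20, 7)
# The slides' $5,000 server losing 50% in a flood; an ARO of 0.1 (one flood per decade) is assumed.
FLOOD = Risk("flood damages server", 5_000, 0.50, 0.1)

if __name__ == "__main__":
    for r in prioritize([FLOOD, TORNADO]):
        print(f"{r.name}: SLE=${r.sle:,.0f}  ALE=${r.ale:,.0f}")
    # Hypothetical hardening that cuts tornado damage from 20% to 5% for $500,000 a year.
    print(evaluate_control(TORNADO, annual_cost=500_000, new_ef=0.05))
```

For the tornado risk the hardening reduces ALE from $2.8M to $700,000, a $2.1M reduction against a $500,000 cost, so the control is worth it and the remaining $700,000 a year is the residual risk the organization then accepts. Change the assumed cost to $2.5M and the same function says to accept (or insure) instead.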
• Make sure you know which workflows and processes your organization depends on to operate, in other words, the mission-essential functions. Determine the types of impact and consider the impact of the failure of each of these workflows and processes. Estimate how long it takes to bring those workflows and processes back up to speed.

BIA stage 2
• Identify resource requirements. Realistic recovery efforts require a thorough evaluation of the resources required to resume mission/business processes and related interdependencies as quickly as possible.
• What are the critical tools your organization uses to do these workflows and processes? Where are they? How do they work? In other words, a BIA provides identification of critical systems.

BIA stage 3
• Identify recovery priorities for system resources. Based upon the results from the previous activities, system resources can be linked more clearly to critical mission/business processes and functions. Priority levels can be established for sequencing recovery activities and resources.
• Once you understand all the resources that together make a particular workflow/process work, determine the priority of bringing them back up to speed if they fail.

Types of impact
• Financial - manifests in several ways. It might mean lost or delayed sales. It might also lead to increased expenses, such as overtime, outsourcing, and fines.
• Reputation - what customers think when they visit your site and it is not working, or when they hear of a privacy breach.
• Property - property damage, or property not habitable due to a nearby fire in the building.
• Safety/life - the most serious impact is loss of safety or life.
• Privacy - an organization performs a privacy impact assessment (PIA) to determine the impact on the privacy of the individuals whose data is being stored, and to ensure that the organization has sufficient security controls applied to be in compliance with applicable laws or standards.
Calculating impact
• MTBF (mean time between failures) - typically applies to hardware components; represents the manufacturer's best estimate (based on historical data) of how much time will pass between major failures of that component. Applies to components that are repaired and put back in service.
• MTTF (mean time to failure) - indicates the length of time a device is expected to last in operation. With MTTF only a single, definitive failure occurs, after which the device must be replaced rather than repaired.
• MTTR (mean time to repair/recover) - the amount of time it takes for a hardware component to recover from a failure.
https://www.researchgate.net/figure/A-schematic-diagram-ofMTTF-MTTR-and-MTBF_fig5_334205633

Calculating downtime
• The recovery time objective (RTO) is the maximum amount of time that a resource may remain unavailable before an unacceptable impact on other system resources occurs: how long you have to get the service back.
• The recovery point objective (RPO) is the maximum amount of data loss, measured in time, that is acceptable: the point in time to which data must be restored. A 4-hour RPO means backups (or replication) must capture changes at least every 4 hours, because everything written after the last usable backup is lost.

VI. Data security and privacy policies

Data privacy
• Data organization
  • The first step to dealing with data security is organization. Analyze individual chunks of data, such as databases, spreadsheets, access control lists, and so on. Then determine the importance, the sensitivity, of that data.
• Data sensitivity - IT security professionals need to apply appropriate security controls for data, making decisions based on the sensitivity of that data. The more sensitive the data, the more controls we apply to ensure its security.

Impact table for data (FIPS 199)
• FIPS 199 rates the potential impact of a loss of confidentiality, integrity or availability as low, moderate or high (the table itself is not reproduced in this extract).

Data privacy
• Commercial labels
  • Confidential, private, proprietary, public
• Government/military labels
  • Top secret, secret, confidential (and unclassified)

Data privacy
• Data roles - every data set needs some number of people with clearly defined roles who manage that data at various levels. Data roles help define both the various responsibilities and the responsible parties for the different jobs.
• Data owner - the entity who holds the legal ownership of a data set.
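A worked check of the RTO, RPO and MTBF/MTTR definitions from the "Calculating impact" and "Calculating downtime" slides above, as an added example (not code from the lecture). The backup schedule, the restore-step timings and the MTBF/MTTR figures are constructed; the availability formula MTBF / (MTBF + MTTR) is standard reliability arithmetic that the slides do not state.

```python
"""Downtime and data-loss checks for a BIA: RTO, RPO, MTBF/MTTR.

Added example, not from the slides. The backup schedule, restore steps and
MTBF/MTTR figures are constructed. The availability formula
A = MTBF / (MTBF + MTTR) is standard reliability arithmetic and is not
stated on the slides.
"""
from datetime import datetime, timedelta
from typing import List

HOURS_PER_YEAR = 8760


def worst_case_data_loss(backup_interval: timedelta,
                         backup_duration: timedelta = timedelta(0)) -> timedelta:
    """Oldest the newest *usable* backup can be when an incident strikes.

    An incident just before a backup finishes loses a full interval of
    changes plus everything written while that (now incomplete) backup ran.
    """
    return backup_interval + backup_duration


def meets_rpo(backup_interval: timedelta, rpo: timedelta,
              backup_duration: timedelta = timedelta(0)) -> bool:
    """Does the backup schedule keep worst-case data loss within the RPO?"""
    return worst_case_data_loss(backup_interval, backup_duration) <= rpo


def actual_data_loss(last_good_backup: datetime, incident: datetime) -> timedelta:
    """Data lost in a real incident: everything after the last restorable backup."""
    if incident < last_good_backup:
        raise ValueError("incident cannot precede the backup it is measured against")
    return incident - last_good_backup


def recovery_time(steps: List[timedelta]) -> timedelta:
    """Total time to recover when the restore steps run one after another."""
    return sum(steps, timedelta(0))


def meets_rto(steps: List[timedelta], rto: timedelta) -> bool:
    """Does the measured (or rehearsed) restore procedure fit inside the RTO?"""
    return recovery_time(steps) <= rto


def availability(mtbf_hours: float, mttr_hours: float) -> float:
    """Steady-state availability of a repairable component: MTBF / (MTBF + MTTR)."""
    if mtbf_hours <= 0 or mttr_hours < 0:
        raise ValueError("MTBF must be positive and MTTR non-negative")
    return mtbf_hours / (mtbf_hours + mttr_hours)


def expected_downtime_hours_per_year(mtbf_hours: float, mttr_hours: float) -> float:
    """Outage hours per year implied by MTBF and MTTR; compare with the RTO budget."""
    return (1.0 - availability(mtbf_hours, mttr_hours)) * HOURS_PER_YEAR


if __name__ == "__main__":
    # Constructed scenario: nightly backups taking 2 h against a 4 h RPO.
    print("nightly backup meets 4h RPO:",
          meets_rpo(timedelta(hours=24), timedelta(hours=4), timedelta(hours=2)))
    print("hourly backup meets 4h RPO:",
          meets_rpo(timedelta(hours=1), timedelta(hours=4), timedelta(minutes=10)))
    # Restore rehearsal: provision host 45 min, restore data 3 h, verify 30 min; RTO is 4 h.
    steps = [timedelta(minutes=45), timedelta(hours=3), timedelta(minutes=30)]
    print("restore fits 4h RTO:", meets_rto(steps, timedelta(hours=4)))
    # Disk array with MTBF 50,000 h and MTTR 8 h.
    print(f"availability: {availability(50_000, 8):.5f}, "
          f"downtime/year: {expected_downtime_hours_per_year(50_000, 8):.2f} h")
```

The point of rehearsing the restore steps is that the RTO is a budget, not a promise: the constructed 4h15m restore misses a 4-hour RTO even though each step looks short. Likewise a nightly backup can never satisfy a 4-hour RPO, whatever the restore speed.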
• Data custodian - ensures that the technical aspects of the data set are in good order (storage, backups, access controls).
• Data steward - makes sure that the data set does what the data is supposed to do for the organization. Data stewards update the data as needed to conform to needs and define how users access the data.
• Privacy officer - when an organization has data that is subject to privacy laws and regulations, it assigns a privacy officer to oversee that data. Privacy officers perform the due diligence to make sure that the data's storage, retention, and use conform to any and all laws and regulations.

Data privacy
• Legal and compliance
  • The Health Insurance Portability and Accountability Act (HIPAA) and the Sarbanes-Oxley Act (SOX) provide strict U.S. federal guidelines for the handling, storage, and transmission of data. In addition, the Payment Card Industry Data Security Standard (PCI DSS), while not a law, has equally stringent requirements for credit card data.
• Personally identifiable information
  • Personally identifiable information (PII) is any information referencing an individual that either by itself or combined with other information could identify that individual, allowing persons to contact or locate that individual without their permission.
• Protected health information
  • Protected health information (PHI) is any form of personal health information (treatment, diagnosis, prescriptions, etc.) electronically stored or transmitted by any health provider, insurer, or employer. This health information must be tied to the individual's PII to be considered PHI.
• Data retention
  • A number of laws and regulations set strict rules on how long different types of data must be retained. The Sarbanes-Oxley Act is easily the most far-reaching law affecting the types of data public companies must retain and the length of time they must retain it.
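For the FIPS 199 impact table referenced above (and the RMF "Categorize the information system" step), the high-water-mark rule FIPS 199 uses to roll the ratings of individual information types up into a system category, as an added example that is not from the slides. The information types and their impact ratings are constructed for illustration; `categorize_system` and `baseline_for` are this example's own function names.

```python
"""FIPS 199 security categorization of a system by the high-water mark.

Added example, not from the slides. FIPS 199 writes the category of an
information type as SC = {(confidentiality, impact), (integrity, impact),
(availability, impact)}, impact being LOW, MODERATE or HIGH (NA is allowed
for confidentiality of public information only). For a system holding
several information types, each objective takes the highest impact across
those types (the high-water mark), a system objective is never below LOW,
and the overall level is the highest of the three. The information types
below are constructed for illustration.
"""
from typing import Dict, Iterable, List, NamedTuple

LEVELS = ("NA", "LOW", "MODERATE", "HIGH")
_RANK = {lvl: i for i, lvl in enumerate(LEVELS)}
OBJECTIVES = ("confidentiality", "integrity", "availability")


class InfoType(NamedTuple):
    name: str
    confidentiality: str
    integrity: str
    availability: str


def _check(level: str, objective: str) -> str:
    """Reject unknown levels and NA outside confidentiality."""
    if level not in _RANK:
        raise ValueError(f"{objective}: impact must be one of {LEVELS}, got {level!r}")
    if level == "NA" and objective != "confidentiality":
        raise ValueError(f"{objective}: NA is only allowed for confidentiality")
    return level


def _highest(levels: Iterable[str]) -> str:
    return max(levels, key=_RANK.__getitem__)


def categorize_system(info_types: List[InfoType]) -> Dict[str, str]:
    """Apply the high-water mark and return the system's SC plus overall level."""
    if not info_types:
        raise ValueError("a system must hold at least one information type")
    sc: Dict[str, str] = {}
    for objective in OBJECTIVES:
        hwm = _highest(_check(getattr(t, objective), objective) for t in info_types)
        sc[objective] = "LOW" if hwm == "NA" else hwm   # a system objective never drops below LOW
    sc["overall"] = _highest(sc[o] for o in OBJECTIVES)
    return sc


def baseline_for(sc: Dict[str, str]) -> str:
    """Name the SP 800-53 control baseline the RMF 'Select' step starts from."""
    return f"SP 800-53 {sc['overall'].lower()} baseline"


# Constructed information types for a customer-facing web application.
PUBLIC_WEB = InfoType("public web content", "NA", "MODERATE", "LOW")
CUSTOMER_PII = InfoType("customer PII", "MODERATE", "MODERATE", "LOW")
PAYMENT_DATA = InfoType("card payment data", "HIGH", "HIGH", "MODERATE")

if __name__ == "__main__":
    for types in ([PUBLIC_WEB], [PUBLIC_WEB, CUSTOMER_PII],
                  [PUBLIC_WEB, CUSTOMER_PII, PAYMENT_DATA]):
        sc = categorize_system(types)
        print([t.name for t in types], "->", sc, "|", baseline_for(sc))
```

The practical consequence of the high-water mark is visible in the last run: adding one high-impact information type (payment data) to a moderate system pulls the whole system, and therefore its control baseline, up to high. That is why data organization and sensitivity labelling come first: what you co-host decides how much you must protect.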
Data privacy
• Data destruction
  • Legacy media
    • Given that most legacy media isn't completely erasable, the best way to eliminate the data is to destroy the media. Paper, film, and tape are all extremely flammable, so burning is an effective way to destroy the data. For more "green" organizations, pulping water-soluble media (paper) lets you recycle the media and not pollute the environment.
  • Electronic media
    • Almost all electronic media is erasable, so in many cases you can nondestructively remove the data. Simple erasing, even reformatting, isn't enough: both only remove references to the data, not the data itself.
    • NIST SP 800-88, Rev. 1, describes the ATA Secure Erase command built into PATA and SATA drives. Several programs can issue a secure erase. (SP 800-88 groups sanitization into Clear, Purge and Destroy; pick the level from the data's sensitivity and from whether the media will leave your control.)
    • DBAN 2.3.0 (Darik's Boot and Nuke), a popular overwrite-based wipe utility (and it's free!). Overwriting is sound for spinning disks; on SSDs, wear levelling leaves blocks an overwrite cannot reach, so use the drive's built-in secure erase/sanitize command or cryptographic erase instead.

VII. Personnel risks
Policies, plans and procedures related to organizational security

Personnel risks
• Hiring
  • Organizations perform background checks to look for potential issues, such as felony convictions, and to verify resume statements.
  • New hires sign a nondisclosure agreement (NDA).
• Onboarding
  • Onboarding is the process of giving a new hire the knowledge and skills he or she needs to do the job, while at the same time defining the behaviors expected of the new hire within the corporate culture.

Personnel risks
• Personnel management policies
  • Standard operating procedures (SOPs)
    • How the organization does things, according to the organization's best practices, for each job function. Some SOPs that are particularly important for IT security include login procedures, approved data storage locations, use of security credentials, and procedures for lost or damaged equipment.
  • Mandatory vacations
    • Many industries (for example, the U.S. banking industry) require all employees to take off work for a minimum of two weeks every year, a mandatory vacation. Mandatory vacations are an important security control mainly because they make it harder to sustain embezzlement.
    • An embezzlement scheme usually requires the embezzler to monitor orders constantly, manipulate records, or deal with issues that might arise, to keep from being detected; two weeks away lets someone else see the anomalies.

Personnel risks
• Personnel management policies (contd.)
  • Job rotation
    • Periodically switching people around to work in different positions. This practice enables different people to become proficient in a variety of job roles, so the organization doesn't depend solely on one person to perform certain critical functions or tasks, and, like mandatory vacations, it exposes fraud that depends on one person staying in place.
  • Separation of duties
    • A single individual should not perform all critical or privileged-level duties. These types of important duties must be separated or divided among several individuals.
  • Multi-person control
    • More than one person is required to accomplish a specific task or function (for example, two-person approval of a production change).

Personnel risks
• Personnel management policies (contd.)
  • Training - user training should take place at two very distinct points in the user's relationship with an organization: during the onboarding process, to get the new hire to understand and subscribe to critical policies and good user habits, and, possibly even more importantly, as an ongoing continuing-education process. Role-based training:
    • User - must understand how his or her system functions and have proper security training to recognize common issues (malware, an unauthorized user at their system, etc.).
    • Privileged user - has increased access and control over a system, including access to tools unavailable to regular users.
    • Executive user - concentrates on strategic decisions, including policy review, incident response, and disaster recovery.
    • System administrator - has complete, direct control over a system.
    • Data owner/system owner - from a role-based training aspect, these two otherwise slightly different functions are very similar, in that in almost all cases the owner is the organization.
      In these cases, the main security role is to know how to delegate security awareness to the proper authority. For data, this is usually the data custodian; for systems, it is usually the system administrator.

Personnel risks
• Personnel management policies (contd.)
  • Policies
    • Acceptable use policy - an acceptable use policy (AUP), also called a rules of behavior policy, defines what a user may or may not do on the organization's equipment.
    • General security policies - people use social media networks and personal e-mail to exchange information and photographs and keep in touch with family members and friends. Unfortunately, some people post way too much information on social media networks and through social media applications (hello, Snapchat), decreasing their (and others') level of privacy.

Personnel risks
• Personnel management policies (contd.)
  • User habits
    • Password behaviors
      • Users should create complex passwords.
      • Users should avoid passwords built from dictionary words.
      • Users should never share their passwords or write them down (a password manager is the safe alternative to writing them down).
      • Users should change their passwords often to thwart password attacks. Caveat: current guidance (NIST SP 800-63B) drops forced periodic rotation, which pushes users toward predictable variants, in favour of changing a password when there is evidence it has been compromised and screening new passwords against lists of known-breached ones.
    • Clean desk policy - a clean desk policy isn't about asking employees not to leave old soda cans and candy wrappers on their desks! Instead, it creates a process for employees to clear sensitive data out of work areas so that it is stored securely at the end of the workday.
    • Preventing social engineering attacks - users should be briefed on the general concepts of social engineering and how it works, and also on the specific types of attacks they may encounter, such as shoulder surfing, tailgating, dumpster diving, and so on.
    • Personally owned devices - users should get training on the risks posed by bringing personally owned devices to work and how they can help prevent those risks.

Personnel risks
• Personnel management policies (contd.)
  • Offboarding
    • Termination letter/exit interview - an employee should provide a written termination letter defining the final day of employment. In many organizations, this is also the time to perform an exit interview. Exit interviews give the soon-to-be-separated employee an opportunity to provide insight to the employer about ways to improve the organization. Some example questions: a) What are your main reasons for leaving? b) What procedures can we improve upon?
    • Return of equipment - all organizations should use a checklist to ensure that all equipment owned by the organization is returned by the departing employee.
    • Knowledge transfer - the process that makes sure a separating employee provides any and all knowledge needed by the organization.
    • Revoking access - the same checklist should cover disabling the employee's accounts and revoking credentials, keys and badges on the final day, so that no access outlives the employment.

VIII. Third-party risk
Policies, plans and procedures related to organizational security

Considerations
• Security policy and procedures
  • Although your organization should have its own security policies, procedures, and processes, third-party organizations usually have their own as well. Sometimes these policies and procedures conflict between the parties and have to be negotiated, resolving any differences between them, in advance.
• Privacy considerations
  • Privacy is a serious consideration when exchanging data with any third party. If you contract services with a third party, make sure to agree on data privacy prior to entering into any business agreements. Privacy considerations include employee data privacy; privacy related to the type of data itself, such as financial data, personally identifiable information (PII), and protected health information (PHI); and how the third party will treat this data.

Considerations
• Risk awareness
  • Many organizations require that third-party providers or business associates have an established risk management program that includes threat and vulnerability assessments, risk mitigation strategies, and so on.
    This helps assure an organization that the third party has performed its due care and due diligence in assessing and managing risk and is therefore able to reduce and mitigate it.
• Understanding data sharing
  • The security policy set forth in third-party agreements should cover unauthorized data sharing and access control.

Considerations
• Data ownership
  • Organizations must define the types of data to which they claim ownership initially, and how they would classify that data in terms of its sensitivity and protection requirements.
• Supply chain assessment
  • Supply chains, the processes by which organizations receive necessary goods and services from third parties, are a huge issue for any organization, especially in the manufacturing and distribution industries.
  • From the standpoint of IT security, our biggest concern is the availability of equipment, software, and online services. To that end, it's important for IT security folks to conduct a supply chain assessment to ensure those critical products are available as needed and to create alternative processes. The integrity of what arrives (hardware or software updates tampered with upstream) is the other side of the same assessment.

Considerations
• Agreement types
  • Sales and purchase agreement (SPA)
    • A legal document obligating a buyer to buy and a seller to sell a product or service. SPAs are critical and common for large, complex purchases. An SPA defines not only prices, but also payment amounts and time frames for deposits.
  • Service level agreement (SLA)
    • A legal document that defines the expectations for services that a third-party provider will guarantee to the organization. The provider guarantees the service it provides to be up and running and usable by the organization, either for a certain percentage of time or to a certain level of standards.

Considerations
• Agreement types
  • Business partners agreement (BPA)
    • Specifies what type of relationship the different parties will have, usually from a legal perspective.
      An entirely separate company may be established for the business venture, combining elements of both individual businesses; this is usually for long-term or large-scale ventures.
  • Memorandum of understanding (MOU)
    • Sometimes called a memorandum of agreement (MOA); a document often used within a large business or government agency that establishes an agreement between two independently managed parties that may be working together on a project or business venture.

Considerations
• Agreement types
  • Interconnection security agreement (ISA)
    • Telecommunication companies use an interconnection security agreement (ISA) when connecting to each other's networks, to handle essential details about technology and personnel. Unlike an MOU, an ISA is not a legal document; it is used to cover the technical issues between two parties. An ISA may detail how two independently owned and managed network infrastructures are connected to each other.
• Verifying compliance and performance
  • Any agreement between business parties and providers should specify how each party can verify compliance and performance standards. You may specify certain common standards and performance levels that each party has to meet, as well as legal or governance compliance.

Q/A