CIST 1601 Information Security Fundamentals
Chapter 1: Measuring and Weighing Risk
Collected and Compiled By JD Willard, MCSE, MCSA, Network+, Microsoft IT Academy Administrator, Computer Information Systems Technology, Albany Technical College

Identifying Assets

Asset identification is the process of identifying the types and values of assets in an organization. In some cases, the process may be as simple as counting systems and software licenses. The more difficult part of an asset-identification process is attempting to assign values to information. In some cases, you may only be able to determine what would happen if the information were to become unavailable or lost. If absence of this information would effectively shut down the business, the information is priceless.

Risk Assessment

There are several ways to perform a risk assessment or risk analysis. They range from highly scientific formula-based methods to a conversation with the owner. The cost of an event and the probability that an event will occur are two of the most important factors to consider when you’re formulating a risk assessment. In general, you should attempt to identify the costs of replacing stolen data or systems, the costs of downtime, and virtually any risk factor you can imagine. You can move to risk assessment only after completing the asset identification. After you’ve determined the costs, you can then evaluate the likelihood that certain types of events will occur and the most likely outcome if they do occur.

Risk Assessment: Risk Avoidance

Risk assessment helps align security objectives with business objectives. Risk analysis is part of the disaster recovery plan. Risk analysis is the process of identifying assets and their associated threats, vulnerabilities, and potential risks, and justifying the cost of countermeasures deployed to mitigate the loss.
It is important to note that risk analysis is focused on a cost-benefit analysis of countermeasures, and not on the selection of countermeasures. Risk analysis also measures the amount of loss that an organization can potentially incur if an asset is exposed to loss.

During the process of risk assessment, it is necessary to review many areas, such as the following:

- Methods of access
- Authentication schemes
- Audit policies
- Hiring and release procedures
- Isolated services that may provide a single point of failure or avenue of compromise
- Data or services requiring special backup or automatic failover support

The following are the four major objectives of a risk analysis, in order of execution:

1. To identify all existing assets and estimate their monetary value.
2. To identify vulnerabilities and threats to information assets. A vulnerability is a weakness in the system, software, hardware, or procedure. A threat agent can exploit this weakness, leading to a risk of loss potential. A virus is an example of a threat agent, and the possibility of a virus infecting a system is an example of a threat.
3. To quantify the possibility of threats and measure their impact on business operations.
4. To provide a balance between the cost of the impact of a threat and the cost of implementing the safeguard measures to mitigate the impact of threats.

Acting on Your Risk Assessment

Risk Avoidance: Some risks can be eliminated through a change in the technology, policy, or mechanism of employment. For example, the risk of “wardialing” attacks can be eliminated by removing legacy dial-up telephony modem devices.

Risk Transference: A risk may be transferred, such as when the risk of equipment loss is covered by a full-replacement insurance policy.

Risk Mitigation: Most risks fall into the mitigated response area, where the application of additional effort may reduce the risk to a level documented as acceptable.
Risk Deterrence: Risk deterrence involves understanding something about the enemy and letting them know the harm that can come their way if they cause harm to you. This can be as simple as posting prosecution policies on your login pages and convincing them that you have steps in place to identify intrusions and act on them.

Risk Acceptance: Some risks cannot be addressed within reasonable time or cost constraints and may be accepted, with proper documentation as to the reasons why the risk is acceptable.

Risk Assessment: Risk Calculations

The annualized rate of occurrence (ARO) signifies the probability of an event occurring within a year. This conclusion is usually based on referencing historical data. This measure can be used in conjunction with a monetary value assigned to data to compute single loss expectancy (SLE) and annual loss expectancy (ALE) values.

SLE refers to the quantitative amount of loss incurred by a single event when a threat takes place. SLE equals the asset value (AV) multiplied by the threat exposure factor (EF). The exposure factor, or probability, is the percentage of loss that a realized threat could have on a certain asset. For example, a virus hits five computer systems out of 100 before it is prevented by the safeguard from further infecting the other 95 computers, resulting in a loss of five percent of the computers. If the asset value of the 100 computers is $10,000, then the exposure factor is five percent and the single loss expectancy is $500, which is five percent of the total asset value. The formula for calculating SLE is: AV x EF = SLE. From the previous example: $10,000 x 5% = $500.

Annual loss expectancy (ALE) refers to the loss potential of an asset for a single year.
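The SLE formula above, together with the ALE formula it feeds into (SLE x ARO = ALE), worked in Python as an added example that is not part of the original slides. It reuses the slides' own figures ($10,000 fleet at 5% exposure; $1,000 SLE with seven occurrences a year) and then adds a countermeasure comparison; the safeguard-value formula (ALE before, minus ALE after, minus the safeguard's annual cost) is the standard cost-benefit figure and is an assumption here, not something the slides state.

```python
"""Worked SLE / ALE calculation for the chapter's risk formulas (added example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    value: float  # AV: asset value in dollars


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE = AV x EF. EF is a fraction in [0, 1]; five percent is 0.05."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be a fraction between 0 and 1")
    return asset_value * exposure_factor


def annual_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE x ARO. ARO may be fractional (once every ten years -> 0.1)."""
    if aro < 0:
        raise ValueError("annualized rate of occurrence cannot be negative")
    return sle * aro


def safeguard_value(ale_before: float, ale_after: float, annual_cost: float) -> float:
    """Cost-benefit of a countermeasure (assumption: standard formula, not on the slides).
    A positive result means the safeguard saves more per year than it costs."""
    return ale_before - ale_after - annual_cost


def virus_example() -> float:
    """Slides' example: 100 computers worth $10,000; virus hits 5 of 100 (EF = 5%)."""
    fleet = Asset("workstations", 10_000.0)
    return single_loss_expectancy(fleet.value, 5 / 100)


def ale_example() -> float:
    """Slides' example: SLE of $1,000 with seven occurrences a year (ARO = 7)."""
    return annual_loss_expectancy(1_000.0, 7)


def antivirus_decision() -> float:
    """Constructed scenario: same $7,000 ALE; a safeguard cuts ARO from 7 to 1
    (ALE after = $1,000) and costs $2,500 a year, so the net benefit is $3,500."""
    before = ale_example()
    after = annual_loss_expectancy(1_000.0, 1)
    return safeguard_value(before, after, 2_500.0)


if __name__ == "__main__":
    print(f"SLE (virus example):   ${virus_example():,.2f}")
    print(f"ALE (7 x $1,000):      ${ale_example():,.2f}")
    print(f"Safeguard net benefit: ${antivirus_decision():,.2f}")
```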
ALE equals the single loss expectancy (SLE) times the annualized rate of occurrence (ARO). When you’re computing risk assessment, remember this formula: SLE x ARO = ALE. Thus, if you can reasonably expect that every SLE will be equivalent to $1,000 and that there will be seven occurrences a year (ARO), then the ALE is $7,000.

Total risk can be calculated by multiplying the threats, the vulnerabilities, and the asset value: Total risk = threats x vulnerabilities x asset value.

Risks Associated with Cloud Computing

Cloud computing means using the Internet to host services and data instead of hosting them locally. Some examples would be running Office-like applications from the Web (such as Google Docs) instead of having the applications installed on each workstation, storing data on server space rented from Amazon, using sites such as Salesforce.com, etc.

Three ways to implement cloud computing:

- Platform as a Service – Also known as cloud platform services. Vendors allow apps to be created and run on their infrastructure, e.g. Amazon Web Services and Google Code.
- Software as a Service – Applications are remotely run over the Web. No local hardware is required and no software apps need be installed on the machine accessing the site, e.g. Salesforce.com. Costs are usually computed on a subscription basis.
- Infrastructure as a Service – Utilizes virtualization, and clients pay an outsourcer for resources used. GoGrid is a well-known example.

Risk-related issues of cloud computing include:

- Regulatory Compliance – Depending on the type and size of your organization, there are any number of regulatory agencies’ rules with which you must comply.
- User Privileges – Be cognizant of the fact that you will not have the same control over user accounts in the cloud as you did locally, and when someone locks their account by giving the wrong password too many times in a row, you or they could be at the mercy of the technical staff of the provider.
- Data Integration/Segregation – Data hosting companies can put more than one company’s data on a server. You should use encryption to protect your data. Be aware that your data is only as safe as the data it is integrated with.

Risks Associated with Virtualization

Security risks associated with virtualization include:

- Breaking Out of the Virtual Machine – If you can break out of the virtualization layer, you could get access to the other virtual machines and access data you shouldn’t have access to.
- Network and Security Controls Can Intermingle – The tools used to manage the virtual machine may not have the same granularity as those used to manage the network, which could lead to privilege escalation.

Most virtualization-specific threats focus on the hypervisor, which is the virtual machine monitor, or the software that allows the virtual machine to exist. If the hypervisor can be compromised, the attacker can gain root-level access to all virtual systems. The solution to most virtualization threats is to always apply the most recent patches and keep the system(s) up to date.

Developing Policies, Standards, and Guidelines: Implementing Policies

A policy consists of the rules and requirements which should be adhered to within an organization. Policies usually cover a single area, and contain conditions of expected performance and the consequences of non-compliance. A good policy contains several key areas besides the policy itself:

Scope statement: Outlines what the policy intends to accomplish and what documents, laws, and practices the policy addresses.

Policy overview statement: Policy overview statements provide the goal of the policy, why it’s important, and how to comply with it.

Policy statements: Once the policy’s readers understand its importance, they should be informed of what the policy is.
If the policy is intended to help people determine how to lock up the building at the end of the business day, it might be helpful to provide a specific checklist of the steps that should be taken.

Accountability statement: Who is responsible for ensuring that the policy is enforced? Who should be contacted if a problem is discovered? What are the consequences of non-compliance?

Exception statement: The exception statement provides specific guidance about the procedure or process that must be followed in order to deviate from the policy. This may include an escalation contact, in the event that the person dealing with a situation needs to know whom to contact.

Developing Policies, Standards, and Guidelines: Incorporating Standards

A standard deals with specific issues or aspects of the business. Standards are derived from policies. A standard should provide enough detail that an audit can be performed to determine if the standard is being met. The following five points are the key aspects of standards documents:

Scope and purpose: Should explain or describe the intention. If a standard is developed for a technical implementation, the scope might include software, updates, add-ins, and any other relevant information needed to carry out the task.

Roles and responsibilities: Outlines who is responsible for implementing, monitoring, and maintaining the standard.

Reference documents: Explains how the standard relates to the organization’s different policies, thereby connecting the standard to the underlying policies that have been put in place. In the event of confusion or uncertainty, it also allows people to go back to the source and figure out what the standard means.

Performance criteria: Outlines what or how to accomplish the task. It should include relevant baseline and technology standards.

Maintenance and administrative requirements: These standards outline what is required to manage and administer the systems or networks.
Developing Policies, Standards, and Guidelines: Following Guidelines

Guidelines tend to be less formal than policies or standards. Guidelines are similar to standards, in that they too detail rules and best practices that govern an organization and how business is conducted. The difference is that guidelines are not mandatory. Guidelines are usually drawn up to streamline the implementation of security policy elements. The following four items are the minimum contents of a good guidelines document:

Scope and purpose: The scope and purpose provide an overview and statement of the guideline’s intent.

Roles and responsibilities: Identifies which individuals or departments are responsible for accomplishing specific tasks. This may include implementation, support, and administration of a system or service.

Guideline statements: Provide the step-by-step instructions on how to accomplish a specific task in a specific manner. Again, these are guidelines—they may not be hard-and-fast rules.

Operational considerations: Specify and identify what duties are required and at what intervals. This list might include daily, weekly, and monthly tasks. Guidelines for systems backup might provide specific guidance as to what files and directories must be backed up and how frequently.

Business Policies

Business policies address organizational and departmental business issues and have an impact on the security of an organization.

Separation of duties policies describe rules that reduce the risk of fraud and other losses. These policies should define more than one person for completing business-critical tasks. Multiple people conspiring to corrupt a system is less likely than a single person corrupting it. It may involve both the separation of logons, such as day-to-day and admin accounts both assigned to the same network admin, as well as the separation of roles, such as security assignment and compliance audit procedures.
Business Policies: Due Care

Due care is the knowledge and actions that a reasonable and prudent person would possess or act upon. The objectives of due care policies are to protect and safeguard customer and/or client records. Due care is determined based on legislative requirements. The company exercises the practice of due care in the following manner:

- The company implements physical and logical access controls.
- The company ensures telecommunication security by using authentication and encryption.
- Information, application, and hardware backups are performed at regular intervals.
- Disaster recovery and business continuity plans are in place within the company.
- Periodic reviews, drills, and tests are performed by the company to test and improve the disaster recovery and business continuity plans.
- The company’s employees are informed regarding the anticipated behavior and the implications of not following the expected standards.
- The company has security policies, standards, procedures, and guidelines for effective security management.
- The company performs security awareness training for its employees.
- The company network runs updated antivirus definitions at all times.
- The administrator periodically performs penetration tests from outside and inside the network.
- The company implements either a call-back or a preset dialing feature on remote access applications.
- The company abides by and updates external service level agreements (SLAs).
- The company ensures that downstream security responsibilities are being met.
- The company implements countermeasures that ensure that software piracy is not taking place within the company.
- The company ensures that proper auditing and reviewing of the audit logs is taking place.
- The company conducts background checks on potential employees.
If a company does not exercise due care, the company’s senior management can be held legally accountable for negligence and might have to pay damages under the principle of culpable negligence legislation for the loss suffered because of insufficient security controls.

Business Policies: Physical Access Control and Document Disposal

Physical access control policies refer to the authorization of individuals to access facilities or systems that contain information. They limit issues such as unauthorized disclosure of information, unauthorized access to the company facilities, and data theft.

Document disposal and destruction policies detail the methods by which information that is no longer needed gets disposed of. Data in all forms must be properly disposed of. Some data and data sources must be destroyed or thoroughly erased. Because many sophisticated recovery techniques exist, destroying all data and data sources may be more appropriate. Discarded hard drives might need to be physically destroyed.

Business Policies: Privacy and Acceptable Use

Privacy policies must clearly define:

- Which information can be disclosed
- What information cannot be disclosed
- What types of information employees are provided

The policy must clearly state that employees should have no expectations of privacy. Employers are allowed to search desks, computers, files, and any other items brought into the building. By explicitly stating your policies, you can avoid misunderstandings and potentially prevent employees from embarrassing themselves.

Acceptable-use policies (AUP) deal primarily with computers and information provided by the company. An acceptable use policy provides details that specify what users may do with their network access, including email and instant messaging usage for personal purposes, limitations on access times, and the storage space available to each user. It dictates how computers can be used within an organization. It should also outline the consequences of misuse.
Employees are commonly asked to sign such a document, which is a binding agreement to adhere to the policy.

Business Policies: Security Policies

Security policies define what controls are required to implement and maintain the security of systems, users, and networks. They should be used as a guide in system implementation and evaluation.

Mandatory Vacations: This policy requires all users to take time away from work and refresh. An employee who doesn’t take time off can be a detriment to himself or the company. Mandatory vacations give the company the chance to make sure others can fill the void in skills. They also give the company a chance to discover fraud.

Job Rotation: These policies define intervals at which employees must rotate through positions. Job rotation helps to ensure that companies don’t become too dependent on one person. It also gives the company a chance to discover fraud.

Least Privilege: Least privilege should be used when assigning permissions. Give users only the permissions they need to do their work and no more. Every OS includes the ability to limit users based on groups and individual permissions. Apply only those permissions users need and block all others.

Understanding Control Types, False Positives, and Change and Incident Management

Risk assessment/analysis involves calculating potential risks and making decisions based on the variables associated with those risks. Once risks are identified, you put controls in place to address those risks.
Control types fall into three categories: Management, Operational, and Technical.

Control Types

Management controls:
- Risk Assessment
- Planning
- System and Services Acquisition
- Certification, Accreditation, and Security Assessment

Operational controls:
- Personnel Security
- Physical and Environmental Protection
- Contingency Planning
- Configuration Management
- Maintenance
- System and Information Integrity
- Media Protection
- Incident Response
- Awareness and Training

Technical controls:
- Identification and Authentication
- Access Control
- Audit and Accountability
- System and Communication Protection

After implementing controls based on risk, you must perform audits, which include reviews of user rights and permissions as well as of events that occur.

False positives are events that aren’t really incidents. If the rules are not set up properly, normal traffic may set off the analyzer and generate an event.

Your audits should address change management, which is the structured approach that is followed to secure the company’s assets, and incident management, which is the set of steps followed when events occur.

The End