here

advertisement
CSE 4482: Computer Security Management:
Assessment and Forensics
Instructor: Suprakash Datta (datta[at]cse.yorku.ca) ext 77875
Lectures: Tues (CB 122), 7–10 PM
Office hours: Wed 3-5 pm (CSEB 3043), or by
appointment.
Textbooks:
1. "Management of Information Security", M. E. Whitman, H. J.
Mattord, Nelson Education / CENGAGE Learning, 2011, 3rd Edition
2. "Guide to Computer Forensics and Investigations", B. Nelson, A.
Phillips, F. Enfinger, C. Steuart, Nelson Education / CENGAGE
Learning, 2010, 4th Edition.
4/8/2015
1
Objectives
• Upon completion of this chapter you should
be able to:
– Define risk management and its role in the
organization
– Use risk management techniques to identify
and prioritize risk factors for information assets
– Assess risk based on the likelihood of adverse
events and the effects on information assets
when events occur
– Document the results of risk identification
2
Management of Information Security, 3rd ed.
A true story
A local company suffered a catastrophic loss one night when its
office burned to the ground.
As the employees gathered around the charred remains the next
morning, the president asked the secretary if she had been
performing the daily computer backups. To the president’s relief
she replied that yes, each day before she went home she
backed up all the financial information regarding customers,
invoices, order and payments.
The president then asked the secretary to retrieve the backup so
they could begin to determine their current financial status.
“Well”, the secretary said, “I guess I cannot do that. You see, I put
those backups in the desk drawer next to the computer in the
office. ”
M. Ciampa, “Security+Guide to Network Security Fundamentals”, pp 303
3
Risk Management
• Risk management: identification,
assessment, and prioritization of risks
• Managing risk is one of the key
responsibilities of every manager within
the organization
• In any well-developed risk management
program, two formal processes are at
work
– Risk identification and assessment
– Risk control
4
Risk Management
“If you know the enemy and know yourself,
you need not fear the result of a hundred
battles
If you know yourself but not the enemy, for
every victory gained you will also suffer a
defeat
If you know neither the enemy nor yourself,
you will succumb in every battle”
-- Sun Tzu
5
Management of Information Security, 3rd ed.
Knowing Yourself
• Identifying, examining and understanding
the information and how it is processed,
stored, and transmitted
• Armed with this knowledge, one can initiate
an in-depth risk management program
• Risk management is a process
– Safeguards and controls that are devised and
implemented are not install-and-forget devices
6
Management of Information Security, 3rd ed.
Knowing the Enemy
• Identifying, examining, and understanding
the threats facing the organization’s
information assets
– Must fully identify those threats that pose risks
to the organization and the security of its
information assets
• Risk management
– The process of assessing the risks to an
organization’s information and determining
how those risks can be controlled or mitigated
7
Management of Information Security, 3rd ed.
Risk management cycle
From http://technet.microsoft.com/en-us/library/cc750827.aspx
• Risk identification
– Identify
– Measure
– Prioritize
• Control measures
– Cost benefit analysis
8
Accountability for Risk Management
Communities of interest must work together
• Information Security – leadership role in
addressing risk
• Information Technology – role involves
building and maintaining secure systems
• Management – role involves resource allocation
and prioritization of security concerns
• Users – crucial role in (early) detection, and
proper response to threats
9
Management of Information Security, 3rd ed.
Steps in Risk Management
• Evaluating the risk controls
• Determining which control options are costeffective
• Acquiring or installing the appropriate controls
• Overseeing processes to ensure that the controls
remain effective
• Identifying risks
• Assessing risks
• Summarizing the findings
10
Management of Information Security, 3rd ed.
Risk Identification
Figure 8-1 Risk identification process
11
Management of Information Security, 3rd ed.
Source: Course Technology/Cengage Learning
Asset inventory
• Managers identify the organization’s
information assets
– Classify them into useful groups
– Prioritize them by their overall importance
12
Management of Information Security, 3rd ed.
Information Asset Inventory
creation
• Identify information assets
– Includes people, procedures, data and
information, software, hardware, and
networking elements
– This step should be done without pre-judging
the value of each asset
• Values will be assigned later in the process
• Determine which attributes of each
information asset should be tracked
13
Management of Information Security, 3rd ed.
Information Asset Inventory
creation (contd.)
Table 8-1 Organizational assets used in systems
14
Management of Information Security, 3rd ed.
Source: Course Technology/Cengage Learning
Information Asset Inventory
creation (contd.)
• Potential asset attributes
–
–
–
–
–
–
–
–
–
–
–
Name
Asset tag
IP address
MAC address
asset type
Serial number
manufacturer name
Manufacturer’s model or part number
Software version, update revision, or FCO number
Physical location, logical location
Controlling entity
Management of Information Security, 3rd ed.
15
Example: Network Asset tracker
•
http://www.misutilities.com/network-asset-tracker/howtouse.html
16
Information Asset Inventory
creation (contd.)
Identifying people, procedures and data assets.
Sample attributes for people, procedures, and
data assets
– People
•
•
•
•
Position name/number/ID
Supervisor name/number/ID
Security clearance level
Special skills
17
Management of Information Security, 3rd ed.
Information Asset Inventory
creation (contd.)
• Sample attributes for people, procedures, and
data assets (cont’d.)
– Procedures
• Description
• Intended purpose Software/hardware/networking
elements to which it is tied
• Location where it is stored for reference
• Location where it is stored for update purposes
18
Management of Information Security, 3rd ed.
Information Asset Inventory
creation (contd.)
• Sample attributes for people, procedures, and
data assets (cont’d.)
– Data
•
•
•
•
•
•
•
Classification
Owner/creator/manager
Size of data structure
Data structure used
Online or offline
Location
Backup procedures
19
Management of Information Security, 3rd ed.
Next: Asset ranking
• Determine the values of assets
• Prioritize according to value
20
Classifying and Categorizing Assets
• Determine/refine an asset classification scheme
• A classification scheme categorizes information
assets based on their sensitivity, security needs
• Each category designates the level of protection
needed for a particular information asset
• Some asset types, such as personnel, may
require an alternative classification scheme
• Classification categories must be comprehensive
and mutually exclusive
21
Management of Information Security, 3rd ed.
Assessing Values for
Information Assets
• Assign a relative value: Comparative
judgments made to ensure that the most
valuable information assets are given the
highest priority
22
Management of Information Security, 3rd ed.
Assessing Values for
Information Assets - Questions
1. Which asset is the most critical to the success of
the organization?
2. Which asset generates the most revenue?
3. Which asset generates the highest profitability?
4. Which asset is the most expensive to replace?
5. Which asset is the most expensive to protect?
6. Which asset’s loss or compromise would be the
most embarrassing or cause the greatest
liability?
23
Management of Information Security, 3rd ed.
Figure 8-2 Sample asset classification worksheet
24
Management of Information Security, 3rd ed.
Source: Course Technology/Cengage Learning
Listing Assets in Order of
Importance
Final step: list the assets in order of importance
•achieved by using a weighted factor analysis worksheet
Table 8-2 Example weighted factor analysis worksheet
25
Management of Information Security, 3rd ed.
Next step: Threat Identification
• Typically: wide variety of threats; each threat
presents a unique challenge to information
security
Questions:
• Which threats present a danger to your
company’s information assets?
– reduce scope and cost of risk management
• Which threats present the gravest danger to
your company’s information assets?
– Rough assessment of severity of threat
26
Management of Information Security, 3rd ed.
Threat Identification (cont’d.)
Table 8-3 Threats to information security
27
Management of Information Security, 3rd ed.
Source: ©2003 ACM, inc., included here by permission
Prioritizing threats
1000 top computing executives rated threats on a 5 point scale, from
not significant to very significant
Weighted ranks of threats to information security
Management of Information Security, 3rd ed.
Source: Adapted from M. E. Whitman. Enemy at
the gates: Threats to information
28 security.
Communications of the ACM, August
2003. Reprinted with permission
Prioritizing threats (contd.)
• Severity of threat: catastrophic, major,
moderate, minor, insignificant
29
Prioritizing threats (contd.)
• Probability of threat: negligible to
extreme
Next: Vulnerability analysis
30
Vulnerability Assessment
• Vulnerability: flaw or weakness in an asset that
can be exploited to breach security
– Begin to review every information asset for each threat
– leads to the creation of a list of vulnerabilities that
remain potential risks to the organization
– At the end of the risk identification process, a list of
assets and their vulnerabilities has been developed
– This list serves as the starting point for the next step in
the risk management process - risk assessment
31
Management of Information Security, 3rd ed.
Vulnerability Assessment (contd.)
Table 8-4 Vulnerability assessment of a DMZ router
Management of Information Security, 3rd ed.
32
Source: Course Technology/Cengage Learning
Examples
1. Asset: email servers,
– vulnerability: antivirus software not updated,
– threat: virus attack
2. Asset: router,
– vulnerability: incorrect router configuration,
– threat: network susceptible to reduction or loss of
connectivity
33
Likelihood and Consequences
(contd.)
• Consequences and likelihoods are combined
• The resulting rankings can then be inserted into
the TVA tables for use in risk assessment
34
Management of Information Security, 3rd ed.
The TVA Worksheet
• At the end of the risk identification process,
a list of assets and their vulnerabilities has
been developed
• Another list prioritizes threats facing the
organization based on the weighted table
discussed earlier
• These lists can be combined into a single
worksheet
35
Management of Information Security, 3rd ed.
The TVA Worksheet (cont’d.)
Table 8-5 Sample TVA spreadsheet
Management of Information Security, 3rd ed.
36
Source: Course Technology/Cengage Learning
Introduction to Risk Assessment
• The goal is to create a method to evaluate
the relative risk of each listed vulnerability
• It is not the presence of a vulnerability that
matters but the associated risk
• Simple model – risk R, probability of risk
event P and value lost by risk event V
satisfy R = PV
Figure 8-3 Risk identification estimate factors
37
Management of Information Security, 3rd ed.
Source: Course Technology/Cengage Learning
More complex model
• Extended risk formula
R = Pa Ps V
• Where Pa = Probability of attack and
Ps = Probability that the attack
successfully exploits the vulnerability
V = value lost by successful
exploitation of vulnerability
38
Another formula
• Extended Whitman’s Risk Formula
R = P*V*(1 – CC + UK)
where P = probability that a vulnerability is
exploited,
V = value of asset,
CC = fraction of risk mitigated by current
control,
UK = fraction of risk not fully known
(uncertainty of knowledge)
39
In words…
Uncertainty: Impossible to know everything about every vulnerability
•The degree to which a current control can reduce risk is also subject
to estimation error
•Uncertainty is estimated by the manager using judgment/experience
Figure 8-3 Risk identification estimate factors
40
Management of Information Security, 3rd ed.
Source: Course Technology/Cengage Learning
Risk Determination Example
– Asset A has a value of 50 and has one vulnerability, which has a
likelihood of 1.0 with no current controls. Your assumptions and
data are 90% accurate
– Asset B has a value of 100 and has two vulnerabilities:
vulnerability #2 has a likelihood of 0.5 with a current control that
addresses 50% of its risk; vulnerability # 3 has a likelihood of 0.1
with no current controls. Your assumptions and data are 80%
accurate
– The resulting ranked list of risk ratings for the three vulnerabilities
is as follows:
• Asset A: Vulnerability 1 rated as 55 = (50 × 1.0) – 0% + 10%
• Asset B: Vulnerability 2 rated as 35 = (100 × 0.5) – 50% + 20%
• Asset B: Vulnerability 3 rated as 12 = (100 × 0.1) – 0 % + 20%
41
Management of Information Security, 3rd ed.
Documenting the Results
of Risk Assessment
• Goals of the risk management process
– To identify information assets and their vulnerabilities
– To rank them according to the need for protection
• In preparing this list, a wealth of factual
information about the assets and the threats they
face is collected
• Information about the controls that are already in
place is also collected
• The final summarized document is the ranked
vulnerability risk worksheet
42
Management of Information Security, 3rd ed.
Table 8-9 Ranked vulnerability risk worksheet
43
Management of Information Security, 3rd ed.
Source: Course Technology/Cengage Learning
Documenting the Results of Risk
Assessment (cont’d.)
• What should the documentation package
look like?
• What are the deliverables from this stage of
the risk management project?
• The risk identification process should
designate what function the reports serve,
who is responsible for preparing them, and
who reviews them
44
Management of Information Security, 3rd ed.
Summary
•
•
•
•
•
Introduction
Risk management
Risk identification
Risk assessment
Documenting the results of risk assessment
45
Management of Information Security, 3rd ed.
Risk Control (Ch 9)
Identify Possible Controls
• For each threat and its associated
vulnerabilities that have residual risk,
create a preliminary list of control ideas
• Three general categories of controls exist:
– Policies
– Programs
– Technical controls
46
Management of Information Security, 3rd ed.
Objectives
• Upon completion of this chapter, you
should be able to:
– Recognize and select from the risk mitigation
strategy options to control risk
– Evaluate risk controls and formulate a costbenefit analysis using existing conceptual
frameworks
– Explain how to maintain and perpetuate risk
controls
– Describe the OCTAVE Method and other
approaches to managing risk
47
Management of Information Security, 3rd ed.
Introduction
• To keep up with the competition,
organizations must design and create a
safe environment in which business
processes and procedures can function
– This environment must maintain confidentiality
and privacy and assure the integrity and
availability of organizational data
– These objectives are met via the application of
the principles of risk management
48
Management of Information Security, 3rd ed.
Risk Control Strategies
• four basic strategies to control risks
– Avoidance
• Applying safeguards that eliminate or reduce the
remaining uncontrolled risks for the vulnerability
– Transference
• Shifting the risk to other areas or to outside entities
– Mitigation
• Reducing the impact if the vulnerability is exploited
– Acceptance
• Understanding the consequences and accepting the
risk without control or mitigation
49
Management of Information Security, 3rd ed.
Avoidance
• The risk control strategy that attempts to
prevent the exploitation of the vulnerability
• Avoidance is accomplished through:
– Application of policy
– Application of training and education
– Countering threats
– Implementation of technical security controls
and safeguards
50
Management of Information Security, 3rd ed.
Transference
• The control approach that attempts to shift
the risk to other assets, other processes, or
other organizations
• May be accomplished by rethinking how
services are offered
– Revising deployment models
– Outsourcing to other organizations
– Purchasing insurance
– Implementing service contracts with providers
51
Management of Information Security, 3rd ed.
Mitigation
• The control approach that attempts to
reduce the damage caused by the
exploitation of vulnerability
– Using planning and preparation
– Depends upon the ability to detect and
respond to an attack as quickly as possible
• Types of mitigation plans
– Disaster recovery plan (DRP)
– Incident response plan (IRP)
– Business continuity plan (BCP)
52
Management of Information Security, 3rd ed.
Mitigation (cont’d.)
Table 9-1 Summaries of mitigation plans
53
Management of Information Security, 3rd ed.
Source: Course Technology/Cengage Learning
Acceptance
• do nothing to protect an information asset
– To accept the loss when it occurs
• assumes that it may be a prudent business
decision to examine the alternatives and
conclude that the cost of protecting an
asset does not justify the security
expenditure
54
Management of Information Security, 3rd ed.
Acceptance (contd.)
• the organization must:
– Determine the level of risk to the information asset
– Assess the probability of attack and the likelihood of a
successful exploitation of a vulnerability
– Approximate the ARO of the exploit
– Estimate the potential loss from attacks
– Perform a thorough cost benefit analysis
– Evaluate controls using each appropriate type of
feasibility
– Decide that the particular asset did not justify the cost
of protection
55
Management of Information Security, 3rd ed.
Managing Risk
• Risk appetite (also known as risk tolerance)
– The quantity and nature of risk that
organizations are willing to accept
• As they evaluate the trade-offs between perfect
security and unlimited accessibility
• The reasoned approach to risk is one that
balances the expense (in terms of finance
and the usability of information assets)
against the possible losses if exploited
56
Management of Information Security, 3rd ed.
Managing Risk (contd.)
• Residual risk
– When vulnerabilities have been controlled as much as
possible, there is often remaining risk that has not
been completely removed, shifted, or planned for
• Residual Risk is a combined function of:
– Threats, vulnerabilities and assets, less the effects of
the safeguards in place
• The goal of information security is not to bring
residual risk to zero, but to bring it in line with an
organization’s risk appetite
57
Management of Information Security, 3rd ed.
Managing Risk (contd.)
• If decision makers have been informed of
uncontrolled risks and the proper authority groups
within the communities of interest decide to leave
residual risk in place, then the information
security program has accomplished its primary
goal
• Once a control strategy has been selected and
implemented:
– The effectiveness of controls should be monitored and
measured on an ongoing basis to determine its
effectiveness and the accuracy of the estimate of the
residual risk
58
Management of Information Security, 3rd ed.
Managing Risk (contd.)
Figure 9-1 Residual risk
59
Management of Information Security, 3rd ed.
Source: Course Technology/Cengage Learning
Managing Risk (cont’d.)
• Risk control involves selecting one of the
four risk control strategies
– For the vulnerabilities present
• If the loss is within the range of losses the
organization can absorb, or if the attacker’s
gain is less than expected costs of the
attack, the organization may choose to
accept the risk
– Otherwise, one of the other control strategies
will have to be selected
60
Management of Information Security, 3rd ed.
Risk handling action points
Figure 9-2 Risk-handling action points
Management of Information Security, 3rd ed.
61
Source: Course Technology/Cengage Learning
Guidelines for risk control
strategy selection
• When a vulnerability exists
– Implement security controls to reduce the likelihood of a
vulnerability being exercised
• When a vulnerability can be exploited
– Apply layered controls to minimize the risk or prevent occurrence
• When the attacker’s potential gain is greater than the
costs of attack
– Apply technical or managerial controls to increase the attacker’s
cost, or reduce his gain
• When potential loss is substantial
– Apply design controls to limit the extent of the attack, thereby
reducing the potential for loss
62
Management of Information Security, 3rd ed.
Risk control cycle
Figure 9-3 Risk control cycle
63
Management of Information Security, 3rd ed.
Source: Course Technology/Cengage Learning
Feasibility and Cost-Benefit Analysis
• Before deciding on the strategy for a specific
vulnerability
– All readily accessible information about the
consequences of the vulnerability must be explored
– Ask “what are the advantages of implementing a
control as opposed to the disadvantages of
implementing the control?”
• There are a number of ways to determine the
advantage or disadvantage of a specific control
• The primary means are based on the value of the
information assets that it is designed to protect
64
Management of Information Security, 3rd ed.
Cost-Benefit Analysis
• Economic feasibility
– The criterion most commonly used when
evaluating a project that implements
information security controls and safeguards
• It is difficult to determine the value of
information
– It is also difficult to determine the cost of
safeguarding it
65
Management of Information Security, 3rd ed.
Cost-Benefit Analysis (cont’d.)
• Factors that affect the cost of a safeguard
– Cost of development or acquisition of
hardware, software, and services
– Training fees
– Cost of implementation
– Service and maintenance costs
66
Management of Information Security, 3rd ed.
Cost-Benefit Analysis (cont’d.)
• Benefit
– The value to the organization of using controls
to prevent losses associated with a specific
vulnerability
– Usually determined by valuing the information
assets exposed by the vulnerability and then
determining how much of that value is at risk
and how much risk there is for the asset
– This is expressed as the annualized loss
expectancy (ALE)
67
Management of Information Security, 3rd ed.
Cost-Benefit Analysis (cont’d.)
• Asset valuation
– The process of assigning financial value or
worth to each information asset
– The value of information differs within and
between organizations
• Based on the characteristics of information and the
perceived value of that information
– Involves estimation of real and perceived costs
associated with the design, development,
installation, maintenance, protection, recovery,
and defense against loss and litigation
68
Management of Information Security, 3rd ed.
Cost-Benefit Analysis (cont’d.)
• Asset valuation components
– Value retained from the cost of creating the
information asset
– Value retained from past maintenance of the
information asset
– Value implied by the cost of replacing the
information
– Value from providing the information
– Value acquired from the cost of protecting the
information
69
Management of Information Security, 3rd ed.
Cost-Benefit Analysis (cont’d.)
• Asset valuation components (cont’d.)
– Value to owners
– Value of intellectual property
– Value to adversaries
– Loss of productivity while the information
assets are unavailable
– Loss of revenue while information assets are
unavailable
70
Management of Information Security, 3rd ed.
Cost-Benefit Analysis (cont’d.)
• Potential loss is that which could occur
from the exploitation of vulnerability or a
threat occurrence
• Ask these questions:
– What loss could occur, and what financial
impact would it have?
– What would it cost to recover from the attack,
in addition to the financial impact of damage?
– What is the single loss expectancy for each
risk?
71
Management of Information Security, 3rd ed.
Cost-Benefit Analysis (cont’d.)
• A single loss expectancy (SLE)
– The calculation of the value associated with
the most likely loss from an attack
– SLE is based on the value of the asset and the
expected percentage of loss that would occur
from a particular attack
– SLE = asset value (AV) x exposure factor (EF)
• Where EF is the percentage loss that would occur
from a given vulnerability being exploited
– This information is usually estimated
72
Management of Information Security, 3rd ed.
Cost-Benefit Analysis (cont’d.)
• In most cases, the probability of a threat
occurring is the probability of loss from an
attack within a given time frame
• This value is commonly referred to as the
annualized rate of occurrence (ARO)
ALE = SLE * ARO
73
Management of Information Security, 3rd ed.
Cost-Benefit Analysis (cont’d.)
• CBA determines whether or not a control
alternative is worth its associated cost
• CBAs may be calculated before a control or
safeguard is implemented
– To determine if the control is worth
implementing
• Or calculated after controls have been
implemented and have been functioning for
a time
74
Management of Information Security, 3rd ed.
Cost-Benefit Analysis (cont’d.)
• Cost-benefit analysis formula
CBA = ALE(prior) – ALE(post) – ACS
– ALE (prior to control) is the annualized loss
expectancy of the risk before the
implementation of the control
– ALE (post-control) is the ALE examined after
the control has been in place for a period of
time
– ACS is the annual cost of the safeguard
75
Management of Information Security, 3rd ed.
Download