ISO 17799 Project Review
OWASP AppSec June 2004 NYC

Stan Guzik, CISSP, MCP
Chief Technology Officer, Immediatech Corp.
ISO 17799 Project Lead
sguzik@immediatech.com

Copyright © 2004 - The OWASP Foundation
Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License.
The OWASP Foundation
http://www.owasp.org

What Will Be Covered?
- Background On The ISO 17799 Project
- What Is Information Security?
- Information Security Threats
- Developing Security Management Policies/Procedures
- What Is The ISO 17799?
- ISO 17799 OWASP Project Details
- Implementation Example
- Critical Success Factors
- OWASP Needs Your Feedback
- References
OWASP AppSec 2004 2

Background On The ISO 17799 Project
- OWASP Holistic Approach To Security
  – Top Ten
  – Guide
  – Testing
  – WebGoat
  – ISO 17799
- Challenges Of Today's Web Applications
  – Security - CIA
  – 24x7x365 uptime
  – Fast and easy to use
  – Integration with external systems
  – Fast SDLC due to market pressures
  – Bug free
  – Customers expect it at no/low cost

Background On The ISO 17799 Project
- Management Of Web Applications In Production
  – Traditional IT organizations are not familiar with web application security management
  – Auditors as head of IT (EDP)
  – Internet applications
  – 20-year-old policies/procedures do not apply
- Benefits Of Applying ISO 17799
  – Increased security
  – Increased uptime
  – ROI – less time spent fighting fires
  – Keep your job

What Is Information Security?
- Information Is An Asset – it has value
- Information Protection – ensures business continuity, minimizes damage, and meets legal requirements
- Information Forms – electronic, paper, spoken, etc.
- Information Preservation
  – Confidentiality – information is not disclosed to unauthorized subjects
  – Integrity – accuracy and completeness of information; modified only by authorized subjects
  – Availability – authorized subjects are granted access to information when they need it (SLA)
- Information Security Controls – policies, procedures, practices, organizational structure, and HW/SW

Information Security Threats
- Viruses
- Hackers
- Espionage
- Sabotage
- Vandalism
- Fire
- Flood
- Employee With A Big Mouth (HR Info)

Information Security Threats
- Today Organizations Are More Vulnerable
  – Interconnected public and private networks
  – System complexity makes access control hard to get right
  – Lack of security-conscious developers – focus on functionality and performance
  – Shorter time to market
- Supplement Secure Applications With Appropriate Security Management Policies/Procedures
  – Secure applications running in an unsecured environment
  – Secure applications and a secured environment running with insecure operations
  – Etc.

Develop Security Management Policies/Procedures
- Legal, Regulatory, Contractual Requirements, Due Diligence
- Risk Assessment – Threats to Assets
  – The likelihood that a threat will occur, and an evaluation of its impact on an asset
  – Quantitative Risk Assessment
    » Annual Loss Expectancy (ALE) – yearly cost of all instances of a specific realized threat against a specific asset: ALE = ARO * SLE
    » Annual Rate of Occurrence (ARO) – expected frequency with which a specific threat or risk will occur (probability determination)
    » Single Loss Expectancy (SLE) – cost associated with a single realized risk against a specific asset: SLE = Asset Value * EF
    » Exposure Factor (EF) – loss potential of a specific asset from a realized risk, as a fraction of the asset value
  – Example – DoS against a web application (input validation)
    » Asset Value = $2,000,000
    » EF = 20%
    » SLE = $2,000,000 * 20% = $400,000
    » ARO = 10%
    » ALE = 10% * $400,000 = $40,000

Develop Security Management Policies/Procedures
- Qualitative Risk Assessment
  – Scenario/judgment based
  – Experience based
  – …
- Risk Assessment Results
  – Determine the appropriate management actions
  – Set priorities for managing information security risk
  – Implement controls to protect against realized risk

Develop Security Management Policies/Procedures
- Select Appropriate Security Controls
  – Implement controls to ensure risks are reduced to an acceptable level.
  – Controls should be selected based on the cost of implementation in relation to the risk being reduced and the potential losses if a security breach occurs.

What Is The ISO 17799 Standard?
- ISO – International Organization for Standardization
- A complete set of controls comprising best practices for information security
- The major, internationally recognized information security standard
- Guideline – guiding principles that provide a good starting point for implementing information security. They are either based on essential legislative requirements or considered to be common best practice for information security.
  – Legislative controls
    » 12.1.4 – Data Protection and Privacy of Personal Information
    » 12.1.3 – Safeguarding of Organizational Records
    » 12.1.2 – Intellectual Property Rights
  – Best practices
    » 3.1 – Information Security Policy Document
    » 4.1.3 – Allocation of Information Security Responsibilities
    » 6.2.1 – Information Security Education and Training
    » 6.3.1 – Reporting Security Incidents
    » 11.1 – Business Continuity Management
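The quantitative risk assessment (SLE = Asset Value * EF, ALE = ARO * SLE) and the cost-versus-risk rule for selecting controls on the preceding slides, worked through in code. This is an added example, not part of the original presentation or of the OWASP ISO 17799 project's templates. The DoS row reuses the figures from the slide; every other asset, threat and control (names, annual costs, post-control EF and ARO estimates) is constructed for illustration. The ranking rule, (ALE before - ALE after) - annualized control cost, is the usual cost/benefit form of the slide's "cost of implementation in relation to the risk being reduced" and is an assumption, not something the slide states.

```python
"""Quantitative risk assessment (SLE/ALE) with cost/benefit ranking of controls.

Added example. The DoS row reuses the figures from the slide; every other
asset, threat and control figure below is constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Threat:
    """One row of a risk register: a specific threat against a specific asset."""
    name: str
    asset_value: float  # asset value (AV), in currency units
    ef: float           # Exposure Factor: fraction of AV lost per incident, 0..1
    aro: float          # Annual Rate of Occurrence: expected incidents per year

    def __post_init__(self) -> None:
        # A mis-keyed EF of 20 (meaning 20%) would inflate every downstream
        # figure by 100x, so reject anything outside the valid ranges.
        if not 0.0 <= self.ef <= 1.0:
            raise ValueError(f"{self.name}: EF must be a fraction 0..1, got {self.ef}")
        if self.aro < 0.0 or self.asset_value < 0.0:
            raise ValueError(f"{self.name}: ARO and asset value must be non-negative")

    def sle(self) -> float:
        """Single Loss Expectancy: SLE = Asset Value * EF."""
        return self.asset_value * self.ef

    def ale(self) -> float:
        """Annual Loss Expectancy: ALE = ARO * SLE."""
        return self.aro * self.sle()


@dataclass(frozen=True)
class Control:
    """A candidate safeguard for one threat and its estimated effect on EF/ARO."""
    name: str
    threat: str         # Threat.name this control mitigates
    annual_cost: float  # annualized cost: purchase spread over its life + operation
    ef_after: float     # EF once the control is in place (estimate)
    aro_after: float    # ARO once the control is in place (estimate)


def ale_after(threat: Threat, control: Control) -> float:
    """ALE of the same asset once the control is applied (residual risk)."""
    return control.aro_after * threat.asset_value * control.ef_after


def net_benefit(threat: Threat, control: Control) -> float:
    """Cost/benefit of a safeguard: (ALE before - ALE after) - annual cost.

    Positive: the control costs less than the risk it removes.
    Negative: accepting the residual risk is cheaper than mitigating it.
    """
    return threat.ale() - ale_after(threat, control) - control.annual_cost


def rank_controls(threats: List[Threat],
                  controls: List[Control]) -> List[Tuple[str, float, bool]]:
    """Rank candidate controls best-first as (name, net benefit, recommend?)."""
    by_name: Dict[str, Threat] = {t.name: t for t in threats}
    rows = []
    for c in controls:
        if c.threat not in by_name:
            raise KeyError(f"control {c.name!r} references unknown threat {c.threat!r}")
        nb = round(net_benefit(by_name[c.threat], c), 2)
        rows.append((c.name, nb, nb > 0))
    return sorted(rows, key=lambda r: r[1], reverse=True)


# Constructed risk register. The first row is the slide's DoS example.
THREATS = [
    Threat("DoS against web application (input validation)", 2_000_000, 0.20, 0.10),
    Threat("Unauthorized access to customer database", 5_000_000, 0.50, 0.05),
]
# Constructed candidate controls; the post-control EF/ARO values are estimates.
CONTROLS = [
    Control("Input validation + request rate limiting", THREATS[0].name, 15_000, 0.20, 0.02),
    Control("Managed WAF appliance", THREATS[0].name, 60_000, 0.20, 0.01),
    Control("MFA + quarterly access review", THREATS[1].name, 30_000, 0.50, 0.01),
]

if __name__ == "__main__":
    for t in THREATS:
        print(f"{t.name}: SLE=${t.sle():,.0f} ALE=${t.ale():,.0f}")
    for name, nb, recommend in rank_controls(THREATS, CONTROLS):
        verdict = "IMPLEMENT" if recommend else "ACCEPT RISK"
        print(f"{verdict}: {name} (net benefit ${nb:,.0f}/yr)")
```

Run as a script it reproduces the slide's $400,000 SLE and $40,000 ALE for the DoS row and then ranks the three constructed controls: the access-review control and the input-validation control pay for themselves, while the $60,000/yr appliance removes only $36,000/yr of expected loss and comes out negative, which is the "cost of implementation in relation to the risk being reduced" test from the slide expressed as a number. The estimates that go into EF, ARO and the post-control values are the weak point of any quantitative assessment; the range checks in Threat catch only gross data-entry errors, not optimistic estimates.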
The 10 Sections Of ISO 17799
- Security Policy – provide management direction and support for information security
- Organizational Security – manage information security within the organization
- Asset Classification and Control – maintain appropriate protection of organizational assets
- Personnel Security – reduce the risk of human error, theft, fraud or misuse of facilities
- Physical & Environmental Security – prevent unauthorized access, damage and interference to business premises and information
- Communications and Operations Management – ensure the correct and secure operation of information processing facilities
- Access Control – control access to information
- System Development and Maintenance – ensure security is built into information systems
- Business Continuity Management – counteract interruptions to business activities and protect critical business processes from the effects of major failures or disasters
- Compliance – avoid breaches of any criminal or civil law and of statutory, regulatory or contractual obligations

ISO 17799 OWASP Project Details
- Documentation Project
- Toolbox Of Sample Templates Of ISO 17799 Policies & Procedures
- What Exists Today
  – ISO 17799 is a standard, not a tool
  – Not many publicly available templates
  – Commercially licensed templates are of poor quality

Implementation Example
- 8.1.2 Operational Change Control
  – Inadequate control may cause system or security failures
  – Formal management responsibilities and procedures should be in place
  – Operational programs are subject to strict change control
- Current State Of Project
  – Many templates
  – To do: pull all templates together into a consistent format and publish

Critical Success Factors
- Targeted Risk Assessment
- Implement Good Controls
- Use Already Proven Policies & Procedures
- Training & Awareness
- Get Some More Sleep At Night!!!

OWASP Needs Your Feedback!
- Send Us Your Templates
- Modifications To Existing Templates
- Can you get involved?
References
- ISO/IEC 17799:2000(E)
- CISSP: Certified Information Systems Security Professional Study Guide, Ed Tittel
- OWASP ISO 17799 Project