1.1k likes | 1.41k Views
CBK Domain #1 Information Security and Risk Management. Chapter 1 – we will talk about. The CIA triad (out of order) Security Management Responsibilities Administrative, Technical and Physical Controls Risk Management and Risk Analysis Security Policies Information Classification
E N D
Chapter 1 – we will talk about • The CIA triad (out of order) • Security Management Responsibilities • Administrative, Technical and Physical Controls • Risk Management and Risk Analysis • Security Policies • Information Classification • Positions and Responsibilities
CIA, it’s not just a government agency (59) • The CIA triad provides for the security objectives. This is also called the AIC triad.
Confidentiality (60) • Protects the data from un-authorized disclosure • Ensures the necessary level of secrecy is enforced at each junction of data processing • Can provide via technical controls such as authentication methods, encryption methods • Attacks include shoulder surfing and social engineering, man in the middle, attempts at decryption. etc
Integrity (60) • Ensuring that the data is not modified. • Must ensure accuracy and reliability of the information and Information Systems. Must not allow unauthorized modification. (either intentional or accidental*)
Integrity Example • The trader was supposed to sell one share for 610,000 yen ($5,065). Instead, 610,000 shares valued at $3.1 billion were offered for 1 yen each. • Somebody made a typing mistake, said the brokerage unit of Mizuho Financial Group, Japan's second-largest bank. The error set off a frenzy of trades, and cost the unit at least 27 billion yen ($224 million) as it tried to buy back the shares, the bank said.
Integrity • Hashes and signed messages are examples of how to ensure integrity • Can attack with birthday attacks / hash collisions. Man in the middle attacks
Availability • The ability to access data and systems by authorized parties • This is very easy to attack and hard to defend against. • Attacks are often DoS type attacks. • Example of Availability attack: • Taking down a power grid • Stopping stock market trades
Security Management Now that we know the 3 principles of security lets talk about how we can manage security
Security Management (back to pg 53) Attempts to manage security. • Includes Risk Management, IS Policies, Procedures, Standards, Guidelines, Baselines, Information Classification, Security Organization. * • These build a security program – Purpose… protect the companies assets • A security program requires balanced application of Technical and non-technical methods!* • Process is circular, asses risks, determine needs, monitor, evaluate… start all over.
Security Management • Management is ULTIMATELY responsible for security… NOT admins, not security workers.. MANAGEMENT… let me repeat… MANAGEMENT. • Management must lead and direct all security programs. They must provide the vision AND support*
Security Management • Any good security program should be “top down” with an ultimate goal. This approach management creates the vision and lays out the framework. It does not make sense just to run about locking down machines without a vision. Though this is often how things are actually done.* • Why would a bottom up approach fail? (can you build a house by just starting to build?)
IMPORTANT REMINDER • Reminder MANAGEMENT should direct security. A security officer or groups is to ensure the managements directives are fulfilled! They do NOT create security policy*
Security Controls The following “controls” should be utilized to achieve security management directives • Administrative – policies, standards, procedures, guidelines, personnel screening, training • Technical Controls (logical controls)* - authentication, firewalls, biometrics etc. • Physical Controls – locks, monitoring, mantraps, environmental controls. • See diagram on page 57
Functional vs. Assurance • All solutions must be evaluated by it’s functional and assurance requirements • Functional: “Does the solution carry out the required tasks”* • Assurance: “How sure are we of the level of protection this solution provides”*
Security Definitions* • You need to know these! • These terms are on pages 61-63. You should all memorize and internalize these terms! Read them again and again till you understand them.. We’ll cover them in the next couple slides
Vulnerability* (61) • A software hardware or procedural weakness that may provide an attacker the opportunity to obtain unauthorized access. • Could be an un-patched application • Open modems • Lax physical security • Weak protocol* (let’s define protocol)
Threat * A natural or man-made event that could have some type of negative impact on the organization. • A threat usually requires a vulnerability • A threat might also be natural such as a hurricane
Threat Agent • An actual person that takes advantage of a vulnerability
Risk This likelihood of a threat agent taking advantage of a vulnerability and the corresponding business impact • Risk ties the vulnerability, threat and likelihood of exploitation together.
Exposure An instance of being exposed to losses from a threat agent. • Example: A public web server that has a known vulnerability that is not patched, is an exposure.
Countermeasure or Safeguard Some control or countermeasure put into place to mitigate the potential risk. A countermeasure reduces the possibility that a threat agent will be able to exploit a vulnerability. (You can NEVER 100% safeguard something)*
Organizational Security Models • Each organization will create it’s own security model which will have many entities, protection mechanisms, logical, administrative and physical components, procedures, business processes and configurations that all support the end goal. • A model is a framework made up of many entities protection mechanisms, processes, procedures that all work together and rely on each other to protect the company (see diagram pg 65) (more)
Organization Security Models • Each company will have it’s own methods for the above to accomplish their own security model. • Has multiple layers and Multiple GOALS (talk about next)
Goals* • Operational goal – These are DAILY goals, very short term goals. • Example: installs security patch released today. • Tactical goals – mid term goals that help to achieve a final goal. • Example: create managed domain and move all workstations into the domain • Strategic Goals – long term objectives. • Example: Have all workstations in a domain with centralized security management, auditing, encrypted data access and PKI.
Security Program Development (pg 76 in book) • A program is more than just a policy! It’s everything that protects data. • Security Program development is a LIFECYCLE!!! • Plan and Organize • Implement • Operate and Maintain • Monitor and Evaluate • Then start all over again!
Business Requirements Private vs. Military • Which security model an organization uses depends on it’s goals and objectives. • Military is generally concerned with CONFIDENTIALITY • Private business is generally concerned with either availability (ex. Netflix, eBay etc) OR integrity (ex. Banks). Some private sector companies are concerned with confidentiality (ex. Drug companies)
Break? • This is probably time for a break… you probably are asleep now… don’t worry it will get more interesting in a bit.
Information Risk Management • IRM is the process of identifying and assessing risk and reducing it to an acceptable level* • There is no such thing as 100% security!* • You must identify risks and mitigate them with either countermeasure (ex. Firewalls) or by transferring risk (ex. Insurance)*
What are risks* • Physical Damage – building burns down • Human Interaction – accidental or intentional action • Equipment malfunction – Failure of systems (hard drives failure) • Inside and Outsides attacks – CRACKERS! (not hackers) • Misuse of Data – Sharing Trade secrets, fraud • Loss of Data – intentional or unintentional loss of data • Application Error – (integrity) computation errors, input errors, poor code/bugs. (superman/office space example)
Risks • Risks MUST be identified, classified and analyzed to asses potential damage (loss) to company. Risk is impossible to totally measure, but we must prioritize the risks and attempt to address them!
Risk management • Did I mention that IRM is ULTIMATELY the responsibility of MANAGEMENT* (I really cannot stress this enough) • Should support the organizations mission. • Should have an IRM policy. • Should have an IRM team. • IRM should be a subset of the companies total Risk Management Policy.
IRM policy Should include the following items • (see top of page 82) • Goal if IRM is to ensure the company is protected in the most COST EFFECTIVE manner!* (doesn’t make sense to spend more to protect something than the “something” is worth)
IRM team (83) • Remember goal is to keep things cost effective. Many companies will not have a large IRM team. Government might have small armies dedicated simply to IRM goals. • IRM team members usually have other full time jobs! • Not just IT staff! (ex IT staff may not understand legal or physical concerns) • Senior Management Support is NECESSARY for success*
Risk Analysis (83) IRM team will need to analyze risk, what is risk analysis? • A tool for risk management, which identifies assets, vulnerabilities and threats (What are these again?) • Access possible damage and determine where to implement safeguards We will talk about RA goals next.
Risk Analysis Goals (83) • Identify assets and their values • Identify Vulnerabilities and threats • Quantify the probability of damage and cost of damage • Implement cost effective countermeasures! • ULTIMATE GOAL is to be cost effective. That is: ensure that your assets are safe, at the same time don’t spend more to protect something than it’s worth*
who is ultimately responsible for risk? • MANAGEMENT! • Management may delegate to data custodians or business units that shoulder some of the risk. However ultimately it is senior management that is responsible for the companies health and as such they are ultimately responsible for the risk. (you really need to understand this for the exam)
Value of information and assets? (85) It is important to understand an assets value if you plan on doing risk analysis. So what is something worth? • See pg 86 bullet items Note value can be measured both quantitatively and qualitatively*
2 types of analysis • Quantitative analysis • Qualitative analysis Lets talk in detail about Qualitative vs. Quantitative specifically in the next couple slides
Quantitative (92) Quantitative analysis attempts to assign real values to all elements of the risk analysis process. Including • Asset value • Safeguards' costs • Threat frequency • Probability of incident (more)
Quantitative Analysis (93) • Purely quantitative risk analysis is impossible as there are always unknown values, and there are always “qualitative” values. (what is the value of a reputation?) • You can automate quantitative analysis with software and tools. These require tons of data to be collected though, as such require along time and effort to complete, but the tools help speed that up.
Overview of steps in a quantitative analysis (94) • Assign value to an asset • Estimate actual cost for each asset and threat combination. (see SLE later) • Perform a threat analysis – determine the probability of each threat occurring. • Derive the Overall loss potential per threat per year. • Reduce, Transfer Avoid or Accept the Risk.
Steps in Quantitative Analysis (94) Now lets’ break each step out more
Step 1:Assign value to assets (94) What is something worth? • Cost to obtain • Money an asset brings in • Value to competitors • Cost to re-create • Legal liabilities
Step 2:Estimate Loss Potential* (94) For Each threat we need to determine how much could a threat damage/cost us • Physical damage • Loss of productivity • Cost of repairing • Amount of Damage (EF – next slide)* We need to determine “Single Loss Expectancy” per asset and threat* • Example: if you have a virus outbreak and each outbreak costs $50K in lost revenue and repair costs. Your SLE = 50K
Step 2: Estimate of Loss potential When determining SLE, you may hear the term EF (exposure factor) For some items loss is a percentage of a value, this is where EF comes in If you have a warehouse with $1,000,000 of value, and the threat is a fires, your fire suppression systems might stop a fire at 25%, this is your EF, and must be calculated in SLE SLE= total value/cost * EF In this case the fire SLE = $1,000,000 * .25 = $250,000
Step 3:Perform a Threat Analysis (95) Figure out the likely hood of an incident. • Analyze vulnerabilities and rate of exploits. • Analyze probabilities of natural disasters to your location • Review old records of incidents. In this step we need to calculate the Annualized Rate of Occurrence (ARO)* Example: chance of a virus outbreak in any month=75% then the ARO = .75 * 12 (1 year) So we can expect an ARO=9
Step 4: Derive the ALE (95) Derive the Annual Loss Expectancy • SLE * ARO = ALE • Example: 50K cost of virus outbreak (SLE) * 9 occurrences per year (ARO) = $450K cost for this threat • Be able to do these calculation for the exam
Step 5: Reduce, Transfer, Avoid or Accept the Risk (95) For each risk you can do the following • Reduce risk* (install countermeasures to lessen the risk, or mitigate EF (exposure factor) (well go in depth on next slide) • Transfer Risk* (buy insurance) • Accept Risk* (do nothing to minimizing risk) • Avoid Risk (stop doing activity that causes risk)*