330 likes | 501 Views
Personnel good practice. Job description; roles and responsibilities Least privilege/Need to know Compliance with need to share Separation of duties / responsibilities Job rotation Mandatory vacations. Security Awareness. Awareness training Remind employees of security responsibility
E N D
Personnel good practice Job description; roles and responsibilities Least privilege/Need to know Compliance with need to share Separation of duties / responsibilities Job rotation Mandatory vacations Summer 2008
Security Awareness Awareness training Remind employees of security responsibility Motivate personnel to comply with them Videos Newsletters Posters Key-chains Summer 2008
Training and Education Job training Provide skills to perform security functions. Focus on security-related job skills Address security requirements of the organization, etc. Professional Education Provide decision-making and security management skills important for success of security program. Summer 2008
Good training practice Address all the audience Management Data Owner and custodian Operations personnel User Support personnel Summer 2008
Risk in NIST SP 800-30 Risk is a function of the likelihood of a given threat-source’s exercising a particular potential vulnerability and the resulting impact of that adverse event on the organization Summer 2008
Risk related Definitions Vulnerability: A Flaw or weakness in system procedures, design, implementation or internal controls that could be used breach or violate the system Likelihood: probability that a vulnerability may be used in the threat environment. Threat: the Potential for a mal-actor to exercise a vulnerability. Countermeasure: risk reduction method (technical, operational, manageriaal, or combination) Summer 2008
Risk Management concept flow Summer 2008
Risk Management Definitions Asset:something valued (to accomplish goals and objectives) Threat Agent:anything that can pose or cause a threat. Exposure: situation when a threat can cause loss. Vulnerability: weakness that could be exploited. Attack:Intentional action attempting to cause harm. Risk:probability that some event can occur Residual Risk:risk remaining after countermeasures and safeguards have been applied Summer 2008
Risk Management To identify possible problems before they occur so that risk-handling activities may be planned and invoked as needed during the life of the product or project Summer 2008
The Risk Equation Summer 2008
Risk Management Identify and reduce risks Mitigating controls [Safeguards & Countermeasures] Residual Risk when countermeasures exist but are not sufficient should be at acceptable level Summer 2008
Purpose of Risk Analysis Identify and justify risk mitigation Assess threats to business processes and IS Justify use of countermeasures Describe security based on risk to the organization Summer 2008
Benefits of Risk Analysis Focus on policy and resources Identify areas with specific risk good IT Governance, supporting Business continuity Insurance and liability decisions Legitimize security awareness program Summer 2008
Emerging threats Risk Assessment must address new threats New technology Change in culture of the organization Unauthorized use of technology. May be discovered by periodic risk assessment Summer 2008
Sources of identity threats Users System administrators Security officers Auditors Operations Facility records Community and government records Vendor/security provider alerts Other threats: Natural disasters – flood, tornado, etc. Environment -- overcrowding or poor morale Facility -- physical security or location of building Summer 2008
Risk analysis key factors Obtain senior management support Establish risk assessment team Define and approve purpose and scope Select team members State their authority and responsibility Have management review findings and recommendations Risk team members to include: IS System Security, IT & Operations Management, Internal Audit, Physical security, etc Summer 2008
Use of automated tools for risk management Objective: to minimize manual effort May be time consuming in setup Perform calculations quickly Estimate future expected loss Determine benefit of security measures Summer 2008
Preliminary security evaluation Identify vulnerabilities Review existing security measures Document findings Obtain management review and approval Summer 2008
Risk analysis types Two types Quantitative Qualitative Both provide valuable metrics Both required for a full picture Summer 2008
Quantitative risk analysis Determine monetary value Fully quantitative if all elements are quantified, but this is difficult to achieve. Requires much time and personnel effort Summer 2008
Determining Asset Value Cost to acquire, develop, and maintain Value to owners, custodians, or users Liability for protection Recognize real world cost and value Price others are willing to pay for it Value of intellectual property Convertibility/negotiability Summer 2008
Quantitative analysis steps Estimate potential single loss expectancy SLE = Asset Value ($) * Exposure Factor Exposure Factor=% of asset loss when threat succeeds Types of loss Physical destruction, theft, Loss of data, etc Conduct threat analysis ARO-Annual Rate of Occurrence Expected number of exposures/incidents per year Likelihood of unwanted event happening Determine Annual Loss Expectancy (ALE) Magnitude of risk = Annual Loss Expectancy Purpose to justify security countermeasures ALE=SLE * ARO Summer 2008
Qualitative Risk analysis Scenario oriented Does not assign numeric values to risk components Qualitative risk analysis is possible Qualitative risk analysis factors Rank seriousness of threats and sensitivity of assets Perform a reasoned risk assessment Summer 2008
Other risk analysis methods Failure modes and effects analysis Potential failures of each part or module Examine effects of failure at three levels Immediate (part or module) Intermediate (process or package) System-wide Fault tree or spanning tree analysis Create a “tree” of all possible threats and faults “Branches” are general categories [network threats, physical threats, component failures, etc.] Prune “branches” that do not apply Concentrate on remaining threats. Summer 2008
Risk mitigation options Risk Acceptance Risk Reduction Risk Transference Risk Avoidance Summer 2008
The right amount of security Cost/Benefit analysis- balance cost of protection versus asset value Need to assess: Threats, Adversary, means , motives, and opportunity. Vulnerabilities and Resulting risk Risk tolerance Summer 2008
Countermeasures Selection Principles Based on cost/benefit analysis, cost of safeguard Selection and acquisition Construction and placement Environment modification Nontrivial operating cost Maintenance, testing Potential side effects Cost justified by potential loss Accountability At least one person for each safeguard Associate directly with performance review Absence of design secrecy Summer 2008
Countermeasures Selection Principles (Cont.) Audit capability Must be testable Include auditors in design and implementation Vendor Trustworthiness Review past performance Independence of control and subject Safeguards control/constrain subjects Controllers administer safeguards Controllers and subject have different populations Universal application Impose safeguards uniformly Minimize exceptions Summer 2008
Countermeasures Selection Principles (Cont.) Compartmentalization and defense in depth Role of Safeguards to improve security through layers Isolation, economy, and least common mechanism Isolate from other safeguards Simple design is cost effective and reliable, etc Acceptance and tolerance by personnel Care taken to avoid implementing controls that pose unreasonable constraints Less intrusive controls more acceptable Minimize human intervention Reduce possibility of errors and “exceptions” by reducing reliance on administrative staff to maintain control Summer 2008 29
Countermeasures Selection Principles (Cont.) Sustainability Reaction and recovery Countermeasures, when activated, should: Avoids asset destruction and stop further damage Prevent disclosure of sensitive information through a covert channel Maintain confidence in system security Capture information related to the attack and attacker Override and fail-safe defaults Residual and reset Summer 2008
Basis and Origin of Ethics Religion, law, tradition, culture National interest Individual rights Enlightened self interest Common good/interest Professional ethics/practices Standards of good practice Summer 2008
Ethics Formal ethical theories Teleology: Ethics in terms of goals, purposes, or ends Deontology: Ethical behavior is duty Common ethical fallacies Computers are a game Law-abiding citizen, Gentlemanly conduct, Free information Shatterproof Candy-from-a-baby Hackers Difficult to define Start with senior management Summer 2008
Professional Codes of ethics Internet Activities Board (IAB) Any activity is unethical & unacceptable that purposely: Seeks to gain unauthorized access to the internet resources Disrupts the intended use of the internet Wastes resources through such actions Destroys the integrity of computer-based information Compromises the privacy of users Involves negligence in the conduct of internet-wide experiments ACM and IEEE (look them up) (ISC)2 Protect society, the commonwealth, and the infrastructure Provide diligent and competent services to principals, etc Auditors Professional codes may have legal importance Summer 2008