Information Security Risk Evaluations and OCTAVE
• Software Engineering Institute
• Carnegie Mellon University
• Pittsburgh, PA 15213
• Sponsored by the U.S. Department of Defense
Current State of Evaluations
• Products and services vary widely
• Technological focus
• Often conducted without a site’s direct participation
• Precipitated by an event
• Evaluation criteria are often inconsistent or undefined
OCTAVE(SM)
• Operationally Critical Threat, Asset, and Vulnerability Evaluation(SM)
• Operationally Critical Threat, Asset, and Vulnerability Evaluation and OCTAVE are service marks of Carnegie Mellon University
Goals of OCTAVE Approach
• Organizations are able to
  • direct and manage risk assessments for themselves
  • make the best decisions based on their unique risks
  • focus on protecting key information assets
  • effectively communicate key security information
OCTAVE Criteria
(Slide diagram: the OCTAVE Criteria define the OCTAVE Approach, which the following methods implement.)
• OCTAVE Method
  • Method Implementation Guide
  • Method Training
• OCTAVE-S Method, for small organizations
  • Method Implementation Guide
  • Method Training
• Other Methods
OCTAVE Method
• Defines a systematic, context-sensitive method for evaluating risks for large organizations.
• Defines implementation
  • detailed procedures for each process
  • worksheets and templates for each process
  • information catalogs
  • preparation and tailoring guidance
  • briefing slides
Conducting OCTAVE
(Slide diagram of the OCTAVE process laid out over time; only the "time" axis label survives in this transcript.)

Analysis Team
• An interdisciplinary team of an organization’s personnel who facilitate the process and analyze data
  • business or mission-related staff
  • information technology staff
Asset
• Something of value to the organization
  • information
  • systems
  • software
  • hardware
  • people
• Examples: Personnel database, your local network and office workstations, etc.
• What types of assets are critical to you?
Critical Assets
• The most important information assets to the organization
• There will be a large adverse impact to the organization if one of the following occurs:
  • The asset is disclosed to unauthorized people.
  • The asset is modified without authorization.
  • The asset is lost or destroyed.
  • Access to the asset is interrupted.
Security Requirements
• Outline the qualities of an asset that are important to protect:
  • confidentiality
  • integrity
  • availability
• Example: Your personnel records must be kept confidential and they must be correct and complete.
• Do you know what the security requirements are for the assets you work with?
Security Practices
• Actions that help initiate, implement, and maintain security in an organization.
• Example: Security awareness is provided for all new employees.
• Do you know what security practices you are supposed to follow?
Catalog of Practices
(Slide diagram: the OCTAVE Catalog of Practices is divided into Strategic Practice Areas and Operational Practice Areas.)
Strategic Practice Areas
• Contingency Planning/Disaster Recovery
• Security Management
• Collaborative Security Management
• Security Awareness and Training
• Security Policies and Regulations
• Security Strategy
Operational Practice Areas
• Physical Security
  • Physical Security Plans and Procedures
  • Physical Access Control
  • Monitoring and Auditing Physical Security
• Information Technology Security
  • System and Network Management
  • System Administration Tools
  • Monitoring and Auditing IT Security
  • Authentication and Authorization
  • Vulnerability Management
  • Encryption
  • Security Architecture and Design
• Staff Security
  • Incident Management
  • General Staff Practices
What is a Threat?
• An indication of a potential undesirable event
• Threat properties
  • Asset
  • Actor
  • Motive (or objective)
  • Access
  • Outcome
Threat Profile
• One threat profile per critical asset
  • visually represented using asset-based threat trees.
• A threat profile contains a range of threat scenarios for the following sources of threats:
  • human actors using network access
  • human actors using physical access
  • system problems
  • other problems
• How are your critical assets threatened?
Human Actors - Network Access
(Asset-based threat tree; the columns are asset, access, actor, motive, outcome.)
• asset -> network access
  • inside actor
    • accidental: disclosure, modification, loss/destruction, interruption
    • deliberate: disclosure, modification, loss/destruction, interruption
  • outside actor
    • accidental: disclosure, modification, loss/destruction, interruption
    • deliberate: disclosure, modification, loss/destruction, interruption
Other Problems
(Asset-based threat tree; the columns are asset, actor, outcome.)
• asset
  • natural disasters: disclosure, modification, loss/destruction, interruption
  • ISP unavailable: disclosure, modification, loss/destruction, interruption
  • telecommunications problems or unavailability: disclosure, modification, loss/destruction, interruption
  • power supply problems: disclosure, modification, loss/destruction, interruption
Vulnerability Evaluations and Tools
• Vulnerability evaluations evaluate systems and components with tools
• Vulnerability tools identify
  • known weaknesses in technology
  • misconfigurations of ‘well known’ administrative functions, such as
    • file permissions on certain files
    • accounts with null passwords
  • what an attacker can determine about your systems and networks
What Vulnerability Tools Identify
(Slide shows the Operational Practice Areas diagram again, with the areas that vulnerability tools address highlighted; the highlighting does not survive in this transcript. Areas shown: Physical Security Plans and Procedures, Physical Access Control, Monitoring and Auditing Physical Security, System and Network Management, Monitoring and Auditing IT Security, Authentication and Authorization, Encryption, Vulnerability Management, System Administration Tools, Security Architecture and Design, Incident Management, General Staff Practices.)
What Vulnerability Identification Tools Do Not Identify
• Misapplied or improper system administration (users, accounts, configuration settings)
• Unknown vulnerabilities in operating systems, services, applications, and infrastructure
• Incorrect adoption or implementation of organizational procedures
Which Systems? Which Components?
• For your critical assets, identify
  • related systems
  • key components on those systems
• Select an approach for evaluating each system/component.
• Gain approvals or contract for the evaluation
  • who will perform the evaluation?
  • which tool(s) will be used?
  • when?
Risk
• Risk is a combination of the threat and the impact to the organization resulting from the following outcomes:
  • disclosure
  • modification
  • destruction/loss
  • interruption
• Example: If a person with a home PC brings a file with a virus to their office, they could corrupt every other PC and the network. At best, a few hours to clean up the system; at worst, days to recover damaged files.
Evaluating Risks
• Risks are evaluated to provide key information needed by decision makers:
  • which risks to actually mitigate
  • relative priority
• Impact and probability are two attributes of risks that are often evaluated.
• Only impact is evaluated in OCTAVE.
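The asset-based threat trees (human actors with network or physical access, system problems, other problems) and the impact-only risk evaluation described above, as an added example; this is illustration code, not SEI's OCTAVE worksheets. The outcome-to-requirement mapping, the "system problems" source kept as a single branch, and the high/medium/low impact values are assumptions of the example.

```python
# Added example (not SEI's OCTAVE material): build an asset-based threat profile
# for one critical asset, keep only the scenarios that violate its security
# requirements, and rank them by impact alone, as OCTAVE does.
from dataclasses import dataclass
from itertools import product
from typing import Optional

OUTCOMES = ("disclosure", "modification", "loss/destruction", "interruption")
# Assumed mapping from each outcome to the security requirement it violates.
REQUIREMENT_FOR = {"disclosure": "confidentiality", "modification": "integrity",
                   "loss/destruction": "availability", "interruption": "availability"}
# Sources from the "Other Problems" tree; "system problems" is kept as a single
# source here because the slides do not break it down further (assumption).
NON_HUMAN_SOURCES = ("system problems", "natural disasters", "ISP unavailable",
                     "telecommunications problems or unavailability",
                     "power supply problems")

@dataclass(frozen=True)
class Threat:
    asset: str
    access: Optional[str]   # "network" or "physical"; None for non-human sources
    actor: str
    motive: Optional[str]   # "accidental" or "deliberate"; None for non-human sources
    outcome: str

def threat_profile(asset: str) -> list:
    """Enumerate every leaf of the threat trees for one critical asset."""
    human = [Threat(asset, access, actor, motive, outcome)
             for access, actor, motive, outcome in product(
                 ("network", "physical"), ("inside", "outside"),
                 ("accidental", "deliberate"), OUTCOMES)]
    other = [Threat(asset, None, source, None, outcome)
             for source, outcome in product(NON_HUMAN_SOURCES, OUTCOMES)]
    return human + other

def relevant_threats(asset: str, requirements: set) -> list:
    """Drop scenarios whose outcome does not violate a stated requirement."""
    return [t for t in threat_profile(asset) if REQUIREMENT_FOR[t.outcome] in requirements]

def rank_by_impact(threats: list, impact: dict) -> list:
    """OCTAVE evaluates impact only; `impact` maps each outcome to high/medium/low."""
    order = {"high": 0, "medium": 1, "low": 2}
    return sorted(threats, key=lambda t: order[impact[t.outcome]])

if __name__ == "__main__":
    # Constructed sample: the personnel database from the "Asset" slide.
    reqs = {"confidentiality", "integrity"}
    impact = {"disclosure": "high", "modification": "high",
              "loss/destruction": "medium", "interruption": "low"}
    for t in rank_by_impact(relevant_threats("personnel database", reqs), impact)[:3]:
        print(t.actor, t.access, t.motive, t.outcome, "->", impact[t.outcome])
```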
Risk Mitigation Plan
• Defines the activities required to mitigate risks/threats
• A mitigation plan focuses on
  • actions to recognize or detect this threat type as it occurs
  • actions to resist this threat type or prevent it from occurring
  • actions to recover from this threat type if it occurs
  • other actions to address this threat type
• Draw from the catalog of practices to help define the activities
Protection Strategy Development
• The analysis team uses the results of the surveys and the mitigation plans to build an organization-wide strategy for improving security.
  • practices to improve
  • new practices to add
  • practices to keep doing
• A key artifact is OCTAVE’s Catalog of Practices
  • strategic practices
  • operational practices
Some Keys to Success
• Getting senior management sponsorship
• Selecting the right analysis team
• Scoping the evaluation
• Selecting participants
Where Is OCTAVE Going?
• Monitoring pilots in DoD, Government, and industry sectors
• Public release of OCTAVE Method Implementation Guide - 3Q 2001
• Public release of the OCTAVE criteria - 4Q 2001
• OCTAVE Method Training - 1Q FY 2002
• Prototyping OCTAVE-S for small organizations
For Additional Information
• Telephone: 412 / 268-5800
• Fax: 412 / 268-5758
• Internet: customer-relations@sei.cmu.edu, security-improvement@cert.org, octave-info@sei.cmu.edu
• WWW: http://www.cert.org/octave
• U.S. mail: Customer Relations, Software Engineering Institute, Carnegie Mellon University, Pittsburgh, PA 15213-3890