ISA 562 Internet Security Theory & Practice
Information Security Management (CISSP Topic 1)
Posted Dec 25, 2015 by Ophelia Parker. 61 slides.

Page 1: Information Security Management, CISSP Topic 1 (ISA 562 Internet Security Theory & Practice)

Page 2: Objectives
• Roles and responsibilities of individuals in a security program
• Security planning in an organization
• Security awareness in the organization
• Differences between policies, standards, guidelines and procedures as related to security
• Risk management practices and tools

Page 3: Introduction
• The purpose of information security is to protect an organization's valuable resources, such as information, hardware and software.
• It should be designed to increase organizational success.
• Information systems are often critical assets that support the mission of an organization.

Page 4: Information Security TRIAD
• The overarching goals of information security are addressed through the AIC TRIAD (availability, integrity, confidentiality).

Page 5: IT Security Requirements - I
• Security solutions should be designed with two main focus areas:
1. Functional requirements:
– Define the security behavior of the control measures
– Selected based on risk assessment
– Properties:
• They should not depend on another control. Why?
• They should fail safe, maintaining the security of the system in the event of a failure. Why?

Page 6: IT Security Requirements - II
2. Assurance requirements:
• Provide confidence that security functions are performing as expected.
• Examples:
– Internal/external audit
– Threat risk assessments
– Third-party reviews
– Compliance with best practices
3. Example of functional vs. assurance:
– Functional requirement: a network firewall permits or denies traffic.
– Assurance requirement: logs are generated and monitored.

Page 7: Organizational & Business Requirements
• Focus on the organizational mission:
– Business driven
• Depends upon the organizational type:
– Examples: military, government and commercial
• Must be sensible and cost effective:
– Solutions must be developed with due consideration of the mission and environment of the business

Page 8: IT Security Governance
• Integral part of overall corporate governance:
– Must be fully integrated into the overall risk-based threat analysis
• Ensures that the IT infrastructure of the company:
– Meets the AIC requirements
– Supports the strategies and objectives of the company
– Includes service level agreements when outsourced

Page 9: Security Governance Major Parts
1. Leadership:
– Security leaders must be fully integrated into the company leadership, where they can be heard.
2. Structure:
– It occurs at many different levels of the organization and in a layered approach.
3. Processes:
– By following internationally accepted "best practices":
– Job rotation, separation of duties, least privilege, mandatory vacations, etc.
– Some example standards: ISO 17799 & ISO 27001:2005

Page 10: Security Blueprints
• Provide a structure for organizing requirements and solutions:
– They are used to ensure that security is considered from a holistic view.
• Used to identify and design security requirements
• Infrastructure security blueprints

Page 11: Policy Overview
1. The operational environment is a complex web of laws, regulations, requirements, competitors and partners.
2. These change frequently and interact with each other within this environment.
3. Management must develop and publish overall security statements addressing:
– Security policies and their supporting elements such as standards, baselines and guidelines.

Page 12: Policy Overview
(slide body not captured in the transcript)

Page 13: Functions of Security Policy - I
1. Provides management's goals and objectives in writing
2. Documents compliance
3. Creates the security culture
4. Anticipates and protects others from surprises
5. Establishes the security activity/function
6. Holds individuals personally responsible/accountable

Page 14: Functions of Security Policy - II
• Addresses foreseeable conflicts
• Ensures employees and contractors are aware of organizational policy and changes
• Mandates an incident response plan
• Establishes processes for exception handling, rewards and discipline

Page 15: Policy Infrastructure
1. High-level policies are interpreted into a number of functional policies.
2. Functional policies are derived from the overarching policy of the organization and
– create the foundation for the procedures, standards, and baselines to accomplish the security objectives.
3. Functional policies gain their credibility from senior management's buy-in.

Page 16: Example Functional Policies
1. Data classification
2. Certification and accreditation
3. Access control
4. Outsourcing
5. Remote access
6. Acceptable Internet usage
7. Privacy
8. Dissemination control
9. Sharing control

Page 17: Policy Implementation
• Standards, procedures, baselines, and guidelines turn the objectives and goals established by management in the overarching and functional policies into actionable and enforceable actions for the employees.

Page 18: Standards and Procedures
1. Standards: adoption of common hardware and software mechanisms and products throughout the enterprise.
– Examples: desktop, anti-virus, firewall
2. Procedures: required step-by-step actions which must be followed to accomplish a task.
3. Guidelines: recommendations for security product implementations, procurement and planning, etc.
– Examples: ISO 17799, Common Criteria, ITIL

Page 19: Baselines
• Benchmarks used to ensure that a minimum level of security configuration is provided across multiple implementations and systems.
– They establish consistent implementation of security mechanisms.
– Platform unique
• Examples:
– VPN setup
– IDS configuration
– Password rules

Page 20: Three Levels of Security Planning
1. Strategic planning: long term
– Focuses on the high-level, long-range organizational requirements
– Examples: overarching security policy
2. Tactical-level planning: medium term
– Focuses on events that will affect the entire organization
– Examples: functional plans
3. Operational planning: short term
– Fighting fires at the keyboard level
– Directly affects the ability of the organization to accomplish its objectives

Page 21: Organizational Roles and Responsibilities
• Every actor has a role:
– It entails responsibility
– It must be clearly communicated and understood by all actors
• Specific duties associated with the role must be assigned
• Examples:
– Securing email
– Reviewing violation reports
– Attending awareness training

Page 22: Specific Roles and Responsibilities (Duties) - 1
• Executive management:
– Publish and endorse security policy
– Establish goals and objectives
– Overall responsibility for asset protection
• Information systems security professionals:
– Security design, implementation and management
– Review of the organization's security policies

Page 23: Specific Roles and Responsibilities - 2
• Owners:
– Information classification
– Set user access conditions
– Decide on business continuity priorities
• Custodians:
– Security of the information entrusted to them
• Information system auditor:
– Auditing assurance guarantees
• Users:
– Compliance with procedures (AIC) and policies

Page 24: Personnel Security: Hiring Staff
• Background checks/security clearances
• Check references/educational records
• Sign employment agreement
– Examples:
• Non-disclosure agreements
• Non-compete agreements
• Low-level checks
• Consult the Human Resources (H.R.) department
• Termination procedures

Page 25: Third-Party Considerations
• Establish procedures to address these groups on an individual basis.
• Examples of third parties are:
– Vendors/suppliers
– Contractors
– Temporary employees
– Customers

Page 26: Personnel Good Practices
• Job descriptions and defined roles and responsibilities
• Least privilege/need to know
• Compliance with need to share
• Separation of duties
• Job rotation
• Mandatory vacations

Page 27: Security Awareness
• Awareness training:
– Provides employees with a reminder of their security responsibilities
– Motivates personnel to comply with requirements
– Examples:
• Videos
• Newsletters
• Posters
• Key-chains, etc.

Page 28: Training and Education
• Job training:
– Provides the skills needed to perform the security functions in their jobs
– Focuses on security-related job skills
– Specifically addresses the security requirements of the organization, etc.
• Professional education:
– Provides decision-making and security management skills that are important for the success of an organization's security program

Page 29: Good Training Practices
• Address the audience:
– Management
– Data owner and custodian
– Operations personnel
– Users
– Support personnel

Page 30: Risk from NIST SP 800-30
• Risk is a function of the likelihood of a given threat-source's exercising a particular potential vulnerability, and the resulting impact of that adverse event on the organization (SP 800-30).

Page 31: Definitions Related to Risk
• Threat: the potential for a mal-actor to exercise a specific vulnerability.
• Vulnerability: a flaw or weakness in system security procedures, design, implementation or internal controls that could be exercised and could result in a security breach or violation of the system's security policy.
• Likelihood: the probability that a potential vulnerability may be exercised within the threat environment.
• Countermeasures: a risk-reduction control
– May be technical, operational or management controls, or a combination of these types

Page 32: Risk Management Concept Flow
(slide body not captured in the transcript)

Page 33: Risk Management Definitions
• Asset: something that is valued by the organization to accomplish its goals and objectives
• Threat: any potential danger to information or an information system
– Examples: unauthorized access, hardware failure, loss of key personnel
• Threat agent: anything that has the potential of causing a threat
• Exposure: an opportunity for a threat to cause loss
• Vulnerability: a weakness that could be exploited
• Attack: an intentional action trying to cause harm
• Countermeasures and safeguards: those measures and actions that are taken to protect systems
• Risk: the probability that some unwanted event could occur
• Residual risk: the amount of risk remaining after countermeasures and safeguards are applied

Page 34: Risk Management
• The purpose of risk management is to identify potential problems:
– Before they occur
– So that risk-handling activities may be planned and invoked as needed
– Across the life of the product or project

Page 35: The Risk Equation
(slide body not captured in the transcript)

Page 36: Risk Factors
• Risk arises when threat agents attack assets and vulnerabilities are present.
• Residual risk remains when threat agents attack assets and countermeasures are in place but are not sufficient.

Page 37: Risk Management
• Risk management identifies and reduces total risk (threats, vulnerabilities and asset value).
• Mitigating controls: safeguards and countermeasures reduce risk.
• Residual risk should be set to an acceptable level.

Page 38: Purpose of Risk Analysis
• Identifies and justifies risk mitigation efforts:
– Identifies the threats to business processes and information systems
– Justifies the implementation of specific countermeasures to mitigate risk
• Describes the current security posture
• Conducted based on risk to the organization's objectives/mission

Page 39: Benefits of Risk Analysis
• Focuses policy and resources
• Identifies areas with specific risk requirements
• Part of good IT governance
• Supports:
– The business continuity process
– Insurance and liability decisions
– Legitimizes security awareness programs

Page 40: Emerging Threat Factors
• Risk assessment must also address emerging threats:
– New technology
– Change in the culture of the organization or environment
– Unauthorized use of technology, etc.
• Can come from many different areas
• May be discovered by periodic risk assessments

Page 41: Sources to Identify Threats
• Users
• Systems administrators
• Security officers
• Auditors
• Operations
• Facility records
• Community and government records
• Vendor/security provider alerts
• Other types of threats:
– Natural disasters: flood, tornado, etc.
– Environment: overcrowding or poor morale
– Facility: physical security or location of building

Page 42: Risk Analysis Key Factors
• Obtain senior management support
• Establish the risk assessment team:
– Define and approve the purpose and scope of the risk assessment team
– Select team members
– State the official authority and responsibility of the team
– Have management review findings and recommendations
• Risk team members:
– Some of the areas which should be included: information system security, IT & operations management, internal audit, physical security, etc.

Page 43: Use of Automated Tools for Risk Management
• The objective is to minimize manual effort
• Can be time consuming to set up
• Perform calculations quickly:
– Estimate future expected losses
– Determine the benefit of security measures

Page 44: Preliminary Security Evaluation
• Identify vulnerabilities
• Review existing security measures
• Document findings
• Obtain management review and approval

Page 45: Risk Analysis Types
• Two types of risk analysis:
– Quantitative risk analysis
– Qualitative risk analysis
• Both provide valuable metrics
• Both are often required to get a full picture

Page 46: Quantitative Risk Analysis
• Assigns independently objective numeric monetary values
• Fully quantitative if all elements of the risk analysis are quantified
– Difficult to achieve
• Requires substantial time and personnel resources

Page 47: Determining Asset Value
• Cost to acquire, develop, and maintain
• Value to owners, custodians, or users
• Liability for protection
• Recognize cost and value in the real world:
– Price others are willing to pay
– Value of intellectual property
– Convertibility/negotiability

Page 48: Quantitative Analysis Steps
1. Estimate potential losses
– SLE: Single Loss Expectancy
• SLE = Asset Value ($) x Exposure Factor (%)
• Exposure Factor = % of the asset lost when the threat is successful
• Types of loss to consider: physical destruction/theft, loss of data, etc.
2. Conduct threat analysis
– ARO: Annual Rate of Occurrence
• Expected number of exposures/incidents per year
• Likelihood of an unwanted event happening
3. Determine Annual Loss Expectancy (ALE)
– Combine potential loss and rate per year
– Magnitude of risk = Annual Loss Expectancy
– Purpose of ALE: justify security countermeasures
– ALE = SLE x ARO
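The three steps above (SLE from asset value and exposure factor, ARO from threat analysis, ALE as their product) carried through on a small set of scenarios. This is an added Python example, not code from the course; the scenario names and all dollar figures, exposure factors and rates are constructed sample data, and the helper that turns "once every N years" into an ARO is an assumption of this example rather than a formula the slide states.

```python
"""Quantitative risk analysis worked example: SLE, ARO and ALE.

Added example, not from the slide deck. The scenarios below are constructed
sample data, not figures from the course.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    """One threat/asset pairing with the inputs the slide's formulas need."""
    name: str
    asset_value: float      # AV: value of the asset in dollars
    exposure_factor: float  # EF: fraction (0.0 .. 1.0) of the asset lost per successful threat
    aro: float              # ARO: expected number of incidents per year


def aro_from_interval(years_between_incidents: float) -> float:
    """Convert 'once every N years' into an annual rate of occurrence (assumed helper)."""
    if years_between_incidents <= 0:
        raise ValueError("interval must be positive")
    return 1.0 / years_between_incidents


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE = Asset Value x Exposure Factor (slide 48, step 1)."""
    if asset_value < 0:
        raise ValueError("asset value cannot be negative")
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be a fraction between 0 and 1")
    return asset_value * exposure_factor


def annual_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE x ARO (slide 48, step 3)."""
    if aro < 0:
        raise ValueError("ARO cannot be negative")
    return sle * aro


def rank_by_ale(scenarios):
    """Return (name, SLE, ALE) tuples with the largest ALE first, i.e. the
    order in which countermeasure spending is easiest to justify."""
    rows = []
    for s in scenarios:
        sle = single_loss_expectancy(s.asset_value, s.exposure_factor)
        ale = annual_loss_expectancy(sle, s.aro)
        rows.append((s.name, sle, ale))
    return sorted(rows, key=lambda r: r[2], reverse=True)


# Constructed sample scenarios (hypothetical figures).
SAMPLE_SCENARIOS = [
    # Frequent-ish, moderate damage per incident.
    Scenario("Web server compromise", asset_value=250_000, exposure_factor=0.40, aro=0.5),
    # Very frequent, total loss of a cheap asset.
    Scenario("Laptop theft", asset_value=4_000, exposure_factor=1.00, aro=3.0),
    # Rare, large loss: a flood expected once every 50 years, ARO = 1/50 = 0.02.
    Scenario("Data center flood", asset_value=2_000_000, exposure_factor=0.75,
             aro=aro_from_interval(50)),
]

if __name__ == "__main__":
    for name, sle, ale in rank_by_ale(SAMPLE_SCENARIOS):
        print(f"{name:24s} SLE=${sle:>12,.0f}  ALE=${ale:>12,.0f}/yr")
```

Note how the ranking differs from what either SLE or ARO alone would suggest: the flood has by far the largest single loss and the laptop theft the highest frequency, but the web server compromise carries the highest annual loss expectancy, so it is the scenario whose countermeasures are easiest to justify.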

Page 49: Qualitative Risk Analysis
• Scenario oriented:
– Does not attempt to assign absolute numeric values to risk components
• Purely qualitative risk analysis is possible
• Qualitative risk analysis factors:
– Rank the seriousness of the threats and the sensitivity of assets
– Perform a carefully reasoned risk assessment

Page 50: Other Risk Analysis Methods
• Failure modes and effects analysis:
– Potential failures of each part or module
– Examine effects of failure at three levels:
• Immediate level (part or module)
• Intermediate level (process or package)
• System-wide
• Fault tree analysis:
– Sometimes called "spanning tree analysis"
– Create a "tree" of all possible threats to, or faults of, the system
• "Branches" are general categories such as network threats, physical threats, component failures, etc.
• Prune "branches" that do not apply
• Concentrate on the remaining threats

Page 51: Risk Mitigation Options
• Risk acceptance
• Risk reduction
• Risk transference
• Risk avoidance

Page 52: The Right Amount of Security
• Cost/benefit analysis: balance between the cost to protect and the asset value
• To estimate, need to know:
– Asset value
– Threats: adversary, means, motives, and opportunity
– Vulnerabilities and resulting risk
– Countermeasures
– Risk tolerance

Page 53: Countermeasure Selection Principles
• Based on cost/benefit analysis; the total cost of the safeguard includes:
– Selection and acquisition
– Construction and placement
– Environment modification
– Nontrivial operating cost
– Maintenance, testing
– Potential side effects
• Cost must be justified by the potential loss
• Accountability:
– At least one person for each safeguard
– Associate directly with performance reviews
• Absence of design secrecy
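The cost/benefit balance of page 52 and the "cost must be justified by the potential loss" principle of page 53, worked through in code. This is an added Python example, not from the course. It applies the standard (ISC)2 CBK rule for the annual value of a safeguard, ALE before the safeguard minus ALE after it minus the safeguard's annualized cost, which these slides describe in words but do not write out; the safeguard names, cost figures and residual exposure values are constructed sample data, and spreading the one-time cost evenly over a useful life is a simplifying assumption of this example.

```python
"""Countermeasure cost/benefit worked example.

Added example, not from the slide deck. It uses the standard (ISC)2 CBK
formula for the annual value of a safeguard:

    value = ALE(before safeguard) - ALE(after safeguard) - annual cost of safeguard

All figures below are constructed sample data.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Exposure:
    """The risk being treated, in the terms of slide 48 (AV, EF, ARO)."""
    asset_value: float
    exposure_factor: float  # fraction of the asset lost per incident
    aro: float              # incidents per year

    def ale(self) -> float:
        """ALE = (AV x EF) x ARO."""
        return self.asset_value * self.exposure_factor * self.aro


@dataclass(frozen=True)
class Safeguard:
    """A candidate countermeasure and the cost elements slide 53 lists."""
    name: str
    acquisition_cost: float          # selection, acquisition, construction, placement
    annual_operating_cost: float     # operating, maintenance and testing per year
    useful_life_years: int           # one-time costs are spread over this period (assumption)
    residual_exposure_factor: float  # EF once the safeguard is in place
    residual_aro: float              # ARO once the safeguard is in place

    def annualized_cost(self) -> float:
        if self.useful_life_years <= 0:
            raise ValueError("useful life must be at least one year")
        return self.acquisition_cost / self.useful_life_years + self.annual_operating_cost


def ale_after(exposure: Exposure, sg: Safeguard) -> float:
    """Residual ALE once the safeguard has changed EF and/or ARO."""
    return Exposure(exposure.asset_value, sg.residual_exposure_factor, sg.residual_aro).ale()


def net_annual_benefit(exposure: Exposure, sg: Safeguard) -> float:
    """Positive: the safeguard pays for itself. Negative: its cost is not
    justified by the potential loss it prevents."""
    return exposure.ale() - ale_after(exposure, sg) - sg.annualized_cost()


def select_safeguard(exposure: Exposure, candidates) -> Optional[Safeguard]:
    """Pick the candidate with the highest positive net benefit, or None when
    every option costs more than the loss it avoids (accept the risk instead)."""
    best = None
    best_value = 0.0
    for sg in candidates:
        value = net_annual_benefit(exposure, sg)
        if value > best_value:
            best, best_value = sg, value
    return best


# Constructed example: ALE before any safeguard = 250,000 x 0.40 x 0.5 = 50,000/yr.
WEB_SERVER = Exposure(asset_value=250_000, exposure_factor=0.40, aro=0.5)

CANDIDATES = [
    # Cuts how often the threat succeeds (ARO); damage per incident unchanged.
    Safeguard("Web application firewall", 30_000, 5_000, 3,
              residual_exposure_factor=0.40, residual_aro=0.1),
    # Frequency unchanged, but limits the damage per incident (EF).
    Safeguard("Hot spare + tested backups", 20_000, 2_000, 5,
              residual_exposure_factor=0.10, residual_aro=0.5),
    # Eliminates the loss entirely, but costs more per year than the loss it prevents.
    Safeguard("Fully redundant second site", 300_000, 20_000, 5,
              residual_exposure_factor=0.0, residual_aro=0.5),
]

if __name__ == "__main__":
    for sg in CANDIDATES:
        print(f"{sg.name:30s} net benefit ${net_annual_benefit(WEB_SERVER, sg):>10,.0f}/yr")
    chosen = select_safeguard(WEB_SERVER, CANDIDATES)
    print("selected:", chosen.name if chosen else "none (accept the risk)")
```

The third candidate removes the risk completely and still loses: its annualized cost exceeds the 50,000/yr it prevents, which is exactly the "cost must be justified by the potential loss" test. When no candidate has a positive net benefit the function returns None, leaving risk acceptance (page 51) as the remaining option.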

Page 54: Countermeasure Selection Principles (continued)
• Audit capability:
– Must be testable
– Include auditors in design and implementation
• Vendor trustworthiness:
– Review past performance
• Independence of control and subject:
– Safeguards control/constrain subjects
– Controllers administer the safeguards
– Controllers and subjects are from different populations
• Universal application:
– Impose safeguards uniformly
– Minimize exceptions

Page 55: Countermeasure Selection Principles (continued)
• Compartmentalization and defense in depth:
– The safeguard's role
– Consider improving security through layers of security
• Isolation, economy and least common mechanism:
– Isolate from other safeguards
– A simple design is more cost effective and reliable, etc.
• Acceptance and tolerance by personnel:
– Care must be taken to avoid implementing controls that pose unreasonable constraints
– Less intrusive controls are more acceptable
• Minimize human intervention:
– Reduces the possibility of errors and "exceptions" by reducing the reliance on administrative staff to maintain the control

Page 56: Countermeasure Selection Principles (continued)
• Sustainability
• Reaction and recovery:
– Countermeasures should do the following when activated:
• Avoid asset destruction and stop further damage
• Prevent disclosure of sensitive information through a covert channel
• Maintain confidence in system security
• Capture information related to the attack and attacker
• Override and fail-safe defaults
• Residual and reset

Page 57: Basis and Origin of Ethics
• Religion, law, tradition, culture
• National interest
• Individual rights
• Enlightened self-interest
• Common good/interest
• Professional ethics/practices
• Standards of good practice

Page 58: Ethics
• Formal ethical theories:
– Teleology: ethics in terms of goals, purposes, or ends
– Deontology: ethical behavior is duty
• Common ethical fallacies:
– Computers are a game
– Law-abiding citizen, free information
– Shatterproof
– Candy-from-a-baby
– Hackers
• Difficult to define:
– Start with senior management

Page 59: Codes of Ethics - Examples
• Relevant professional codes of ethics include:
• Internet Activities Board (IAB):
– Any activity is unethical and unacceptable that purposely:
» Seeks to gain unauthorized access to Internet resources
» Disrupts the intended use of the Internet
» Wastes resources through such actions
» Destroys the integrity of computer-based information
» Compromises the privacy of users
» Involves negligence in the conduct of Internet-wide experiments

Page 60: Codes of Ethics - Examples
• Relevant professional codes of ethics include:
– (ISC)2 and other professional codes:
• (ISC)2 Code of Ethics preamble:
– Protect society, the commonwealth, and the infrastructure
– Provide diligent and competent service to principals, etc.
• Auditors
• Professional codes may have legal importance

Page 61: References
• ISC2 CBK material
• ISC2 Official Guide
• CISSP All-in-One