
Managing Information Security Risks Across the Enterprise


Audrey Dorofee
Software Engineering Institute
Carnegie Mellon University
Pittsburgh, PA 15213

Sponsored by the U.S. Department of Defense

Operationally Critical Threat, Asset, and Vulnerability Evaluation, OCTAVE, and OCTAVE-S are service marks of Carnegie Mellon University. CERT Coordination Center is registered in the U.S. Patent and Trademark Office.
© 2002 by Carnegie Mellon University
1
NSS* Program Strategies

*Networked Systems Survivability


Survivable Enterprise Management
Our mission is to assist organizations in attaining and
maintaining an acceptable level of information asset protection
by:
• applying information security management practices and
techniques
• identifying, initiating, and validating effective survivability
practices and protection strategies

Requires acknowledging and establishing information survivability as a legitimate, on-going business process
Agenda
Beyond Technology Vulnerability Evaluations

Overview of OCTAVE

Summary

Evaluation Practice in January 1999
Products and services varied widely.

Evaluations
• tended to have a technological focus
• were often conducted without a site’s direct participation
• were often precipitated by an event (reactive)

Evaluation criteria were often inconsistent or undefined.

Organizations typically did not follow through by implementing the results of the evaluation.

Need to Expand the Security Evaluation Focus
Both organizational and I/T focused

Proactive rather than reactive

Based on organization’s unique risk factors

Inclusive of security policy, practices, procedures

Foundation for continuous security improvement

Organizational Gap

Information Security Risks
• Information security risk is another type of
organizational risk that needs to be managed.
• Managing information security risks requires a
partnership among
- all levels of staff
- business units and the IT department
- partners
- contractors
- service providers
- end users

You Own Your Risk
• Risk is unique to each organization.
• Risk is linked to business drivers.
• All levels of the organization need to be engaged.
• Internal expertise is required.
• External experts can be acquired as needed.
• Although you can insure for some things, your risks
cannot be completely outsourced.

Figure: internal expertise and external expertise

Operationally Critical Threat, Asset, and Vulnerability Evaluation

Founding Philosophy
You cannot mitigate all risks.

Your budget is not limitless. Neither are your other resources.

You cannot prevent all determined, skilled incursions.

You need to determine the best use of your limited resources to ensure the survivability of your enterprise.
• enterprise view
• focus on critical few
OCTAVE Approach

OCTAVE and Risk Management

Important Aspects of OCTAVE - 1
Identifies information security risks that could prevent you
from achieving your mission - ensuring business continuity.

Looks at information security enterprise-wide.

Creates a focused protection strategy
• information asset-driven threat and risk identification
• based on your organization’s
- unique operational security risks
- current security practices
- current organizational and technological weaknesses

Important Aspects of OCTAVE - 2
Enables you to effectively communicate critical
information security issues.

Provides a foundation for future security improvements.

Positions your organization for compliance with data security requirements or regulations.

OCTAVE Approach

OCTAVE Principles

OCTAVE Process

Operationally Critical Threat, Asset, and Vulnerability Evaluation


Conducting OCTAVE

• An interdisciplinary team composed of:
- business or mission-related staff
- information technology staff
Scoping OCTAVE
Focus the risk evaluation to look at a cross section of the
key areas of the enterprise.

Use the knowledge and expertise across a broad range of employees
- senior managers
- operational area managers
- staff
- information technology staff

Scale the evaluation up or down by changing the scope.


OCTAVE Method
Focused on large-scale organizations

Is a systematic, context-sensitive method for evaluating risks
• series of workshops
• conducted by analysis team

Defined by
• method implementation guide (procedures, guidance,
worksheets, information catalogs)
• method training
• Managing Information Security Risks (Addison-Wesley
book)

OCTAVE-S
Currently in pilot testing, this method defines a more
structured method for evaluating risks in small organizations.
• requires less security expertise, if any, in analysis team
• analysis team has a full, or nearly full, understanding of
the organization and what is important
• uses “fill-in-the-blank” as opposed to “essay” style

Will be defined by
• detailed procedures for each process
• worksheets and templates for each process
• information catalogs
OCTAVE Process

Operationally Critical Threat, Asset, and Vulnerability Evaluation


Phase 1 Questions
What are your organization’s critical information-related
assets?

What is important about each critical asset?

Who or what threatens each critical asset?

What is your organization currently doing to protect its critical assets?

What weaknesses in policy and practice currently exist in your organization?

OCTAVE Catalog of Practices - 1

Strategic Practice Areas
• Security Awareness and Training
• Security Strategy
• Security Management
• Security Policies and Regulations
• Collaborative Security Management
• Contingency Planning/Disaster Recovery
OCTAVE Catalog of Practices - 2

Operational Practice Areas
• Physical Security
- Physical Security Plans and Procedures
- Physical Access Control
- Monitoring and Auditing Physical Security
• Information Technology Security
- System and Network Management
- System Administration Tools
- Monitoring and Auditing IT Security
- Authentication and Authorization
- Vulnerability Management
- Encryption
- Security Architecture and Design
• Staff Security
- Incident Management
- General Staff Practices
Critical Assets
The most important assets to the organization
• information
• systems
• services and applications
• people

There will be a large adverse impact to the organization if
• the asset is disclosed to unauthorized people.
• the asset is modified without authorization.
• the asset is lost or destroyed.
• access to the asset is interrupted.
Threat Profile
A threat profile contains a range of threat scenarios for a
critical asset using the following sources of threats:
• human actors using network access
• human actors using physical access
• system problems
• other problems

The threat profile is visually represented using asset-based threat trees, one for each of the four sources of threats.

Threat Properties
Asset

Actor

Motive (optional)

Access (optional)

Outcome

Human Actors - Network Access

Asset-based threat tree (asset, access, actor, motive, outcome):
• asset, network access
- inside actor, accidental motive: disclosure, modification, loss/destruction, interruption
- inside actor, deliberate motive: disclosure, modification, loss/destruction, interruption
- outside actor, accidental motive: disclosure, modification, loss/destruction, interruption
- outside actor, deliberate motive: disclosure, modification, loss/destruction, interruption

Note: a heavy red line in the tree indicates a perceived threat.
Human Actors - Physical Access

Asset-based threat tree (asset, access, actor, motive, outcome):
• asset, physical access
- inside actor, accidental motive: disclosure, modification, loss/destruction, interruption
- inside actor, deliberate motive: disclosure, modification, loss/destruction, interruption
- outside actor, accidental motive: disclosure, modification, loss/destruction, interruption
- outside actor, deliberate motive: disclosure, modification, loss/destruction, interruption


System Problems

Asset-based threat tree (asset, actor, outcome):
• asset
- software defects: disclosure, modification, loss/destruction, interruption
- malicious code: disclosure, modification, loss/destruction, interruption
- system crashes: disclosure, modification, loss/destruction, interruption
- LAN instability: disclosure, modification, loss/destruction, interruption


Other Problems

Asset-based threat tree (asset, actor, outcome):
• asset
- natural disasters: disclosure, modification, loss/destruction, interruption
- ISP unavailable: disclosure, modification, loss/destruction, interruption
- telecommunications problems or unavailability: disclosure, modification, loss/destruction, interruption
- power supply problems: disclosure, modification, loss/destruction, interruption


OCTAVE Process

Operationally Critical Threat, Asset, and Vulnerability Evaluation


Phase 2 Questions
How do people access each critical asset?

What infrastructure components are related to each critical asset? What are the key components of the computing infrastructure?

What technological weaknesses expose your critical assets to threats?

Which technological weaknesses need to be addressed immediately?
Vulnerability Evaluation Strategy

Phase 2 Strategy
• Conduct a vulnerability evaluation that is focused on where critical assets live: identify key components and review previous evaluation results, or contract for a vulnerability evaluation of those components.
• Make a long-term recommendation to eventually build, or contract for, a vulnerability management capability.
Vulnerability Evaluations and Tools
Vulnerability evaluation tools identify
• known weaknesses in technology
• misconfigurations of ‘well known’ administrative
functions, such as
- file permissions on certain files
- accounts with null passwords
• what an attacker can determine about your systems
and networks

Vulnerability Tools and Practices

Operational Practice Areas (from the catalog of practices)
• Physical Security
- Physical Security Plans and Procedures
- Physical Access Control
- Monitoring and Auditing Physical Security
• Information Technology Security
- System and Network Management
- Monitoring and Auditing IT Security
- Authentication and Authorization
- Encryption
- Vulnerability Management
- System Administration Tools
- Security Architecture and Design
• Staff Security
- Incident Management
- General Staff Practices
Threats Driven by Vulnerabilities - 1

Human actors, network access (asset, access, actor, motive, outcome):
• asset, network access
- inside actor, accidental motive: disclosure, modification, loss/destruction, interruption
- inside actor, deliberate motive: disclosure, modification, loss/destruction, interruption
- outside actor, accidental motive: disclosure, modification, loss/destruction, interruption
- outside actor, deliberate motive: disclosure, modification, loss/destruction, interruption


Threats Driven by Vulnerabilities - 2

System problems (asset, actor, outcome):
• asset
- software defects: disclosure, modification, loss/destruction, interruption
- malicious code: disclosure, modification, loss/destruction, interruption
- system crashes: disclosure, modification, loss/destruction, interruption
- LAN instability: disclosure, modification, loss/destruction, interruption


OCTAVE Process

Operationally Critical Threat, Asset, and Vulnerability Evaluation


Phase 3 Questions
What is the potential impact on your organization due to
each threat? (What are your risks?)

Which are the highest-priority risks to your organization?

What policies and practices does your organization need to address?

What can your organization do to recognize, resist, and recover from its highest-priority risks?

Impact on the Organization
When something negative occurs, it can have an impact
on your company.

Impact is described using either qualitative or quantitative values for several areas of potential impact.

Values for each area are defined by a set of evaluation criteria.

Once you define a good set of impact evaluation criteria, they tend to remain stable from one evaluation to the next.

Impact Criteria
A basic set of impact areas includes:
• reputation/customer confidence
• life/health of customers
• fines/legal penalties
• financial
• productivity
• other

Examples:
• To a hospital, a medium life/health impact is a patient
death; a high impact is permanently disabling a patient
• $1 million is a low impact to some organizations, a high impact to others
Risk
Risk comprises
• an event (a threat scenario)
• consequence (impact on the organization)
• uncertainty (whether the threat scenario will occur)

Risks are evaluated to help determine:
• relative priority
• which risks to actually mitigate

Impact evaluation is required in OCTAVE; qualitative probability is being tested in OCTAVE-S.

Evaluating Risks

Network-access threat tree with impact values on the perceived outcomes (asset, access, actor, motive, outcome, impact); outcomes without a value carry none in the original figure:
• asset, network access
- inside actor, accidental motive: disclosure, modification, loss/destruction (High), interruption (Low)
- inside actor, deliberate motive: disclosure (Medium), modification (High), loss/destruction (High), interruption (Low)
- outside actor, accidental motive: disclosure, modification, loss/destruction, interruption
- outside actor, deliberate motive: disclosure (Medium), modification (High), loss/destruction (High), interruption (Low)

Vulnerability assessment results are shown in the original figure as an input to the tree.


Outputs of OCTAVE
• Protection Strategy: defines organizational direction
• Mitigation Plan: plans designed to reduce risk
• Action List: near-term action items
Putting It All Together

From Assets to Mitigation Plans

Mitigation plan for one critical asset (risk, mitigation approach, practices to improve):
• Risk A: Accept
• Risk B: Mitigate; Training and Security Architecture related tasks
• Risk C: Mitigate; Monitoring IT Security related tasks
• Risk D: Defer
After OCTAVE
Steps required to implement the results of this evaluation
and improve the organization’s security posture.
• getting management sponsorship for security
improvement
• monitoring implementation of the results of the
current evaluation
• expanding the current evaluation, if needed
• scheduling the next information security risk
evaluation

Summary

Findings - 1
OCTAVE produces usable results at each phase.
• identifying critical assets can change the focus of
many other activities and alter resource allocations
• surveys alone produce institutional learning
• vulnerability assessments become more useful

Other interesting results
• one IT department found effective justification for
increased budgets
• one company used it to start long-term improvements
in their third-party relations and contracting
Findings - 2
Workshops produce a strong side effect of team building
and increased security awareness.
• IT staff realize what users are really doing
• users have a better appreciation for security measures
• managers have a better sense of what’s really going
on in the organization

Some immediate actions that occurred
• reallocation of information across servers
• removal of private information from web sites
• immediate purchase of insurance
• building access restrictions
• review of arrangements with building managers
Keys for Success with the OCTAVE Approach
Getting senior management sponsorship

Selecting the right analysis team

Setting the scope of the evaluation

Selecting participants (for OCTAVE Method)

Some OCTAVE Users -1
The Security Working Integrated Project Team (Security
WIPT), Office of the Assistant Secretary of
Defense/Health Affairs (OASD/HA), endorses OCTAVE
as the preferred information security risk assessment to
prepare for complying with the Administrative
Simplification subsection of the Health Insurance
Portability and Accountability Act of 1996.
• analysis teams have been trained in all international
regions of the Department of Defense healthcare domain
• additional teams are scheduled to be trained in 2003

Some OCTAVE Users -2
FirstGov (now the Office of Citizen Services and
Communication)

Small companies in Western Pennsylvania

County government

Variety of national and international companies and consulting organizations are now using all or part of OCTAVE

Questions?

OCTAVE Approach

For Additional Information

OCTAVE
Internet: octave-info@sei.cmu.edu
WWW: http://www.cert.org/octave

Software Engineering Institute
Telephone: 412 / 268-5800
Fax: 412 / 268-5758
Internet: customer-relations@sei.cmu.edu
U.S. mail: Customer Relations, Software Engineering Institute, Carnegie Mellon University, Pittsburgh, PA 15213-3890