
My budget, time and manpower are limited to X; which parts of my networked IT system should I protect first?

The answer lies in risk management.

Risk Management
A guide to designing an optimal security architecture (based on NIST SP 800-30)

David Sánchez david.sanchezs@upf.edu 21/10/2009

Overview: Risk Management Process

1. Risk assessment
- identification and evaluation of risks and risk impacts
- recommendation of risk-reducing measures

2. Risk mitigation
- prioritizing, implementing, and maintaining the appropriate risk-reducing measures
- security architecture and policy as outputs

3. Evaluation and assessment
- continual evaluation process and keys for implementing a successful risk management program

Participants

- Senior Management
- Chief Information Officer (CIO)
- Information system security officer
- System and Information Owners
- Business and Functional Managers
- IT Security Practitioners
- Security Awareness Trainers

Definitions
Availability Service
Protection against intentional or accidental attempts to perform unauthorized deletion of data or otherwise cause a denial of service or data, and against unauthorized use of system resources.

Confidentiality Service
Covers intentional or accidental attempts to perform unauthorized data reads.

Integrity Service
Protection against either intentional or accidental attempts to violate data integrity (the property that data has when it has not been altered in an unauthorized manner) or system integrity (the quality that a system has when it performs its intended function in an unimpaired manner, free from unauthorized manipulation).

More Definitions
Threat
The potential to exercise (accidentally trigger or intentionally exploit) a specific vulnerability

Attack
- The exercise (accidental or intentional) of a specific vulnerability
- The actual occurrence of a threat

Vulnerability
A flaw or weakness in system security procedures, design, implementation, or internal controls that could be exercised (accidentally triggered or intentionally exploited) and result in a security breach. No vulnerability, no successful attack.

Yet More Definitions

Impact
The effect of a threat occurrence on an asset, e.g. loss of value, a function stops working

(IT-Related) Risk
The net mission impact considering (1) the probability that a particular threat will exercise a particular information system vulnerability and (2) the resulting impact if this should occur

The Last Definitions

Risk Management
The total process of identifying, controlling, and mitigating risks

Risk Assessment (Analysis)
Identifying the risks of an IT system

Threat Analysis
The examination of threat-sources against system vulnerabilities to determine the threats for a particular system in a particular operational environment

Risk Assessment

Goal: determine the extent of potential threats and the risk associated with an IT system

Risk Assessment Overview I

Risk Assessment Overview II

Step 1: System Characterization (Scope)

- The boundaries of the IT system are identified, along with the resources and the information that constitute the system
- Establishes the scope of the risk assessment effort, delineates the operational authorization (or accreditation) boundaries, and provides information essential to defining the risk (e.g., hardware, software, system connectivity, and responsible division or support personnel)

System-Related Information I
- Hardware
- Software
- System interfaces (e.g., internal and external connectivity)
- Data and information
- Persons who support and use the IT system
- System mission (e.g., the processes performed by the IT system)
- System and data criticality (e.g., the system's value or importance to an organization)
- System and data sensitivity
- The functional requirements of the IT system

System-Related Information II
- Users of the system, e.g., system users who provide technical support to the IT system; application users who use the IT system to perform business functions
- System security policies governing the IT system (organizational policies, federal requirements, laws, industry practices)
- System security architecture
- Current network topology, e.g., network diagram
- Flow of information pertaining to the IT system, e.g., system interfaces, system input and output flowchart

System-Related Information III
- Technical controls used for the IT system
- Management controls used for the IT system, e.g., rules of behavior, security planning
- Operational controls used for the IT system, e.g., personnel security, backup, contingency, and resumption and recovery operations; system maintenance; off-site storage; user account establishment and deletion procedures; controls for segregation of user functions, such as privileged user access versus standard user access
- Physical security environment of the IT system, e.g., facility security, data center policies
- Environmental security implemented for the IT system processing environment, e.g., controls for humidity, water, power, pollution, temperature, and chemicals

Information Assets
Processes and services:
including business processes, application specific activities, computing and communications services and other technical services supporting the processing of information (heating, lighting, power, air-conditioning services);

Software:
including application software, system software, development tools and utilities;

Physical items:
including computer and communications equipment, media (paper, tapes, CDs and disks), and other technical equipment (power supplies, air-conditioning units), furniture and accommodation that are used to support the processing of information;

People:
including personnel, customers, subscribers, and any other person within the ISMS that is involved with storing or processing of information.

Information-Gathering Techniques
- Questionnaire for applicable technical and nontechnical management, concerning the management and operational controls planned or used for the IT system
- On-site interviews with IT system support and management personnel; these also allow the risk analysts to observe and gather information about the physical, environmental, and operational security of the IT system
- Document review: policy documents, system documentation, system design and requirement documents, and security-related documentation
- Use of automated scanning tools

Step 2: Threat Identification

- Consider all potential threats (natural, human and environmental) that could cause harm to the IT system and its processing environment
- Use an existing list of threats and match those that apply to the IT system in your scope
- A comprehensive list of threats is found in BS 7799-3:2006

Step 3: Vulnerability Identification

- Develop a list of system vulnerabilities (flaws or weaknesses) that could be exploited by the potential threats
- Search for them in the organization's security policies, planned security procedures, and system requirement definitions, and in the vendors' or developers' security product analyses (e.g., white papers)
- Analyze the IT system security features and the security controls, technical and procedural, used to protect the system

Vulnerability Identification Methods and Tools
- Previous risk assessment documentation of the IT system assessed
- The IT system's audit reports, system anomaly reports, security review reports, and system test and evaluation reports
- Vulnerability lists, such as the NIST I-CAT vulnerability database (http://icat.nist.gov)
- Security advisories, such as FedCIRC and the Department of Energy's Computer Incident Advisory Capability bulletins
- Vendor advisories
- Commercial computer incident/emergency response teams and post lists (e.g., SecurityFocus.com forum mailings)
- Information Assurance Vulnerability Alerts and bulletins for military systems
- System software security analyses
- Security Requirements Checklist (identifies the controls in the checklist with which the IT system does not comply)

Step 4: Control Analysis

Analyze the controls that have been implemented, or are planned for implementation, by the organization to minimize or eliminate the likelihood (or probability) of a threat's exercising a system vulnerability.

Control Methods
- Technical: safeguards that are incorporated into computer hardware, software, or firmware (e.g., access control mechanisms, identification and authentication mechanisms, encryption methods, intrusion detection software)
- Non-technical: management and operational controls, such as security policies; operational procedures; and personnel, physical, and environmental security

Control Categories
- Preventive: inhibit attempts to violate security policy
- Detective: warn of violations or attempted violations of security policy

Control Analysis Technique
Validate compliance with the Security Requirements Checklist

Step 5: Likelihood Determination

- Classify threats by their likelihood
- Likelihood criteria (example):

Step 6: Impact Analysis

- Determine the adverse impact resulting from a successful threat exercise of a vulnerability
- Three planes: loss of confidentiality/integrity/availability
- Measures: quantitative vs. qualitative (see table below)

Step 7: Risk Determination

Risk = threat likelihood × impact (× vulnerability severity)
Below: risk level matrix

Risk Scale and Necessary Actions

Step 8: Control Recommendations

Recommend controls that could mitigate to an acceptable level or eliminate the identified risks.

Requirements for the controls
- Effectiveness of recommended options (e.g., system compatibility)
- Legislation and regulation compliance
- Organizational policy compliance
- Operational impact (do not disturb business operations)
- Safety and reliability

Step 9: Results Documentation

Document results of the risk assessment process in a (series of) report(s)

Risk Mitigation

Goals: to prioritize, evaluate, and implement the appropriate risk-reducing controls recommended from the risk assessment process.

Risk Mitigation Options

Risk Reduction
To implement controls to lower the risk to an acceptable level

Risk Acceptance
To accept the potential risk and continue operating the IT system

Risk Avoidance
To avoid the risk by eliminating the risk cause and/or consequence (e.g., shut down the system when risks are identified)

Risk Transference
To transfer the risk by using other options to compensate for the loss, such as purchasing insurance

Risk Mitigation Strategy

- When and under what circumstances should I take action?
- When shall I implement these controls to mitigate the risk and protect our organization?

Control Implementation I

Control Implementation II

Control Categories
- Technical
- Management
- Operational

Technical Security Controls

Management Security Controls

Preventive
- Assign security responsibility
- Develop and maintain system security plans
- Implement personnel security controls
- Conduct security awareness and technical training

Detective
- Implement personnel security controls
- Conduct periodic review of security controls
- Perform periodic system audits
- Conduct ongoing risk management
- Authorize IT systems to address and accept residual risk

Recovery
- Develop, test, and maintain the business continuity plan
- Establish an incident response capability

Operational Security Controls

Preventive
- Control data media access and disposal
- Limit external data distribution
- Control software viruses
- Safeguard computing facility
- Secure wiring closets that house hubs and cables
- Protect IT assets from fire damage
- Provide emergency power source
- Control the humidity and temperature of the computing facility

Detective
- Provide physical security
- Ensure environmental security

Cost-benefit Analysis
- Determine the impact of implementing the new or enhanced controls
- Determine the impact of NOT implementing the new or enhanced controls
- Estimate the costs of the implementation:
  - hardware and software purchases
  - reduced operational effectiveness if system performance or functionality is reduced for increased security
  - cost of implementing additional policies and procedures
  - cost of hiring additional personnel to implement proposed policies, procedures, or services
  - training costs
  - maintenance costs
- Determine the importance to the organization of implementing the new controls, given their costs and relative impact

Residual Risk
Risk is a function of
- vulnerability severity
- asset valuation (impact to the organization)
- threat likelihood

Options to mitigate risk
- Eliminate the vulnerability
- Add a targeted control to reduce the capacity or motivation of the threat-source
- Eliminate or reduce the business dependency on the IT system

The risk remaining after the implementation of controls is the residual risk. Check that the residual risk is below the risk acceptance threshold.
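The Step 7 product (risk = threat likelihood × impact), the cost-benefit analysis and the residual-risk check above can be run together over a small risk register, answering the opening question of which controls to fund first with a fixed budget. This is an added example, not code from the presentation or from NIST; the numeric weights are those of the SP 800-30 (2002) example matrix, assumed here, and the register, control costs and post-control ratings are constructed sample values.

```python
from dataclasses import dataclass

# Likelihood weights and impact magnitudes of the NIST SP 800-30 (2002) example matrix (assumed).
LIKELIHOOD = {"High": 1.0, "Medium": 0.5, "Low": 0.1}
IMPACT = {"High": 100, "Medium": 50, "Low": 10}
RANK = {"Low": 0, "Medium": 1, "High": 2}

def risk_score(likelihood: str, impact: str) -> float:
    """Step 7: Risk = threat likelihood x impact."""
    return LIKELIHOOD[likelihood] * IMPACT[impact]

def risk_level(score: float) -> str:
    """SP 800-30 risk scale: >50 High, >10 Medium, otherwise Low."""
    return "High" if score > 50 else "Medium" if score > 10 else "Low"

@dataclass
class RiskItem:
    name: str                 # threat/vulnerability pair
    likelihood: str           # Step 5 rating
    impact: str               # Step 6 rating
    control: str              # candidate control (hypothetical)
    cost: float               # implementation cost in budget units
    residual_likelihood: str  # ratings expected once the control is in place
    residual_impact: str

    def current(self) -> float:
        return risk_score(self.likelihood, self.impact)

    def residual(self) -> float:
        return risk_score(self.residual_likelihood, self.residual_impact)

def prioritize(items, budget, accept="Low"):
    """Fund the controls with the most risk reduction per unit cost until the budget
    is spent; return them plus the items still above the acceptance threshold."""
    ranked = sorted(items, key=lambda i: (i.current() - i.residual()) / i.cost, reverse=True)
    chosen, left = [], budget
    for item in ranked:
        if item.cost <= left:
            chosen.append(item.control)
            left -= item.cost
    unaccepted = [i.name for i in items if RANK[risk_level(
        i.residual() if i.control in chosen else i.current())] > RANK[accept]]
    return chosen, unaccepted
# Constructed register for a small networked system (sample values, not from the page).
REGISTER = [
    RiskItem("unpatched web server", "High", "High", "patch management", 20, "Low", "High"),
    RiskItem("shared admin password", "Medium", "High", "per-user accounts with MFA", 15, "Low", "High"),
    RiskItem("no off-site backup", "Low", "High", "off-site backup", 30, "Low", "Low"),
    RiskItem("unlocked wiring closet", "Medium", "Low", "closet locks", 5, "Low", "Low"),
]
```

With a budget of 25, `prioritize(REGISTER, budget=25)` funds patch management and the closet locks and reports that the shared admin password risk (Medium) remains above the Low acceptance threshold; raising the budget to 40 also funds the MFA control and leaves nothing unaccepted.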

Evaluation and Assessment

- Goal: to address risk changes as the IT system evolves
- Approach: repeat risk assessment and mitigation periodically
