
CHAPTER 3: INFORMATION SECURITY AND RISK MANAGEMENT

January 11, 2010

TOPICS

Basic definitions
Information security
Security management
Risk management
Security framework
Security program

SECURITY DEFINITIONS
Vulnerability
Weakness in a mechanism that can threaten the confidentiality, integrity or availability of an asset

Threat
An action or event that might compromise security by exploiting the vulnerability.

Risk
Probability of a threat becoming real and the corresponding potential damages

Exposure
An instance of being exposed to losses from a threat agent

Countermeasure
A control put into place to mitigate potential losses

AIC (OR CIA) TRIAD


Availability
Usability, timeliness Prevents disruption of service

Integrity
Accuracy, completeness Prevents unauthorized modification

Confidentiality
Secrecy, sensitivity, privacy Prevents unauthorized disclosure of data

SOCIAL ENGINEERING
Definition: a technique for obtaining information from other individuals by trickery, i.e. by manipulating people rather than attacking systems
Shoulder surfing
Someone looks over your shoulder to read a password, PIN or screen as you type or view it

INFORMATION SECURITY?
Definition: A state of well-being of information and infrastructure in which the possibility of successful yet undetected theft, tampering, and disruption of information and services is kept low and tolerable

CONTROL CATEGORY
Administrative Control
Risk management, security policy, awareness training

Technical Control
Routers, IDS, encryption, firewall

Physical Control
Security guards, locks

WHAT COMES FIRST?
Legal requirement or business driver?
Business driver: security should help the business thrive, not only satisfy legal requirements

Due Diligence and Due Care


Due diligence: the act of investigating and understanding the risks the company faces
Due care: the act of developing and implementing security policies, procedures and standards to address those risks

Prudent Person Rule

RISK MANAGEMENT
Risk: the probability of a vulnerability being exploited by a threat and the resulting business impact
Risk management:
Define vulnerabilities
Associate threats with vulnerabilities
Calculate the risk

RISK MANAGEMENT
Why is risk management difficult? What is enough security?
Security team/committee
Assesses the risk level for the organization
People involved
Security, internal audit, administrators, HR, legal, custodians

RISK MANAGEMENT
Process
Plan
1. Identify team
2. Identify scope
3. Identify method
4. Identify tools
5. Understand acceptable risk level

Collect information
1. Identify assets
2. Assign value to assets
3. Identify vulnerabilities and threats
4. Calculate risks
5. Cost/benefit analysis
6. Uncertainty analysis

Define recommendation
Risk mitigation
Risk transference
Risk acceptance
Risk avoidance

DATA COLLECTION: CALCULATE RISKS

Qualitative: opinion-based
Benefits: assigning rating values is simple, less work; the most used approach
Disadvantages: subjective, hard to measure against a budget, no cost/benefit analysis
Delphi method: a qualitative analysis method in which opinions are collected anonymously from a group of experts so that no single participant dominates the result

Quantitative: monetary-based
Benefits: report with monetary values, objective
Disadvantages: large amount of work, hard to carry out manually

QUALITATIVE ANALYSIS EXAMPLE

Risk Level = Impact Rating × Probability Rating
Each rating is a scale value (e.g. low/medium/high or 1 to 5), so the result is a relative ranking of risks, not a dollar figure

QUANTITATIVE ANALYSIS
Step 1: Calculate SLE (Single Loss Expectancy)
SLE = Asset Value × Exposure Factor
Exposure Factor (EF): percentage of the asset's value that is lost if the vulnerability is exploited

Step 2: Threat analysis: ARO (Annual Rate of Occurrence)
ARO = number of expected incidents per year
Twice a year: ARO = 2
Once every two years: ARO = 0.5
Once every ten years: ARO = 0.1

Step 3: Calculate ALE (Annual Loss Expectancy)
ALE = SLE × ARO
ALE: the potential loss the company can expect for one asset over a 12-month period if one specific threat materializes

ALE EXAMPLE
If an e-commerce site (asset value = $300,000) is attacked, the attack is estimated to cause 40% damage to the asset. Based on current safeguards, this threat is estimated to occur twice a year. How much should management spend to protect this asset?
1. SLE = Asset Value × EF = 300,000 × 0.4 = 120,000
2. ALE = SLE × ARO = 120,000 × 2.0 = 240,000
The ALE of $240,000 per year is the most the company can justify spending annually on safeguards against this threat; a countermeasure that costs more than the loss it prevents is not worth implementing.

COST/BENEFIT ANALYSIS
Cost/Benefit Analysis
The annualized cost of a countermeasure should not be more than the potential annual loss it prevents
How do you determine the value of a countermeasure?
Value of countermeasure = (ALE before the countermeasure) − (ALE after the countermeasure) − (annual cost of the countermeasure)

CALCULATING COST/BENEFIT
If the ALE for a specific asset is $78,000, the new ALE after implementation of the control is $20,000 and the annual cost of the control is $60,000, what is the value of the control to the company? Should the company implement this control?
78,000 − 20,000 − 60,000 = −2,000
The value is negative: the control costs $2,000 more per year than the loss it prevents, so the company should not implement it (or should look for a cheaper control that achieves a similar reduction).
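A worked version of the SLE / ARO / ALE and cost/benefit calculations above, as an added example that is not part of the original slides. It takes the e-commerce figures from the ALE example ($300,000 asset, EF 40%, two incidents per year) and ranks several candidate controls by their annual value, rejecting any whose value is negative, as in the $78,000 / $20,000 / $60,000 example. The three candidate countermeasures, their costs and their effect on EF and ARO are constructed for illustration only.

```python
"""Quantitative risk analysis: SLE, ARO, ALE and countermeasure cost/benefit.

Added example. The candidate controls and their numbers below are constructed
for illustration and are not taken from any real product or assessment.
"""
from dataclasses import dataclass


def aro_from_interval(years_between_incidents: float) -> float:
    """ARO from an expected interval: once every 10 years -> 0.1, twice a year -> 2."""
    if years_between_incidents <= 0:
        raise ValueError("interval between incidents must be positive")
    return 1.0 / years_between_incidents


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE = Asset Value x EF, where EF is the fraction (0..1) of the asset lost per incident."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be between 0 and 1")
    return round(asset_value * exposure_factor, 2)


def annual_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE x ARO: expected loss from one threat against one asset per year."""
    if aro < 0:
        raise ValueError("ARO cannot be negative")
    return round(sle * aro, 2)


def control_value(ale_before: float, ale_after: float, annual_cost: float) -> float:
    """Value of a control = ALE before - ALE after - annualized cost of the control.

    A negative value means the control costs more per year than the loss it prevents.
    """
    return round(ale_before - ale_after - annual_cost, 2)


@dataclass(frozen=True)
class Countermeasure:
    name: str
    annual_cost: float            # annualized cost: purchase/amortization plus operation
    exposure_factor_after: float  # EF once the control is in place
    aro_after: float              # ARO once the control is in place


@dataclass(frozen=True)
class Evaluation:
    name: str
    ale_after: float
    value: float
    recommended: bool  # True only when the control has positive annual value


def evaluate_countermeasures(asset_value, exposure_factor, aro, candidates):
    """Rank candidate controls for one asset/threat pair by annual value, best first.

    Returns (ALE before any control, list of Evaluation).
    """
    ale_before = annual_loss_expectancy(single_loss_expectancy(asset_value, exposure_factor), aro)
    evaluations = []
    for c in candidates:
        sle_after = single_loss_expectancy(asset_value, c.exposure_factor_after)
        ale_after = annual_loss_expectancy(sle_after, c.aro_after)
        value = control_value(ale_before, ale_after, c.annual_cost)
        evaluations.append(Evaluation(c.name, ale_after, value, value > 0))
    evaluations.sort(key=lambda e: e.value, reverse=True)
    return ale_before, evaluations


# Figures from the slides' ALE example: $300,000 site, EF 40%, attacked twice a year.
ECOMMERCE_VALUE = 300_000.0
ECOMMERCE_EF = 0.40
ECOMMERCE_ARO = aro_from_interval(0.5)  # an incident every half year -> ARO 2.0

# Constructed (hypothetical) candidate controls; names and numbers are illustrative only.
CANDIDATES = (
    Countermeasure("web application firewall", annual_cost=60_000, exposure_factor_after=0.40, aro_after=0.5),
    Countermeasure("DDoS scrubbing service", annual_cost=100_000, exposure_factor_after=0.10, aro_after=2.0),
    Countermeasure("full site rebuild", annual_cost=250_000, exposure_factor_after=0.05, aro_after=0.5),
)


if __name__ == "__main__":
    ale_before, ranked = evaluate_countermeasures(ECOMMERCE_VALUE, ECOMMERCE_EF, ECOMMERCE_ARO, CANDIDATES)
    print(f"ALE before any control: ${ale_before:,.0f} (upper bound on annual spend)")
    for e in ranked:
        verdict = "implement" if e.recommended else "reject"
        print(f"{e.name:26s} ALE after ${e.ale_after:>9,.0f}  value ${e.value:>10,.0f}  -> {verdict}")
    # The slides' second example: ALE 78,000 -> 20,000 at a cost of 60,000 per year.
    print("control value (slide example):", control_value(78_000, 20_000, 60_000))
```

Two design points worth noting: a control can lower the loss per incident (EF), the number of incidents (ARO), or both, and the value calculation is indifferent to which, so controls of very different kinds can be compared on one scale; and the "full site rebuild" entry shows that the control with the lowest residual ALE is still rejected once its annualized cost exceeds the reduction in ALE.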

CAN YOU GET RID OF ALL RISK?


Total risk versus residual risk
Total risk: the total amount of risk that exists before a safeguard is put into place
Residual risk: the risk that remains after a safeguard is implemented
Conceptual formulas:
1) Threats × Vulnerability × Asset Value = Total Risk
2) (Threats × Vulnerability × Asset Value) × Control Gap = Residual Risk
Control gap: what the control cannot protect against
3) Total Risk − Controls = Residual Risk

MANAGEMENT'S RESPONSE TO IDENTIFIED RISKS
Risk mitigation
Implement countermeasure

Risk transference
Shift the financial loss to a third party, e.g. by buying insurance

Risk acceptance
No action taken

Risk avoidance
Stop the activity that causes the risk


BUILD FOUNDATION SECURITY MANAGEMENT

Security program (enterprise security architecture)
A layered approach
Blueprint for a security program

SECURITY FRAMEWORK
BS 7799: British standard
ISO (International Organization for Standardization) framework
ISO 17799 (derived from BS 7799 Part 1; renumbered ISO/IEC 27002 in 2007)
ISO 27001

SECURITY FRAMEWORK
COBIT (Control Objectives for Information and Related Technology)
Governance framework for the whole IT infrastructure; security is only one portion of it

ITIL (Information Technology Infrastructure Library)
Objective: run the IT department efficiently so that it delivers services to its customers

SECURITY PROGRAM
Security Program Components
Security policy
Security standard
Security guideline
Security baseline
Information classification
Security organization
Security training

SECURITY POLICY
Definition: a security policy is an overall general statement produced by senior management (or a selected policy board or committee) that dictates what role security plays within an organization.
Types
Organizational policy
Issue-specific policy (or functional implementation policy)
System-specific policy

STANDARD, BASELINE, GUIDELINE AND PROCEDURE


Standard: mandatory activities, actions or rules

Baseline:
Minimum level of protection required

Guideline:
Recommended actions and operational guides for users

Procedure:
Step-by-step instructions on how to do things

HOLISTIC APPROACH SECURITY ORGANIZATION


APPROACH TO SECURITY MANAGEMENT


Top-down Approach
Security is directed, driven and supported by senior management
Senior management is ultimately responsible

Bottom-up Approach
A staff member or group drives the initiative

ROLES AND RESPONSIBILITIES


Data owner
Responsible for a set of classified data; sets the classification of the data

Custodian
Responsible for protecting the data: data backup, system configuration and software installation

Auditor
Ensures the appropriateness of the security controls

INFORMATION CLASSIFICATION
Classification goals
Classification levels
Normally 3 or 4 levels, e.g.:
Confidential
Private
Sensitive
Public

Classification policy, standard, guideline and procedure

EMPLOYEE MANAGEMENT

The weakest link in security is people
Proper management of employees is very important
Security responsibilities should be written into job descriptions
Hiring and firing issues

SECURITY TRAINING CHARACTERISTICS

