SECURITY DEFINITIONS
Vulnerability
Weakness in a mechanism that can threaten the confidentiality, integrity or availability of an asset
Threat
An action or event that might compromise security by exploiting a vulnerability
Risk
Probability of a threat becoming real and the corresponding potential damages
Exposure
An instance of being exposed to losses from a threat agent
Countermeasure
A control put into place to mitigate potential losses
Integrity
Accuracy, completeness; prevents unauthorized modification
Confidentiality
Secrecy, sensitivity, privacy; prevents unauthorized disclosure of data
SOCIAL ENGINEERING
Definition: a technique used by people to obtain information from other individuals by trickery
Shoulder Surfing
Someone looks over your shoulder
INFORMATION SECURITY?
Definition: A state of well-being of information and infrastructure in which the possibility of successful yet undetected theft, tampering, and disruption of information and services is kept low and tolerable
CONTROL CATEGORY
Administrative Control
Risk management, security policy, awareness training
Technical Control
Routers, IDS, encryption, firewall
Physical Control
Security guards, locks
WHAT IS FIRST
Legal requirement
Business driver: help the business thrive
RISK MANAGEMENT
Risk: probability of a vulnerability being exploited by a threat and the resulting business impact
Risk management:
Define vulnerabilities
Associate threats to vulnerabilities
Calculate the risk
RISK MANAGEMENT
Why is risk management difficult? What is enough security?
Security Team/Committee: assesses the risk level for the organization
People: Security, Internal audit, Administrator, HR, Legal, Custodian
RISK MANAGEMENT
Process
1. Identify team
2. Identify scope
3. Identify method
4. Identify tools
5. Understand acceptable risk level
Plan (collect information)
1. Identify assets
2. Assign value to assets
3. Identify vulnerabilities and threats
4. Calculate risks
5. Cost/Benefit analysis
6. Uncertainty analysis
Define recommendation
Risk mitigation
Risk transference
Risk acceptance
Risk avoidance
Quantitative: monetary-based
QUANTITATIVE ANALYSIS
Step 1: Calculate SLE (Single Loss Expectancy)
SLE = Asset value × Exposure Factor
Exposure Factor: percentage of damage that will take place if the vulnerability is exploited
ALE EXAMPLE
If an e-commerce site (value = $300,000) is attacked, the attack is estimated to cause 40% damage to the company. Based on current safeguards, this threat is estimated to happen twice a year. How much should management spend to protect this asset?
1. SLE = Asset Value × EF = 300,000 × 0.4 = 120,000
2. ALE (Annualized Loss Expectancy) = SLE × ARO (Annualized Rate of Occurrence) = 120,000 × 2.0 = 240,000
COST/BENEFIT ANALYSIS
The annualized cost of a countermeasure should not be more than the potential risk (ALE).
How do you determine the value of a countermeasure?
Value of the countermeasure = ALE before the countermeasure - ALE after the countermeasure - annual cost of the countermeasure
CALCULATING COST/BENEFIT
If the ALE for a specific asset is $78,000, the new ALE after implementation of the control is $20,000, and the annual cost of the control is $60,000, what is the value of the control to the company? Should the company implement this control?
(78,000 - 20,000) - 60,000 = -2,000
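A small model of the two worked examples above, added here as an illustration and not part of the slides: it computes SLE and ALE for the e-commerce asset and applies the cost/benefit rule to the $78,000 control case; the control's name is a placeholder.

```python
from dataclasses import dataclass

@dataclass
class Asset:
    name: str
    value: float            # asset value in dollars
    exposure_factor: float  # fraction of the asset lost per event (0.0 to 1.0)
    aro: float              # annualized rate of occurrence (events per year)

    def sle(self) -> float:
        """Single Loss Expectancy = asset value x exposure factor."""
        return self.value * self.exposure_factor

    def ale(self) -> float:
        """Annualized Loss Expectancy = SLE x ARO."""
        return self.sle() * self.aro

@dataclass
class Countermeasure:
    name: str
    annual_cost: float  # annualized cost of the control
    ale_after: float    # ALE expected once the control is in place

    def value(self, ale_before: float) -> float:
        """Value to the company = (ALE before - ALE after) - annual cost."""
        return (ale_before - self.ale_after) - self.annual_cost

    def worth_implementing(self, ale_before: float) -> bool:
        """A control only pays for itself when its value is positive."""
        return self.value(ale_before) > 0

# Figures from the slides' ALE example: a $300,000 e-commerce site,
# 40% damage per attack, two attacks per year under current safeguards.
ECOMMERCE = Asset("e-commerce site", value=300_000, exposure_factor=0.40, aro=2.0)

# Figures from the slides' cost/benefit example; the control's name is a placeholder.
CONTROL = Countermeasure("hypothetical control", annual_cost=60_000, ale_after=20_000)
ALE_BEFORE_CONTROL = 78_000

def ecommerce_figures():
    """Return (SLE, ALE); the ALE is the ceiling on annual protective spend."""
    return ECOMMERCE.sle(), ECOMMERCE.ale()

def control_decision():
    """Return (value of the control, whether to implement it)."""
    return CONTROL.value(ALE_BEFORE_CONTROL), CONTROL.worth_implementing(ALE_BEFORE_CONTROL)

if __name__ == "__main__":
    print("SLE = %.0f, ALE = %.0f" % ecommerce_figures())
    print("control value = %.0f, implement = %s" % control_decision())
```

A negative value means the control costs more per year than the loss it prevents, so the rule says not to implement it.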
MANAGEMENT'S RESPONSE TO IDENTIFIED RISKS
Risk mitigation
Implement countermeasure
Risk transference
Insurance
Risk acceptance
No action taken
Risk avoidance
Stop the activity that causes the risk
SECURITY PROGRAM (ENTERPRISE SECURITY ARCHITECTURE)
A layered approach
Blueprint for a security program
SECURITY FRAMEWORK
BS 7799: British standard
ISO (International Organization for Standardization) framework: ISO 17799, ISO 27001
SECURITY FRAMEWORK
COBIT (Control Objectives for Information and Related Technology)
Covers the set-up of the whole IT infrastructure; security is only a portion of it
SECURITY PROGRAM
Security program components:
Security policy
Security standard
Security guideline
Security baseline
Information classification
Security organization
Security training
SECURITY POLICY
Definition: a security policy is an overall general statement produced by senior management (or a selected policy board or committee) that dictates what role security plays within an organization.
Types:
Organizational policy
Issue-specific policy (or functional implementation policy)
System-specific policy
Guideline:
Recommended actions and operational guides to users.
Procedure:
Step-by-step instructions on how to do things
Bottom-up Approach
Staff member or group drives initiative
Custodian
Responsible for protecting the data: data backup, system configuration and software installation
Auditor
Ensure the appropriateness of security
INFORMATION CLASSIFICATION
Classification goals
Classification levels: normally 3 or 4 levels:
Confidential, Private, Sensitive, Public
EMPLOYEE MANAGEMENT
The weakest link in security is people
Proper management of employees is very important
Security responsibilities should be written in the job description
Hiring and firing issues