Information Security is an umbrella term for many programs and activities that assure availability of information in organizations. The 9 / 11 disaster required many companies to put their disaster recovery plans into action. 80% of businesses affected by a major incident either never reopen or close within 18 months.
Graduate Program in Information Technology, Binus University
BFS - Binus, March 2011

Textbooks:
- Whitman, M.E., Mattord, H.J. (2007). Principles of Incident Response and Disaster Recovery.
- Jones, A., Ashenden, D. (2005). Risk Management for Computer Security: Protecting Your Network and Information Assets. Elsevier Butterworth-Heinemann.

Objectives
- Define and explain information security
- Define and explain the basic concepts of risk management
- Identify and define the components of contingency planning
- Know and understand the role of information security policy in the development of contingency plans
Introduction
- The 9/11 disaster required many companies to put their disaster recovery plans into action
- In February 1993, a car bomb exploded beneath one of the WTC towers
- Information Week report (2004): almost 80% of businesses affected by a major incident either never reopen or close within 18 months
- Companies must create, implement, and test effective plans to deal with incidents and disasters
- Information security: an umbrella term for many programs and activities that assure availability of information in organizations
- Information security: confidentiality, integrity, availability
- This course gives an overview of the entire field, an understanding of its major components, and an overall strategic plan
- A risk management process guides the selection of managerial and technical controls
Information Security
- Information security: defined by the Committee on National Security Systems (CNSS) as the protection of information and its critical elements, including systems and hardware
- Based on the C.I.A. triangle concept
- C.I.A. triangle concept: based on three critical characteristics of information that give it value: confidentiality, integrity, availability
- Confidentiality: when disclosure or exposure to unauthorized individuals or systems is prevented
  - Ensures that only those with rights and privileges to access the information are able to do so
  - Breaches of confidentiality may threaten the integrity of the information
- Integrity: prevention of corruption, damage, destruction, or other disruption of information
- Availability: enables authorized users or systems to access information without interference or obstruction, in the required format
- Information Security (InfoSec): the protection of the confidentiality, integrity, and availability of information in storage, during processing, or in transmission

Key Information Security Concepts
- Threat: a category of objects, persons, or other entities that pose a potential risk of loss to an asset
- Asset: an organizational resource that is being protected
  - Logical asset: Web site, information, or data
  - Physical asset: person, computer system, other tangible object
- Attack: an intentional or unintentional attempt to cause damage or otherwise compromise information
- Vulnerability: a weakness or fault in the protection mechanisms for information assets
  - Well-known vulnerabilities: vulnerabilities that have been examined, documented, and published
- Exploit: illegal use of a system or information asset; a targeted solution to misuse a specific hole or vulnerability
- Control, safeguard, or countermeasure: security mechanisms, policies, or procedures to successfully counter attacks, reduce risk, resolve vulnerabilities, and improve security
Threat Categories
- Acts of human error or failure: acts performed without intent or malicious purpose by authorized users
- Compromises to intellectual property (IP): breaches in the controls placed around IP such as copyrights, trade secrets, trademarks, patents
  - Most common IP breach: software piracy
- Deliberate acts of trespass: an unauthorized individual gains access to information being protected
  - Hacker: uses software to gain access to information illegally
- Deliberate acts of information extortion: demanding compensation for the return or nondisclosure of information obtained by an attacker or trusted insider
- Deliberate acts of sabotage or vandalism: attempts to destroy an asset or damage the image of an organization
  - Cyberterrorist: hacks systems to conduct terrorist activities through network or Internet pathways
- Deliberate acts of theft: illegal taking of another's property
- Deliberate software attacks
  - Malware: malicious code or malicious software components designed to damage, destroy, or deny service to the target system
  - Includes viruses, worms, Trojan horses, logic bombs, backdoors, denial of service (DoS), and distributed denial of service (DDoS) attacks
  - Viruses: segments of code that perform malicious actions; attached to existing programs
    - Macro virus: embedded in automatically executing macro code; common in word processing documents, spreadsheets, database applications
    - Boot virus: infects key operating system files
  - Worms: malicious programs that replicate themselves without requiring another program; can replicate through email, Web servers, network shares
  - Backdoors and trapdoors: a payload carried by a virus or worm that installs on a system, allowing penetration and control of the system remotely (examples: SubSeven, Back Orifice)
  - Polymorphism: a virus or worm that evolves, changing its size and appearance over time
Threat Categories (continued)
- Propagation vectors: ways that malicious code is spread from one system to another
  - Trojan: a common propagation method in which the infected program appears to be a desirable program
  - Social engineering: getting the user to perform an action that enables the attack or infection
- Virus and worm hoaxes: require as much time and effort to combat as real virus and worm threats
- Forces of nature (force majeure): unexpected and often unpredictable
  - Includes fire, flood, earthquake, lightning, hurricanes, volcanic eruption, insect infestation
  - Often affect personnel as well as equipment
- Deviations in quality of service by service providers: products or services not delivered (electricity, water, network bandwidth, etc.)
- Technical hardware failures or errors: defects that cause a system to perform outside of expected parameters
  - Causes unreliable service or lack of availability
  - Errors can be intermittent or terminal
- Technical software failures or errors: includes bugs and untested failure conditions
  - May include intentional shortcuts left by programmers for benign or malicious reasons
- Technical obsolescence: antiquated or outdated infrastructure leads to unreliable and untrustworthy systems

Overview of Risk Management
- Risk management: formal process of identifying and controlling risks to an organization's information assets
- Risk identification: process of examining and documenting the security posture of an organization's information technology
- Risk control: process of applying controls to reduce the risks to data and information systems
- Risk management: process of identifying vulnerabilities and taking carefully reasoned steps to ensure the confidentiality, integrity, and availability of the information system
"If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle." - Chinese General Sun Tzu

Know Yourself
- Know yourself: identify, examine, and understand the information and systems currently in place
- Assets = information and systems that use, store, and transmit information
  - What are they?
  - How do they add value to the organization?
  - To which vulnerabilities are they susceptible?
- Have periodic review, revision, and maintenance of control mechanisms

Know the Enemy
- Know the enemy: identify, examine, and understand the threats facing the organization
- Conduct periodic management reviews to create an asset inventory
- Identify current controls and mitigation strategies, including cost effectiveness and deployment issues
Risk Identification
- Identify, classify, and prioritize information assets
- Goal: protect assets from threats
- Identify threats
- Identify vulnerabilities of each asset
- Identify controls that will limit possible losses in the event of attack
- Asset identification and valuation: identify each asset and assess its value
  - Include people, procedures, data and information, software, hardware, and networking elements
  - Classify and categorize the assets
- Information asset classification: classify the sensitivity and security priority of the data and the devices that store, transmit, or process the data
  - Classify the personnel security clearance structure: who is authorized to view what data
  - Categories must be comprehensive and mutually exclusive
- Information asset valuation: determine the criteria for valuation of assets or impact evaluation
  - Which asset is most critical to the success of the organization?
  - Which asset generates the most revenue? Most profitability?
  - Which asset is most expensive to replace? To protect?
  - If revealed, which asset would be most embarrassing or cause the greatest liability?
- Calculate the relative importance of each asset using weighted factor analysis
  - Weighted factor analysis: assign each asset a score from 0.1 to 1.0 for each critical factor; assign each critical factor a weight from 1 to 100
- Data classification and management:
  - Public: information for general public dissemination
  - For official use: information that is not particularly sensitive but is not for public release
  - Sensitive: information important to the business that could cause embarrassment or loss of market share if revealed
  - Classified: information that requires utmost security; disclosure could severely impact the organization
  - Personnel security clearances for information should be on a need-to-know basis
- Threat identification: conduct a threat assessment
  - Which threats present a danger to the assets in the given environment?
  - Which threats represent the most danger?
  - What is the cost to recover from a successful attack?
  - Which threats require the greatest expenditure to prevent?
- Vulnerability identification: examine each threat and list the assets and their vulnerabilities
  - A threat may yield multiple vulnerabilities
  - Diverse members of the organization should participate in this activity
Risk Assessment
- Risk assessment: process of assigning a risk rating or score to each information asset
- Goal is to determine the relative risk of each vulnerability using various factors
- Likelihood: probability that a specific vulnerability will be successfully attacked
  - Many asset/vulnerability combinations have external references for likelihood values
- Valuation of information assets: assign weighted scores to each asset's value to the organization
  - Which threats present a danger to the organization's assets in the given environment?
  - Which threats represent the most danger?
  - What is the cost to recover from a successful attack?
  - Which threats require the greatest expenditure to prevent?
  - Which of the above questions is most important?
- Risk determination:
  Risk = [likelihood of vulnerability x value] x [1 - % risk already controlled + uncertainty]
- For example: information asset A has a value score of 50 and one vulnerability with a likelihood of 1.0 and no current control, and the estimate is that assumptions and data are 90% accurate (so uncertainty is 10%). Applying the formula: Risk = (1.0 x 50) x (1 - 0 + 0.10) = 55.
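The two calculations the Risk Identification and Risk Assessment slides describe, weighted factor analysis and the risk determination formula, worked through in Python as an added example; this is not code from the course or the textbook. Asset A (value 50, likelihood 1.0, no control, 90% accurate) is the slide's own case; the valuation criteria, asset B and its partially controlled vulnerability are constructed assumptions.

```python
"""Worked risk-identification arithmetic from the deck (added example, not course code).

  1. Weighted factor analysis: each asset is scored 0.1..1.0 per critical factor,
     each factor is weighted 1..100; weighted score = sum(score * weight).
  2. Risk determination:
     Risk = [likelihood x value] x [1 - % risk already controlled + uncertainty]
"""
from dataclasses import dataclass

# Constructed valuation criteria; the weights sum to 100 as in the slide method.
CRITERIA = {"revenue": 30, "profitability": 40, "replacement_cost": 30}


def weighted_score(scores: dict, weights: dict = CRITERIA) -> float:
    """Weighted factor analysis for one asset; rejects out-of-range inputs."""
    if set(scores) != set(weights):
        raise ValueError("scores must cover exactly the weighted criteria")
    total = 0.0
    for factor, weight in weights.items():
        if not 1 <= weight <= 100:
            raise ValueError(f"weight for {factor} must be 1..100")
        if not 0.1 <= scores[factor] <= 1.0:
            raise ValueError(f"score for {factor} must be 0.1..1.0")
        total += scores[factor] * weight
    return round(total, 2)


def rank_assets(assets: dict) -> list:
    """Relative importance of each asset, most important first."""
    ranked = [(name, weighted_score(s)) for name, s in assets.items()]
    return sorted(ranked, key=lambda item: item[1], reverse=True)


def risk(value: float, likelihood: float, controlled: float, uncertainty: float) -> float:
    """Risk = (likelihood * value) * (1 - controlled + uncertainty).

    controlled  : fraction of the risk the current control already removes (0 = none)
    uncertainty : 1 - accuracy of the assumptions and data (90% accurate -> 0.10)
    """
    for name, x in (("likelihood", likelihood), ("controlled", controlled),
                    ("uncertainty", uncertainty)):
        if not 0.0 <= x <= 1.0:
            raise ValueError(f"{name} must be between 0 and 1")
    return round(likelihood * value * (1.0 - controlled + uncertainty), 2)


@dataclass
class Vulnerability:
    asset: str
    name: str
    likelihood: float
    controlled: float = 0.0  # 0.0 = no current control


def rank_risks(values: dict, vulns: list, uncertainty: float) -> list:
    """Risk for each asset/vulnerability pair, highest risk first (the ranked worksheet)."""
    rows = [(v.asset, v.name, risk(values[v.asset], v.likelihood, v.controlled, uncertainty))
            for v in vulns]
    return sorted(rows, key=lambda row: row[2], reverse=True)


# Constructed sample data (asset A's vulnerability is the slide's own example).
ASSET_SCORES = {
    "customer database": {"revenue": 0.8, "profitability": 0.9, "replacement_cost": 0.5},
    "public web site": {"revenue": 0.4, "profitability": 0.3, "replacement_cost": 1.0},
}
VULNS = [
    Vulnerability("A", "vulnerability 1", likelihood=1.0),                 # slide example
    Vulnerability("B", "vulnerability 2", likelihood=0.5, controlled=0.5),  # constructed
]

if __name__ == "__main__":
    print(rank_assets(ASSET_SCORES))
    # Asset A: 1.0 * 50 * (1 - 0 + 0.10) = 55.0
    print(rank_risks({"A": 50, "B": 100}, VULNS, uncertainty=0.10))
```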
Risk Assessment (continued)
- Identify possible controls: create a list of control ideas
  - Residual risk: risk that remains after a control has been applied
  - Three general categories of controls: policies, programs, technologies
- Policies: documents that specify an approach to security
  - 3 types of policies: enterprise information security policy, issue-specific policies, systems-specific policies
- Programs: activities performed within the organization to improve security
- Security technologies: implementations of policies using technology-based mechanisms

Risk Control Strategies
- Four basic strategies:
  - Avoidance: apply safeguards that eliminate or reduce the remaining uncontrolled risks
  - Transference: transfer the risk to other areas or to outside entities
  - Mitigation: reduce the impact should the vulnerability be exploited
  - Acceptance: understand the consequences and accept the risk without controls or mitigation
- Avoidance: attempts to prevent the exploitation of the vulnerability; the preferred approach
  - Methods of avoidance: application of policy; training and education; application of technology
- Transference: attempts to shift the risk to other assets, processes, or organizations
  - Methods of transference: rethink how services are offered; revise deployment models; outsource to other organizations; purchase insurance; implement service contracts with providers
- Mitigation: attempts to reduce the impact caused by exploitation of a vulnerability through planning and preparation
  - Methods of mitigation: contingency planning, which includes business impact analysis, incident response plan, disaster recovery plan, business continuity plan
  - Requires early detection that an attack is in progress and the ability to respond quickly, efficiently, and effectively
- Acceptance: the choice to do nothing to protect a vulnerability and to accept the outcome of its exploitation
  - Only valid when the organization has: determined the level of a risk; assessed the probability of attack; estimated the potential damage that could occur; performed a thorough cost-benefit analysis; evaluated controls; decided that the asset did not justify the cost of protection

Contingency Planning and its Components
- Contingency plan: prepared to anticipate, react to, and recover from events that threaten assets
- Focuses on steps required to restore normal operations
- Four subordinate functions in a contingency plan: business impact assessment, incident response planning, disaster recovery planning, business continuity planning
Contingency Planning and its Components (continued)
- Business Impact Analysis (BIA): investigation and assessment of the impact of attacks
  - Adds detail to the prioritized list of threats and vulnerabilities created in the risk management process
  - Provides detailed scenarios of the potential impact of each type of attack
- Incident Response Plan (IRP): deals with the identification, classification, response, and recovery from an incident
  - Details the specific steps to be taken when responding to a specific type of attack
  - Incident: any clearly identified attack on assets
  - Absence of an IR plan can lead to: extensive damage to data, systems, and networks; additional damage due to uneducated staff; negative exposure in the news media; possible legal liability
- Disaster Recovery Plan (DRP): deals with preparation for and recovery from a natural or man-made disaster
  - Can include strategies to limit losses before and during the disaster
  - Includes: preparations for the recovery process; strategies to limit losses during the disaster; detailed steps to follow when immediate danger has passed
  - DRP focuses on preparation actions after the incident; IRP focuses on actions during the incident
- Business Continuity Plan (BCP): expresses how to ensure that critical business functions continue at an alternate location after a catastrophic incident or disaster
  - Used when the DRP cannot restore operations at the primary site
  - Is the most strategic and long-term plan
- Business Resumption Plan (BRP): emerging new concept in contingency planning; merges the DRP and BCP into a single process

Contingency Planning Timeline
- Steps in contingency planning:
  - IRP focuses on immediate response; if the attack is disastrous, the process moves to the DRP and BCP
  - DRP focuses on restoration at the original site
  - BCP runs concurrently with the DRP when damage is major or long-term, or requires an alternate site
- The IRP, DRP, and BCP can be distinguished by examining when each comes into play during the life of an incident
Contingency Planning Timeline (continued)
- 7 steps in NIST-sanctioned contingency planning:
  1. Develop the contingency planning policy statement
  2. Conduct the business impact analysis (BIA)
  3. Identify preventative measures and controls
  4. Develop recovery strategies
  5. Develop an IT contingency plan
  6. Plan testing, training, and exercises
  7. Plan maintenance

Information Security Policy in Developing Contingency Plans
- Policy is needed to enforce requirements for protection of information before, during, and after an incident
- Information security is primarily a management problem, not a technical one
- Shaping policy is difficult because: it must never conflict with laws; it must be properly administered

Key Policy Definitions
- Policy: a plan or course of action used to convey instructions from senior management to those who make decisions, take actions, and perform duties
  - An organizational law that dictates acceptable and unacceptable behavior, and defines penalties for violations
- Standard: detailed statement of what must be done to comply with policy
  - De facto standard: informal standard
  - De jure standard: formal standard
- Mission: written statement of an organization's purpose
- Vision: written statement about an organization's goals
- Strategic planning: process of moving the organization toward its vision
- Information security policy: provides rules for the protection of information assets
- 3 types of security policy: enterprise information security policy, issue-specific security policies, systems-specific security policies

Enterprise Information Security Policy
- Enterprise Information Security Policy (EISP): also called general security policy, IT security policy, or information security policy
- An executive-level document that sets the strategic direction, scope, and tone for all security efforts
- Contains the requirements to be met
- Assigns responsibilities for areas of security
- Addresses legal compliance

Issue-Specific Security Policy
- Issue-Specific Security Policy (ISSP): addresses specific areas of technology
- 3 common approaches to creating ISSPs:
  - Independent ISSP documents, each tailored to a specific issue
  - Single comprehensive ISSP document covering all issues
  - Modular ISSP document that unifies policy creation and administration while maintaining each specific issue's requirements
- Components of an ISSP:
  - Statement of policy: defines scope, who is responsible for implementation, and the technologies and issues being addressed
  - Authorized access and usage of equipment: defines who can use the technology and how it can be used
  - Prohibited usage of equipment: defines what the technology cannot be used for
  - Systems management: defines what responsibilities belong to management and to users
  - Violations of policy: specifies penalties and how to report suspected violations
  - Policy review and modification: procedures and timetable for periodic review to keep it relevant
  - Limitations of liability: indicates that the company will not protect nor be liable for users' unauthorized use of equipment

Systems-Specific Policy
- Systems-Specific Security Policies (SysSPs): standards and procedures to be used when configuring or maintaining systems
- Two general groups:
  - Access control lists (ACLs): define rights and privileges of a particular user to a particular system
  - Configuration rules: specific configuration codes entered into security systems
- ACL policies: translated into sets of configurations to control access to systems
  - Regulate who, what, when, and where access can occur
  - Also called capability tables, user profiles, or user policies
- Rule policies: specific to the operation of a system, such as configuration for firewalls, intrusion detection systems, and proxy servers

Policy Management
- Policies are dynamic documents that change and grow, and must be disseminated in the organization
- Security policies must contain:
  - Individual responsible for the policy
  - Schedule of reviews to ensure currency and accuracy
  - Mechanism for revision recommendations to be made (preferably anonymously)
  - Optionally, policy management software to manage creation, revision, and dissemination of policy
Summary
- Information security: protection of information and its critical elements
- C.I.A. triangle: confidentiality, integrity, availability
- Threat: object or person that poses a potential for loss to an asset
- Asset: tangible or intangible object that has value to the organization
- Vulnerability: weakness or fault in protection mechanisms
- Risk management: process of identifying vulnerabilities and taking steps to protect assets
- Risk identification: process of identifying risks
- Risk control: process of applying controls to reduce risk
- Contingency planning: includes avoidance, transference, mitigation, and acceptance strategies
- Business impact analysis: assesses the impact of various types of attacks
- Incident response plan: actions that should be taken when an incident is in progress
- Disaster recovery plan: preparation for and recovery from a disaster
- Business continuity plan: ensures that critical business functions continue after a disaster
- Policies: organizational laws that dictate acceptable and unacceptable behavior
- Enterprise information security policy: sets strategic scope, direction, and tone for all security efforts
- Issue-specific security policy: addresses specific areas of technology
- Systems-specific security policy: policy used when configuring or maintaining systems

From week 1
- Risk management
- Information asset classification
- Information asset valuation