Presentation on theme: "Information Security Principles & Applications"

Presentation transcript:

1 Information Security Principles & Applications

2 Information Security
A successful organization should have multiple layers of security in place:
Physical security
Personal security
Operations security
Communications security
Network security
Information security
The protection of information and its critical elements, including systems and hardware that use, store, and transmit that information
Necessary tools: policy, awareness, training, education, technology

What Is Security?
In general, security is "the quality or state of being secure--to be free from danger." It means to be protected from adversaries--from those who would do harm, intentionally or otherwise. A successful organization should have the following multiple layers of security in place for the protection of its operations:
Physical security - to protect the physical items, objects, or areas of an organization from unauthorized access and misuse.
Personal security - to protect the individual or group of individuals who are authorized to access the organization and its operations.
Operations security - to protect the details of a particular operation or series of activities.
Communications security - to protect an organization's communications media, technology, and content.
Network security - to protect networking components, connections, and contents.
3 NSTISSC Security Model
4 Components of an Information System
5 Securing Components
Computer can be subject of an attack and/or the object of an attack
When the subject of an attack, computer is used as an active tool to conduct attack
When the object of an attack, computer is the entity being attacked

Securing The Components
When considering the security of information systems components, it is important to understand the concept of the computer as the subject of an attack as opposed to the computer as the object of an attack. When a computer is the subject of an attack, it is used as an active tool to conduct the attack. When a computer is the object of an attack, it is the entity being attacked.

6 It is important to note that the same computer can be both the subject and object of an attack, especially in multi-user systems.

7 Balancing Information Security and Access

8 This graphic intends to show the tradeoffs between security and access.
9 The Systems Development Life Cycle

10 Very much a traditional SDLC diagram.
11 Investigation What problem is the system being developed to solve?
12 Analysis
Consists of assessments of the organization, status of current systems, and capability to support proposed systems
Analysts determine what new system is expected to do and how it will interact with existing systems
Ends with documentation of findings and update of feasibility analysis

Analysis
The analysis phase begins with the information learned during the investigation phase. This phase consists primarily of assessments of the organization, the status of current systems, and the capability to support the proposed systems. Analysts begin to determine what the new system is expected to do, and how it will interact with existing systems. This phase ends with the documentation of the findings and a feasibility analysis update.
13 Logical Design
Main factor is business need; applications capable of providing needed services are selected
Data support and structures capable of providing the needed inputs are identified
Technologies to implement physical solution are determined
Feasibility analysis performed at the end

Logical Design
In the logical design phase, the information gained from the analysis phase is used to begin creating a solution system for a business problem. Then, based on the business need, applications capable of providing the needed services are selected. Based on the applications needed, data support and structures capable of providing the needed inputs are selected. Finally, based on all of the above, specific technologies to implement the physical solution are selected. In the end, another feasibility analysis is performed.
14 Physical Design
Technologies to support the alternatives identified and evaluated in the logical design are selected
Components evaluated on make-or-buy decision
Feasibility analysis performed; entire solution presented to end-user representatives for approval

Physical Design
During the physical design phase, specific technologies are selected to support the alternatives identified and evaluated in the logical design. The selected components are evaluated based on a make-or-buy decision (develop in-house or purchase from a vendor). Final designs integrate various components and technologies. After yet another feasibility analysis, the entire solution is presented to the end-user representatives for approval.
15 Implementation
Needed software created; components ordered, received, assembled, and tested
Users trained and documentation created
Feasibility analysis prepared; users presented with system for performance review and acceptance test

Implementation
In the implementation phase, any needed software is created or purchased. Components are ordered, received, and tested. Afterwards, users are trained and supporting documentation created. Again a feasibility analysis is prepared, and the users are then presented with the system for a performance review and acceptance test.

16 Maintenance and Change

17 The Security Systems Development Life Cycle
18 Investigation
Identifies process, outcomes, goals, and constraints of the project
Begins with enterprise information security policy
Organizational feasibility analysis is performed

Investigation
The investigation of the SecSDLC begins with a directive from upper management, dictating the process, outcomes and goals of the project, as well as the constraints placed on the activity. Frequently, this phase begins with a statement of program security policy that outlines the implementation of security. Teams of responsible managers, employees and contractors are organized, problems analyzed, and scope defined, including goals, objectives, and constraints not covered in the program policy. Finally, an organizational feasibility analysis is performed to determine whether the organization has the resources and commitment necessary to conduct a successful security analysis and design.
19 Analysis
Documents from investigation phase are studied

20 An Overview of Risk Management

21 The Roles of the Communities of Interest

22 Risk Identification
Assets are targets of various threats and threat agents
Risk management involves identifying organization's assets and identifying threats/vulnerabilities
Risk identification begins with identifying organization's assets and assessing their value

Risk Identification
A risk management strategy calls on us to "know ourselves" by identifying, classifying, and prioritizing the organization's information assets. These assets are the targets of various threats and threat agents, and our goal is to protect them from these threats. Once we have gone through the process of self-examination, we then move into threat identification. We must assess the circumstances and setting of each information asset. To begin managing the risk from the vulnerabilities, we must identify those vulnerabilities and begin exploring the controls that might be used to manage the risks. We begin the process by identifying and assessing the value of our information assets.
23 Asset Identification and Valuation
24 Table 4-1 - Categorizing Components

25 Threat Identification

26
27 Vulnerability Identification

28 Risk Assessment
Risk assessment evaluates the relative risk for each vulnerability
Assigns a risk rating or score to each information asset

Risk Assessment
We can determine the relative risk for each of the vulnerabilities through a process called risk assessment. Risk assessment assigns a risk rating or score to each specific information asset, useful in gauging the relative risk introduced by each vulnerable information asset and making comparative ratings later in the risk control process.

29 Valuation of Information Assets
30 Risk Determination
For the purpose of relative risk assessment, risk equals:
Likelihood of vulnerability occurrence TIMES value (or impact) MINUS percentage risk already controlled PLUS an element of uncertainty

Risk Determination
For the purpose of relative risk assessment: risk = likelihood of vulnerability occurrence times value (or impact) minus percentage risk already controlled plus an element of uncertainty
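A worked version of the slide's relative-risk formula, added here as an example and not part of the original presentation. It assumes (the slide does not say) that both the "percentage already controlled" and the "uncertainty" terms are taken as percentages of the likelihood x value product, and it ranks a few constructed asset/vulnerability pairs so that the comparative ratings mentioned under Risk Assessment fall out directly.

```python
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class VulnerabilityRating:
    """One asset/vulnerability pair from a risk identification worksheet.
    All sample values in this file are constructed for illustration."""
    asset: str
    vulnerability: str
    value: float            # asset value or impact on the organization's relative scale (e.g. 0-100)
    likelihood: float       # likelihood the vulnerability is exploited, 0.0-1.0
    pct_controlled: float   # share of the risk already mitigated by existing controls, 0.0-1.0
    pct_uncertainty: float  # analyst's uncertainty about the estimates above, 0.0-1.0


def relative_risk(v: VulnerabilityRating) -> float:
    """risk = likelihood x value - risk already controlled + uncertainty.

    Assumption: both percentage terms are percentages of the likelihood x value product,
    which is how the formula is usually worked on a risk worksheet."""
    for name in ("likelihood", "pct_controlled", "pct_uncertainty"):
        x = getattr(v, name)
        if not 0.0 <= x <= 1.0:
            raise ValueError(f"{name} must be between 0 and 1, got {x}")
    base = v.likelihood * v.value
    return base - base * v.pct_controlled + base * v.pct_uncertainty


def rank_by_risk(ratings: List[VulnerabilityRating]) -> List[Tuple[VulnerabilityRating, float]]:
    """Return (rating, score) pairs, highest relative risk first, for comparative rating."""
    scored = [(v, relative_risk(v)) for v in ratings]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


# Constructed worksheet entries (hypothetical assets, values, and percentages).
SAMPLE_RATINGS = [
    VulnerabilityRating("Customer database", "Unpatched DBMS", 100, 0.5, 0.5, 0.2),
    VulnerabilityRating("Public web server", "Weak admin password", 50, 1.0, 0.0, 0.1),
    VulnerabilityRating("Customer database", "Backup tapes stored on site", 100, 0.1, 0.0, 0.2),
]

if __name__ == "__main__":
    for v, score in rank_by_risk(SAMPLE_RATINGS):
        print(f"{score:6.1f}  {v.asset}: {v.vulnerability}")
```

Note that a high-value asset can rank below a lower-value one once existing controls are subtracted, which is the point of scoring residual rather than raw risk.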
31 Identify Possible Controls

32 Access Controls
Specifically address admission of a user into a trusted area of organization
Types of Access Control
Mandatory access controls (MAC): give users and data owners limited control over access to information
Nondiscretionary controls: managed by a central authority in organization; can be based on individual's role (role-based controls) or a specified set of assigned tasks (task-based controls)
Discretionary access controls (DAC): implemented at discretion or option of data user
Lattice-based access control: variation of MAC; users assigned matrix of authorizations for areas of access

Types of Access Controls
Discretionary Access Controls (DAC) are implemented at the discretion or option of the data user. Mandatory Access Controls (MACs) are structured and coordinated with a data classification scheme, and are required. Non-discretionary Controls are those determined by a central authority in the organization and can be based on that individual's role (Role-Based Controls) or a specified set of duties or tasks the individual is assigned (Task-Based Controls), or can be based on specified lists maintained on subjects or objects.
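An added example (not from the presentation) of the lattice-based variation of MAC described above: a label is a sensitivity level plus a set of categories, one label dominates another when it is at least as high on both, and the subject x object matrix of authorizations is derived from the labels by the system rather than chosen by the data user. The level names, the categories, and the "clearance must dominate classification" read rule are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, Tuple

# Ordered sensitivity levels, lowest first; constructed for this example.
LEVELS = ("unclassified", "confidential", "secret", "top secret")


@dataclass(frozen=True)
class Label:
    """A lattice element: a sensitivity level plus a set of need-to-know categories."""
    level: str
    categories: FrozenSet[str] = frozenset()

    def __post_init__(self) -> None:
        if self.level not in LEVELS:
            raise ValueError(f"unknown level: {self.level}")

    def dominates(self, other: "Label") -> bool:
        """self >= other in the lattice: at least as high a level AND a superset of categories."""
        return (LEVELS.index(self.level) >= LEVELS.index(other.level)
                and self.categories >= other.categories)

    def join(self, other: "Label") -> "Label":
        """Least upper bound: the label a document that combines both sources must carry."""
        higher = max(self.level, other.level, key=LEVELS.index)
        return Label(higher, self.categories | other.categories)


def comparable(a: Label, b: Label) -> bool:
    """Two labels can be incomparable (neither dominates the other).
    A single linear clearance scale cannot express that; the lattice can."""
    return a.dominates(b) or b.dominates(a)


def can_read(clearance: Label, classification: Label) -> bool:
    """Mandatory read decision: the subject's clearance must dominate the object's label.
    Both labels are assigned centrally under the classification scheme, so the data
    user cannot grant access that the labels forbid (the contrast with DAC)."""
    return clearance.dominates(classification)


def authorization_matrix(subjects: Dict[str, Label],
                         objects: Dict[str, Label]) -> Dict[Tuple[str, str], bool]:
    """Derive the subject x object matrix of read authorizations from the labels alone."""
    return {(s, o): can_read(sl, ol)
            for s, sl in subjects.items()
            for o, ol in objects.items()}


# Constructed sample clearances and classifications (hypothetical names).
SUBJECTS = {
    "alice": Label("secret", frozenset({"payroll", "merger"})),
    "bob":   Label("top secret", frozenset({"payroll"})),
}
OBJECTS = {
    "salary_table":  Label("confidential", frozenset({"payroll"})),
    "merger_memo":   Label("secret", frozenset({"merger"})),
    "board_minutes": Label("top secret", frozenset()),
}

if __name__ == "__main__":
    for (s, o), ok in sorted(authorization_matrix(SUBJECTS, OBJECTS).items()):
        print(f"{s:6} -> {o:14} {'read' if ok else 'DENIED'}")
```

Bob holds the higher clearance level yet cannot read the merger memo, because his clearance lacks the category; the two users' clearances are incomparable in the lattice.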
33 Documenting the Results of Risk Assessment

34

35 Risk Control Strategies
36 Avoidance Attempts to prevent exploitation of the vulnerability
37 Transference
Control approach that attempts to shift risk to other assets, processes, or organizations
If lacking, organization should hire individuals/firms that provide security management and administration expertise
Organization may then transfer risk associated with management of complex systems to another organization experienced in dealing with those risks

Transference
Transference is the control approach that attempts to shift the risk to other assets, other processes, or other organizations. If an organization does not already have quality security management and administration experience, it should hire individuals or firms that provide such expertise. This allows the organization to transfer the risk associated with the management of these complex systems to another organization with established experience in dealing with those risks.

38 Mitigation
Attempts to reduce impact of vulnerability exploitation through planning and preparation
Approach includes three types of plans:
Incident response plan (IRP)
Disaster recovery plan (DRP)
Business continuity plan (BCP)

Mitigation
Mitigation is the control approach that attempts to reduce the impact caused by the exploitation of a vulnerability through planning and preparation. This approach includes three types of plans: disaster recovery planning (DRP), business continuity planning (BCP), and incident response planning (IRP). Mitigation begins with the early detection that an attack is in progress.

The most common of the mitigation procedures is the disaster recovery plan. The DRP includes the entire spectrum of activities to recover from an incident. The DRP can include strategies to limit losses before and during the disaster. DRPs usually include all preparations for the recovery process, strategies to limit losses during the disaster, and detailed steps to follow when the disaster has ended.

The actions an organization can and perhaps should take while the incident is in progress should be defined in a document referred to as the incident response plan or IRP. The IRP provides answers to questions victims might pose in the midst of a disaster. It answers the questions: What do I do NOW?! What should the administrators do first? Who should they contact? What should they document? DRP and IRP planning overlap to a degree. In many regards, the DRP is the subsection of the IRP that covers disastrous events. While some DRP and IRP decisions and actions are the same, their urgency and results can differ dramatically. The DRP focuses more on preparations completed before and actions taken after the incident, while the IRP focuses on intelligence gathering, information analysis, coordinated decision making and urgent, concrete actions.

The third type of planning document under mitigation is the business continuity plan or BCP. The BCP is the most strategic and long-term plan of the three. It encompasses the continuation of business activities if a catastrophic event occurs, such as the loss of an entire database, building or operations center. The BCP includes planning for the steps to ensure the continuation of the organization when the scope or scale of a disaster exceeds the DRP's ability to restore operations.
39 Mitigation (continued)
40 Acceptance
Doing nothing to protect a vulnerability and accepting the outcome of its exploitation
Valid only when the particular function, service, information, or asset does not justify cost of protection
Risk appetite describes the degree to which organization is willing to accept risk as trade-off to the expense of applying controls

Acceptance
With the Acceptance control approach, an organization evaluates the risk of a vulnerability and allows the risky state to continue as is. The only acceptance strategy that is recognized as valid occurs when the organization has:
Determined the level of risk
Assessed the probability of attack
Estimated the potential damage that could occur from these attacks
Performed a thorough cost benefit analysis
Evaluated controls using each appropriate type of feasibility
Decided that the particular function, service, information, or asset did not justify the cost of protection
Acceptance of risk is the choice to do nothing to protect a vulnerability and to accept the outcome of its exploitation. This control, or rather lack of control, is based on the assumption that it may be a prudent business decision to examine the alternatives and determine that the cost of protecting an asset does not justify the security expenditure. The term risk appetite is used to describe the degree to which an organization is willing to accept risk as a trade-off to the expense of applying controls.
41 Characteristics of Secure Information

42 Feasibility Studies
Before deciding on strategy, all information about economic/non-economic consequences of vulnerability of information asset must be explored
A number of ways exist to determine advantage of a specific control

Feasibility Studies and the Cost Benefit Analysis
Before deciding on the strategy for a specific vulnerability, all information about the economic and non-economic consequences of the vulnerability facing the information asset must be explored. Fundamentally we are asking, "What are the actual and perceived advantages of implementing a control contrasted with the actual and perceived disadvantages of implementing the control?"

43 Cost Benefit Analysis (CBA)
44 Cost Benefit Analysis (CBA) (continued)
45 Cost Benefit Analysis (CBA) (continued)
46 The Cost Benefit Analysis (CBA) Formula
47 Benchmarking An alternative approach to risk management
48 Benchmarking (continued)

49 Benchmarking (continued)

50 Problems with Benchmarking and Best Practices

51 Risk Management Discussion Points

52
53 Logical Design
Creates and develops blueprints for information security
Incident response actions planned:
Continuity planning
Incident response
Disaster recovery
Feasibility analysis to determine whether project should continue or be outsourced

Logical Design
The logical design phase creates and develops the blueprints for security, and examines and implements key policies that influence later decisions. Also at this stage, critical planning is developed for incident response actions to be taken in the event of partial or catastrophic loss. Next, a feasibility analysis determines whether or not the project should continue or should be outsourced.

Physical Design
In the physical design phase, the security technology needed to support the blueprint outlined in the logical design is evaluated, alternative solutions generated, and a final design agreed upon. The security blueprint may be revisited to keep it synchronized with the changes needed when the physical design is completed. The criteria needed to determine the definition of successful solutions are also prepared during this phase. Included at this time are the designs for physical security measures to support the proposed technological solutions. At the end of this phase, a feasibility study should determine the readiness of the organization for the proposed project, and then the champion and users are presented with the design. At this time, all parties involved have a chance to approve the project before implementation begins.

54 Hybrid Framework for a Blueprint of an Information Security System

55 Figure 5-15 - Spheres of Security

56 Physical Design
The physical design process:

57 Implementation
SecSDLC implementation phase accomplished through changing configuration and operation of organization's information systems
Implementation includes changes to procedures, people, hardware, software, and data
Organization translates blueprint for information security into a concrete project plan
Organization should avoid overconfidence after implementation of improved information security profile as time passes by

Implementation
The implementation phase is similar to the traditional SDLC. The security solutions are acquired (made or bought), tested, and implemented, and tested again. Personnel issues are evaluated and specific training and education programs conducted. Finally, the entire tested package is presented to upper management for final approval.

58 Project Management for Information Security

59 Developing the Project Plan
60 Project Planning Considerations
61 Executing the Plan
Negative feedback ensures project progress is measured periodically
Measured results compared against expected results
When significant deviation occurs, corrective action taken
Often, project manager can adjust one of three parameters for task being corrected: effort and money allocated; scheduling impact; quality or quantity of deliverable

Executing the Plan
Once a project is underway, it is managed to completion using a process known as a negative feedback loop or cybernetic loop, which ensures that progress is measured periodically. The measured results are compared against expected results. When significant deviation occurs, corrective action is taken to bring the task that is deviating from plan back into compliance with the projection, or else the estimate is revised in light of new information. When corrective action is required, there are two basic situations: either the estimate was flawed or performance has lagged. When an estimate is flawed, for example a faulty estimate for effort hours is discovered, the plan should be corrected and downstream tasks updated to reflect the change. When performance has lagged, for example due to high turnover of skilled employees, correction is required by adding resources, lengthening the schedule, or by reducing the quality or quantity of the deliverable. The decisions are usually expressed in terms of trade-offs. Often a project manager can adjust one of the three planning parameters for the task being corrected:
1. Effort and money allocated
2. Elapsed time or scheduling impact
3. Quality or quantity of the deliverable

62 Figure 10-1
63 Project Wrap-up
Project wrap-up usually handled as procedural task and assigned to mid-level IT or information security manager
Collect documentation, finalize status reports, and deliver final report and presentation at wrap-up meeting
Goal of wrap-up to resolve any pending issues, critique overall project effort, and draw conclusions about how to improve process

Wrap-up
Project wrap-up is usually handled as a procedural task assigned to a mid-level IT or information security manager. These managers collect documentation, finalize status reports, and deliver a final report and a presentation at a wrap-up meeting. The goal of the wrap-up is to resolve any pending issues, critique the overall effort of the project, and draw conclusions about how to improve the process for the future.

64 Conversion Strategies

65 The Maintenance Model
Designed to focus organizational effort on maintaining systems
Recommended maintenance model based on five subject areas
External monitoring
Internal monitoring
Planning and risk assessment
Vulnerability assessment and remediation
Readiness and review

The Maintenance Model
A maintenance model is intended to complement the chosen management model and focus organizational effort on maintenance. This figure diagrams a full maintenance program and forms a framework for the discussion of maintenance that follows:
External monitoring
Internal monitoring
Planning and risk assessment
Vulnerability assessment and remediation
Readiness and review
66 Figure 12-1 - The Maintenance Model

67 Monitoring the External Environment

68

69 Monitoring the Internal Environment

70

71 Planning and Risk Assessment

72 Planning and Risk Assessment (continued)

73

74 Vulnerability Assessment and Remediation

75
76 Readiness and Review
Primary goal to keep information security program functioning as designed and continuously improving
Accomplished by:
Policy review: for policy to be sound
Program review: for major planning components to be current, accurate, and appropriate
Rehearsals: for major plan elements to be effective

Readiness And Review
The primary goal of the readiness and review domain is to keep the information security program functioning as designed and continuously improving over time. This is accomplished by:
Policy review: Sound policy needs to be reviewed and refreshed from time to time to provide a current foundation for the information security program.
Readiness review: Major planning components should be reviewed on a periodic basis to ensure they are current, accurate, and appropriate.
Rehearsals: When possible, major plan elements should be rehearsed.
Policy review is the primary initiator of the readiness and review domain. As policy is revised or current policy is confirmed, the various planning elements are reviewed for compliance, the information security program is reviewed, and rehearsals are held to make sure all participants are capable of responding as needed.

77

78
Summary
Successful organizations have multiple layers of security in place: physical, personal, operations, communications, network, and information.
Security should be considered a balance between protection and availability
Information security must be managed similar to any major system implemented in an organization, using a methodology like SecSDLC
Implementation of information security often described as a combination of art and science

What is a formal approach to solving a problem based on a structured sequence of procedures?
A methodology is a formal approach to solving a problem based on a structured sequence of procedures. Using a methodology ensures a rigorous process, and increases the likelihood of achieving the desired final objective.

What are the three most commonly encountered communities of interest that have roles and responsibilities in information security?
Rather, the process should involve three distinct groups of decision makers, or communities of interest: information security managers and professionals; information technology managers and professionals; nontechnical business managers and professionals.

Which type of security addresses the protection of all communications/media technology and content?
Cybersecurity primarily addresses technology-related threats, with practices and tools that can prevent or mitigate them. Another related category is data security, which focuses on protecting an organization's data from accidental or malicious exposure to unauthorized parties.

In which phase of the development of an InfoSec policy must a plan to distribute the policies be developed? Why is this important?
During the implementation phase, the team must create a plan to distribute and verify the distribution of the policies.