1 / 23

Unit Outline Information Security Risk Assessment

Unit Outline Information Security Risk Assessment. Module 1: Introduction to Risk Module 2: Definitions and Nomenclature  Module 3: Security Risk Assessment Module 4-5: Methodology and Objectives Module 6: Case Study Module 7: Summary. Module 3 Security Risk Assessment.

conan
Télécharger la présentation

Unit Outline Information Security Risk Assessment

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Unit OutlineInformation Security Risk Assessment Module 1: Introduction to Risk Module 2: Definitions and Nomenclature  Module 3: Security Risk Assessment Module 4-5: Methodology and Objectives Module 6: Case Study Module 7: Summary

  2. Module 3Security Risk Assessment

  3. Security Risk AssessmentLearning Objectives • Students should be able to: • Define security risk assessment • Understand and choose between assessment types • Types of risk reduction • Metrics of effective security • Understand limitations to security risk assessment

  4. Security Risk AssessmentOverview • Definition • Security risk assessment identifies existing IT vulnerabilities and recommends countermeasures for mitigating potential risks • Goal • Make the infrastructure more secure • Identify risks and reduce them • Consequences of Failure • Loss of services • Financial loss • Loss of reputation • Legal consequences

  5. Security Risk AssessmentTypes • Intrusive • Vulnerability Scan • Penetration Testing (Ethical Hacking) • Non-Intrusive • Security Audit • Vulnerability Assessment • Risk Analysis • All have the goal of identifying vulnerabilities and improving security • Differ in rules of engagement and limited purpose of the specific engagement (what is allowed, legal liability, purpose of analysis, etc.).

  6. Security Risk Assessment: Non-Intrusive 1. Security Audit • Security Audit - Independent review and examination of system records & activities to determine adequacy of system controls, ensure compliance of security policy & operational procedures, detect breaches in security, and recommend changes in these processes.1 • Features • Formal Process • Paper Oriented (Review Policies for Compliance and Best Practices) • Review System Configurations (Questionnaire, or Console based) • Automated Scanning • Checklists 1 http://www.atis.org/tg2k/_security_audit.html

  7. Security Risk Assessment: Non-Intrusive 2. Vulnerability Assessment • Vulnerability Assessment is: • determination of state of risk associated with a system based upon thorough analysis • includes recommendations to support subsequent security controls/decisions. • takes into account business, as well as legal constraints. • Involves more testing than traditional paper audit • Primarily required to identify weaknesses in the information system • Steps • Identify security holes in the infrastructure • Look but not intrude into the systems • Focus on best practices (company policy is secondary)

  8. Security Risk Assessment: Non-Intrusive 3. Risk Analysis • Risk Analysis – identification or study of: • an organization’s assets • threats to these assets • system’svulnerability to the threats • Risk Analysis is done in order to determine exposure of the assets and potential loss. • Computationally intensive & requires data to: • Compute probabilities of attack • Valuation of assets • Efficacy of the controls • More cumbersome than audit or • assessment and usually requires an • analytically trained person

  9. Security Risk AssessmentVarious Types

  10. Security Risk AssessmentHow to Choose • Security audit, vulnerability assessment and risk analysis have similar goals. • The method is selected based on • Organizational Objectives • Available Resources • Time Horizon • Process • Capability Matrix • Resource Matrix • Cost/Asset Analysis • In general the cost of the analysis should not be more that the perceived benefits

  11. Security Risk AssessmentHow to Choose: Capability Matrix • Capability matrix matches the methods to their capabilities • Expand the matrix to include all the requirements of the organization • Match the capabilities to the requirement

  12. Security Risk AssessmentHow to Choose: Resource Matrix • Resource matrix matches the resources available to resources required • Data, Manpower • Organizations differ in the resources required (and available) based on its specific needs

  13. Security Risk Assessment: Intrusive1. Vulnerability Scan • Definition • Scan the network using automated tools to identify security holes in the network • Usually a highly automated process • Fast and cheap • Limitations • False findings • System disruptions (due to improperly run tools) • Differences in regular scans can often identify new vulnerabilities

  14. Security Risk Assessment: Intrusive2. Penetration Testing • Definition (Ethical Hacking) • Simulated attacks on computer networks to identify weaknesses in the network. • Steps • Find a vulnerability • Exploit the vulnerability to get deeper access • Explore the potential damage that the hacker can cause • Example • Scan web server: Exploit buffer overflow to get account • Scan database (from web server) • Find weakness in database: Retrieve password • Use password to compromise firewall

  15. Security Risk AssessmentRisk Reduction Three strategies for risk reduction: • Avoiding the risk • by changing requirements for security or other system characteristics • Transferring the risk • by allocating risk to other systems, people, organizations assets or by buying insurance • Assuming the risk • by accepting and controlling it with available resources

  16. Security Risk AssessmentEffective Security • Effective security relies on several factors • Security Risk Assessments • Policies & Procedures • Education (of IT staff, users, & managers) • Configuration Standards/Guidelines • OS Hardening • Network Design • Firewall Configuration • Router Configuration • Web Server Configuration • Secure Coding Practices

  17. Security Risk AssessmentLimitations • Often locates previously known issues • Provides false sense of security • Just the first step • Needs due diligence in applying the recommendation of the assessment • Becomes obsolete rapidly • Needs to be repeated periodically

  18. What is Security Risk Assessment?Case • Consider the three cases that are provided to you and determine the type of security analysis approach you would choose. • A worksheet is provided with the matrices that you can fill out. • An example solution is in the following slides.

  19. Solution

  20. Security Risk AssessmentSmall Business Case • The Natural Soap case has been given the following assessment in the capability and resource matrices:

  21. Security Risk AssessmentLarge Corporation Case • The GE Energy case has been given the following assessment in the capability and resource matrices:

  22. Security Risk AssessmentGovernment Agency Case • The State Agency case has been given the following assessment in the capability and resource matrices:

  23. Security Risk AssessmentSummary • Security risk assessment is the process of identifying vulnerabilities in order to determine controls and can be intrusive or non-intrusive. • Intrusive methods involve actual testing of the system (e.g. vulnerability scanning and penetration testing). • Non-intrusive methods are security audit, risk analysis, and vulnerability assessment. • To determine when to use a particular non-intrusive method, it is important to consider the goals of the assessment as well as the resources necessary.

More Related