information security principles applications n.
Skip this Video
Loading SlideShow in 5 Seconds..
Information Security Principles & Applications PowerPoint Presentation
Download Presentation
Information Security Principles & Applications

play fullscreen
1 / 78

Information Security Principles & Applications

560 Views Download Presentation
Download Presentation

Information Security Principles & Applications

- - - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript

  1. Information SecurityPrinciples & Applications Topic 5: Security Engineering: An Overview 虞慧群

  2. Information Security • A successful organization should have multiple layers of security in place: • Physical security • Personal security • Operations security • Communications security • Network security • Information security • The protection of information and its critical elements, including systems and hardware that use, store, and transmit that information • Necessary tools: policy, awareness, training, education, technology

  3. NSTISSC Security Model Policy Storage Processing Transm. Education Confidentiality Technology Integrity Availability

  4. Components of an Information System • Information System (IS) is entire set of software, hardware, data, people, procedures, and networks necessary to use information as a resource in the organization

  5. Securing Components • Computer can be subject of an attack and/or the object of an attack • When the subject of an attack, computer is used as an active tool to conduct attack • When the object of an attack, computer is the entity being attacked

  6. Balancing Information Security and Access • Impossible to obtain perfect security—it is a process, not an absolute • Security should be considered balance between protection and availability • To achieve balance, level of security must allow reasonable access, yet protect against threats

  7. The Systems Development Life Cycle • Systems development life cycle (SDLC) is methodology and design for implementation of information security within an organization • Methodology is formal approach to problem-solving based on structured sequence of procedures • Using a methodology • ensures a rigorous process • avoids missing steps • Goal is creating a comprehensive security posture/program • Traditional SDLC consists of six general phases

  8. Investigation • What problem is the system being developed to solve? • Objectives, constraints and scope of project are specified • Preliminary cost-benefit analysis is developed • At the end, feasibility analysis is performed to assesses economic, technical, and behavioral feasibilities of the process

  9. Analysis • Consists of assessments of the organization, status of current systems, and capability to support proposed systems • Analysts determine what new system is expected to do and how it will interact with existing systems • Ends with documentation of findings and update of feasibility analysis

  10. Logical Design • Main factor is business need; applications capable of providing needed services are selected • Data support and structures capable of providing the needed inputs are identified • Technologies to implement physical solution are determined • Feasibility analysis performed at the end

  11. Physical Design • Technologies to support the alternatives identified and evaluated in the logical design are selected • Components evaluated on make-or-buy decision • Feasibility analysis performed; entire solution presented to end-user representatives for approval

  12. Implementation • Needed software created; components ordered, received, assembled, and tested • Users trained and documentation created • Feasibility analysis prepared; users presented with system for performance review and acceptance test

  13. Maintenance and Change • Consists of tasks necessary to support and modify system for remainder of its useful life • Life cycle continues until the process begins again from the investigation phase • When current system can no longer support the organization’s mission, a new project is implemented

  14. The Security Systems Development Life Cycle • The same phases used in traditional SDLC may be adapted to support specialized implementation of an IS project • Identification of specific threats and creating controls to counter them • SecSDLC is a coherent program rather than a series of random, seemingly unconnected actions

  15. Investigation • Identifies process, outcomes, goals, and constraints of the project • Begins with enterprise information security policy • Organizational feasibility analysis is performed

  16. Analysis • Documents from investigation phase are studied • Analyzes existing security policies or programs, along with documented current threats and associated controls • Includes analysis of relevant legal issues that could impact design of the security solution • The risk management task begins

  17. An Overview of Risk Management • Know yourself: identify, examine, and understand the information and systems currently in place • Know the enemy: identify, examine, and understand threats facing the organization • Responsibility of each community of interest within an organization to manage risks that are encountered

  18. The Roles of the Communities of Interest • Information security, management and users, information technology all must work together • Management review: • Verify completeness/accuracy of asset inventory • Review and verify threats as well as controls and mitigation strategies • Review cost effectiveness of each control • Verify effectiveness of controls deployed

  19. Risk Identification • Assets are targets of various threats and threat agents • Risk management involves identifying organization’s assets and identifying threats/vulnerabilities • Risk identification begins with identifying organization’s assets and assessing their value

  20. Asset Identification and Valuation • Iterative process; begins with identification of assets, including all elements of an organization’s system (people, procedures, data and information, software, hardware, networking) • Assets are then classified and categorized

  21. Table 4-1 - Categorizing Components

  22. Threat Identification • Realistic threats need investigation; unimportant threats are set aside • Threat assessment: • Which threats present danger to assets? • Which threats represent the most danger to information? • How much would it cost to recover from attack? • Which threat requires greatest expenditure to prevent?

  23. Vulnerability Identification • Specific avenues threat agents can exploit to attack an information asset are called vulnerabilities • Examine how each threat could be perpetrated and list organization’s assets and vulnerabilities • Process works best when people with diverse backgrounds within organization work iteratively in a series of brainstorming sessions • At end of risk identification process, list of assets and their vulnerabilities is achieved

  24. Risk Assessment • Risk assessment evaluates the relative risk for each vulnerability • Assigns a risk rating or score to each information asset

  25. Valuation of Information Assets • Assign weighted scores for value of each asset; actual number used can vary with needs of organization • To be effective, assign values by asking questions: • Which threats present danger to assets? • Which threats represent the most danger to information? • How much would it cost to recover from attack? • Which threat requires greatest expenditure to prevent? • Finally: which of the above questions for each asset is most important to protection of organization’s information?

  26. Risk Determination • For the purpose of relative risk assessment, risk equals: • Likelihood of vulnerability occurrence TIMES value (or impact) • MINUS percentage risk already controlled • PLUS an element of uncertainty

  27. Identify Possible Controls • For each threat and associated vulnerabilities that have residual risk, create preliminary list of control ideas • Residual risk is risk that remains to information asset even after existing control has been applied

  28. Access Controls • Specifically address admission of a user into a trusted area of organization • Types of Access Control • Mandatory access controls (MAC): give users and data owners limited control over access to information • Nondiscretionary controls: managed by a central authority in organization; can be based on individual’s role (role-based controls) or a specified set of assigned tasks (task-based controls) • Discretionary access controls (DAC): implemented at discretion or option of data user • Lattice-based access control: variation of MAC; users assigned matrix of authorizations for areas of access

  29. Documenting the Results of Risk Assessment • Final summary comprised in ranked vulnerability risk worksheet • Worksheet details asset, asset impact, vulnerability, vulnerability likelihood, and risk-rating factor • Ranked vulnerability risk worksheet is initial working document for next step in risk management process: assessing and controlling risk

  30. Risk Control Strategies • Once ranked vulnerability risk worksheet complete, must choose one of four strategies to control each risk: • Apply safeguards (avoidance) • Transfer the risk (transference) • Reduce impact (mitigation) • Understand consequences and accept risk (acceptance)

  31. Avoidance • Attempts to prevent exploitation of the vulnerability • Preferred approach; accomplished through countering threats, removing asset vulnerabilities, limiting asset access, and adding protective safeguards • Three common methods of risk avoidance: • Application of policy • Training and education • Applying technology

  32. Transference • Control approach that attempts to shift risk to other assets, processes, or organizations • If lacking, organization should hire individuals/firms thatprovide security management and administration expertise • Organization may then transfer risk associated with management of complex systems to another organization experienced in dealing with those risks

  33. Mitigation • Attempts to reduce impact of vulnerability exploitation through planning and preparation • Approach includes three types of plans: • Incident response plan (IRP) • Disaster recovery plan (DRP) • Business continuity plan (BCP)

  34. Mitigation (continued) • DRP is most common mitigation procedure • The actions to take while incident is in progress is defined in IRP • BCP encompasses continuation of business activities if catastrophic event occurs

  35. Acceptance • Doing nothing to protect a vulnerability and accepting the outcome of its exploitation • Valid only when the particular function, service, information, or asset does not justify cost of protection • Risk appetite describes the degree to which organization is willing to accept risk as trade-off to the expense of applying controls

  36. Characteristics of Secure Information • Controls can be classified according to the characteristics of secure information they are intended to assure • These characteristics include: confidentiality; integrity; availability; authentication; authorization; accountability; privacy

  37. Feasibility Studies • Before deciding on strategy, all information about economic/non-economic consequences of vulnerability of information asset must be explored • A number of ways exist to determine advantage of a specific control

  38. Cost Benefit Analysis (CBA) • Most common approach for information security controls is economic feasibility of implementation • CBA is begun by evaluating worth of assets to be protected and the loss in value if those assets are compromised • The formal process to document this is called cost benefit analysis or economic feasibility study

  39. Cost Benefit Analysis (CBA) (continued) • Items that impact cost of a control or safeguard include: cost of development; training fees; implementation cost; service costs; cost of maintenance • Benefit is the value an organization realizes by using controls to prevent losses associated with a vulnerability • Asset valuation is process of assigning financial value or worth to each information asset; there are many components to asset valuation

  40. Cost Benefit Analysis (CBA) (continued) • Once worth of various assets is estimated, potential loss from exploitation of vulnerability is examined • Process results in estimate of potential loss per risk • Expected loss per risk stated in the following equation: Annualized loss expectancy (ALE) equals Single loss expectancy (SLE) TIMES Annualized rate of occurrence (ARO) • SLE is equal to asset value times exposure factor (EF)

  41. The Cost Benefit Analysis (CBA) Formula • CBA determines whether or not control alternative being evaluated is worth cost incurred to control vulnerability • CBA most easily calculated using ALE from earlier assessments, before implementation of proposed control: CBA = ALE(prior) – ALE(post) – ACS • ALE(prior) is annualized loss expectancy of risk before implementation of control • ALE(post) is estimated ALE based on control being in place for a period of time • ACS is the annualized cost of the safeguard

  42. Benchmarking • An alternative approach to risk management • Benchmarking is process of seeking out and studying practices in other organizations that one’s own organization desires to duplicate • One of two measures typically used to compare practices: • Metrics-based measures • Process-based measures

  43. Benchmarking (continued) • Standard of due care: when adopting levels of security for a legal defense, organization shows it has done what any prudent organization would do in similar circumstances • Due diligence: demonstration that organization is diligent in ensuring that implemented standards continue to provide required level of protection • Failure to support standard of due care or due diligence can leave organization open to legal liability

  44. Benchmarking (continued) • Best business practices: security efforts that provide a superior level protection of information • When considering best practices for adoption in an organization, consider: • Does organization resemble identified target with best practice? • Are resources at hand similar? • Is organization in a similar threat environment?

  45. Problems with Benchmarking and Best Practices • Organizations don’t talk to each other (biggest problem) • No two organizations are identical • Best practices are a moving target • Knowing what was going on in information security industry in recent years through benchmarking doesn’t necessarily prepare for what’s next