Security Management: Risks, controls and incidents
PETER CRUICKSHANK
SCHOOL OF COMPUTING
EDINBURGH NAPIER UNIVERSITY
What is security?
Mordac the preventer of information
2 Security management: risks, controls and incidents
© Dilbert.com
http://dilbert.com/search_results?terms=Mordac+The+Preventer
Background
Over a generation, internetworked systems, particularly the Internet, have gone from the specialized realm of government and academia to being a substantial part (the basis?) of our business and personal lives.
• Enterprises maintain web sites, email, e-commerce and collaboration tools that are all connected to the Internet.
• Online banking, bill paying and shopping have made online financial transactions common.
• Individuals have smartphones, tablets and a myriad of other devices that are always “online.”
The context, in layers:
• Computer systems
• Computer environment
• Business and application environment
• Socio-economic-legal environment
In a graph
[Figure not reproduced; © 2014, ISACA]
Information Security: Attributes
• Confidentiality: authorised access only; protecting privacy
• Integrity: data and system; protection from accidental or deliberate (malicious) modification
• Availability: …for legitimate users; DDoS attacks – prevention & recovery
• Authentication: who are you – supports non-deniability
• Authorization: what can you do?
• Auditing: effective auditing and logging is the key to non-repudiation
Aim of the lecture
Part of a series of 6 lectures and tutorials, with a coursework assignment and exam questions.
This lecture:
• Discusses issues around threats and their risk management
• Covers incident handling (a particular form of risk mitigation)
• Explains the relationship of risks to controls
Risk management
How do you prioritise your work?
How do you know what’s important?
The security balance
Security
• Complex passwords are secure
• Encryption protects assets
Access
• Complex passwords prevent access
• Encryption slows things down
• Technology is not enough
• Controls often conflict with usability and business objectives
Risk
Risk is… let’s start with Wikipedia:
The potential that a chosen (in)action will lead to a loss [or a gain]
Implies that a choice having an influence on the outcome exists (or existed)
Potential losses themselves may also be called “risks”
Almost any human endeavour carries some risk, but some are much more risky than others.
Sources of risk
• Processes: events related to business operations
• People: employee errors or misdeeds
• Systems: technology failure
• External events: outside factors threatening operations, including non-employees
Or in combination.
Example: A fire destroying the IT system and causing disruption to the business
External event (fire) → Systems (unavailable) → Processes (disrupted)
Risk management
• Risk identification & assessment
• Risk control
• Risk response
Risk Control Strategies
• Avoidance
• Transference
• Mitigation
• Acceptance
Risk: let’s look at the basics
Risk is
The likelihood of the occurrence of a vulnerability
× multiplied by the value of the information asset (or, the impact of the loss)
Risk assessment
Likelihood
Expressed as a fraction or percentage
May be known (eg actuarial tables)
May need judgement (document the process)
Often reduced to High, Medium or Low
Risk assessment
Value (impact of loss)
Normally focuses on potential loss
It’s most straightforward to gather
Can be combined up the hierarchy
eg loss of HR for a week may have high value to them, but the organisation will be able to carry on for a while… (so long as payroll is OK)
Identify vulnerabilities
All threats, set against all assets → vulnerabilities
Recorded in a TVA (threats, vulnerabilities & assets) worksheet
Risk assessment: TVA worksheet extract

Asset                           | Impact | Vulnerability                             | Likelihood | Risk Rating
Customer service request via    |   55   | Disruption due to hardware failure        |    0.04    |    2.2
                                |        | Disruption due to software failure        |    0.3     |   16.5
Customer order received by SSL  |  100   | Lost order due to server hardware failure |    0.05    |    5
                                |        | Lost order due to ISP failure             |    0.1     |   10

(Risk rating = Impact × Likelihood)
Risk according to OWASP [1]
Risk = Likelihood × Impact
Likelihood
  Threat agent: Skill, Motive, Opportunity, Capacity (Resources, Size)
  Vulnerability: Ease of discovery, Ease of exploit, Awareness, Detection if exploited
Impact
  Technical: Loss of C, I, A
  OR
  Business: Financial, Reputational, Compliance, Privacy
[1] https://www.owasp.org/index.php/OWASP_Risk_Rating_Methodology
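To show how the OWASP factors above turn into a rating, here is an added example (not from the lecture, and not OWASP's own code) that scores each factor 0-9, averages the likelihood and impact sides, maps each to a Low/Medium/High band and combines them through OWASP's severity matrix. The factor names follow the OWASP methodology; the scenario scores are constructed.

```python
# Factor names follow the OWASP Risk Rating Methodology; each factor is scored 0-9.
LIKELIHOOD_FACTORS = (
    "skill", "motive", "opportunity", "size",                                      # threat agent
    "ease_of_discovery", "ease_of_exploit", "awareness", "intrusion_detection",    # vulnerability
)
TECHNICAL_IMPACT = ("confidentiality", "integrity", "availability", "accountability")
BUSINESS_IMPACT = ("financial", "reputation", "non_compliance", "privacy")

# OWASP's overall severity matrix, keyed by (impact band, likelihood band).
SEVERITY = {
    ("LOW", "LOW"): "Note",     ("LOW", "MEDIUM"): "Low",       ("LOW", "HIGH"): "Medium",
    ("MEDIUM", "LOW"): "Low",   ("MEDIUM", "MEDIUM"): "Medium", ("MEDIUM", "HIGH"): "High",
    ("HIGH", "LOW"): "Medium",  ("HIGH", "MEDIUM"): "High",     ("HIGH", "HIGH"): "Critical",
}

def level(score):
    """Map an averaged 0-9 score to OWASP's three bands: <3 LOW, 3-<6 MEDIUM, >=6 HIGH."""
    if score < 3:
        return "LOW"
    if score < 6:
        return "MEDIUM"
    return "HIGH"

def average(factors, scores):
    """Average the named factors, refusing missing or out-of-range scores rather than guessing."""
    missing = [f for f in factors if f not in scores]
    if missing:
        raise ValueError(f"missing factor scores: {missing}")
    for f in factors:
        if not 0 <= scores[f] <= 9:
            raise ValueError(f"{f} must be scored 0-9, got {scores[f]}")
    return sum(scores[f] for f in factors) / len(factors)

def rate(likelihood_scores, impact_scores, business=True):
    """Return (likelihood score, impact score, overall severity); OWASP prefers business impact when it can be estimated."""
    like = average(LIKELIHOOD_FACTORS, likelihood_scores)
    imp = average(BUSINESS_IMPACT if business else TECHNICAL_IMPACT, impact_scores)
    return like, imp, SEVERITY[(level(imp), level(like))]

# Constructed scores for a hypothetical scenario: a public web form that a large, motivated
# population could abuse easily, with modest business damage if they do.
SCENARIO_LIKELIHOOD = {"skill": 6, "motive": 9, "opportunity": 9, "size": 9,
                       "ease_of_discovery": 7, "ease_of_exploit": 5, "awareness": 6, "intrusion_detection": 8}
SCENARIO_IMPACT = {"financial": 1, "reputation": 5, "non_compliance": 5, "privacy": 3}

if __name__ == "__main__":
    print(rate(SCENARIO_LIKELIHOOD, SCENARIO_IMPACT))  # (7.375, 3.5, 'High')
```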
Risk management
Steps that enterprises should perform when implementing (information security) steps and measures:
• Choose a risk posture
• Analyse impact of threats (business impacts and other, non-financial impacts)
• Identify and analyse risks
• Determine risk treatment
• Determine security strategy options based on risk profile
Risk Control
Risk appetite
The goal is not risk elimination
It is risk minimisation
What costs can you bear?
What impact does risk control have on your business?
At what point are you prevented from doing anything?
Leaving organisation with residual risk
Aim: reduce residual risk to match risk appetite
Choose a risk posture
Minimalist
• Reduce actions and investment to a minimum
• Comparatively high level of residual risk.
Balanced
• comprehensive security investment
• Moderate level of residual risk
Conservative
• Aim for a precautionary, comparatively high, investment
• Little or no tolerance for residual risk.
This is also known as ‘Risk Appetite’
Threats
Threat actors: categorisation
Location
• Internal: Staff; Contractors (should they be internal?)
• External: Business partner, Regulator, Competitor, & their governments
Motivation
• Friendly – Hostile
Capability & expertise
• From script kiddies to GCHQ, the NSA, the PLA
Building risk scenario
Actor
• Internal
• External
Threat type
• Malicious
• Accidental / error
• Failure / nature
• External requirement
Event
• Disclosure
• Interruption
• Modification
• Theft
• Destruction
• Ineffective design/execution
• New rules
• Inappropriate use
Asset / resource
• People & skills
• Organisation structures
• Process
• Facilities
• IT infrastructure
• Information
• Application
Time
• Duration
• Criticality
• To detection
• Time lag to respond
Scenario-based approaches are sometimes preferred over ‘pure’ risk catalogues
Analyse Business Impact
What could go wrong?
How would it affect the business?
• Discard if impact is negligible
Judge likelihoods
• Discard if unlikely
Plan for what’s left
Risk is (therefore)
The likelihood of the occurrence of a vulnerability
× multiplied by the value of the information asset
− minus the percentage of the risk mitigated by current controls
+ plus the uncertainty of current knowledge of the vulnerability
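A worked version of the TVA worksheet and of the full formula, as an added example rather than the lecture's own material: it reproduces the worksheet's four rows (Impact × Likelihood, using the asset names as given on the slide) and then extends each row with the mitigated share and uncertainty so the rows can be ranked. The control coverage and uncertainty figures are constructed, and so is the reading that both percentages are taken of the basic likelihood × value product; the slides do not say what the percentages apply to.

```python
from dataclasses import dataclass

@dataclass
class TvaRow:
    """One line of a TVA worksheet: an asset, one of its vulnerabilities, and the formula inputs."""
    asset: str
    asset_value: float        # value / impact of the asset (the worksheet's Impact column)
    vulnerability: str
    likelihood: float         # probability of occurrence, 0.0 .. 1.0
    mitigated: float = 0.0    # share of the risk already covered by current controls, 0.0 .. 1.0
    uncertainty: float = 0.0  # how unsure we are of the estimate, 0.0 .. 1.0

    def __post_init__(self):
        for name in ("likelihood", "mitigated", "uncertainty"):
            value = getattr(self, name)
            if not 0.0 <= value <= 1.0:
                raise ValueError(f"{name} must be between 0 and 1, got {value}")

def basic_risk(row):
    """Risk rating as in the worksheet: likelihood x asset value."""
    return round(row.likelihood * row.asset_value, 2)

def residual_risk(row):
    """Full formula: likelihood x value, minus the share mitigated by current controls,
    plus an allowance for uncertainty. Assumption: both percentages are taken of the
    basic likelihood x value product (the slides do not specify this)."""
    base = row.likelihood * row.asset_value
    return round(base - base * row.mitigated + base * row.uncertainty, 2)

def rank(rows, scorer=residual_risk):
    """Order worksheet rows from highest to lowest risk so the plan addresses the worst first."""
    return sorted(rows, key=scorer, reverse=True)

# The four worksheet rows from the slide (asset values and likelihoods as on the page);
# control coverage and uncertainty are constructed for this example.
TVA = [
    TvaRow("Customer service request", 55, "Disruption due to hardware failure", 0.04, mitigated=0.5, uncertainty=0.1),
    TvaRow("Customer service request", 55, "Disruption due to software failure", 0.3, mitigated=0.2, uncertainty=0.2),
    TvaRow("Customer order received by SSL", 100, "Lost order due to server hardware failure", 0.05, mitigated=0.8, uncertainty=0.1),
    TvaRow("Customer order received by SSL", 100, "Lost order due to ISP failure", 0.1, mitigated=0.0, uncertainty=0.3),
]

if __name__ == "__main__":
    for row in rank(TVA):
        print(f"{residual_risk(row):6.2f}  (basic {basic_risk(row):5.2f})  {row.asset}: {row.vulnerability}")
```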
Risk analysis cycle
Asset identification & valuation → Threat assessment → Vulnerability assessment → Risk assessment → Control evaluation (countermeasures) → Residual risk → Action plan → Review → back to the start
Source: ITGI IT Governance Implementation Guide, 2nd ed, 2007
Risk management concepts
Risk management
• Risk identification & assessment: Inventory; Classification; Threat identification
• Risk control: Risk avoidance; Reduce and mitigate (Risk reduction); Risk transfer; Risk sharing; Risk retention
• Risk response: Incident handling; Disaster recovery
Back to controls
Controls
Control activities are: actions, supported by policies and procedures that, when carried out properly and in a timely manner, manage or reduce risks.
Controls
Preventive controls attempt to deter or prevent undesirable events from occurring. They are proactive controls that help to prevent a loss. Examples of preventive controls are separation of duties, proper authorisation, adequate documentation, and physical control over assets.
Detective controls, on the other hand, attempt to detect undesirable acts. They provide evidence that a loss has occurred but do not prevent a loss from occurring. Examples of detective controls are reviews, analyses, variance analyses, reconciliations, physical inventories, and audits.
These examples are from general business:
Can you think of the equivalent in information systems?
Controls
Both types of controls are essential to an effective internal control system.
From a quality standpoint, preventive controls are essential because they are proactive and emphasize quality.
However, detective/corrective controls play a critical role providing evidence that the preventive controls are functioning and preventing losses.
Controls and audit: Key facts
Controls are an expense
Controls that aren’t consistently used are no good
An audit is basically a check that the controls are
• Well designed (and cost effective)
• Have been operated consistently & correctly
Controls: Take 10

             | Prevent | Detect | Recover / mitigate
People       |         |        |
Process      |         |        |
Technology   |         |        |
Physical     |         |        |

Think of one IT-related control to go in each box
Risk assessment
Effect of controls
Current controls mitigate the threat
Possible controls can be identified
Different types of control
eg Access control: role-based, task-based

                 | People | Process | Tech
Prevent          |        |         |
Detect           |        |         |
Recover/mitigate |        |         |

This is one way of reviewing how you are controlling a risk in depth
Incident response
Context: Resilience
In the traditional sense, ‘resilience’ means the ability of a material to revert to its original shape after it has been deformed.
In information security (and in business continuity), resilience describes the ability of an enterprise to recover and absorb external shocks or events and their internal impacts.
Incident handling is a type of risk mitigation
Business impact analysis
Results of business impact analysis (BIA) and risk assessment:
• specific risks and scenarios, threats and vulnerabilities analysis, etc.
• clustered (aggregated) risk
• potential impacts and strategic options (with residual risk)
Key technologies
Cloud, network interconnections, supervisory control and data acquisition (SCADA) and other industrial control systems.
Focus is: what if they fail?
Incident strategy: two aspects
Knowing what to do
• Incident reporting
• Policies, reporting lines, authorities, etc.
Testing it
• Participation in & integration with exercises (EU/national/industry wide)
Not all events are incidents
Distinguish between events and incidents.
NIST defines an event as “any observable occurrence in a network or system.” This includes normal network operations, such as connections to servers, email transactions and database updates.
A computer security incident is “a violation or imminent threat of violation of computer security policies, acceptable use policies, or standard security practices.”
Incident response
Despite an organisation’s best efforts, attackers are sometimes successful. When this happens, an incident occurs.
When incidents occur, it is essential to have a plan in place to handle them. This is the purpose of incident response.
Terminology:
The people trained to deal with incidents are called incident handlers. They are part of an incident response team.
Incident response phases
Preparation
Detection & analysis
Containment, eradication, recovery
Post incident activity
Preparation to establish roles, responsibilities and plans for how an incident will be handled
Detection and Analysis capabilities to identify incidents as early as possible and effectively assess the nature of the incident
Investigation capability if identifying an adversary is required
Mitigation and Recovery procedures to contain the incident, reduce losses and return operations to normal
Post-incident Analysis to determine corrective actions to prevent similar incidents in the future
Conclusion
Today, we have covered
• The principles of risk management
• How risks and controls relate
• An outline of an incident handling plan
Final thought:
What is security?
“If we make security trade-offs based on the feeling of security rather than the reality, we choose security that makes us feel more secure over security that actually makes us more secure. And that’s what governments, companies, family members, and everyone else provide. Of course, there are two ways to make people feel more secure.
The first is to make people actually more secure, and hope they notice.
The second is to make people feel more secure without making them actually more secure, and hope they don’t notice.
The key here is whether we notice. The feeling and reality of security tend to converge when we take notice, and diverge when we don’t. People notice when 1) there are enough positive and negative examples to draw a conclusion, and 2) there isn’t too much emotion clouding the issue.”
The feeling and the reality of security, Schneier 2008
…Watch for security theatre, that is…
Thank you
PETER CRUICKSHANK
Lecturer in Information Systems. School of Computing,
Edinburgh Napier University
@spartakan | [email protected]
Sources and references
A good general source on this material is
Whitman & Mattord’s Management of Information Security (many editions)
Some of the material in this lecture is sourced from the following ISACA documents:
• Cybersecurity Student Book (2014)
• European Cybersecurity Implementation: Overview (2014)