© 2003 by Carnegie Mellon University page 1

Information Security Risk Evaluation for Colleges and

Universities

Carol Woody
Senior Technical Staff
Software Engineering Institute
Carnegie Mellon University

Copyright Statement

Copyright Carol Woody 2003. This work is the intellectual property of the author. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to republish requires written permission from the author.

Objectives

Internet Context

Security Risk Management

Information Security Risk Evaluation using the OCTAVE® Approach

Internet Context

The Old ’Net

The New ’Net

Source: http://cm.bell-labs.com/who/ches/map/gallery/index.html

Unwarranted Trust

• Address spoofing

• Viruses & worms

• Denial of service attacks

• Packet sniffing

• Password cracking

All Sites are Potentially Vulnerable

• Design vulnerabilities

• Implementation vulnerabilities

• Configuration vulnerabilities

• Resource vulnerabilities

• User vulnerabilities

• Business process vulnerabilities

Growth in Number of Vulnerabilities Reported to the CERT/CC

Attack Impact vs. Intruder Knowledge

Source: www.cert.org

Statistics from IT Security

CSI & FBI 2003 Computer Crime and Security Survey

• 78% of 530 respondents detected Internet security breaches

• 30% detected internal security breaches

Statistics from IT Security

Likely sources of attack

• Independent hackers

• Disgruntled employees (current & former)

• Competitors

• Foreign governments & corporations

Protection Responses

Implement effective security practices

• Firewalls

• Intrusion detection

• Encryption and authentication

• Software upgrades and patching

• Self-hacking (testing your own systems)

Protection is Incomplete

Security management requires a plan to recognize, resist, and recover

• Hackers are running programs on the Internet at all times looking for security holes (technical vulnerabilities).

• People using the Internet are unaware of the risks (organizational vulnerabilities).

Selecting Security Practices - 1

What do you need to protect?

What will protection failure mean?

What vulnerabilities exist in your environment?

How much protection can you afford?

Selecting Security Practices - 2

Technical Vulnerability Management

• Focus is primarily on technology

• Led by external experts

• Driven by software vendor information

• Accurate for a very limited timeframe

Selecting Security Practices - 3

Security Risk Management

• Led by the organization

• Defines and prioritizes the risks based on organizational goals

• Includes security issues in the planning, policy and procedures of the organization

• Considers a wider range of risks

Security Risk Management

Risk Management

Each organization must “own” its risk.

• Each organization has a unique set of information security risks.

• Information security risks can affect an organization’s ability to meet its mission.

Organizational Gap

Multiple Perspectives of Security

Internal and external participants

• Information technology (IT) staff

• Employees

• Managers

• Contractors

• Service providers

• Partners and collaborators

Risk Management Regulations

Regulations may mandate security risk management:

• Health Insurance Portability and Accountability Act (HIPAA) for health care organizations

• Gramm-Leach-Bliley Act for financial organizations

Risk Aware Culture

Information security risks cannot be addressed if they aren’t communicated to and understood by the organization’s decision makers.

Everyone must be able to identify and respond to security risks.

Risk - 1

The possibility of suffering harm or loss

Risk consists of

• an event

• a consequence

• uncertainty

Risk - 2

[Diagram: Event, Consequence, Uncertainty]

Risk - 3

[Diagram: Event (threat actor, asset, organizational vulnerabilities, technology vulnerabilities); Consequence (impact on organization); Uncertainty]

Effective Risk Management

Effective information security risk management requires:

• a systematic process

• experience and expertise

• information (e.g., risks, lessons learned)

• a risk-aware culture

Information Security Risk Management Framework

The OCTAVE® Approach

Operationally Critical Threat, Asset, and Vulnerability Evaluation SM

® OCTAVE is registered with the U.S. Patent and Trademark Office by Carnegie Mellon University

SM Operationally Critical Threat, Asset, and Vulnerability Evaluation is a service mark of Carnegie Mellon University.

Establish a Shared Risk Language

OCTAVE Approach

Use OCTAVE to identify, analyze, and plan security risk management.

OCTAVE Phases

OCTAVE is structured into the following three phases:

• Phase 1: Build Asset-Based Threat Profiles

• Phase 2: Identify Infrastructure Vulnerabilities

• Phase 3: Develop Security Strategy and Plans

OCTAVE Analysis Team

• An interdisciplinary team consisting of

- teaching and administrative staff

- information technology staff

Catalog of Security Practices

[Diagram: Security Practice Survey, OCTAVE Catalog of Practices, Protection Strategy, Mitigation Plan]

Catalog Structure

Strategic Practice Areas

Operational Practice Areas

• System and Network Management

• System Administration Tools

• Monitoring and Auditing IT Security

• Authentication and Authorization

• Vulnerability Management

• Encryption

• Security Architecture and Design

• Incident Management

• General Staff Practices

• Physical Security Plans and Procedures

• Physical Access Control

• Monitoring and Auditing Physical Security

Outputs of the OCTAVE Approach

• Protection Strategy: defines organizational direction

• Mitigation Plan: plans designed to reduce risk

• Action List: near-term action items
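As an added example, not part of this presentation and not OCTAVE's own worksheets or scoring, the risk components named on the Risk - 3 slide (threat actor, asset, organizational and technology vulnerabilities, impact, event, consequence, uncertainty) can be held in a small risk register that produces the three outputs listed above. The qualitative scales, the mapping from vulnerability kinds to practice areas from the catalog slide, the prioritization and action-list thresholds, and the sample university risks are all assumptions made for illustration.

```python
"""Risk register built from the components on the Risk - 3 slide.

Constructed illustration for this page; not OCTAVE's own worksheets or
scoring. The scales, the vulnerability-to-practice-area mapping, the
thresholds, and the sample risks are all assumptions.
"""
from dataclasses import dataclass

# Qualitative scales (assumed): higher number = more serious / more likely.
IMPACT = {"low": 1, "medium": 2, "high": 3}
LIKELIHOOD = {"low": 1, "medium": 2, "high": 3}   # the slide's "uncertainty"

# Assumed mapping from vulnerability kinds to practice areas named on the
# catalog slide; an organization would tailor this to its own catalog.
PRACTICE_AREA = {
    "unpatched software": "Vulnerability Management",
    "weak passwords": "Authentication and Authorization",
    "no log review": "Monitoring and Auditing IT Security",
    "untrained staff": "General Staff Practices",
    "unlocked server room": "Physical Access Control",
}


@dataclass(frozen=True)
class Risk:
    asset: str              # what the organization needs to protect
    actor: str              # threat actor
    vulnerabilities: tuple  # organizational and technology vulnerabilities used
    consequence: str        # impact on the organization, in words
    impact: str             # qualitative impact rating
    likelihood: str         # qualitative uncertainty rating

    @property
    def event(self) -> str:
        """The event: an actor acting on an asset through its vulnerabilities."""
        return f"{self.actor} acts on {self.asset} via {', '.join(self.vulnerabilities)}"

    def score(self) -> int:
        """Simple product of the two scales (assumed rule)."""
        return IMPACT[self.impact] * LIKELIHOOD[self.likelihood]


def prioritize(risks):
    """Order risks by impact first, then likelihood (assumed rule)."""
    return sorted(risks, key=lambda r: (IMPACT[r.impact], LIKELIHOOD[r.likelihood]),
                  reverse=True)


def protection_strategy(risks):
    """Protection Strategy: the practice areas the organization must direct."""
    areas = {PRACTICE_AREA[v] for r in risks for v in r.vulnerabilities}
    return sorted(areas)


def mitigation_plan(risks, min_impact="medium"):
    """Mitigation Plan: per asset, the practice areas that reduce its risks
    rated at or above min_impact (assumed threshold)."""
    plan = {}
    for r in risks:
        if IMPACT[r.impact] < IMPACT[min_impact]:
            continue
        plan.setdefault(r.asset, set()).update(PRACTICE_AREA[v] for v in r.vulnerabilities)
    return {asset: sorted(areas) for asset, areas in plan.items()}


def action_list(risks):
    """Action List: near-term items, here high impact and high likelihood
    (assumed threshold), in priority order."""
    return [r.event for r in prioritize(risks)
            if r.impact == "high" and r.likelihood == "high"]


# Constructed sample risks for a fictitious university.
SAMPLE_RISKS = [
    Risk("student records system", "independent hacker",
         ("unpatched software", "no log review"),
         "records disclosed; notification required", "high", "high"),
    Risk("research data server", "former employee", ("weak passwords",),
         "data altered or lost", "high", "medium"),
    Risk("payroll workstation", "current employee", ("untrained staff",),
         "phishing leads to fraud", "medium", "medium"),
    Risk("library catalog", "independent hacker", ("unpatched software",),
         "catalog defaced", "low", "high"),
]

if __name__ == "__main__":
    for r in prioritize(SAMPLE_RISKS):
        print(r.score(), r.event, "->", r.consequence)
    print("Protection strategy:", protection_strategy(SAMPLE_RISKS))
    print("Mitigation plan:", mitigation_plan(SAMPLE_RISKS))
    print("Action list:", action_list(SAMPLE_RISKS))
```

The point of separating the three functions is that each output has a different audience: the protection strategy is organization-wide direction, the mitigation plan is per-asset, and the action list is the short list of items to start on now. Any real deployment would replace the assumed scales and mapping with the organization's own, which is exactly the tailoring the OCTAVE phases are meant to produce.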

OCTAVE Method

Focused on large-scale (300 or more employees) or complex organizations

• A systematic, context-sensitive method for use across the organization, involving multiple organizational levels and IT

• Uses open-ended “essay” worksheets for information collection

• Requires moderate level of security expertise

OCTAVE-S

Focused on small (less than 100 employees) or simple organizations

• Requires analysis team to have a full, or nearly full, understanding of the organization and what is important

• Uses “fill-in-the-blank” worksheets in a structured process

• Requires less security expertise

Key Selection Question - 1

Does the analysis team (i.e., 3-5 people) have sufficient insight into the organization to characterize the information security risks affecting the organization?

Key Selection Question - 2

Does the organization have the capability (security expertise) to conduct the Phase 2 vulnerability evaluation?

OCTAVE Information

Visit http://www.cert.org/octave

• Introduction to the OCTAVE® Approach

• OCTAVE® Method Implementation Guide

• OCTAVE®-S (preliminary version)

Additional Options

OCTAVE® Transition Partners: licensed to train and assist organizations in using the OCTAVE Approach

Book: Managing Information Security Risks: The OCTAVESM Approach

Public Training at the SEI http://www.sei.cmu.edu/products/courses/

Questions?