© 2003 by Carnegie Mellon University page 1 Information Security Risk Evaluation for Colleges and Universities Carol Woody Senior Technical Staff Software

© 2003 by Carnegie Mellon University page 1

Information Security Risk Evaluation for Colleges and

Universities

Carol WoodySenior Technical StaffSoftware Engineering InstituteCarnegie Mellon University


Copyright Statement

Copyright Carol Woody 2003. This work is the intellectual property of the author. Permission is granted for this material to be shared for non-commercial, educational purposes, provided

that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of

the author. To disseminate otherwise or to republish requires written permission from the author.


Objectives

Internet Context

Security Risk Management

Information Security Risk Evaluation using the OCTAVE® Approach


Internet Context


The Old ’Net


The New ’Net

Source: http://cm.bell-labs.com/who/ches/map/gallery/index.html


Unwarranted Trust

•Address spoofing

•Viruses & worms

•Denial of service attacks

•Packet sniffing

•Password cracking


All Sites are Potentially Vulnerable

•Design Vulnerabilities

•Implementation Vulnerabilities

•Configuration Vulnerabilities

•Resource Vulnerabilities

•User Vulnerabilities

•Business Process Vulnerabilities


Growth in Number of Vulnerabilities Reported to the CERT/CC


Attack Impact v Intruder Knowledge

Source: www.cert.org


Statistics from IT Security

CSI & FBI 2003 Computer Crime and Security Survey

•78% of 530 respondents detected Internet security breaches

•30% detected internal security breaches


Statistics from IT Security

Likely sources of attack

•Independent hackers

•Disgruntled employees (current & former)

•Competitors

•Foreign governments & corporations


Protection Responses

Implement effective security practices

•Fire walls

•Intrusion detection

•Encryption and authentication

•Software upgrades and patching

•Self-hacking


Protection is Incomplete

Security management requires a plan to recognize, resist, and recover

•Hackers are running programs on the Internet at all times looking for security holes (technical vulnerabilities).

•People using the Internet are unaware of the risks (organizational vulnerabilities)


Selecting Security Practices - 1

What do you need to protect?

What will protection failure mean?

What vulnerabilities exist in your environment?

How much protection can you afford?



Technical Vulnerability Management• Focus is primarily on technology • Led by external experts• Driven by software vendor information• Accurate for a very limited timeframe



Security Risk Management• Led by the organization• Defines and prioritizes the risks based on organizational goals

• Includes security issues in the planning, policy and procedures of the organization

• Considers a wider range of risks


Security Risk Management


Risk Management

Each organization must “own” its risk.• Each organization has a unique set of information security risks.

• Information security risks can affect an organization’s ability to meet its mission.


Organizational Gap


Multiple Perspectives of Security

Internal and external participants• Information technology (IT) staff• Employees• Managers• Contractors• Service providers• Partners and collaborators


Risk Management Regulations

Regulations may mandate security risk management:• Health Insurance Portability and Accountability Act (HIPAA) for health care organizations

• Gramm-Leach-Bliley Act for financial organizations


Risk Aware Culture

Information security risks cannot be addressed if they aren’t communicated to and understood by the organization’s decision makers.

Everyone must be able to identify and respond to security risks.


Risk - 1

The possibility of suffering harm or loss

Risk consists of• an event • consequence• uncertainty


Risk - 2

Event Consequence

Uncertainty


Risk - 3

Threat Actor Asset

Organizational vulnerabilities Technology vulnerabilities

Impact on organization

Event Consequence

Uncertainty


Effective Risk Management

Effective information security risk management requires: • a systematic process • experience and expertise • information (e.g., risks, lessons learned)• a risk-aware culture


Information Security Risk Management Framework


The OCTAVE® Approach

Operationally Critical Threat, Asset, and Vulnerability Evaluation SM

® OCTAVE is registered with the U.S. Patent and Trademark Office by Carnegie Mellon University

SM Operationally Critical Threat, Asset, and Vulnerability Evaluation is a service mark of Carnegie Mellon University.


Establish a Shared Risk Language


OCTAVE Approach

Use OCTAVE to identify, analyze, and plan security risk management.


OCTAVE PhasesOCTAVE is structured into the following three phases:

• Phase 1: Build Asset-Based Threat Profiles • Phase 2: Identify Infrastructure Vulnerabilities

• Phase 3: Develop Security Strategy and Plans



OCTAVE Analysis Team

• An interdisciplinary team – consisting of- teaching and administrative staff- information technology staff


Catalog of Security Practices

Security Practice Survey

OCTAVE Catalog of Practices

Protection Strategy

Mitigation Plan


Catalog Structure


Strategic Practice Areas


System and Network Management

System Administration Tools

Monitoring and Auditing IT Security

Authentication and Authorization

Vulnerability Management

Encryption

Security Architecture and Design

Incident Management

General Staff Practices

Physical Security Plans and Procedures

Physical Access Control

Monitoring and Auditing Physical Security

Operational Practice Areas


Outputs of the OCTAVE Approach

Defines organizational direction

Plans designed to reduce risk

Near-term action items

Protection Strategy

Mitigation Plan

Action List


OCTAVE Method

Focused on large-scale (300 or more employees) or complex organizations

• A systematic, context-sensitive method for use across the organization, involving multiple organizational levels and IT

• Uses open-ended “essay” worksheets for information collection

• Requires moderate level of security expertise


OCTAVE-S

Focused on small (less than 100 employees) or simple organizations

• Requires analysis team to have a full, or nearly full, understanding of the organization and what is important

• Uses “fill-in-the-blank” worksheets in a structured process

• Requires less security expertise


Key Selection Question - 1

Does the analysis team (i.e., 3-5 people) have sufficient insight into the organization to characterize the information security risks affecting the organization?


Key Selection Question - 2

Does the organization have the capability (security expertise) to conduct the Phase 2 vulnerability evaluation?



OCTAVE Information

Visit http://www.cert.org/octave

• Introduction to the OCTAVE® Approach

•OCTAVE® Method Implementation Guide

•OCTAVE®-S (preliminary version)


Additional Options

OCTAVE® Transition Partners: licensed to train and assist organizations in using the OCTAVE Approach

Book: Managing Information Security Risks: The OCTAVESM Approach

Public Training at the SEI http://www.sei.cmu.edu/products/courses/


Questions?

Documents

© 2003 by Carnegie Mellon University page 1 Information Security Risk Evaluation for Colleges and Universities Carol Woody Senior Technical Staff Software