© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.comAll rights reserved.
Managing Risk in Information Systems
Lesson 4
Key Components of Risk Assessment
Learning Objectives
Identify assets and activities to protect within an organization.
Identify threats, vulnerabilities, and exploits.
Identify and analyze risk mitigation security controls.
Key Concepts
Identification of key activities and assets
Recognize value of data
Basic planning steps of a BIA
Techniques used to identify relevant threats, vulnerabilities, and exploits
Identify and compare procedural, technical, physical, and functional controls
DISCOVER: CONCEPTS
Risk Assessment Approaches
Quantitative Risk Assessment
Best Practices for Risk Assessment
Activities
• System Access
• System Availability
• System Functions: Manual and Automated
Identifying Activities
Eliminate single points of failure (SPOF)
• Part of a system that can cause the entire system to fail
• If the SPOF fails, the entire system fails
System Access and Availability
Goal: 99.999 percent uptime
Failover cluster
RAID
Identifying Assets
People can also be single points of failure
• Hire additional personnel
• Cross train
• Job rotation
Assets
• Hardware Assets
• Software Assets
• Personnel Assets
Identifying Data Assets
Protect data
Ensure methods are available to retrieve data
• Data warehousing
• Data mining
Data and Information
• Customer
• Intellectual Property
• Databases
Types of Assessments
Threat Assessment
Vulnerability Assessments
Exploit Assessments
Threat Assessments
Identifies and evaluates threats
• Determines impact on confidentiality
• Determines impact on integrity
• Determines impact on availability
Vulnerability Assessments
Vulnerabilities are any weaknesses in an IT infrastructure.
Assessments identify vulnerabilities within an organization:
• Servers
• Networks
• Personnel
Entire networks can be vulnerable if access controls aren’t implemented
Internal/External Vulnerability Assessments
Internal assessments
• Security professionals exploit internal systems to learn about vulnerabilities
External assessments
• Personnel outside the company exploit systems to learn about vulnerabilities
Intrusion Detection System Outputs
IDS uses logs
Logs can be used in assessments
Verifying Rights and Permissions
Verify user rights and permissions
• Principle of least privilege
Exploit Assessments
Exploit assessments attempt to exploit vulnerabilities
• They simulate an attack to determine if the attack can succeed
An exploit test:
• Usually starts with a vulnerability test to determine vulnerabilities
• Follows with an attempt to exploit the vulnerability
In-Place Controls
Installed in an operational system
Replace in-place controls that don’t meet goals
Three primary objectives of controls:
• Prevent
• Recover
• Detect
Planned Controls
Those that have been approved but not yet installed
Identify planned controls before approving others
Vulnerabilities that planned controls mitigate still exist
Evaluate effectiveness of a planned control through research
Functional Controls: Controls Based on Function Being Performed
Preventive
• Hardening
• Patching
Detective
• Audit trails
• IDS
Corrective
• Backups
• File recovery
NIST SP 800-53 Control Families
Access Control (AC)
Audit and Accountability (AU)
Awareness and Training (AT)
Configuration Management (CM)
Contingency Planning (CP)
Identification and Authentication (IA)
Incident Response (IR)
Maintenance (MA)
Media Protection (MP)
Personnel Security (PS)
NIST SP 800-53 Control Families (Cont.)
Physical and Environmental Protection (PE)
Planning (PL)
Program Management (PM)
Risk Assessment (RA)
Security Assessment and Authorization (CA)
System and Communications Protection (SC)
System and Information Integrity (SI)
System and Services Acquisition (SA)
Procedural Control Examples
Policies and procedures
Security plans
Insurance and bonding
Background and financial checks
Procedural Control Examples (Cont.)
Data loss prevention program
Awareness training
Rules of behavior
Software testing
Technical Control Examples
Login identifier
Session timeout
System logs and audit trails
Data range and reasonableness checks
Firewalls and routers
Encryption
Public key infrastructure (PKI)
Firewalls and Routers
Filters traffic
• Access control lists (ACLs)
Using Digital Signatures
Physical Control Examples
Locked doors, guards, CCTV
Fire detection and suppression
Water detection
Temperature and humidity detection
Electrical grounding and circuit breakers
DISCOVER: PROCESS
Business Impact Analysis (BIA)
A business impact analysis (BIA) differentiates critical (urgent) and non-critical (non-urgent) organization functions/activities. Critical functions are those whose disruption is regarded as unacceptable. Perceptions of acceptability are affected by the cost of recovery solutions. A function may also be considered critical if dictated by law. For each critical (in scope) function, two values are then assigned:
Recovery Point Objective (RPO) – the acceptable latency of data that will not be recovered. For example, is it acceptable for the company to lose 2 days of data?
Recovery Time Objective (RTO) – the acceptable amount of time to restore the function.
The recovery point objective must ensure that the maximum tolerable data loss for each activity is not exceeded. The recovery time objective must ensure that the Maximum Tolerable Period of Disruption (MTPoD) for each activity is not exceeded.
Source: http://en.wikipedia.org/wiki/Business_continuity_planning#Business_impact_analysis_.28BIA.29
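As an added example, not part of the lesson: a small check that the RPO and RTO assigned to each critical (in-scope) function stay within the tolerances the BIA established, the maximum tolerable data loss and the MTPoD. The functions, tolerances and recovery targets are constructed for illustration, with the "lose 2 days of data" case included as a 48-hour RPO.

```python
from dataclasses import dataclass

@dataclass
class Function:
    name: str
    critical: bool              # disruption unacceptable, or protection required by law
    mtpod_hours: float          # Maximum Tolerable Period of Disruption
    max_data_loss_hours: float  # maximum tolerable data loss, as a time window

@dataclass
class RecoveryTargets:
    rpo_hours: float            # Recovery Point Objective
    rto_hours: float            # Recovery Time Objective

def check_bia(functions, targets):
    """Return (function name, problem) pairs for in-scope functions whose assigned
    RPO/RTO exceed what the BIA says the business can tolerate."""
    findings = []
    for fn in functions:
        if not fn.critical:
            continue                      # non-critical functions are out of scope
        t = targets.get(fn.name)
        if t is None:
            findings.append((fn.name, "critical function has no RPO/RTO assigned"))
            continue
        if t.rpo_hours > fn.max_data_loss_hours:
            findings.append((fn.name, f"RPO {t.rpo_hours}h exceeds maximum tolerable data loss {fn.max_data_loss_hours}h"))
        if t.rto_hours > fn.mtpod_hours:
            findings.append((fn.name, f"RTO {t.rto_hours}h exceeds MTPoD {fn.mtpod_hours}h"))
    return findings

# Constructed sample data (all values in hours)
FUNCTIONS = [
    Function("order-processing", True, mtpod_hours=4, max_data_loss_hours=1),
    Function("payroll", True, mtpod_hours=72, max_data_loss_hours=24),
    Function("customer-portal", True, mtpod_hours=8, max_data_loss_hours=2),
    Function("intranet-wiki", False, mtpod_hours=168, max_data_loss_hours=168),
]
TARGETS = {
    "order-processing": RecoveryTargets(rpo_hours=48, rto_hours=4),  # "lose 2 days of data": too loose
    "payroll": RecoveryTargets(rpo_hours=24, rto_hours=96),           # restore takes too long
    "customer-portal": RecoveryTargets(rpo_hours=1, rto_hours=6),    # within tolerance
    # intranet-wiki deliberately has no targets: non-critical, so it is never flagged
}

if __name__ == "__main__":
    for name, problem in check_bia(FUNCTIONS, TARGETS):
        print(f"{name}: {problem}")
```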
BIA Planning Introduction
Identifies impact of sudden loss
Define the scope
Identify objectives
Identify mission-critical functions and processes
Map functions and processes to IT systems
Assessing Vulnerabilities
Documentation review
Review logs
Vulnerability scans
Audits and personnel interviews
Process and output analysis
System testing
Process Analysis and Output Analysis
Firewall has five rules
• Use process analysis
Firewall has 100 rules
• Use output analysis
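An added illustration of the distinction above, not from the lesson: with a handful of rules you can trace each test packet through the rule base in order (process analysis); with a large rule base it is more practical to take what the firewall actually allowed, from its logs, and compare it against the intended service list (output analysis). The rules, the intended-service table, the log format and the log lines are all constructed for this example.

```python
import ipaddress
import re
from collections import Counter

def src_matches(src_ip, allowed_src):
    """True when src_ip is inside allowed_src ('any' or a CIDR block)."""
    return allowed_src == "any" or ipaddress.ip_address(src_ip) in ipaddress.ip_network(allowed_src)

# Process analysis suits a small rule base: walk the rules in order for each
# test packet, first match wins, implicit deny at the end. Rules are constructed.
RULES = [
    ("allow", "any", 443),
    ("allow", "10.0.0.0/8", 22),
    ("allow", "any", 80),
]

def process_analysis(src_ip, dst_port):
    """Return (index of the matching rule or None, resulting action) for one packet."""
    for i, (action, src, port) in enumerate(RULES):
        if src_matches(src_ip, src) and port == dst_port:
            return i, action
    return None, "deny"

# Output analysis suits a large rule base: ignore the rules themselves and check
# what the firewall actually let through against what the business intended.
INTENDED = {443: "any", 80: "any", 22: "10.0.0.0/8"}   # port -> permitted sources

LOG_RE = re.compile(r"action=(?P<action>\w+) src=(?P<src>[\d.]+) dport=(?P<dport>\d+)")
SAMPLE_LOG = """\
action=allow src=203.0.113.5 dport=443
action=allow src=10.1.2.3 dport=22
action=allow src=198.51.100.9 dport=22
action=deny src=198.51.100.9 dport=3389
action=allow src=203.0.113.7 dport=8080
"""  # constructed log lines

def output_analysis(log_text, intended=INTENDED):
    """Return {(src, dport): count} for allowed flows that no intended service explains."""
    unexpected = Counter()
    for m in LOG_RE.finditer(log_text):
        if m["action"] != "allow":
            continue
        port = int(m["dport"])
        if port not in intended or not src_matches(m["src"], intended[port]):
            unexpected[(m["src"], port)] += 1
    return dict(unexpected)

if __name__ == "__main__":
    print(process_analysis("198.51.100.9", 22))   # (None, 'deny'): rule 1 only covers 10/8
    print(output_analysis(SAMPLE_LOG))            # flows the rule base should not have passed
```

Each flow that output analysis flags is a candidate for a rule that process analysis would have had to trace through all 100 entries to find.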
Procedure for Assessing Exploits
Identification
Mitigation
Implementation
Remediation
Suggested Steps for Implementing Security Controls
Selection of security control
Documentation of each control
Implementation of each control
• Insurance
• Avoidance
• Reduction
• Retention
DISCOVER: ROLES
Data and Information Assets
Data protected by:
• Access controls
• Backups
Data Classifications
Organization classifications:
Proprietary    Highest level of protection
Private        Protected internally
Public         Freely available
Government classifications:
Top Secret
Secret
Confidential
Data and Information Asset Categories
Organization
Customer
Intellectual property
Data warehousing
Data mining
Internal Threats
Internal threats
• Users with unintentional access
• Users responding to phishing attempts
• Users forwarding viruses
• Disgruntled ex-employees
• Equipment failure
• Data loss
• Attacks
External Threats
Attack public-facing servers
Weather conditions and natural disasters
Risk Mitigation Functions
Senior management
IT management
Functional management and employees
Contractors/vendors
DISCOVER: CONTEXTS
Identify Assets
First step in risk management
• You can’t plan the protection if you don’t know what you’re protecting
When do you want to identify a single point of failure?
• Before it fails?
• Or after it fails?
Threat Modeling
What system are you trying to protect?
Is the system susceptible to attacks?
Who are the potential adversaries?
How might a potential adversary attack?
Is the system susceptible to hardware or software failure?
Who are the users?
How might an internal user misuse the system?
Key to Risk Management
Risk = Threat × Vulnerability
• Threat assessments
  - Help reduce impact of threats
• Vulnerability assessments
  - Help reduce vulnerabilities
• Exploit assessments
  - Help validate actual threats and vulnerabilities
Controls Mitigate Risk
Controls reduce impact of threats
Controls reduce vulnerabilities to an acceptable level
Hundreds of controls
• Best to evaluate based on categories
DISCOVER: RATIONALE
Identify Valuable Assets
Ask a system owner
• How much downtime can you accept?
  - Answer: “None”
• How much data loss can you accept?
  - Answer: “None”
Then ask
• “How much money are you willing to spend?”
System Testing
Functionality testing
• Defining requirements
Access controls
• Verifying user rights and allocations
Penetration testing
• Verifying security countermeasures
Tests transactions with applications
Variety of Controls Needed
What is missed if only technical controls are used?
What is missed if only procedural controls are used?
What is missed if only physical controls are used?
Summary
Identification of key activities and assets
Recognize value of data
Basic planning steps of a BIA
Techniques used to identify relevant threats, vulnerabilities, and exploits
Identify and compare procedural, technical, physical, and functional controls