Managing Info Security


8/14/2019 Managing Info Security

© 2002 by Carnegie Mellon University

    NSS* Program Strategies

    *Networked Systems Survivability

Survivable Enterprise Management

Our mission is to assist organizations in attaining and maintaining an acceptable level of information asset protection by:
- applying information security management practices and techniques
- identifying, initiating, and validating effective survivability practices and protection strategies

Requires acknowledging and establishing information survivability as a legitimate, on-going business process.


    Agenda

    Beyond Technology Vulnerability Evaluations

    Overview of OCTAVE

    Summary

Evaluation Practice in January 1999

Products and services varied widely.

Evaluations
- tended to have a technological focus
- were often conducted without a site's direct participation
- were often precipitated by an event (reactive)

Evaluation criteria were often inconsistent or undefined.

Organizations typically did not follow through by implementing the results of the evaluation.

Need to Expand the Security Evaluation Focus

- Both organizational and I/T focused
- Proactive rather than reactive
- Based on the organization's unique risk factors
- Inclusive of security policy, practices, procedures
- Foundation for continuous security improvement


    Organizational Gap


You Own Your Risk

- Risk is unique to each organization.
- Risk is linked to business drivers.
- All levels of the organization need to be engaged.
- Internal expertise is required.
- External experts can be acquired as needed.
- Although you can insure for some things, your risks cannot be completely outsourced.

Figure: Internal Expertise / External Expertise

Operationally Critical Threat, Asset, and Vulnerability Evaluation

Founding Philosophy

- You cannot mitigate all risks.
- Your budget is not limitless. Neither are your other resources.
- You cannot prevent all determined, skilled incursions.
- You need to determine the best use of your limited resources to ensure the survivability of your enterprise.
  - enterprise view
  - focus on critical few


    OCTAVE Approach


    OCTAVE and Risk Management

Important Aspects of OCTAVE - 1

- Identifies information security risks that could prevent you from achieving your mission - ensuring business continuity.
- Looks at information security enterprise-wide.
- Creates a focused protection strategy
  - information asset-driven threat and risk identification
  - based on your organization's
    - unique operational security risks
    - current security practices
    - current organizational and technological weaknesses

Important Aspects of OCTAVE - 2

- Enables you to effectively communicate critical information security issues.
- Provides a foundation for future security improvements.
- Positions your organization for compliance with data security requirements or regulations.


    OCTAVE Approach


    OCTAVE Principles


    OCTAVE Process

    Operationally Critical Threat, Asset, and Vulnerability Evaluation

Conducting OCTAVE

An interdisciplinary team, composed of:
- business or mission-related staff
- information technology staff

Scoping OCTAVE

- Focus the risk evaluation to look at a cross section of the key areas of the enterprise.
- Use the knowledge and expertise across a broad range of employees
  - senior managers
  - operational area managers
  - staff
  - information technology staff
- Scale the evaluation up or down by changing the scope.

OCTAVE Method

- Focused on large-scale organizations
- Is a systematic, context-sensitive method for evaluating risks
  - series of workshops conducted by analysis team
- Defined by
  - method implementation guide (procedures, guidance, worksheets, information catalogs)
  - method training
  - Managing Information Security Risks (Addison-Wesley book)

OCTAVE-S

Currently in pilot testing, this method defines a more structured method for evaluating risks in small organizations.
- requires less security expertise, if any, in analysis team
- analysis team has a full, or nearly full, understanding of the organization and what is important
- uses fill-in-the-blank as opposed to essay style

Will be defined by
- detailed procedures for each process
- worksheets and templates for each process
- information catalogs


    OCTAVE Process

    Operationally Critical Threat, Asset, and Vulnerability Evaluation

Phase 1 Questions

- What are your organization's critical information-related assets?
- What is important about each critical asset?
- Who or what threatens each critical asset?
- What is your organization currently doing to protect its critical assets?
- What weaknesses in policy and practice currently exist in your organization?

OCTAVE Catalog of Practices - 1

Strategic Practice Areas
- Security Awareness and Training
- Collaborative Security Management
- Security Management
- Contingency Planning/Disaster Recovery
- Security Strategy
- Security Policies and Regulations

OCTAVE Catalog of Practices - 2

Operational Practice Areas

Physical Security
- Physical Security Plans and Procedures
- Physical Access Control
- Monitoring and Auditing Physical Security

Information Technology Security
- System and Network Management
- System Administration Tools
- Monitoring and Auditing IT Security
- Authentication and Authorization
- Vulnerability Management
- Encryption
- Security Architecture and Design
- Incident Management

Staff Security
- General Staff Practices

Critical Assets

The most important assets to the organization
- information
- systems
- services and applications
- people

There will be a large adverse impact to the organization if
- the asset is disclosed to unauthorized people.
- the asset is modified without authorization.
- the asset is lost or destroyed.
- access to the asset is interrupted.

Threat Profile

A threat profile contains a range of threat scenarios for a critical asset using the following sources of threats:
- human actors using network access
- human actors using physical access
- system problems
- other problems

The threat profile is visually represented using asset-based threat trees, one for each of the four sources of threats.


    Threat Properties

    Asset

    Actor

    Motive (optional)

    Access (optional)

    Outcome

Human Actors - Network Access

Asset-based threat tree (columns: asset, access, actor, motive, outcome):

asset
  network
    inside
      accidental: disclosure, modification, loss/destruction, interruption
      deliberate: disclosure, modification, loss/destruction, interruption
    outside
      accidental: disclosure, modification, loss/destruction, interruption
      deliberate: disclosure, modification, loss/destruction, interruption

Note: heavy red line indicates a perceived threat.

Human Actors - Physical Access

Asset-based threat tree (columns: asset, access, actor, motive, outcome):

asset
  physical
    inside
      accidental: disclosure, modification, loss/destruction, interruption
      deliberate: disclosure, modification, loss/destruction, interruption
    outside
      accidental: disclosure, modification, loss/destruction, interruption
      deliberate: disclosure, modification, loss/destruction, interruption

System Problems

Asset-based threat tree (columns: asset, actor, outcome):

asset
  software defects: disclosure, modification, loss/destruction, interruption
  system crashes: disclosure, modification, loss/destruction, interruption
  malicious code: disclosure, modification, loss/destruction, interruption
  LAN instability: disclosure, modification, loss/destruction, interruption

Other Problems

Asset-based threat tree (columns: asset, actor, outcome):

asset
  natural disasters: disclosure, modification, loss/destruction, interruption
  ISP unavailable: disclosure, modification, loss/destruction, interruption
  telecommunications problems or unavailability: disclosure, modification, loss/destruction, interruption
  power supply problems: disclosure, modification, loss/destruction, interruption


    OCTAVE Process

    Operationally Critical Threat, Asset, and Vulnerability Evaluation

Phase 2 Questions

- How do people access each critical asset?
- What infrastructure components are related to each critical asset? What are the key components of the computing infrastructure?
- What technological weaknesses expose your critical assets to threats?
- Which technological weaknesses need to be addressed immediately?

Vulnerability Evaluation Strategy

- Conduct a vulnerability evaluation that is focused on where critical assets live
- Make a long-term recommendation to eventually build, or contract for, a vulnerability management capability

Phase 2 Strategy
- Identify key components and review previous evaluation results or contract for a vulnerability evaluation of those components

Vulnerability Evaluations and Tools

Vulnerability evaluation tools identify
- known weaknesses in technology
- misconfigurations of well known administrative functions, such as
  - file permissions on certain files
  - accounts with null passwords
- what an attacker can determine about your systems and networks

Vulnerability Tools and Practices

Operational Practice Areas

Information Technology Security
- System and Network Management
- Monitoring and Auditing IT Security
- Authentication and Authorization
- Encryption
- Vulnerability Management
- System Administration Tools
- Security Architecture and Design
- Incident Management

Staff Security
- General Staff Practices

Physical Security
- Physical Security Plans and Procedures
- Physical Access Control
- Monitoring and Auditing Physical Security

Threats Driven by Vulnerabilities - 1

Asset-based threat tree, human actors with network access (columns: asset, access, actor, motive, outcome):

asset
  network
    inside
      accidental: disclosure, modification, loss/destruction, interruption
      deliberate: disclosure, modification, loss/destruction, interruption
    outside
      accidental: disclosure, modification, loss/destruction, interruption
      deliberate: disclosure, modification, loss/destruction, interruption

Threats Driven by Vulnerabilities - 2

Asset-based threat tree, system problems (columns: asset, actor, outcome):

asset
  software defects: disclosure, modification, loss/destruction, interruption
  malicious code: disclosure, modification, loss/destruction, interruption
  LAN instability: disclosure, modification, loss/destruction, interruption
  system crashes: disclosure, modification, loss/destruction, interruption


    OCTAVE Process

    Operationally Critical Threat, Asset, and Vulnerability Evaluation

Phase 3 Questions

- What is the potential impact on your organization due to each threat? (What are your risks?)
- Which are the highest-priority risks to your organization?
- What policies and practices does your organization need to address?
- What can your organization do to recognize, resist, and recover from its highest-priority risks?

Impact on the Organization

When something negative occurs, it can have an impact on your company.

Impact is described using either qualitative or quantitative values for several areas of potential impact.

Values for each area are defined by a set of evaluation criteria.

Once you define a good set of impact evaluation criteria, they tend to remain stable from one evaluation to the next.

Impact Criteria

A basic set of impact areas includes:
- reputation/customer confidence
- life/health of customers
- fines/legal penalties
- financial
- productivity
- other

Examples:
- To a hospital, a medium life/health impact is a patient death; a high impact is permanently disabling a patient
- $1 million is a low impact to some, a high to others

Risk

Risk comprises
- an event (a threat scenario)
- consequence (impact on the organization)
- uncertainty (whether the threat scenario will occur)

Risks are evaluated to help determine:
- relative priority
- which risks to actually mitigate

Impact evaluation is required in OCTAVE; qualitative probability is being tested in OCTAVE-S.

Evaluating Risks

The human-actors/network-access threat tree extended with an impact column (columns: asset, access, actor, motive, outcome, impact); vulnerability assessment results feed into the evaluation. On the slide the branches that carry values rate the outcomes as disclosure Medium, modification High, loss/destruction High, interruption Low; one branch carries no impact values.

Outputs of OCTAVE

- Protection Strategy: defines organizational direction
- Mitigation Plan: plans designed to reduce risk
- Action List: near-term action items


    Putting It All Together

From Assets to Mitigation Plans

Critical Asset -> Risks -> Mitigation Approach -> Mitigation Plan

Risks and mitigation approach:
- Risk A: Accept
- Risk B: Mitigate
- Risk C: Mitigate
- Risk D: Defer

Mitigation Plan (practices to improve):
- Training and Security Architecture related tasks
- Monitoring IT Security related tasks
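The slides from Threat Profile through From Assets to Mitigation Plans describe one pipeline: enumerate the four asset-based threat trees for a critical asset, rate each perceived threat against the impact criteria, turn the result into ranked risks, and pick a mitigation approach for each. The following Python block, added here as an illustration and not part of the original presentation or of the SEI's OCTAVE materials, models that pipeline end to end. The critical asset, the actors in the system-problems and other-problems trees, the financial thresholds, the per-area impact ratings and the default High/Medium/Low to Mitigate/Defer/Accept policy are all constructed assumptions; in a real OCTAVE the analysis team defines the criteria and chooses the approach.

```python
"""OCTAVE-style threat profile, impact evaluation and risk ranking (added illustration)."""
from dataclasses import dataclass
from itertools import product
from typing import Dict, List, Optional, Tuple

OUTCOMES = ("disclosure", "modification", "loss/destruction", "interruption")
LEVEL = {"Low": 1, "Medium": 2, "High": 3}   # qualitative impact scale used on the slides


@dataclass(frozen=True)
class Threat:
    """One threat scenario: a leaf of an asset-based threat tree (threat properties slide)."""
    source: str                   # which of the four trees the scenario belongs to
    asset: str
    actor: str
    outcome: str
    access: Optional[str] = None  # optional property, human-actor trees only
    motive: Optional[str] = None  # optional property, human-actor trees only


def threat_profile(asset: str, system_actors, other_actors) -> List[Threat]:
    """Enumerate the four threat trees for one critical asset."""
    threats = []
    for access in ("network", "physical"):            # human actors, two trees
        for actor, motive, outcome in product(("inside", "outside"),
                                              ("accidental", "deliberate"), OUTCOMES):
            threats.append(Threat(f"human actors - {access} access", asset,
                                  actor, outcome, access, motive))
    for actor, outcome in product(system_actors, OUTCOMES):   # system problems tree
        threats.append(Threat("system problems", asset, actor, outcome))
    for actor, outcome in product(other_actors, OUTCOMES):    # other problems tree
        threats.append(Threat("other problems", asset, actor, outcome))
    return threats


def financial_level(loss_usd: float) -> str:
    """Constructed evaluation criteria for the 'financial' impact area.
    The thresholds are an assumption; each organization defines its own."""
    if loss_usd >= 1_000_000:
        return "High"
    if loss_usd >= 100_000:
        return "Medium"
    return "Low"


def evaluate_impact(area_values: Dict[str, str]) -> str:
    """Overall impact of a threat = worst rating across its impact areas (constructed rule)."""
    return max(area_values.values(), key=LEVEL.__getitem__)


def mitigation_approach(impact: str) -> str:
    """Constructed default policy; in OCTAVE the analysis team makes this call."""
    return {"High": "Mitigate", "Medium": "Defer", "Low": "Accept"}[impact]


def rank_risks(perceived: Dict[Threat, Dict[str, str]]) -> List[Tuple[Threat, str, str]]:
    """Risk = threat scenario + impact. Highest-priority risks first, outcome name as tie-break."""
    risks = []
    for threat, area_values in perceived.items():
        impact = evaluate_impact(area_values)
        risks.append((threat, impact, mitigation_approach(impact)))
    return sorted(risks, key=lambda r: (-LEVEL[r[1]], r[0].outcome))


def demo() -> List[Tuple[Threat, str, str]]:
    """Constructed walk-through for one critical asset."""
    asset = "patient records system"                 # constructed critical asset
    profile = threat_profile(
        asset,
        ("software defects", "system crashes", "malicious code", "LAN instability"),
        ("natural disasters", "power supply problems"))
    by_key = {(t.source, t.actor, t.motive, t.outcome): t for t in profile}
    # Scenarios the team marked as perceived threats (the slides' heavy red line),
    # each with constructed qualitative values for the impact areas it touches.
    perceived = {
        by_key[("human actors - network access", "outside", "deliberate", "disclosure")]:
            {"reputation/customer confidence": "High", "fines/legal penalties": "High",
             "financial": financial_level(250_000)},
        by_key[("human actors - network access", "inside", "accidental", "modification")]:
            {"life/health of customers": "Medium", "productivity": "Low"},
        by_key[("system problems", "software defects", None, "interruption")]:
            {"productivity": "Medium", "financial": financial_level(20_000)},
        by_key[("other problems", "power supply problems", None, "interruption")]:
            {"productivity": "Low"},
    }
    return rank_risks(perceived)


if __name__ == "__main__":
    for threat, impact, approach in demo():
        who = f"{threat.actor}/{threat.motive}" if threat.motive else threat.actor
        print(f"{impact:<6} {approach:<8} {threat.source}: {who} -> {threat.outcome}")
```

Running `demo()` returns the ranked list as (threat, impact, approach) tuples. The full profile for one asset with four system-problem and two other-problem actors comes to 56 leaf scenarios; only the ones the team marks as perceived threats receive impact values, which is the step that turns the catalogue of trees into a short list of risks to accept, mitigate or defer.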


After OCTAVE

Steps required to implement the results of this evaluation and improve the organization's security posture:
- getting management sponsorship for security improvement
- monitoring implementation of the results of the current evaluation
- expanding the current evaluation, if needed
- scheduling the next information security risk evaluation


    Summary

Findings - 1

OCTAVE produces usable results at each phase.
- identifying critical assets can change the focus of many other activities and alter resource allocations
- surveys alone produce institutional learning
- vulnerability assessments become more useful

Other interesting results
- one IT department found effective justification for increased budgets
- one company used it to start long-term improvements in their third-party relations and contracting

Findings - 2

Workshops produce a strong side effect of team building and increased security awareness.
- IT staff realize what users are really doing
- users have a better appreciation for security measures
- managers have a better sense of what's really going on in the organization

Some immediate actions that occurred
- reallocation of information across servers
- removal of private information from web sites
- immediate purchase of insurance
- building access restrictions
- review of arrangements with building managers

Keys for Success with the OCTAVE Approach

- Getting senior management sponsorship
- Selecting the right analysis team
- Setting the scope of the evaluation
- Selecting participants (for OCTAVE Method)

Some OCTAVE Users - 1

The Security Working Integrated Project Team (Security WIPT), Office of the Assistant Secretary of Defense/Health Affairs (OASD/HA), endorses OCTAVE as the preferred information security risk assessment to prepare for complying with the Administrative Simplification subsection of the Health Insurance Portability and Accountability Act of 1996.
- analysis teams have been trained in all international regions of the Department of Defense healthcare domain
- additional teams are scheduled to be trained in 2003

Some OCTAVE Users - 2

- FirstGov (now the Office of Citizen Services and Communication)
- Small companies in Western Pennsylvania
- County government
- Variety of national and international companies and consulting organizations are now using all or part of OCTAVE


    Questions?


    OCTAVE Approach

For Additional Information

OCTAVE
Internet: [email protected]
WWW: http://www.cert.org/octave

Software Engineering Institute
Telephone: 412 / 268-5800
Fax: 412 / 268-5758
Internet: [email protected]
U.S. mail: Customer Relations, Software Engineering Institute, Carnegie Mellon University, Pittsburgh, PA 15213-3890