8/14/2019 Managing Info Security
1/60
© 2002 by Carnegie Mellon University
NSS* Program Strategies
*Networked Systems Survivability
Survivable Enterprise Management
Our mission is to assist organizations in attaining and maintaining an acceptable level of information asset protection by:
- applying information security management practices and techniques
- identifying, initiating, and validating effective survivability practices and protection strategies
This requires acknowledging and establishing information survivability as a legitimate, ongoing business process.
Agenda
Beyond Technology Vulnerability Evaluations
Overview of OCTAVE
Summary
Evaluation Practice in January 1999
Products and services varied widely.
Evaluations
- tended to have a technological focus
- were often conducted without a site's direct participation
- were often precipitated by an event (reactive)
Evaluation criteria were often inconsistent or undefined.
Organizations typically did not follow through by
implementing the results of the evaluation.
Need to Expand the Security Evaluation Focus
- Both organizational and IT focused
- Proactive rather than reactive
- Based on the organization's unique risk factors
- Inclusive of security policy, practices, procedures
- Foundation for continuous security improvement
Organizational Gap
You Own Your Risk
- Risk is unique to each organization.
- Risk is linked to business drivers.
- All levels of the organization need to be engaged.
- Internal expertise is required.
- External experts can be acquired as needed.
- Although you can insure for some things, your risks cannot be completely outsourced.
(Figure: internal expertise versus external expertise)
Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE)
Founding Philosophy
- You cannot mitigate all risks.
- Your budget is not limitless. Neither are your other resources.
- You cannot prevent all determined, skilled incursions.
- You need to determine the best use of your limited resources to ensure the survivability of your enterprise.
  - enterprise view
  - focus on the critical few
OCTAVE Approach
OCTAVE and Risk Management
Important Aspects of OCTAVE - 1
- Identifies information security risks that could prevent you from achieving your mission, i.e. ensuring business continuity.
- Looks at information security enterprise-wide.
- Creates a focused protection strategy
  - information asset-driven threat and risk identification
  - based on your organization's unique operational security risks, current security practices, and current organizational and technological weaknesses
Important Aspects of OCTAVE - 2
- Enables you to effectively communicate critical information security issues.
- Provides a foundation for future security improvements.
- Positions your organization for compliance with data security requirements or regulations.
OCTAVE Approach
OCTAVE Principles
OCTAVE Process
Operationally Critical Threat, Asset, and Vulnerability Evaluation
Conducting OCTAVE
An interdisciplinary team, composed of:
- business or mission-related staff
- information technology staff
Scoping OCTAVE
- Focus the risk evaluation to look at a cross section of the key areas of the enterprise.
- Use the knowledge and expertise across a broad range of employees:
  - senior managers
  - operational area managers
  - staff
  - information technology staff
- Scale the evaluation up or down by changing the scope.
OCTAVE Method
- Focused on large-scale organizations
- Is a systematic, context-sensitive method for evaluating risks
  - series of workshops conducted by the analysis team
- Defined by
  - method implementation guide (procedures, guidance, worksheets, information catalogs)
  - method training
  - Managing Information Security Risks (Addison-Wesley book)
OCTAVE-S
Currently in pilot testing, this method defines a more structured method for evaluating risks in small organizations.
- requires less security expertise, if any, in the analysis team
- analysis team has a full, or nearly full, understanding of the organization and what is important
- uses fill-in-the-blank as opposed to essay style
Will be defined by
- detailed procedures for each process
- worksheets and templates for each process
- information catalogs
OCTAVE Process
Operationally Critical Threat, Asset, and Vulnerability Evaluation
Phase 1 Questions
- What are your organization's critical information-related assets?
- What is important about each critical asset?
- Who or what threatens each critical asset?
- What is your organization currently doing to protect its critical assets?
- What weaknesses in policy and practice currently exist in your organization?
OCTAVE Catalog of Practices - 1
Strategic Practice Areas:
- Security Awareness and Training
- Security Strategy
- Security Management
- Security Policies and Regulations
- Collaborative Security Management
- Contingency Planning/Disaster Recovery
OCTAVE Catalog of Practices - 2
Operational Practice Areas:
- Physical Security
  - Physical Security Plans and Procedures
  - Physical Access Control
  - Monitoring and Auditing Physical Security
- Information Technology Security
  - System and Network Management
  - System Administration Tools
  - Monitoring and Auditing IT Security
  - Authentication and Authorization
  - Vulnerability Management
  - Encryption
  - Security Architecture and Design
  - Incident Management
- Staff Security
  - General Staff Practices
Critical Assets
The most important assets to the organization:
- information
- systems
- services and applications
- people
There will be a large adverse impact to the organization if
- the asset is disclosed to unauthorized people.
- the asset is modified without authorization.
- the asset is lost or destroyed.
- access to the asset is interrupted.
Threat Profile
A threat profile contains a range of threat scenarios for a critical asset using the following sources of threats:
- human actors using network access
- human actors using physical access
- system problems
- other problems
The threat profile is visually represented using asset-based threat trees, one for each of the four sources of threats.
Threat Properties
- Asset
- Actor
- Motive (optional)
- Access (optional)
- Outcome
Human Actors - Network Access (threat tree figure)
Columns: asset → access → actor → motive → outcome
- access: network
- actor: inside, outside
- motive: accidental, deliberate
- outcome (for each actor/motive branch): disclosure, modification, loss/destruction, interruption
Note: a heavy red line in the figure indicates a perceived threat.
Human Actors - Physical Access (threat tree figure)
Columns: asset → access → actor → motive → outcome
- access: physical
- actor: inside, outside
- motive: accidental, deliberate
- outcome (for each actor/motive branch): disclosure, modification, loss/destruction, interruption
System Problems (threat tree figure)
Columns: asset → actor → outcome
- actor: software defects, malicious code, system crashes, LAN instability
- outcome (for each actor): disclosure, modification, loss/destruction, interruption
Other Problems (threat tree figure)
Columns: asset → actor → outcome
- actor: natural disasters, ISP unavailable, telecommunications problems or unavailability, power supply problems
- outcome (for each actor): disclosure, modification, loss/destruction, interruption
OCTAVE Process
Operationally Critical Threat, Asset, and Vulnerability Evaluation
Phase 2 Questions
- How do people access each critical asset?
- What infrastructure components are related to each critical asset? What are the key components of the computing infrastructure?
- What technological weaknesses expose your critical assets to threats?
- Which technological weaknesses need to be addressed immediately?
Vulnerability Evaluation Strategy
Phase 2 Strategy: Identify key components and review previous evaluation results, or contract for a vulnerability evaluation of those components.
- Conduct a vulnerability evaluation that is focused on where critical assets live.
- Make a long-term recommendation to eventually build, or contract for, a vulnerability management capability.
Vulnerability Evaluations and Tools
Vulnerability evaluation tools identify
- known weaknesses in technology
- misconfigurations of well-known administrative functions, such as
  - file permissions on certain files
  - accounts with null passwords
- what an attacker can determine about your systems and networks
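The two misconfiguration checks named above, written out as an added example (this is not CERT/SEI code and not taken from any particular scanner): one function flags accounts whose shadow-format password field is empty, the other flags sensitive files whose mode bits or owner exceed a policy. The shadow lines, the file observations and the permission policy are constructed for illustration; a real tool would read them from the host (the shadow file, os.stat() and pwd).

```python
"""Checks of the kind a vulnerability evaluation tool runs: null-password
accounts and over-permissive modes on sensitive files.
Added example; sample data below is constructed, not from a real host."""
import stat
from typing import Dict, List, Tuple

# Constructed sample modelled on /etc/shadow. Field 2 is the password hash;
# an empty field means no password is required, '*', '!' or '!!' mean locked.
SAMPLE_SHADOW = """root:$6$saltsalt$hashhashhash:19600:0:99999:7:::
daemon:*:19600:0:99999:7:::
backup::19600:0:99999:7:::
svc_ftp:!:19600:0:99999:7:::
jdoe:$6$abcd$xyz:19600:0:99999:7:::
guest::19600:0:99999:7:::
"""


def find_null_password_accounts(shadow_text: str) -> List[str]:
    """Return account names whose password field is empty.

    Locked accounts ('*', '!', '!!') are deliberately not reported: they
    cannot be logged into, so they are not the weakness being looked for."""
    hits = []
    for line in shadow_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 2:
            continue          # malformed line; a real tool would report it
        name, password = fields[0], fields[1]
        if password == "":
            hits.append(name)
    return hits


# Policy: maximum permitted mode bits and required owner per sensitive file.
# These are conventional values and an assumption for this example; adjust
# them to the platform you are evaluating.
SENSITIVE_FILE_POLICY: Dict[str, Tuple[int, str]] = {
    "/etc/shadow": (0o640, "root"),
    "/etc/passwd": (0o644, "root"),
    "/etc/ssh/sshd_config": (0o644, "root"),
    "/root/.ssh/authorized_keys": (0o600, "root"),
}

# Constructed observations as (path, st_mode, owner). In a real tool these
# come from os.stat(path).st_mode and pwd.getpwuid(st_uid).pw_name.
SAMPLE_OBSERVATIONS = [
    ("/etc/shadow", stat.S_IFREG | 0o644, "root"),
    ("/etc/passwd", stat.S_IFREG | 0o644, "root"),
    ("/etc/ssh/sshd_config", stat.S_IFREG | 0o666, "root"),
    ("/root/.ssh/authorized_keys", stat.S_IFREG | 0o600, "jdoe"),
]


def find_permission_issues(observations, policy=None) -> List[str]:
    """Compare observed mode/owner of each policed file against the policy.

    Reports any permission bit beyond the allowed maximum, world-writability
    (called out separately because it is the most dangerous case), and a
    wrong owner. Files not in the policy are ignored."""
    policy = SENSITIVE_FILE_POLICY if policy is None else policy
    findings = []
    for path, mode, owner in observations:
        if path not in policy:
            continue
        perm = stat.S_IMODE(mode)           # strip the file-type bits
        max_mode, want_owner = policy[path]
        extra = perm & ~max_mode
        if extra:
            findings.append(
                f"{path}: mode {perm:04o} exceeds {max_mode:04o} "
                f"(extra bits {extra:04o})")
        if perm & stat.S_IWOTH:
            findings.append(f"{path}: world-writable")
        if owner != want_owner:
            findings.append(f"{path}: owned by {owner}, expected {want_owner}")
    return findings


if __name__ == "__main__":
    for account in find_null_password_accounts(SAMPLE_SHADOW):
        print(f"null password: {account}")
    for finding in find_permission_issues(SAMPLE_OBSERVATIONS):
        print(f"permissions: {finding}")
```

Both checks produce findings that map straight onto the "human actors using network access" threat tree in the next slides: a null-password account reachable over the network is exactly what turns a branch of that tree from hypothetical into a perceived threat.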
Vulnerability Tools and Practices (figure: the operational practice areas from the catalog, showing where vulnerability tools fit)
- Information Technology Security: System and Network Management; Monitoring and Auditing IT Security; Authentication and Authorization; Encryption; Vulnerability Management; System Administration Tools; Security Architecture and Design; Incident Management
- Physical Security: Physical Security Plans and Procedures; Physical Access Control; Monitoring and Auditing Physical Security
- Staff Security: General Staff Practices
Threats Driven by Vulnerabilities - 1 (figure: the network-access threat tree repeated, asset → network → inside/outside → accidental/deliberate → disclosure, modification, loss/destruction, interruption, showing the branches that technological vulnerabilities drive)
Threats Driven by Vulnerabilities - 2 (figure: the system-problems threat tree repeated, asset → software defects, malicious code, system crashes, LAN instability → disclosure, modification, loss/destruction, interruption)
OCTAVE Process
Operationally Critical Threat, Asset, and Vulnerability Evaluation
Phase 3 Questions
- What is the potential impact on your organization due to each threat? (What are your risks?)
- Which are the highest-priority risks to your organization?
- What policies and practices does your organization need to address?
- What can your organization do to recognize, resist, and recover from its highest-priority risks?
Impact on the Organization
- When something negative occurs, it can have an impact on your company.
- Impact is described using either qualitative or quantitative values for several areas of potential impact.
- Values for each area are defined by a set of evaluation criteria.
- Once you define a good set of impact evaluation criteria, they tend to remain stable from one evaluation to the next.
Impact Criteria
A basic set of impact areas includes:
- reputation/customer confidence
- life/health of customers
- fines/legal penalties
- financial
- productivity
- other
Examples:
- To a hospital, a medium life/health impact is a patient death; a high impact is permanently disabling a patient
- $1 million is a low impact to some, a high impact to others
Risk
Risk comprises
- an event (a threat scenario)
- consequence (impact on the organization)
- uncertainty (whether the threat scenario will occur)
Risks are evaluated to help determine:
- relative priority
- which risks to actually mitigate
Impact evaluation is required in OCTAVE; qualitative probability is being tested in OCTAVE-S.
Evaluating Risks (figure: the network-access threat tree with an impact column added; vulnerability assessment results feed into which branches are perceived)
Columns: asset → access (network) → actor (inside, outside) → motive (accidental, deliberate) → outcome → impact
Impact values shown on the deliberate inside and outside branches:
- disclosure: Medium
- modification: High
- loss/destruction: High
- interruption: Low
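The threat profile and risk evaluation described on the preceding slides (threat properties, the four asset-based threat trees, perceived branches, impact criteria and impact-driven priority), carried through in code as an added example. This is not code from CERT/SEI or the OCTAVE method guide. The critical asset, the perceived-threat rules and the impact ratings are constructed; the tree structure follows the slides, while the choice to take the highest per-area rating as a threat's overall impact is this example's own assumption.

```python
"""Asset-based threat profile and impact evaluation, OCTAVE style.
Added example; the asset, rules and ratings are constructed for illustration."""
from dataclasses import dataclass
from itertools import product
from typing import Dict, Iterable, List, Optional

OUTCOMES = ("disclosure", "modification", "loss/destruction", "interruption")
HUMAN_ACTORS = ("inside", "outside")
MOTIVES = ("accidental", "deliberate")
SYSTEM_PROBLEMS = ("software defects", "malicious code",
                   "system crashes", "LAN instability")
OTHER_PROBLEMS = ("natural disasters", "ISP unavailable",
                  "telecommunications problems", "power supply problems")


@dataclass(frozen=True)
class Threat:
    """One branch of a threat tree: the threat properties from the slides."""
    asset: str
    source: str
    actor: str
    outcome: str
    access: Optional[str] = None   # network / physical (human actors only)
    motive: Optional[str] = None   # accidental / deliberate (human actors only)


def build_threat_profile(asset: str) -> List[Threat]:
    """Enumerate every branch of the four asset-based threat trees."""
    threats = []
    for access in ("network", "physical"):
        source = f"human actors using {access} access"
        for actor, motive, outcome in product(HUMAN_ACTORS, MOTIVES, OUTCOMES):
            threats.append(Threat(asset, source, actor, outcome, access, motive))
    for actor, outcome in product(SYSTEM_PROBLEMS, OUTCOMES):
        threats.append(Threat(asset, "system problems", actor, outcome))
    for actor, outcome in product(OTHER_PROBLEMS, OUTCOMES):
        threats.append(Threat(asset, "other problems", actor, outcome))
    return threats


def matches(threat: Threat, rule: Dict[str, str]) -> bool:
    """A rule is a partial set of threat properties; omitted ones match anything."""
    return all(getattr(threat, key) == value for key, value in rule.items())


def perceived_threats(threats: Iterable[Threat],
                      rules: Iterable[Dict[str, str]]) -> List[Threat]:
    """Keep only the branches the analysis team marks (the heavy red lines)."""
    return [t for t in threats if any(matches(t, r) for r in rules)]


IMPACT_LEVELS = {"low": 1, "medium": 2, "high": 3}


def overall_impact(area_ratings: Dict[str, str]) -> str:
    """Each impact area is rated on the organization's own criteria; this
    example takes the highest area rating as the threat's overall impact."""
    return max(area_ratings.values(), key=lambda v: IMPACT_LEVELS[v])


def evaluate_risks(perceived: Iterable[Threat],
                   impact_by_outcome: Dict[str, Dict[str, str]]):
    """Attach an impact value to each perceived threat, highest first."""
    risks = [(t, overall_impact(impact_by_outcome[t.outcome])) for t in perceived]
    risks.sort(key=lambda r: IMPACT_LEVELS[r[1]], reverse=True)  # stable sort
    return risks


# Constructed example: a hospital's patient records system.
ASSET = "patient records system"

# Branches the analysis team perceives as real. The network-access rules are
# the kind of thing vulnerability assessment results drive; the others come
# from workshop discussion. All are assumptions for this example.
PERCEIVED_RULES = [
    {"access": "network", "actor": "outside", "motive": "deliberate"},
    {"access": "network", "actor": "inside", "motive": "accidental",
     "outcome": "disclosure"},
    {"source": "system problems", "actor": "software defects"},
    {"source": "other problems", "actor": "power supply problems",
     "outcome": "interruption"},
]

# Impact of each outcome on this asset, rated per impact area (constructed).
IMPACT_BY_OUTCOME = {
    "disclosure":       {"reputation": "high", "fines/legal": "high", "life/health": "low"},
    "modification":     {"reputation": "medium", "fines/legal": "medium", "life/health": "high"},
    "loss/destruction": {"reputation": "medium", "fines/legal": "medium", "life/health": "high"},
    "interruption":     {"reputation": "low", "fines/legal": "low", "life/health": "medium"},
}


def run_example():
    """Profile -> perceived threats -> prioritized risks for the sample asset."""
    profile = build_threat_profile(ASSET)
    perceived = perceived_threats(profile, PERCEIVED_RULES)
    return evaluate_risks(perceived, IMPACT_BY_OUTCOME)


if __name__ == "__main__":
    for threat, impact in run_example():
        who = f"{threat.access}/{threat.actor}/{threat.motive}" if threat.access else threat.actor
        print(f"{impact:6}  {threat.outcome:17} {who}")
```

Running it yields 64 branches in the full profile, 10 of them perceived, and a list in which the seven high-impact risks sit above the three medium ones; that ordered list is the input to the accept/mitigate/defer decision on the "From Assets to Mitigation Plans" slide.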
Outputs of OCTAVE (figure)
- Protection Strategy: defines organizational direction
- Mitigation Plan: plans designed to reduce risk
- Action List: near-term action items
Putting It All Together
From Assets to Mitigation Plans (figure)
Critical Asset → Risks → Mitigation Approach → Mitigation Plan
- Risk A: Accept
- Risk B: Mitigate
- Risk C: Mitigate
- Risk D: Defer
Mitigation Plan:
- Practices to Improve
- Training and Security Architecture related tasks
- Monitoring IT Security related tasks
After OCTAVE
Steps required to implement the results of this evaluation and improve the organization's security posture:
- getting management sponsorship for security improvement
- monitoring implementation of the results of the current evaluation
- expanding the current evaluation, if needed
- scheduling the next information security risk evaluation
Summary
Findings - 1
OCTAVE produces usable results at each phase.
- identifying critical assets can change the focus of many other activities and alter resource allocations
- surveys alone produce institutional learning
- vulnerability assessments become more useful
Other interesting results
- one IT department found effective justification for increased budgets
- one company used it to start long-term improvements in their third-party relations and contracting
Findings - 2
Workshops produce a strong side effect of team building and increased security awareness.
- IT staff realize what users are really doing
- users have a better appreciation for security measures
- managers have a better sense of what's really going on in the organization
Some immediate actions that occurred
- reallocation of information across servers
- removal of private information from web sites
- immediate purchase of insurance
- building access restrictions
- review of arrangements with building managers
Keys for Success with the OCTAVE Approach
Getting senior management sponsorship
Selecting the right analysis team
Setting the scope of the evaluation
Selecting participants (for OCTAVE Method)
Some OCTAVE Users - 1
The Security Working Integrated Project Team (Security WIPT), Office of the Assistant Secretary of Defense/Health Affairs (OASD/HA), endorses OCTAVE as the preferred information security risk assessment to prepare for complying with the Administrative Simplification subsection of the Health Insurance Portability and Accountability Act of 1996.
- analysis teams have been trained in all international regions of the Department of Defense healthcare domain
- additional teams are scheduled to be trained in 2003
Some OCTAVE Users - 2
- FirstGov (now the Office of Citizen Services and Communication)
- Small companies in Western Pennsylvania
- County government
- A variety of national and international companies and consulting organizations are now using all or part of OCTAVE
Questions?
OCTAVE Approach
For Additional Information
OCTAVE
- Internet: [email protected]
- WWW: http://www.cert.org/octave
Software Engineering Institute
- Telephone: 412 / 268-5800
- Fax: 412 / 268-5758
- Internet: [email protected]
- U.S. mail: Customer Relations, Software Engineering Institute, Carnegie Mellon University, Pittsburgh, PA 15213-3890