Security Risks Analysis (MGMT755)
Dr. Arafat Awajan, 2006
11/17/2006 Dr. Arafat Awajan 3
Introduction
Information technology is critical to business and society: most organizations recognize the critical role that information technology (IT) plays in supporting their business objectives. But today's highly connected IT infrastructures exist in an environment that is increasingly hostile: attacks are being mounted with increasing frequency and demand ever shorter reaction times.
Introduction
IT is the vehicle used to store, manipulate, and transport information. What happens if the vehicle breaks down, even for a little while?
Computer security is evolving into information security; information security is the more general term.
Introduction
Information security is the responsibility of every member of an organization, but managers play a critical role
Managing information security
Problem: organizations are unable to react to new security threats before their business is impacted.
Security Risks Analysis and management
Introduction
Information security involves three distinct communities of interest
- Information security managers and professionals
- Information technology managers and professionals
- Non-technical business managers and professionals
Communities of Interest
Information Security community: protect information assets from threats
IT community: support business objectives by supplying appropriate information technology
Business community: articulates and communicates policy, and allocates resources to the other groups
What Is Security?
“The quality or state of being secure—to be free from danger”
Security is achieved using several strategies usually undertaken simultaneously
Security and Control: Examples
- Physical security: workplace and physical assets
- Personal security: people
- Operations security: operations without interruption or compromise
- Communications security: media and content
- Network security: devices, content, connections
Security and Control: Control Objectives
Prevention, detection, recovery; anticipation, correction
Types of controls:
- Physical controls
- Technical controls
- Administrative controls
InfoSec Components
Information Main Features
The C.I.A. triangle is made up of:
- Confidentiality
- Integrity
- Availability
CIA represents the critical features of information. Over time the list of characteristics has expanded, but these three remain central.
NSTISSC Security Model (4011)
Key Concepts: Confidentiality
Confidentiality: only those with sufficient privileges may access certain information.
To protect confidentiality:
- Information classification
- Secure document storage
- General security policies
- Education and training
Key Concepts: Confidentiality
Some threats:
- Hackers
- Masqueraders
- Unauthorized users
- Unprotected download of files
- LANs
- Trojan horses
Key Concepts: Integrity
Integrity is the quality or state of being whole, complete, and uncorrupted.
Threats:
- Corruption
- Destruction
Other issues:
- Origin integrity
- Data integrity
Key Concepts: Availability
Availability: making information accessible to users without interference or obstruction, and in the required format. It means availability to authorized users (a person or another computer system).
Survivability: ensuring availability in the presence of attacks.
Key Concepts: privacy
Privacy: information is to be used only for purposes known to the data owner. This does not focus on freedom from observation, but rather on the information being used only in ways known to the owner.
Key Concepts: Identification
Identification: information systems possess the characteristic of identification when they are able to recognize individual users. Identification and authentication are essential to establishing the level of access or authorization that an individual is granted.
Key Concepts: Authentication & Authorization
Authentication: authentication occurs when a control provides proof that a user possesses the identity that he or she claims.
Authorization: authorization provides assurance that the user has been specifically and explicitly authorized by the proper authority to access the contents of an information asset.
Key Concepts: Accountability; Assurance
Accountability: the characteristic of accountability exists when a control provides assurance that every activity undertaken can be attributed to a named person or automated process.
Assurance: assurance that all security objectives are met.
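The four concepts above (identification, authentication, authorization, accountability) are easiest to keep apart when each is a separate step in code. The Python program below is an added example, not material from the course slides or from any product: it takes a claimed user name, proves it against a salted PBKDF2 password hash, consults an explicit per-asset permission table, and writes every decision to an audit trail naming the claimed principal. The user names, passwords, asset names, permission table and function names are all constructed for the example.

```python
"""Added example, not from the course slides: one request walked through
identification, authentication, authorization and accountability.

- identification: the caller claims a user name
- authentication: the claim is proven against a salted PBKDF2 password hash
- authorization: an explicit per-asset permission table decides what the proven
  identity may do (deny by default)
- accountability: every decision, allowed or denied, goes to an audit trail
All user names, passwords, assets, permissions and function names are constructed.
"""
import hashlib
import hmac
import os
from datetime import datetime, timezone

PBKDF2_ROUNDS = 100_000   # deliberately slow so offline guessing is expensive
_DUMMY_SALT = b"\x00" * 16


def make_credential(password: str) -> tuple:
    """Store a random salt and PBKDF2-HMAC-SHA256 of the password, never the password."""
    salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


# Identification table: claimed name -> stored credential (constructed users)
USERS = {
    "alice": make_credential("correct horse battery staple"),
    "bob": make_credential("hunter2"),
}

# Authorization table: asset -> {principal: operations explicitly granted}
PERMISSIONS = {
    "payroll.db": {"alice": {"read", "write"}, "bob": {"read"}},
    "hr-policy.doc": {"alice": {"read"}, "bob": {"read"}},
}

AUDIT_LOG = []   # accountability: append-only record of every decision


def authenticate(claimed_name: str, password: str) -> bool:
    """Prove the claimed identity; constant-time compare avoids leaking the hash."""
    cred = USERS.get(claimed_name)
    if cred is None:
        # Do the same work for unknown names so timing does not reveal valid users.
        hashlib.pbkdf2_hmac("sha256", password.encode(), _DUMMY_SALT, PBKDF2_ROUNDS)
        return False
    salt, stored = cred
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, stored)


def authorize(principal: str, asset: str, operation: str) -> bool:
    """Deny by default: only operations explicitly granted on the asset pass."""
    return operation in PERMISSIONS.get(asset, {}).get(principal, set())


def access(claimed_name: str, password: str, asset: str, operation: str) -> bool:
    """Identify -> authenticate -> authorize, recording the outcome either way."""
    if not authenticate(claimed_name, password):
        allowed, reason = False, "authentication failed"
    elif not authorize(claimed_name, asset, operation):
        allowed, reason = False, "not authorized"
    else:
        allowed, reason = True, "allowed"
    AUDIT_LOG.append({
        "time": datetime.now(timezone.utc).isoformat(),
        "claimed_identity": claimed_name,   # unproven if authentication failed
        "asset": asset,
        "operation": operation,
        "allowed": allowed,
        "reason": reason,
    })
    return allowed


if __name__ == "__main__":
    access("alice", "correct horse battery staple", "payroll.db", "write")  # allowed
    access("bob", "hunter2", "payroll.db", "write")                         # not authorized
    access("mallory", "guess", "payroll.db", "read")                        # authentication failed
    for entry in AUDIT_LOG:
        print(entry)
```

Two design points matter here: a failed authentication is still logged, but under "claimed_identity" rather than as a proven principal, and authorization looks up an explicit grant rather than checking for the absence of a denial, so an asset or user missing from the table is refused.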
What Is Management?
A process of achieving objectives using a given set of resources. To manage the information security process:
- First, understand the core principles of management
- Second, understand IT
- Third, understand security
What Is Management?
A manager is “someone who works with and through other people by coordinating their work activities in order to accomplish organizational goals”
Managerial Roles
- Informational role: collecting, processing, and using information to achieve the objective
- Interpersonal role: interacting with superiors, subordinates, outside stakeholders, and others
- Decisional role: selecting from alternative approaches and resolving conflicts, dilemmas, or challenges
Characteristics of Management
Principles of management:
- Planning
- Organizing
- Leading: staffing, directing
- Controlling
The Planning–Controlling Link
Planning & Organization
Planning: the process that develops, creates, and implements strategies for the accomplishment of objectives. Three levels of planning:
- Strategic
- Tactical
- Operational
Organization: structuring of resources to support the accomplishment of objectives
Leadership
Encourages the implementation of the planning and organizing functions; this includes supervising employee:
- behavior
- performance
- attendance
- attitude
Leadership generally addresses the direction and motivation of the human resource.
Control
Control:
- Monitoring progress toward completion
- Making necessary adjustments to achieve the desired objectives
The controlling function determines what must be monitored, as well as using specific control tools to gather and evaluate information.
Control Tools
Four categories:
- Information: information flows / communications
- Financial: guide the use of monetary resources
- Operational: Gantt charts, process flow
- Behavioral: human resources
The Control Process
Solving Problems
- Step 1: Recognize and define the problem
- Step 2: Gather facts and make assumptions
- Step 3: Develop possible solutions (brainstorming)
- Step 4: Analyze and compare the possible solutions (feasibility analysis)
- Step 5: Select, implement, and evaluate a solution
Feasibility Analyses
- Economic feasibility assesses the costs and benefits of a solution
- Technological feasibility assesses an organization’s ability to acquire and manage a solution
- Behavioral feasibility assesses whether members of the organization will support a solution
- Operational feasibility assesses whether an organization can integrate a solution
Principles Of Information Security Management
The extended characteristics of information security are:
- Planning
- Policy
- Programs
- Protection
- People
- Project Management
InfoSec Planning
Planning as part of InfoSec management is an extension of the basic planning model of management
The InfoSec planning model includes the activities necessary to support the design, creation, and implementation of information security strategies as they exist within the IT planning environment
InfoSec Planning Types
Several types of InfoSec plans exist:
- Incident response
- Business continuity
- Disaster recovery
- Policy
- Personnel
- Technology rollout
- Risk management
- Security program, including education, training and awareness
Policy
Policy: a set of organizational guidelines that dictates certain behavior within the organization. In InfoSec, there are three general categories of policy:
- General program policy (Enterprise Security Policy)
- Issue-specific security policy (ISSP), e.g. email, Internet use
- System-specific policies (SSPs), e.g. access control lists (ACLs) for a device
Programs
Programs are operations managed as specific entities in the information security domain. Example: a security education, training and awareness (SETA) program is one such entity. Other programs that may emerge include a physical security program, complete with fire, physical access, gates, guards, and so on.
Protection
- Risk management activities, including risk assessment and control
- Protection mechanisms, technologies and tools
Each of these mechanisms represents some aspect of the management of specific controls in the overall security plan.
People
People are the most critical link in the information security program: the “human firewall”. It is imperative that managers continuously recognize the crucial role that people play; this includes information security personnel and the security of personnel, as well as aspects of the security education, training and awareness program.
Project Management
The project management discipline should be present throughout all elements of the information security program. It involves:
- Identifying and controlling the resources applied to the project
- Measuring progress and adjusting the process as progress is made toward the goal
Risk Management
Risk management (RM) is the process of identifying, assessing, and evaluating the levels of risk facing the organization, specifically the threats to the information stored and processed by the organization.
Risk Management
To better understand the risk analysis phase of the security policy, you should know something about the kinds of threats facing organizations. A threat is an object, person, or other entity that represents a constant danger to an asset.
Key Terms
Attack: a deliberate act that exploits a vulnerability to achieve the compromise of a controlled system; accomplished by a threat agent that damages or steals an organization’s information or physical asset.
Exploit: a technique or mechanism used to compromise a system.
Vulnerability: an identified weakness of a controlled system in which necessary controls are not present or are no longer effective.
Threats to Information Security
Some Common Attacks
- Malicious code
- Hoaxes
- Back doors
- Password cracking: brute force, dictionary
- Denial-of-service (DoS) and distributed denial-of-service (DDoS)
- Spoofing
- Man-in-the-middle
- Spam
- Mail bombing
- Sniffers
- Social engineering
- Buffer overflow
- Timing
Risk Management
Use some method of prioritizing the risk posed by each category of threat and its related methods of attack. To manage risk, you must identify and assess the value of your information assets. Risk assessment assigns a comparative risk rating or score to each specific information asset.
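The slide says that risk assessment assigns a comparative rating to each information asset so that threat categories can be prioritized, but it gives no scoring rule. The Python below is an added example, not from the course material: it assumes a simple residual-risk formula (asset value multiplied by likelihood and by the share of risk that current controls do not remove), ranks every asset/threat pair, and aggregates the ratings both per asset and per threat category, which are the two views the slide's prioritization needs. The asset register, threat names, numbers and function names are constructed for illustration.

```python
"""Added example, not from the course slides: comparative risk rating per asset.

Assumed scoring rule (the slides give none):
    residual_risk = asset_value * likelihood * (1 - control_effectiveness)
asset_value: relative worth to the organization, 1 (low) .. 10 (critical)
likelihood: estimated probability of a successful attack in the review period, 0..1
control_effectiveness: fraction of the risk that current controls remove, 0..1
All assets, threats and numbers below are constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Exposure:
    asset: str
    asset_value: int
    threat: str
    likelihood: float
    control_effectiveness: float


def risk_score(e: Exposure) -> float:
    """Residual risk of one asset/threat pair under the assumed formula."""
    if not 1 <= e.asset_value <= 10:
        raise ValueError(f"asset_value must be 1..10, got {e.asset_value}")
    for name, v in (("likelihood", e.likelihood),
                    ("control_effectiveness", e.control_effectiveness)):
        if not 0.0 <= v <= 1.0:
            raise ValueError(f"{name} must be in [0, 1], got {v}")
    return round(e.asset_value * e.likelihood * (1.0 - e.control_effectiveness), 3)


def rank_exposures(exposures):
    """All asset/threat pairs, highest residual risk first."""
    return sorted(exposures, key=risk_score, reverse=True)


def _totals_by(exposures, key):
    """Sum residual risk under a grouping key, highest group first."""
    totals = defaultdict(float)
    for e in exposures:
        totals[key(e)] += risk_score(e)
    return {k: round(v, 3) for k, v in
            sorted(totals.items(), key=lambda kv: kv[1], reverse=True)}


def risk_by_asset(exposures):
    """Comparative rating per information asset (sum over its threats)."""
    return _totals_by(exposures, lambda e: e.asset)


def risk_by_threat(exposures):
    """Same ratings regrouped by threat category, to prioritize countermeasures."""
    return _totals_by(exposures, lambda e: e.threat)


# Constructed sample register: (asset, value, threat, likelihood, control effectiveness)
REGISTER = [
    Exposure("customer database", 10, "malicious code", 0.30, 0.60),
    Exposure("customer database", 10, "password crack (brute force)", 0.20, 0.20),
    Exposure("public web site", 5, "denial-of-service", 0.50, 0.30),
    Exposure("public web site", 5, "buffer overflow", 0.10, 0.50),
    Exposure("staff mailboxes", 4, "social engineering", 0.60, 0.10),
]


if __name__ == "__main__":
    print("asset/threat pairs, highest residual risk first:")
    for e in rank_exposures(REGISTER):
        print(f"  {risk_score(e):5.2f}  {e.asset:18} {e.threat}")
    print("rating per asset: ", risk_by_asset(REGISTER))
    print("rating per threat:", risk_by_threat(REGISTER))
```

With these constructed numbers the low-value mailbox asset tops the per-pair ranking because its social-engineering controls are weak, while the per-asset total still puts the customer database first. Choosing which view drives the next control investment is exactly the prioritization decision the slide refers to, and the input-range checks in risk_score stop a mistyped likelihood from silently skewing the whole ranking.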
Conclusion
Often, organizations are unable to react to new security threats before their business is impacted. Managing the security of their infrastructures—and the business value that those infrastructures deliver—has become a primary concern for IT departments.
Conclusion
New legislation that stems from privacy concerns, financial obligations, and corporate governance is forcing organizations to manage their IT infrastructures more closely and effectively than in the past. Failure to proactively manage security may put executives and whole organizations at risk due to legal responsibilities.
Conclusion
The approach to managing risk varies for every organization. There is no right or wrong answer; there are many risk management models in use today. Each model has tradeoffs that balance accuracy, resources, time, complexity, and subjectivity. Security risk management will fail without executive support and commitment.
Conclusion
Risk management identifies vulnerabilities in an organization’s information systems and takes carefully reasoned steps to assure the confidentiality, integrity, and availability of all the components of the organization’s information system.