Vicente Aceituno Canal © Inovement 2014 Measuring the Security of Information Systems

Page 1: Measuring the Security of Information Systems

Vicente Aceituno Canal © Inovement 2014

Measuring the Security of Information Systems

Page 2: Measuring the Security of Information Systems
Page 3: Measuring the Security of Information Systems

Questions

Is AIC necessary?

Is AIC sufficient?

Is AIC ambiguous?

Is AIC useful?

Is AIC reproducible / repeatable / automatable?

Is AIC good for measurement, communication, management, risk assessment?

Page 4: Measuring the Security of Information Systems

Traditional Security Concepts

What are the fundamental concepts of security for you?

Page 5: Measuring the Security of Information Systems

Take a minute to write your own definition

Availability

Confidentiality Integrity

Page 6: Measuring the Security of Information Systems

Traditional Security Concepts

Number of concepts?

Page 7: Measuring the Security of Information Systems

The need for Security Requirements

Does the result of this procedure increase or decrease security?

Page 8: Measuring the Security of Information Systems

The need for Security Requirements

Does the result of this procedure increase or decrease security?

Answer: It depends on the baseline. If the hard drive contains valid data, it is not secure. If the hard drive contains expired data, it is secure.

Page 9: Measuring the Security of Information Systems

The need for Security Requirements

Does the result of this procedure increase or decrease security?

Answer: It depends on the baseline. If the hard drive contains valid data, it is not secure. If the hard drive contains expired data, it is secure.

What about a hacker accessing a system?

Page 10: Measuring the Security of Information Systems

The need for Security Requirements

Does the result of this procedure increase or decrease security?

Answer: It depends on the baseline. If the hard drive contains valid data, it is not secure. If the hard drive contains expired data, it is secure.

What about a hacker accessing a system? Well, if it is HIS system…

Page 11: Measuring the Security of Information Systems

The need for Security Requirements

The current state of security can only be measured by comparing it against a baseline for security, so that you can compare what you want with what you get.

A baseline for security can be expressed using Security Requirements.

Page 12: Measuring the Security of Information Systems

Scope: Management of Security

Perform an assessment of the value of information security activities. Those that contribute to meeting a security requirement are valuable.

Perform an assessment of the return on investment of information security activities.

Prioritize the use of resources to maximize the value of information security activities.

Plan for the resources necessary to meet security requirements.

Check whether past decisions rendered the expected results.

Page 13: Measuring the Security of Information Systems

Measurement

Measuring is reducing uncertainty.

Page 14: Measuring the Security of Information Systems

Measurement

Do or invest in “A”

Do or invest in “B”

Page 15: Measuring the Security of Information Systems

SR1

Measurement

Page 16: Measuring the Security of Information Systems

SR1

SR2

Measurement

Page 17: Measuring the Security of Information Systems

SR1

SR2

SR3

Measurement

Page 18: Measuring the Security of Information Systems

Measurement

Security Requirement “A”

Security Requirement “B”

SR1

SR2

SR3

Page 19: Measuring the Security of Information Systems

Measurement

Do or invest in “A”

Do or invest in “B”

SR3

Page 20: Measuring the Security of Information Systems

Measurement

Needless to say, Requirements need to be mutually exclusive; otherwise they are redundant.

Page 21: Measuring the Security of Information Systems

Use Case

Ambiguous Ltd is a business that sells retail travel packages. The most important system they own and operate is the Package Sales System, which they use for advertising, sales, and bookings.

1. A high level view of the Package Sales System Database reveals the following data resources: Travel Package Archive; Sales Archive; Feedback Archive; Offers Archive; Claims, Feedback and Incidences Archive.

2. The following list of actions can be performed on each data resource:

Travel Package Archive: Create, Update, Retire, Publish, Unpublish.

Sales Archive: Book, Release, Sell, Refund, Update.

Feedback Archive: Create, Update, Close.

Offers Archive: Create, Update, Retire, Publish.

Claims, Feedback and Incidences Archive: Create, Update, Close.

Sales Statistics Report Archive: Create, Close.

3. The system logs all the sales activity, but not any other activity.

4. As some Offers expire at midnight, the Package Sales System should prevent customers from purchasing Travel Packages after they have expired, even by a few seconds.

Page 22: Measuring the Security of Information Systems

Use Case

5. There are certain requirements about who can do what, and where they can do it:

Only the sales manager can Create, Update and Publish Travel Packages.

Each salesperson can only view the personal information of his or her own clients.

Only the sales manager and the person assigned to Feedback and Claims can view the personal information of all clients.

Only the owner of the company can access the Sales Statistics Report.

Only the sales manager can create Offers.

6. The general public of Spain is a user and they can purchase Travel Packages through the application. Persons under the age of 18 can ask for feedback and sign up for offers, but they can't purchase Travel Packages. The users of the system are authorized employees, authorized outsourced employees, and clients.

7. The system shouldn't be used by unauthorized employees, non-employees, users not in Spain, or clients younger than 18 years old.

Page 23: Measuring the Security of Information Systems

Use Case

8. In order to create an account in the Package Sales System, potential clients can login using Facebook or create an account linked to their email address. They can unlink or delete the account at any time, but that does not delete any data in the database if they have purchased a Travel Package, even if they cancelled the purchase. In order to create an account in the Package Sales System, the Sales Manager sends an email to the Administrator. The general public doesn't need an account to provide feedback or sign up for the Offers newsletter.

9. Customers who lose their password to the Package Sales System can request a new one, and a link will be sent to their email address. Users who lose their password to access the Package Sales System need to physically visit the Administrator, who resets the password and gives it to them in a written note.

10. The email the Sales Manager sends the Administrator states what functions the user should be able to perform.

11. The administrators of the Package Sales System are employees of Confederacy SL.

Page 24: Measuring the Security of Information Systems

Use Case

12. The system is expected to work 24x7.

13. Maintenance stoppages of no more than one hour per week during non-business hours (business hours being from 9 to 5, Tuesday to Sunday) are acceptable.

14. The longest time that the system can be offline during business hours is 2 hours, because sales can be performed with TPV and handwritten notes can partially replace the use of the system.

15. In case of a major malfunction of the system, it would be acceptable to lose one day of data, since most data could be reconstructed by checking with VISA, Amadeus and Mtravel.

16. It is understood that all "live" transactions would be lost in case of an incident.

17. Data needs to be archived for 5 years in order to meet tax regulations.

18. After ten years data should be deleted permanently, as customer behaviour changes over time and data is no longer useful for Business Intelligence.

19. Sales representatives and customers sometimes make mistakes entering data. This is acceptable as long as no more than one percent of the records contain inaccurate information.

Page 25: Measuring the Security of Information Systems

Measurement is called “Assessment” in consulting lingo.

An assessment is performed by asking questions, for example:

Who is supposed to access the System? Authorized Employees, Authorized Outsourced Employees, Clients over 18 years old, Potential Clients, Users in Spain.

Who should not have access to the System? Unauthorized Employees, Non Employees, Non Spain users, Clients younger than 18 years old.

Measurement

SR3

Page 26: Measuring the Security of Information Systems

The O-ISM3 Challenge

Crafting the answers with IAC

Crafting the answers with anything but IAC

The Results

Page 27: Measuring the Security of Information Systems

Traditional Security Concepts

Availability

Confidentiality Integrity

Page 28: Measuring the Security of Information Systems

Traditional Security Concepts: ISO2700x

Availability: The property of being accessible and useable upon demand by an authorized entity.

Confidentiality: The property that information is not made available or disclosed to unauthorized individuals, entities, or processes.

Integrity: The property of safeguarding the accuracy and completeness of assets.

Page 29: Measuring the Security of Information Systems

Traditional Security Concepts: CobIT

Availability: Relates to information being available when required by the business process now and in the future. It also concerns the safeguarding of necessary resources and associated capabilities.

Confidentiality: Concerns the protection of sensitive information from unauthorized disclosure.

Integrity: Relates to the accuracy and completeness of information as well as to its validity in accordance with business values and expectations.

Page 30: Measuring the Security of Information Systems

Traditional Security Concepts: ITIL

Availability: Ability of a Configuration Item or IT Service to perform its agreed Function when required. Availability is determined by Reliability, Maintainability, Serviceability, Performance, and Security.

Confidentiality: A security principle that requires that data should only be accessed by authorized people.

Integrity: A security principle that ensures data and Configuration Items are only modified by authorized personnel and Activities. Integrity considers all possible causes of modification, including software and hardware Failure, environmental Events, and human intervention.

Page 31: Measuring the Security of Information Systems

Does it match your own definition?

Page 32: Measuring the Security of Information Systems

Security Concepts

Integrity

Confidentiality

Authentication

Authorization

Audit

Privacy

Utility

Accountability

Availability

Reliability

Possession

Non-Repudiation

Identification

Page 33: Measuring the Security of Information Systems

Assessment with Traditional Definitions

What are the high level data resources used by the system?

What is the expected confidentiality of each data resource?

What is the expected integrity (accuracy and completeness) of each data resource?

What is the expected availability of each data resource?

Here is where you need to explain what you mean. The answer depends on the explanation of each concept.

Would you answer the same tomorrow? What if it is someone else who asks? What if it was a machine or a form?

Page 34: Measuring the Security of Information Systems

Something is very wrong

Standards don’t agree on the definition of fundamental concepts. Even ISO standards don’t.

Confidentiality, Integrity and Availability are surrounded by a constellation of concepts. Not all professionals agree on what are the fundamental concepts.

We could debate: whether the different definitions are equivalent; whether the fundamental concepts are incomplete, ambiguous or both; which are fundamental and which are not.

The mere possibility of debate and disagreement implies that there is a high variance in assessments depending on which professional or company you rely on.

Page 35: Measuring the Security of Information Systems

The Alternative

Wouldn’t it be better to just skip the debate?

Traditional definitions are about the nature of the thing, “What is it”. Useful to tell security from non-security.

Operational definitions are about the measurement of the thing, “How do you measure it”. Useful to manage security.

Page 36: Measuring the Security of Information Systems

The Alternative

On October 15, 1970, the West Gate Bridge in Melbourne, Australia collapsed, killing 35 construction workers. The subsequent enquiry found that the failure arose because engineers had specified the supply of a quantity of flat steel plate. The word flat in this context lacked an operational definition, so there was no test for accepting or rejecting a particular shipment or for controlling quality.

Page 37: Measuring the Security of Information Systems

Operational Definitions

Use operational definitions for Security Requirements: concepts are defined through the operations by which we measure them (asking questions).

Operationalization is used to specifically refer to the scientific practice of defining concepts through the operations by which we measure them.

Page 38: Measuring the Security of Information Systems

Operational Definitions

Benefits: Independent of the observer. Repeatable. Free of ambiguity and undesirable variance. Depending on the level of measurement (nominal, ordinal, interval, ratio), they can have Units, making the optimization of resources possible.

Sorry, I am not defining security itself operationally today

Page 39: Measuring the Security of Information Systems

Operational Questions

1. What are the high level data resources used by the system?

2. What are the actions that can be performed on each type of data resource of the system?

3. What are the actions that are logged by the system?

4. What is the maximum amount of time the system's log time may differ from real time?

5. What are the requirements regarding who can do what and where with economic or contractual data resources?

6. Who are the users of the system?

7. Who should not be able to use the system?

8. How are user accounts managed?

9. How are credentials (password, digital certificate, other) managed?

10. How are access rights managed?

Page 40: Measuring the Security of Information Systems

Operational Questions

11. Which roles (types of user accounts) exist within the system?

12. When is the system supposed to be up and working?

13. How many interruptions, and how long, are acceptable in the window of availability?

14. When and for how long would a downtime of the system have an unacceptable impact on your business?

15. In case of an incident with the system, how much data, in minutes, hours or days before the incident, can you afford to lose?

16. In the event the system goes down, how many live transactions can you afford to lose?

17. For how long should the data resources be archived?

18. When do data resources of the system expire and need to be deleted, if at all?

19. What is the maximum tolerable amount of data resources in the system that may be inaccurate?
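As an added example that is not part of the original deck: the operational questions above, answered with the Ambiguous Ltd use case (pages 21-24), can be encoded as observer-independent checks that a machine could run. This constructed Python encodes items 5 and 12-19; the role names, the minute-by-minute counting, and the "may retain" state between years 5 and 10 are assumptions, not statements from the deck.

```python
from datetime import timedelta
# Constructed from the use case. Item 5: actions reserved to a single role (unlisted ones are out of scope).
RESTRICTED_ACTIONS = {
    ("Travel Package Archive", "Create"): "sales manager",
    ("Travel Package Archive", "Update"): "sales manager",
    ("Travel Package Archive", "Publish"): "sales manager",
    ("Offers Archive", "Create"): "sales manager",
}
OWNER_ONLY_RESOURCES = {"Sales Statistics Report Archive": "owner"}  # "only the owner can access"

def is_permitted(role, resource, action):
    """Item 5: may `role` perform `action` on `resource`? (role names are assumed)"""
    if resource in OWNER_ONLY_RESOURCES and role != OWNER_ONLY_RESOURCES[resource]:
        return False
    required = RESTRICTED_ACTIONS.get((resource, action))
    return required is None or required == role

BUSINESS_DAYS = {1, 2, 3, 4, 5, 6}  # Tuesday..Sunday (Python: Monday is 0)
BUSINESS_HOURS = range(9, 17)       # "from 9 to 5"

def business_minutes(start, end):
    """Minutes of the interval [start, end) that fall inside business hours (items 12-14)."""
    count, t = 0, start
    while t < end:
        if t.weekday() in BUSINESS_DAYS and t.hour in BUSINESS_HOURS:
            count += 1
        t += timedelta(minutes=1)
    return count

def week_downtime_acceptable(outages):
    """Items 13-14 over one week's (start, end) outages: <= 120 business minutes each, <= 60 non-business minutes in total."""
    non_business = 0
    for start, end in outages:
        total = int((end - start).total_seconds() // 60)
        in_business = business_minutes(start, end)
        if in_business > 120:
            return False
        non_business += total - in_business
    return non_business <= 60

def accuracy_acceptable(total_records, inaccurate_records):
    """Item 19: at most one percent of records may be inaccurate."""
    return total_records > 0 and inaccurate_records <= total_records * 0.01

def retention_action(age_years):
    """Items 17-18: keep for 5 years (tax), delete permanently after 10."""
    if age_years < 5:
        return "must retain"
    return "may retain" if age_years < 10 else "must delete"
```

Each function answers one operational question with a value that does not depend on who asks, which is the repeatability the deck argues for.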

Page 41: Measuring the Security of Information Systems

Operational Definitions

Would you answer the same tomorrow? What if it is someone else who asks? What if it was a machine or a form?

Page 42: Measuring the Security of Information Systems

Conclusions

Is AIC necessary?

Is AIC sufficient?

Is AIC ambiguous?

Is AIC useful?

Is AIC reproducible / repeatable / automatable?

Is AIC good for measurement, communication, management, risk assessment?

Page 43: Measuring the Security of Information Systems

Learn More

Open Information Security Management Maturity Model (O-ISM3) www2.opengroup.org/ogsys/catalog/C102

O-ISM3 Resources www.ism3.com/?q=node/39

O-ISM3 Challenge Study www.slideshare.net/vaceituno/o-ism3-challenge-results-study

Page 44: Measuring the Security of Information Systems

Vicente Aceituno [email protected] +44 20 8144 8211 © Inovement 2014