Vicente Aceituno Canal, © Inovement 2014
Measuring the Security of Information Systems
Questions
Is AIC (Availability, Integrity, Confidentiality) necessary? Is AIC sufficient? Is AIC ambiguous? Is AIC useful? Is AIC reproducible / repeatable / automatable? Is AIC good for measurement, communication, management, risk assessment?
Traditional Security Concepts
What are the fundamental concepts of security, for you? Take a minute to write your own definition.
[Diagram: the traditional triad, Availability, Confidentiality, Integrity]
Number of concepts?
The need for Security Requirements
Does the result of this procedure increase or decrease security?
Answer: it depends on the baseline. If the hard drive contains valid data, the result is not secure. If the hard drive contains expired data, it is secure.
What about a hacker accessing a system? Well, if it is his own system…
The need for Security Requirements
The current state of security can only be measured by comparing it against a baseline for security, so that you can compare what you want with what you get.
A baseline for security can be expressed using Security Requirements.
Scope: Management of Security
Perform an assessment of the value of information security activities: those that contribute to meeting a security requirement are valuable.
Perform an assessment of the return on investment of information security activities.
Prioritize the use of resources to maximize the value of information security activities.
Plan for the resources necessary to meet security requirements.
Check whether past decisions rendered the expected results.
Measurement
Measuring is reducing uncertainty.
Measurement
[Diagram: two options, "Do or invest in A" and "Do or invest in B", scored against Security Requirements SR1, SR2 and SR3; each option is valued by the requirements it contributes to meeting]
Needless to say, requirements need to be mutually exclusive; otherwise they are redundant and the same activity is counted more than once.
Use Case
Ambiguous Ltd is a business that sells retail travel packages. The most important system they own and operate is the Package Sales System, which they use for advertising, sales, and bookings.
1. A high level view of the Package Sales System Database reveals the following data resources: Travel Package Archive, Sales Archive, Feedback Archive, Offers Archive, Claims, Feedback and Incidences Archive.
2. The following actions can be performed on each data resource:
Travel Package Archive: Create, Update, Retire, Publish, Unpublish.
Sales Archive: Book, Release, Sell, Refund, Update.
Feedback Archive: Create, Update, Close.
Offers Archive: Create, Update, Retire, Publish.
Claims, Feedback and Incidences Archive: Create, Update, Close.
Sales Statistics Report Archive: Create, Close.
3. The system logs all the sales activity, but no other activity.
4. As some Offers expire at midnight, the Package Sales System should prevent customers from purchasing Travel Packages after they have expired, even by a few seconds.
5. There are certain requirements about who can do what, and where they can do it:
Only the sales manager can Create, Update and Publish Travel Packages.
Each salesperson can only view the personal information of his or her own clients.
Only the sales manager and the person assigned to Feedback and Claims can view the personal information of all clients.
Only the owner of the company can access the Sales Statistics Report.
Only the sales manager can create Offers.
6. The general public of Spain are users and can purchase Travel Packages through the application. Persons under the age of 18 can ask for feedback and sign up for offers, but they cannot purchase Travel Packages. The users of the system are authorized employees, authorized outsourced employees, and clients.
7. The system should not be used by unauthorized employees, non-employees, users not in Spain, or clients younger than 18 years old.
8. In order to create an account in the Package Sales System, potential clients can log in using Facebook or create an account linked to their email address. They can unlink or delete the account at any time, but that does not delete any data in the database if they have purchased a Travel Package, even if they cancelled the purchase. For other users, the Sales Manager sends an email to the Administrator to have the account created. The general public does not need an account to provide feedback or sign up for the Offers newsletter.
9. Customers who lose their password to the Package Sales System can request a new one, and a link will be sent to their email address. Users who lose their password to access the Package Sales System need to physically visit the Administrator, who resets the password and gives it to them in a written note.
10. The email the Sales Manager sends the Administrator states what functions the user should be able to perform.
11. The administrators of the Package Sales System are employees of Confederacy SL.
12. The system is expected to work 24x7.
13. Maintenance stoppages of no more than one hour per week are acceptable outside business hours (business hours are 9 to 5, Tuesday to Sunday).
14. The longest time that the system can be offline during business hours is 2 hours, because sales can be performed with a TPV (point-of-sale terminal) and handwritten notes can partially replace the use of the system.
15. In case of a major malfunction of the system, it would be acceptable to lose one day of data, since most data could be reconstructed by checking with VISA, Amadeus and Mtravel.
16. It is understood that all "live" transactions would be lost in case of an incident.
17. Data needs to be archived for 5 years in order to meet tax regulations.
18. After ten years data should be deleted permanently, as customer behaviour changes over time and the data is no longer useful for Business Intelligence.
19. Sales representatives and customers sometimes make mistakes entering data. This is acceptable as long as no more than one percent of the records contain inaccurate information.
Measurement
Measurement is called "Assessment" in consulting lingo.
An assessment is performed by asking questions, for example:
Who is supposed to access the System? Authorized employees, authorized outsourced employees, clients over 18 years old, potential clients, users in Spain.
Who should not have access to the System? Unauthorized employees, non-employees, users outside Spain, clients younger than 18 years old.
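Requirements 5 to 7 of the use case, written down as an operational baseline and measured against an action log, as an added example for this page (it is not code from the O-ISM3 material or from Ambiguous Ltd). The rules are transcribed from the use case; the role and resource names, the `Event` record and the log entries are constructed assumptions of mine. The point is that once the baseline is a table and a function, "is access secure?" becomes a number that any observer, human or machine, computes identically.

```python
"""Requirements 5 to 7 of the Ambiguous Ltd use case as an operational baseline,
measured against an action log. Added example, not part of the O-ISM3 material:
the rules are transcribed from the use case, everything else is constructed.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Iterable, Optional


class Role(str, Enum):                  # role names are my own assumption
    OWNER = "owner"
    SALES_MANAGER = "sales_manager"
    SALESPERSON = "salesperson"
    CLAIMS_HANDLER = "claims_handler"   # "the person assigned to Feedback and Claims"
    CLIENT = "client"


# Who may perform which action on which resource (requirement 5).
# Anything absent from the table is denied: the baseline is what you want,
# the log is what you get, and the measurement is the comparison.
BASELINE = {
    ("travel_package", "create"): {Role.SALES_MANAGER},
    ("travel_package", "update"): {Role.SALES_MANAGER},
    ("travel_package", "publish"): {Role.SALES_MANAGER},
    ("offer", "create"): {Role.SALES_MANAGER},
    ("sales_statistics_report", "read"): {Role.OWNER},
}


@dataclass(frozen=True)
class Event:
    actor: str
    role: Role
    resource: str
    action: str
    country: str = "ES"               # requirement 7: users outside Spain are excluded
    age: Optional[int] = None         # requirement 6: clients under 18 cannot purchase
    client_of: Optional[str] = None   # for client_personal_info: the salesperson the client belongs to


def allowed(ev: Event) -> bool:
    """The operational definition: True iff the baseline permits this event."""
    if ev.country != "ES":
        return False
    if ev.resource == "client_personal_info" and ev.action == "read":
        if ev.role in (Role.SALES_MANAGER, Role.CLAIMS_HANDLER):
            return True                                   # may view all clients
        return ev.role is Role.SALESPERSON and ev.client_of == ev.actor   # only own clients
    if ev.resource == "travel_package" and ev.action == "purchase":
        return ev.role is Role.CLIENT and ev.age is not None and ev.age >= 18
    return ev.role in BASELINE.get((ev.resource, ev.action), set())


def measure(log: Iterable[Event]) -> dict:
    """Compare the log with the baseline; conformance is a ratio-level measurement."""
    events = list(log)
    violations = [ev for ev in events if not allowed(ev)]
    return {
        "events": len(events),
        "violations": len(violations),
        "conformance": 1.0 - len(violations) / len(events) if events else 1.0,
        "violators": [(ev.actor, ev.resource, ev.action) for ev in violations],
    }


# Constructed sample log. A real one comes from the audit trail, which per
# requirement 3 only records sales activity, so only part of the baseline
# can actually be measured from it.
SAMPLE_LOG = [
    Event("maria", Role.SALES_MANAGER, "travel_package", "publish"),
    Event("pedro", Role.SALESPERSON, "travel_package", "create"),                        # violation
    Event("pedro", Role.SALESPERSON, "client_personal_info", "read", client_of="pedro"),
    Event("pedro", Role.SALESPERSON, "client_personal_info", "read", client_of="ana"),   # violation
    Event("lucia", Role.CLAIMS_HANDLER, "client_personal_info", "read", client_of="ana"),
    Event("c1042", Role.CLIENT, "travel_package", "purchase", age=17),                   # violation
    Event("c1043", Role.CLIENT, "travel_package", "purchase", country="FR", age=30),     # violation
    Event("owner", Role.OWNER, "sales_statistics_report", "read"),
]

if __name__ == "__main__":
    print(measure(SAMPLE_LOG))
```

Two things to notice. The result for the sample log is a conformance of 0.5 with four named violators, and it does not change with who runs it or when: that is the observer independence the next slides ask for. And the measurement is bounded by requirement 3: the system only logs sales activity, so violations of the Travel Package, Offer and personal-information rules are invisible to this check unless logging is extended, which is exactly why "what is logged" is one of the operational questions.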
The O-ISM3 Challenge
Crafting the answers with AIC
Crafting the answers with anything but AIC
The Results
Traditional Security Concepts: ISO2700x
Availability: The property of being accessible and useable upon demand by an authorized entity.
Confidentiality: The property that information is not made available or disclosed to unauthorized individuals, entities, or processes.
Integrity: The property of safeguarding the accuracy and completeness of assets.
Traditional Security Concepts: COBIT
Availability: Relates to information being available when required by the business process now and in the future. It also concerns the safeguarding of necessary resources and associated capabilities.
Confidentiality: Concerns the protection of sensitive information from unauthorized disclosure.
Integrity: Relates to the accuracy and completeness of information as well as to its validity in accordance with business values and expectations
Traditional Security Concepts: ITIL
Availability: Ability of a Configuration Item or IT Service to perform its agreed Function when required. Availability is determined by Reliability, Maintainability, Serviceability, Performance, and Security.
Confidentiality: A security principle that requires that data should only be accessed by authorized people.
Integrity: A security principle that ensures data and Configuration Items are only modified by authorized personnel and Activities. Integrity considers all possible causes of modification, including software and hardware Failure, environmental Events, and human intervention.
Does it match your own definition?
Security Concepts
[Word cloud: Integrity, Confidentiality, Availability, Authentication, Authorization, Audit, Privacy, Utility, Accountability, Reliability, Possession, Non-Repudiation, Identification]
Assessment with Traditional Definitions
What are the high level data resources used by the system?
What is the expected confidentiality of each data resource?
What is the expected integrity (accuracy and completeness) of each data resource?
What is the expected availability of each data resource?
Here is where you need to explain what you mean. The answer depends on the explanation of each concept.
Would you answer the same tomorrow? What if it is someone else who asks? What if it was a machine or a form?
Something is very wrong
Standards don't agree on the definition of the fundamental concepts. Even ISO standards don't.
Confidentiality, Integrity and Availability are surrounded by a constellation of related concepts, and not all professionals agree on which concepts are fundamental.
We could debate whether the different definitions are equivalent, whether the fundamental concepts are incomplete, ambiguous or both, and which are fundamental and which are not.
The mere possibility of such debate and disagreement implies a high variance in assessments, depending on which professional or company you rely on.
The Alternative
Wouldn’t it be better to just skip the debate?
Traditional definitions are about the nature of the thing, “What is it”. Useful to tell security from non-security.
Operational definitions are about the measurement of the thing, “How do you measure it”. Useful to manage security.
The Alternative
On October 15, 1970, the West Gate Bridge in Melbourne, Australia collapsed, killing 35 construction workers. The subsequent enquiry found that the failure arose because engineers had specified the supply of a quantity of flat steel plate. The word flat in this context lacked an operational definition, so there was no test for accepting or rejecting a particular shipment or for controlling quality.
Operational Definitions
Use operational definitions for Security Requirements: each concept is defined through the operations by which we measure it, in this case the questions we ask.
Operationalization is the scientific practice of defining concepts through the operations by which we measure them.
Operational Definitions
Benefits: independent of the observer; repeatable; free of ambiguity and undesirable variance; and, depending on the level of measurement (nominal, ordinal, interval, ratio), they can have units, which makes the optimization of resources possible.
Sorry, I am not defining security itself operationally today
Operational Questions
1. What are the high level data resources used by the system?
2. What are the actions that can be performed on each type of data resource of the system?
3. What are the actions that are logged by the system?
4. What is the maximum amount of time the system's log time may differ from real time?
5. What are the requirements regarding who can do what, and where, with economic or contractual data resources?
6. Who are the users of the system?
7. Who should not be able to use the system?
8. How are user accounts managed?
9. How are credentials (password, digital certificate, other) managed?
10. How are access rights managed?
11. Which roles (types of user accounts) exist within the system?
12. When is the system supposed to be up and working?
13. How many interruptions, and how long, are acceptable in the window of availability?
14. When, and for how long, would a downtime of the system have an unacceptable impact on your business?
15. In case of an incident with the system, how much data, in minutes, hours or days before the incident, can you afford to lose?
16. In the event the system goes down, how many live transactions can you afford to lose?
17. For how long should the data resources be archived?
18. When do the data resources of the system expire and need to be deleted, if ever?
19. What is the maximum tolerable amount of data resources in the system that may be inaccurate?
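Questions 4 and 12 to 19 are the ones with units, so they are where operational definitions pay off most directly. The following is an added example, not part of the O-ISM3 material, that takes the use case's own answers (items 4, 14, 15, 17, 18 and 19) and turns each into a check that returns a measurement with a unit and a verdict. The one-second clock-drift tolerance for question 4, the fixed-offset fallback used when no time-zone database is installed, and every date, timestamp and record count are constructed assumptions of mine.

```python
"""Questions 4 and 12 to 19, answered for the Ambiguous Ltd use case as checks
that return a measurement with a unit and a pass/fail verdict.

Added example, not part of the O-ISM3 material. Thresholds are the use case's
own answers (items 4, 14, 15, 17, 18, 19); the clock-drift tolerance, the
fallback offset and all sample dates, timestamps and counts are constructed.
"""
from datetime import date, datetime, timedelta, timezone
from zoneinfo import ZoneInfo, ZoneInfoNotFoundError

try:
    MADRID = ZoneInfo("Europe/Madrid")      # item 6: the users are in Spain
except ZoneInfoNotFoundError:               # host has no tz database: fixed CEST offset (assumption)
    MADRID = timezone(timedelta(hours=2), "CEST")

MAX_BUSINESS_OUTAGE = timedelta(hours=2)    # item 14
MAX_DATA_LOSS = timedelta(days=1)           # item 15 (a recovery point objective)
RETAIN_YEARS = 5                            # item 17
DELETE_AFTER_YEARS = 10                     # item 18
MAX_INACCURATE = 0.01                       # item 19
MAX_CLOCK_DRIFT = timedelta(seconds=1)      # question 4: assumed, the use case gives no figure


def in_business_hours(t: datetime) -> bool:
    """Business hours are 9 to 5, Tuesday to Sunday, local time (items 13, 14)."""
    local = t.astimezone(MADRID)
    return local.weekday() != 0 and 9 <= local.hour < 17    # weekday() 0 is Monday


def outage_split(start: datetime, end: datetime) -> tuple:
    """(business, non-business) time of an outage. Stepping a minute at a time is
    deliberate: it copes with outages that cross 09:00, 17:00 or a Monday."""
    inside = outside = timedelta(0)
    t = start
    while t < end:
        step = min(timedelta(minutes=1), end - t)
        if in_business_hours(t):
            inside += step
        else:
            outside += step
        t += step
    return inside, outside


def outage_report(start: datetime, end: datetime) -> dict:
    """Item 14: the measurement (minutes inside business hours) and the verdict."""
    inside, _ = outage_split(start, end)
    return {"business_minutes": inside.total_seconds() / 60,
            "meets_item_14": inside <= MAX_BUSINESS_OUTAGE}


def data_loss_ok(last_good_copy: datetime, incident_at: datetime) -> bool:
    """Item 15: at most one day of data may be lost in a major malfunction."""
    return timedelta(0) <= incident_at - last_good_copy <= MAX_DATA_LOSS


def retention_action(record_date: date, today: date) -> str:
    """Items 17 and 18: keep five years, delete after ten, discretionary in between."""
    age_years = (today - record_date).days / 365.25
    if age_years < RETAIN_YEARS:
        return "retain"
    return "must_delete" if age_years >= DELETE_AFTER_YEARS else "may_delete"


def accuracy_report(inaccurate: int, total: int) -> dict:
    """Item 19: at most one percent of the records may be inaccurate."""
    fraction = inaccurate / total if total else 0.0
    return {"inaccurate_fraction": fraction, "meets_item_19": fraction <= MAX_INACCURATE}


def purchase_allowed(purchase_at: datetime, offer_last_day: date) -> bool:
    """Item 4: an Offer expires at local midnight after its last day and a purchase
    is refused even a few seconds later. Timestamps must be timezone-aware: a naive
    UTC value compared with local wall-clock time is off by two hours in summer.
    Adding the question-4 drift tolerance to the purchase time means a slow server
    clock cannot admit a late sale (my design choice, not the use case's)."""
    if purchase_at.tzinfo is None:
        raise ValueError("purchase timestamp must be timezone-aware")
    expiry = datetime.combine(offer_last_day + timedelta(days=1), datetime.min.time(), tzinfo=MADRID)
    return purchase_at + MAX_CLOCK_DRIFT < expiry


if __name__ == "__main__":
    # Constructed sample: an outage on Wednesday 30 July 2014, 16:00 to 19:00 local time.
    print(outage_report(datetime(2014, 7, 30, 16, 0, tzinfo=MADRID), datetime(2014, 7, 30, 19, 0, tzinfo=MADRID)))
    # A purchase five seconds after the 31 July offer expired (22:00:05 UTC is 00:00:05 in Madrid).
    print(purchase_allowed(datetime(2014, 7, 31, 22, 0, 5, tzinfo=timezone.utc), date(2014, 7, 31)))
```

The sample outage yields 60 minutes inside business hours and therefore meets item 14 even though it lasted three hours; the same outage from 10:00 to 13:00 fails. The expiry check is where the "even by a few seconds" of item 4 bites: Madrid midnight is 22:00 UTC in summer and 23:00 UTC in winter, so comparing a naive timestamp with the local expiry is wrong by hours, and a server clock that runs slow admits late purchases, which is why the permitted clock drift of question 4 belongs in the same requirement rather than being treated as an unrelated operations detail.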
Operational Definitions
Would you answer the same tomorrow? What if it is someone else who asks? What if it was a machine or a form?
Conclusions
Is AIC necessary? Is AIC sufficient? Is AIC ambiguous? Is AIC useful? Is AIC reproducible / repeatable / automatable? Is AIC good for measurement, communication, management, risk assessment?
Learn More
Open Information Security Management Maturity Model (O-ISM3) www2.opengroup.org/ogsys/catalog/C102
O-ISM3 Resources www.ism3.com/?q=node/39
O-ISM3 Challenge Study www.slideshare.net/vaceituno/o-ism3-challenge-results-study
Vicente Aceituno, [email protected], +44 20 8144 8211, © Inovement 2014