Post on 19-Dec-2015
1
Security Assessment and Methodologies
Michael Poon
NETdefence Co. Limited
08 Nov 2002
2
Agenda
- Security Basics
- Best Practice in InfoSec Management
- InfoSec Risk Assessment
- Policies, Standards and Procedures
3
Security is Very Complex
Security is currently where networking was 15 years ago:
- Many parts and pieces
- Complex parts
- Lack of expertise in the industry
- No common GUI
- Lack of standards
- Attacks are growing
4
Security Basics: Information and Value of Information
Information: students, staff, plans, procedures, research, reports, mail, contracts, archives, passwords ... ALL ARE DATA but NOT ALL ARE INFORMATION
Beware: data aggregation can become sensitive information
Value of Information:
- Impact and value of service
- Strategic value
- Exam papers
- Recovery value
- Department image and reputation
5
Security Basics: The triads
Confidentiality, Integrity, Availability (SECURITY = QUALITY)
- Integrity: correctness, completeness, validity, authenticity, non-repudiation; threatened by manipulation, destruction, falsification, repudiation
- Availability: continuity, punctuality; threatened by interruption, delay
- Confidentiality: exclusivity; threatened by divulgation
6
Security Basics: The triads
Authentication, Authorization, Accounting (SECURITY = QUALITY)
- Authentication: verify identity
- Authorization: verify credentials, grant rights
- Accounting: auditability
Threats to this triad: ID spoofing, ID masquerade, content modification, repudiation, unauthorized access
7
Threats
Primary threats:
- Unauthorized access
- User masquerading
- Denial of service
- Physical attack
- ...
Secondary threats:
- Introduction of malware
- Bad security administration
- Uncontrolled changes
- Bad architecture, implementation or exploitation
- Misconfiguration
- Manual error
- ...
8
Best Practice InfoSec Management
- ISO/IEC 17799, Information Security Code of Practice (aka BS 7799)
- ISO/IEC 13335, Guidelines for the Management of IT Security (GMITS)
- ITIL Security Management
- Information Security Forum's Standard of Good Practice
- NIST's Principles and Practices for Securing IT Systems
- ISACA's Control Objectives for Information and related Technology (COBIT)
9
A Security Management Model
Layers: Strategy; Management; Operations; Monitoring & Maintenance; Incident Handling & Forensics
Goals: Prevent; Protect; Control; React
Balanced against: Costs; Operability; Efficiency
10
A Security Management Model
- Strategy: define goals (availability, integrity, responsibility); sponsorship
- Management: policies, standards, procedures, reporting, control, legal, training, awareness, audit, technology, pentest
- Operations: operate security; awareness & training
- Monitoring & Maintenance: verify logfiles, control, alerts; update security; report incidents
- Incident Handling & Forensics: analyze evidence, restore service, report, lessons learnt, escalation procedures, contingency
11
ISO17799/BS7799: What is it?
A comprehensive set of controls comprising best practices in Information Security.
An internationally recognized generic information security standard covering 10 subject domains; 36 management objectives; 127 controls; and 500 detail controls.
12
ISO17799/BS7799: History
- UK Government initiative to promote confidence in inter-company trading
- Contributed by Shell, BOC, BT, Marks & Spencer, Midland Bank, Nationwide and Unilever
- First published as DTI Code of Practice PD 0003 in 1993
- Rebadged and published by the British Standards Institution (BSI) as BS7799 Version 1 in Feb 1995
- Top-selling BSI publication in Spring 1996
- Major revision of BS7799, Version 2, published in May 1999
- Formal certification and accreditation schemes launched by BSI in the same year
- Fast-track ISO initiatives accelerated
- Published as an ISO standard in Dec 2000
- Increasing international acceptance as the primary de facto industry security standard
13
BSI Code of Practice Structure: The 10 Subject Domains in Part 1
- Security policy
- Security organization
- Assets classification & control
- Personnel security
- Physical & environmental security
- Computer & network management
- System access control
- System development & maintenance
- Business continuity planning
- Compliance
14
International Take Up
BS7799 adopted by the UK, Netherlands, Australia, New Zealand, Sweden, Switzerland and Norway since 1999.
Recommended in US NIST "Generally Accepted Principles for Securing IT Systems"
High usage in Europe, beginning to penetrate US market
Certification schemes completed and operational in various countries since 1997
Five companies received BS7799 certification in Hong Kong as of today.
15
Component Relationship
- Threats exploit Vulnerabilities
- Threats increase Security Risks
- Vulnerabilities expose Assets
- Vulnerabilities increase Security Risks
- Assets have Asset Values and Potential Impacts
- Asset Values and Potential Impacts increase Security Risks
- Security Risks indicate Security Requirements
- Security Requirements are met by Security Controls
- Security Controls protect against Threats
- Security Controls reduce Security Risks
16
What is ISO 13335?
ISO/IEC 13335: Guidelines for the Management of IT Security (GMITS)
- ISO/IEC TR 13335-1: 1996, Part 1: Concepts and models for IT Security
- ISO/IEC TR 13335-2: 1997, Part 2: Managing and planning IT Security
- ISO/IEC TR 13335-3: 1998, Part 3: Techniques for the management of IT Security
- ISO/IEC TR 13335-4: 2000, Part 4: Selection of safeguards
- ISO/IEC WD 13335-5: 1999, Part 5: Management guidance on network security
17
Risk Assessment Methodology
INFOSEC Assessment Methodology (IAM), developed by the National Security Agency (NSA) of the US Government
- Originally developed by the NSA as a standardised INFOSEC Assessment Methodology (IAM) for Department of Defense (DoD) organizations to perform their own INFOSEC assessments.
- A baseline methodology for information systems security assessment in the U.S. Government over the past fifteen years.
18
IAM - Baseline Categories
- INFOSEC documentation
- INFOSEC roles and responsibilities
- Identification & authentication
- Account management
- Session controls
- External connectivity
- Telecommunications
- Auditing
- Virus protection
- Contingency planning
- Maintenance
- Configuration management
- Back-ups
- Labelling
- Media sanitization/disposal
- Physical environment
- Personnel security
- Training and awareness
19
Planning
- Aim
- Scope
- Boundary
- Gathering information
- System description
- Target risk & required certainty
Assessment Preparation
- Identify assets
- Asset valuation
Risk Analysis
- Identify threats
- Assess likelihood of a compromise
- Assess consequence of a compromise
- Identify vulnerabilities
- Identify safeguards
- Assess risk
Policy Framework & Requirement Definition
Decision
Safeguard Selection
- Administrative
- Personnel
- Physical
- Technical
Construction and Implementation
Decision
- Reduce risk
- Avoid or transfer risk
- Accept risk
- Refine system design
Operations and Maintenance
Decision: change required
- Insignificant
- Significant
Assessment (Part 2: Risk Assessment)
- Certification
- Accreditation
- Recommendations
Risks
- Avoid
- Transfer
- Reduce
- Accept
Phases: Pre-Assessment, Post-Assessment
20
Assessment Steps
Phases: Pre-Assessment, Onsite-Assessment, Post-Assessment
Planning
Information Gathering
- Identify system and information assets
- Understand the criticality of information and systems
- Pre-analysis
Deliverables: established assessment boundary and prepared Assessment Plan
Risk Analysis
- Analyse policies and standards
- Asset identification and valuation
- Threat analysis
- Vulnerability assessment
- Impact and likelihood analysis
- Risk level analysis
Assessment of Risks
Identification/Review of Constraints
Selection of Safeguards
Recommendations
Risk Acceptance
Final Assessment Report
21
Risk Analysis
Qualitative Methodology
A qualitative methodology is adopted throughout the assessment: ordinal scales (e.g. High, Medium, Low, or 0, 1, 2, 3, 4) are used for rankings and descriptions rather than monetary estimates.
22
Risk Analysis
Asset Identification and Valuation
- Assets of the IT infrastructure and systems within the assessment boundary are identified.
- Each information asset is valued according to its sensitivity or criticality.
- Agree upon the scale to be used and the guideline for assigning a value to an asset, e.g. on a scale of 0-4 for each of the CIA properties, as shown in the table below.
- Other valuation methods can be used, e.g. safety, loss of goodwill, financial loss/disruption of activities, etc.

Asset                    Confidentiality   Integrity   Availability
Email Message                   3              3             2
DNS Record                      2              4             3
Firewall Configuration          4              4             2
23
Risk Analysis
Threat and Likelihood Analysis: to identify the threats and to determine the likelihood of their occurrence.
Vulnerability and Ease of Exploitation Analysis: to identify and analyze the vulnerabilities of the IT infrastructure and systems.

Risk level by asset value (rows) against threat level and vulnerability level (columns):

Level of threat:            Low          Medium         High
Level of vulnerability:   L  M  H       L  M  H       L  M  H
Asset value 0             0  1  2       1  2  3       2  3  4
Asset value 1             1  2  3       2  3  4       3  4  5
Asset value 2             2  3  4       3  4  5       4  5  6
Asset value 3             3  4  5       4  5  6       5  6  7
Asset value 4             4  5  6       5  6  7       6  7  8
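The asset valuation table and the risk matrix above are simple enough to encode, which makes the assessment repeatable and lets the team check that every cell of a hand-filled matrix follows the agreed scale. The following is an added example, not code from the presentation or from NETdefence. It assumes two things the slides do not state: that an asset's single value for the matrix is the highest of its C, I and A ratings, and that the matrix is additive (risk = asset value + threat index + vulnerability index, with Low/Medium/High indexed 0, 1, 2), which reproduces every cell of the slide's table. The threat and vulnerability ratings given to the three sample assets are constructed for illustration.

```python
"""Qualitative risk-level calculation in the style of the slides.

Added example (not the presentation's own material). Assumptions:
  - an asset's value is the maximum of its C, I, A ratings (0-4);
  - the risk matrix is additive: asset value + threat index + vulnerability
    index, where Low/Medium/High map to 0/1/2.  This reproduces the 0-8
    table on the slide cell for cell.
"""
from __future__ import annotations

from dataclasses import dataclass

SCALE = ("L", "M", "H")  # Low / Medium / High, indexed 0..2


@dataclass(frozen=True)
class Asset:
    name: str
    confidentiality: int  # 0-4
    integrity: int        # 0-4
    availability: int     # 0-4

    def value(self) -> int:
        """Single asset value for the matrix (assumption: max of C, I, A)."""
        ratings = (self.confidentiality, self.integrity, self.availability)
        for r in ratings:
            if not 0 <= r <= 4:
                raise ValueError(f"{self.name}: rating {r} is outside the 0-4 scale")
        return max(ratings)


def level_index(level: str) -> int:
    """Map 'Low'/'Medium'/'High' (or 'L'/'M'/'H', any case) to 0/1/2."""
    key = level[:1].upper()
    if key not in SCALE:
        raise ValueError(f"level must be Low, Medium or High, got {level!r}")
    return SCALE.index(key)


def risk_level(asset_value: int, threat: str, vulnerability: str) -> int:
    """Return the 0-8 risk level for one asset/threat/vulnerability combination."""
    if not 0 <= asset_value <= 4:
        raise ValueError(f"asset value {asset_value} is outside the 0-4 scale")
    return asset_value + level_index(threat) + level_index(vulnerability)


def risk_matrix() -> dict[tuple[int, str, str], int]:
    """Regenerate the full 5 x 3 x 3 table so it can be compared with the slide."""
    return {(a, t, v): risk_level(a, t, v)
            for a in range(5) for t in SCALE for v in SCALE}


# The three assets from the slide (their C/I/A ratings are the slide's).
SAMPLE_ASSETS = [
    Asset("Email Message", 3, 3, 2),
    Asset("DNS Record", 2, 4, 3),
    Asset("Firewall Configuration", 4, 4, 2),
]

# Constructed threat/vulnerability ratings per asset; the slide gives none.
SAMPLE_EXPOSURE = {
    "Email Message": ("Medium", "High"),
    "DNS Record": ("High", "Medium"),
    "Firewall Configuration": ("Low", "Low"),
}


def rank_assets(assets: list[Asset],
                exposure: dict[str, tuple[str, str]]) -> list[tuple[str, int]]:
    """Assess each asset and return (name, risk) sorted highest risk first.

    This ordering is the 'priority' column the report slide asks for.
    """
    scored = [(a.name, risk_level(a.value(), *exposure[a.name])) for a in assets]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


if __name__ == "__main__":
    for name, risk in rank_assets(SAMPLE_ASSETS, SAMPLE_EXPOSURE):
        print(f"{name:24} risk level {risk}")
```

Because the additive rule is an assumption, `risk_matrix()` is there to be diffed against whatever matrix the assessment team actually agreed; if the team chooses a non-additive scale, only `risk_level` needs to change and the ranking logic stays the same.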
24
Risk Assessment Report
Risk Analysis:
- Assets identification and valuation
- Threat and vulnerability analysis
- Impact and likelihood analysis
- Risk level analysis
Assessment of Risks:
- Findings
- Priority
- Discussion
- Recommendation
25
From Best Practice to Security Management Model
1. STRATEGY
1.1 Continuity of Business
1.2 Quality Criteria
1.3 Sponsorship
2. MANAGEMENT
2.1 Policies, Standards, Procedures
2.2 Awareness & Training
2.3 Legal & Regulatory
2.4 Security Controls & Audit
3. OPERATIONS
3.1 Perimeter Security
3.2 Network Security
3.3 Operating System Security
3.4 Database Security
3.5 Application Security
4. MAINTENANCE
4.1 Technology Watch
4.2 Monitoring
5. INCIDENT HANDLING
5.1 Penetration Testing
5.2 Forensics
Inputs to the InfoSec Risk Assessment: document review; interviews; tests
InfoSec Risk Assessment: risk analysis; gap analysis against best practice, e.g. ISO 17799
Output: Risk Assessment Report on the current state of information security (findings, recommendations), feeding an InfoSec Enhancement Plan
26
Building Information Security Policies, Standards & Procedures
Hierarchy, from top to bottom:
- Laws, Regulations & Requirements
- Policies
- Standards
- Procedures, Practices
- Guidelines
Sources at each level, e.g.: HKSAR laws and legislation; PCO guidelines & regulations; best-practice InfoSec management, e.g. the ISO 17799 standard; ITS Security Policy; departmental security requirements
27
Step by Step to InfoSec Management
Assess risk and determine needs
1. Recognize information resources as essential organizational assets.
2. Develop practical risk assessment procedures that link security to needs and objectives.
3. Hold individuals accountable.
4. Manage risk on a continuing basis.
Establish a central management focal point
5. Designate a central group to carry out key activities.
6. Provide the central group ready and independent access to senior members.
7. Designate dedicated funding and staff.
8. Enhance staff professionalism and technical skills.
Implement appropriate policies and related controls
9. Link policies to needs and objectives.
10. Distinguish between policies and guidelines.
11. Support policies through the central security group.
Promote awareness
12. Continually educate users and others on risks and related policies.
13. Use attention-getting and user-friendly techniques.
Monitor and evaluate policy and control effectiveness
14. Monitor factors that affect risk and indicate security effectiveness.
15. Use results to direct future efforts and hold individuals accountable.
16. Be alert to new monitoring tools and techniques.
28
Thank you!