Security Assessment and Methodologies

Michael Poon
NETdefence Co. Limited
08 Nov 2002
(mpoon@netdefence.com)


Agenda

- Security Basics
- Best Practice in InfoSec Management
- InfoSec Risk Assessment
- Policies, Standards and Procedures


Security is Very Complex

Security is currently where networking was 15 years ago:

- Many parts & pieces
- Complex parts
- Lack of expertise in the industry
- No common GUI
- Lack of standards
- Attacks are growing


Security Basics: Information and Value of Information

Information
- Students, staff, plans, procedures, research, reports, mail, contracts, archives, passwords ...
- ALL ARE DATA but NOT ALL ARE INFORMATION
- Beware: data aggregation can become sensitive information

Value of Information
- Impact and value of service
- Strategic value (e.g. exam papers)
- Recovery value
- Department image and reputation


Security Basics: The triads

SECURITY = QUALITY

Property          Quality it provides                                                   Threats it counters
Confidentiality   Exclusivity                                                           Divulgation
Integrity         Correctness, Completeness, Validity, Authenticity, Non-repudiation    Manipulation, Destruction, Falsification, Repudiation
Availability      Continuity, Punctuality                                               Interruption, Delay


Security Basics: The triads

SECURITY = QUALITY

Property          Function                            Threats it counters
Authentication    Verify identity                     ID spoofing, ID masquerade
Authorization     Verify credentials, grant rights    Unauthorized access, Content modification
Accounting        Auditability                        Repudiation


Threats

Primary Threats
- Unauthorized access
- User masquerading
- Denial of service
- Physical attack
- ...

Secondary Threats
- Introduction of malware
- Bad security administration
- Uncontrolled changes
- Bad architecture, implementation or exploitation
- Misconfiguration
- Manual error
- ...


Best Practice InfoSec Management

- ISO/IEC 17799: Information Security Code of Practice (aka BS 7799)
- ISO/IEC 13335: Guidelines for the Management of IT Security (GMITS)
- ITIL Security Management
- Information Security Forum's Standard of Good Practice
- NIST's Principles and Practices for Securing IT Systems
- ISACA's Control Objectives for Information and related Technology (COBIT)


A Security Management Model

Layers:
- Strategy
- Management
- Operations
- Monitoring & Maintenance
- Incident Handling & Forensics

Goals: Prevent, Protect, Control, React

Costs: Operability, Efficiency


A Security Management Model

- Strategy: define goals (Availability, Integrity, Responsibility); sponsorship
- Management: policies, standards, procedures, reporting, control, legal, training, awareness, audit, technology, PenTest
- Operations: operate security; awareness & training
- Monitoring & Maintenance: verify logfiles, control, alerts; update security; report incidents
- Incident Handling & Forensics: analyze evidence, restore service, report, lessons learnt, escalation procedures, contingency


ISO17799/BS7799: What is it?

A comprehensive set of controls comprising best practices in Information Security.

An internationally recognized generic information security standard covering 10 subject domains; 36 management objectives; 127 controls; and 500 detail controls.


ISO17799/BS7799: History

- UK Government initiative to promote confidence in inter-company trading
- Contributed by Shell, BOC, BT, Marks & Spencer, Midland Bank, Nationwide and Unilever
- First published as DTI Code of Practice as PD 0003 in 1993
- Rebadged and published by the British Standards Institution (BSI) as BS7799 Version 1 in Feb 1995
- Top selling BSI publication in Spring 1996
- Major revision of BS7799: Version 2 published in May 1999
- Formal certification and accreditation schemes launched by BSI in the same year
- Fast track ISO initiatives accelerated
- Published as an ISO standard in Dec 2000
- Increasing international acceptance as the primary de facto industry security standard


BSI Code of Practice Structure: The 10 Subject Domains in Part 1

- Security policy
- Security organization
- Assets classification & control
- Personnel security
- Physical & environmental security
- Computer & network management
- System access control
- System development & maintenance
- Business continuity planning
- Compliance


International Take Up

- BS7799 adopted by the UK, Netherlands, Australia, New Zealand, Sweden, Switzerland and Norway since 1999.
- Recommended in US NIST "Generally Accepted Principles and Practices for Securing Information Technology Systems".
- High usage in Europe, beginning to penetrate the US market.
- Certification schemes completed and operational in various countries since 1997.
- Five companies have received BS7799 certification in Hong Kong as of today (Nov 2002).


Component Relationship

- Threats exploit Vulnerabilities
- Vulnerabilities expose Assets
- Threats increase Security Risks
- Vulnerabilities increase Security Risks
- Assets have Asset Values and Potential Impacts
- Asset Values and Potential Impacts increase Security Risks
- Security Risks indicate Security Requirements
- Security Requirements are met by Security Controls
- Security Controls protect against Threats
- Security Controls reduce Security Risks


What is ISO 13335?

ISO/IEC 13335: Guidelines for the Management of IT Security (GMITS)

- ISO/IEC TR 13335-1:1996 Part 1: Concepts and models for IT Security
- ISO/IEC TR 13335-2:1997 Part 2: Managing and planning IT Security
- ISO/IEC TR 13335-3:1998 Part 3: Techniques for the management of IT Security
- ISO/IEC TR 13335-4:2000 Part 4: Selection of safeguards
- ISO/IEC WD 13335-5:1999 Part 5: Management guidance on network security


Risk Assessment Methodology

INFOSEC Assessment Methodology (IAM), developed by the National Security Agency (NSA) of the US Government.

- Originally developed by the NSA as a standardised INFOSEC Assessment Methodology (IAM) for Department of Defense (DoD) organizations to perform their own INFOSEC assessments.
- A baseline methodology for information systems security assessment in the U.S. Government over the past fifteen years.


IAM - Baseline Categories

- INFOSEC documentation
- INFOSEC roles and responsibilities
- Identification & authentication
- Account management
- Session controls
- External connectivity
- Telecommunications
- Auditing
- Virus protection
- Contingency planning
- Maintenance
- Configuration management
- Back-ups
- Labelling
- Media sanitization/disposal
- Physical environment
- Personnel security
- Training and awareness


Part 2: Risk Assessment

Pre-Assessment
- Planning: aim; scope; boundary; gathering information; system description; target risk & required certainty
- Assessment Preparation: identify assets; asset valuation

Assessment
- Risk Analysis: identify threats; assess likelihood of a compromise; assess consequence of a compromise; identify vulnerabilities; identify safeguards; assess risk
- Policy Framework & Requirement Definition
- Decision: reduce risk / avoid or transfer risk / accept risk
- Safeguard Selection: administrative; personnel; physical; technical
- Construction and Implementation
- Refine System Design
- Operations and Maintenance
- Decision: is the change required insignificant or significant?
- Certification
- Accreditation

Post-Assessment
- Recommendations
- Risks: avoid; transfer; reduce; accept


Assessment Steps

Pre-Assessment
- Planning
- Information Gathering: identify system and information assets; understand the criticality of information and system; pre-analysis
- Output: established assessment boundary and prepared Assessment Plan

Onsite-Assessment
- Risk Analysis: analyse policy and standards; asset identification and valuation; threat analysis; vulnerability assessment; impact and likelihood analysis; risk level analysis
- Assessment of Risks
- Identification/Review of Constraints
- Selection of Safeguards

Post-Assessment
- Recommendations
- Risk Acceptance
- Final Assessment Report


Risk Analysis

Qualitative Methodology: a qualitative methodology is adopted throughout the assessment, in which scales (e.g. High, Medium, Low, or 0, 1, 2, 3, 4) are used in rankings and description.


Risk Analysis

Asset Identification and Valuation
- Assets of IT infrastructure and systems within the assessment boundary are identified.
- Each information asset is valued according to its sensitivity or criticality.
- Agree upon the scale to be used and the guideline for assigning a value to an asset, e.g. on a scale of 0-4 based on CIA properties as shown in the table below.
- Other valuation methods can be used, e.g. safety, loss of goodwill, financial loss/disruption of activities, etc.

Asset                    Confidentiality   Integrity   Availability
Email Message                   3              3            2
DNS Record                      2              4            3
Firewall Configuration          4              4            2


Risk Analysis

Threat and Likelihood Analysis: to identify the threats and to determine the likelihood of their occurrence.

Vulnerability and Ease of Exploitation Analysis: to identify and analyze the vulnerabilities of the IT infrastructure and systems.

Risk level as a function of asset value, level of threat and level of vulnerability. Every cell is the sum asset value + threat level + vulnerability level with L = 0, M = 1, H = 2, so the resulting risk scale runs from 0 to 8:

                        Level of Threat
                  Low            Medium         High
Level of          L   M   H      L   M   H      L   M   H
Vulnerability
Asset Value 0     0   1   2      1   2   3      2   3   4
Asset Value 1     1   2   3      2   3   4      3   4   5
Asset Value 2     2   3   4      3   4   5      4   5   6
Asset Value 3     3   4   5      4   5   6      5   6   7
Asset Value 4     4   5   6      5   6   7      6   7   8
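The matrix above is purely additive, so it can be regenerated and applied mechanically. The following Python is an added example, not part of the original presentation: it encodes the rule (asset value + threat level + vulnerability level, with L/M/H mapped to 0/1/2), rebuilds the 5x9 table so the rule can be checked against the slide, and produces a ranked risk register for the three assets of the valuation table, which is the "risk level analysis" step of the assessment. The threat scenarios are constructed for illustration, and the decision to score each scenario against the rating of the CIA property it attacks (a DNS integrity threat against DNS integrity = 4, not its confidentiality = 2) is a design choice of this example that the slides do not state.

```python
# Added example (not from the original presentation): the additive risk
# matrix applied to the three assets of the valuation table.
# Rule read off the matrix: risk = asset value (0-4) + threat level
# + vulnerability level, with L=0, M=1, H=2, giving a 0-8 scale.
# The threat scenarios in SAMPLE are constructed for illustration.
from dataclasses import dataclass
from typing import Dict, List, Tuple

LEVEL = {"L": 0, "M": 1, "H": 2}   # ordinal scale shared by threat and vulnerability

# Asset valuation table from the slides: C/I/A each rated 0-4.
ASSETS: Dict[str, Dict[str, int]] = {
    "Email Message":          {"C": 3, "I": 3, "A": 2},
    "DNS Record":             {"C": 2, "I": 4, "A": 3},
    "Firewall Configuration": {"C": 4, "I": 4, "A": 2},
}


@dataclass(frozen=True)
class Scenario:
    asset: str        # key into ASSETS
    prop: str         # CIA property the threat acts on: "C", "I" or "A"
    threat: str       # free-text description
    likelihood: str   # level of threat, L/M/H
    exposure: str     # level of vulnerability (ease of exploitation), L/M/H


def risk_level(asset_value: int, threat: str, vulnerability: str) -> int:
    """One cell of the matrix. Inputs are validated so a typo such as 'Med'
    or an out-of-scale asset value fails loudly instead of silently scoring 0."""
    if not 0 <= asset_value <= 4:
        raise ValueError(f"asset value must be 0-4, got {asset_value!r}")
    try:
        return asset_value + LEVEL[threat.upper()] + LEVEL[vulnerability.upper()]
    except KeyError as exc:
        raise ValueError(f"level must be one of L/M/H, got {exc.args[0]!r}") from None


def build_matrix() -> List[List[int]]:
    """Regenerate the 5x9 table (rows: asset value 0-4; columns: threat L/M/H,
    each split into vulnerability L/M/H) to check the rule against the slide."""
    return [[risk_level(v, t, u) for t in "LMH" for u in "LMH"] for v in range(5)]


def score(scenario: Scenario, assets: Dict[str, Dict[str, int]] = ASSETS) -> int:
    """Assumption of this example (not stated on the slides): the asset value fed
    into the matrix is the rating of the property the threat acts on."""
    value = assets[scenario.asset][scenario.prop]
    return risk_level(value, scenario.likelihood, scenario.exposure)


def rank(scenarios: List[Scenario],
         assets: Dict[str, Dict[str, int]] = ASSETS) -> List[Tuple[int, Scenario]]:
    """Risk register ordered highest risk first; the sort is stable, so ties keep input order."""
    return sorted(((score(s, assets), s) for s in scenarios),
                  key=lambda item: item[0], reverse=True)


# Constructed scenarios for the worked register.
SAMPLE = [
    Scenario("DNS Record", "I", "unauthorised change to a zone record", "M", "H"),
    Scenario("Firewall Configuration", "C", "rule base disclosed to an outsider", "L", "M"),
    Scenario("Email Message", "A", "mail relay outage", "M", "L"),
    Scenario("Firewall Configuration", "I", "unauthorised rule change", "H", "M"),
]

if __name__ == "__main__":
    for level, s in rank(SAMPLE):
        print(f"{level}  {s.asset:<22} {s.prop}  {s.threat}")
```

Because the scale is ordinal and the three components carry equal weight, a 6 reached as (asset 4, threat H, vulnerability L) and a 6 reached as (asset 3, threat H, vulnerability M) call for different safeguards; keep the components in the register alongside the sum rather than reporting the sum alone.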


Risk Assessment Report

Risk Analysis
- Assets Identification and Valuation
- Threat and Vulnerability Analysis
- Impact and Likelihood Analysis
- Risk Level Analysis

Assessment of Risks
- Findings
- Priority
- Discussion
- Recommendation


From Best Practice to Security Management Model

1. STRATEGY

1.1 Continuity of Business

1.2 Quality Criteria

1.3 Sponsorship

2. MANAGEMENT

2.1 Policies, Standards, Procedures

2.2 Awareness & Training

2.3 Legal & Regulatory

2.4 Security Controls & Audit

3. OPERATIONS

3.1 Perimeter Security

3.2 Network Security

3.3 Operating System Security

3.4 Database Security

3.5 Application Security

4. MAINTENANCE

4.1 Technology Watch

4.2 Monitoring

5. INCIDENT HANDLING

5.1 Penetration Testing

5.2 Forensics

Diagram: a gap analysis (document review, interviews, tests) compares the current state of information security against best practice, e.g. ISO 17799. Its output is the Risk Assessment Report on the Current State of Information Security (findings, risk analysis and recommendations of the InfoSec Risk Assessment), which feeds the InfoSec Enhancement Plan.


Building Information Security Policies, Standards & Procedures

Hierarchy (top to bottom):
- Laws, Regulations & Requirements
- Policies
- Standards
- Procedures, Practices
- Guidelines

Inputs:
- HKSAR laws and legislation
- PCO guidelines & regulations
- Best practice InfoSec management, e.g. ISO 17799 standard
- ITS Security Policy
- Departmental security requirements


Step by Step to InfoSec Management

Assess Risk and Determine Needs
1. Recognize information resources as essential organizational assets.
2. Develop practical risk assessment procedures that link security to needs and objectives.
3. Hold individuals accountable.
4. Manage risk on a continuing basis.

Establish a Central Management Focal Point
5. Designate a central group to carry out key activities.
6. Provide the central group ready and independent access to senior members.
7. Designate dedicated funding and staff.
8. Enhance staff professionalism and technical skills.

Implement Appropriate Policies and Related Controls
9. Link policies to needs and objectives.
10. Distinguish between policies and guidelines.
11. Support policies through the central security group.

Promote Awareness
12. Continually educate users and others on risks and related policies.
13. Use attention-getting and user-friendly techniques.

Monitor and Evaluate Policy and Control Effectiveness
14. Monitor factors that affect risk and indicate security effectiveness.
15. Use results to direct future efforts and hold individuals accountable.
16. Be alert to new monitoring tools and techniques.


Thank you!