© 2003 by Carnegie Mellon University page 1
Information Security Risk Evaluation for Colleges and Universities
Carol Woody, Senior Technical Staff, Software Engineering Institute, Carnegie Mellon University
Copyright Statement
Copyright Carol Woody 2003. This work is the intellectual property of the author. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to republish requires written permission from the author.
Objectives
Internet Context
Security Risk Management
Information Security Risk Evaluation using the OCTAVE® Approach
The New ’Net
Source: http://cm.bell-labs.com/who/ches/map/gallery/index.html
Unwarranted Trust
• Address spoofing
• Viruses & worms
• Denial of service attacks
• Packet sniffing
• Password cracking
All Sites are Potentially Vulnerable
• Design Vulnerabilities
• Implementation Vulnerabilities
• Configuration Vulnerabilities
• Resource Vulnerabilities
• User Vulnerabilities
• Business Process Vulnerabilities
Growth in Number of Vulnerabilities Reported to the CERT/CC
Attack Impact vs. Intruder Knowledge
Source: www.cert.org
Statistics from IT Security
CSI & FBI 2003 Computer Crime and Security Survey
• 78% of 530 respondents detected Internet security breaches
• 30% detected internal security breaches
Statistics from IT Security
Likely sources of attack
• Independent hackers
• Disgruntled employees (current & former)
• Competitors
• Foreign governments & corporations
Protection Responses
Implement effective security practices
• Firewalls
• Intrusion detection
• Encryption and authentication
• Software upgrades and patching
• Self-hacking
Protection is Incomplete
Security management requires a plan to recognize, resist, and recover
• Hackers are running programs on the Internet at all times looking for security holes (technical vulnerabilities).
• People using the Internet are unaware of the risks (organizational vulnerabilities).
Selecting Security Practices - 1
What do you need to protect?
What will protection failure mean?
What vulnerabilities exist in your environment?
How much protection can you afford?
Selecting Security Practices - 2
Technical Vulnerability Management
• Focus is primarily on technology
• Led by external experts
• Driven by software vendor information
• Accurate for a very limited timeframe
Selecting Security Practices - 3
Security Risk Management
• Led by the organization
• Defines and prioritizes the risks based on organizational goals
• Includes security issues in the planning, policy and procedures of the organization
• Considers a wider range of risks
Risk Management
Each organization must “own” its risk.
• Each organization has a unique set of information security risks.
• Information security risks can affect an organization’s ability to meet its mission.
Multiple Perspectives of Security
Internal and external participants
• Information technology (IT) staff
• Employees
• Managers
• Contractors
• Service providers
• Partners and collaborators
Risk Management Regulations
Regulations may mandate security risk management:
• Health Insurance Portability and Accountability Act (HIPAA) for health care organizations
• Gramm-Leach-Bliley Act for financial organizations
Risk Aware Culture
Information security risks cannot be addressed if they aren’t communicated to and understood by the organization’s decision makers.
Everyone must be able to identify and respond to security risks.
Risk - 1
The possibility of suffering harm or loss
Risk consists of
• an event
• consequence
• uncertainty
Risk - 3
[Diagram of the components of a risk: threat actor, asset, organizational vulnerabilities, technology vulnerabilities, and impact on the organization, labelled as event, consequence, and uncertainty.]
Effective Risk Management
Effective information security risk management requires:
• a systematic process
• experience and expertise
• information (e.g., risks, lessons learned)
• a risk-aware culture
The OCTAVE® Approach
Operationally Critical Threat, Asset, and Vulnerability Evaluation℠
® OCTAVE is registered with the U.S. Patent and Trademark Office by Carnegie Mellon University.
℠ Operationally Critical Threat, Asset, and Vulnerability Evaluation is a service mark of Carnegie Mellon University.
OCTAVE Approach
Use OCTAVE to identify, analyze, and plan security risk management.
OCTAVE Phases
OCTAVE is structured into the following three phases:
• Phase 1: Build Asset-Based Threat Profiles
• Phase 2: Identify Infrastructure Vulnerabilities
• Phase 3: Develop Security Strategy and Plans
OCTAVE Analysis Team
• An interdisciplinary team, consisting of
  - teaching and administrative staff
  - information technology staff
Catalog of Security Practices
[Diagram relating the Security Practice Survey, the OCTAVE Catalog of Practices, the Protection Strategy, and the Mitigation Plan.]
Operational Practice Areas
• System and Network Management
• System Administration Tools
• Monitoring and Auditing IT Security
• Authentication and Authorization
• Vulnerability Management
• Encryption
• Security Architecture and Design
• Incident Management
• General Staff Practices
• Physical Security Plans and Procedures
• Physical Access Control
• Monitoring and Auditing Physical Security
Outputs of the OCTAVE Approach
• Protection Strategy: defines organizational direction
• Mitigation Plan: plans designed to reduce risk
• Action List: near-term action items
OCTAVE Method
Focused on large-scale (300 or more employees) or complex organizations
• A systematic, context-sensitive method for use across the organization, involving multiple organizational levels and IT
• Uses open-ended “essay” worksheets for information collection
• Requires moderate level of security expertise
OCTAVE-S
Focused on small (less than 100 employees) or simple organizations
• Requires analysis team to have a full, or nearly full, understanding of the organization and what is important
• Uses “fill-in-the-blank” worksheets in a structured process
• Requires less security expertise
Key Selection Question - 1
Does the analysis team (i.e., 3-5 people) have sufficient insight into the organization to characterize the information security risks affecting the organization?
Key Selection Question - 2
Does the organization have the capability (security expertise) to conduct the Phase 2 vulnerability evaluation?
OCTAVE Information
Visit http://www.cert.org/octave
• Introduction to the OCTAVE® Approach
• OCTAVE® Method Implementation Guide
• OCTAVE®-S (preliminary version)
Additional Options
OCTAVE® Transition Partners: licensed to train and assist organizations in using the OCTAVE Approach
Book: Managing Information Security Risks: The OCTAVE℠ Approach
Public Training at the SEI http://www.sei.cmu.edu/products/courses/