July 1, 2004 Computer Security: Art and Science ©2002-2004 Matt Bishop
Slide #1-1
Risk Management Process
• Frame = context, strategies
• Assess = determine risk
• Respond = evaluate & implement approaches
• Monitor = detect failures, changes
Slide #1-2
Risk Management Process
[Diagram: Frame, Assess, Respond, Monitor; Information Flows]
Slide #1-3
Risk Assessment Supports
• Develop information security architecture
• Develop security solutions
  – Controls, products, procedures, configurations
• Authorizations
• Modifications of organization processes
• Implementation of security solutions
• Operation and maintenance
Slide #1-4
Risk Concepts
• Measure that combines
• Potential for loss/harm
• Impact of loss/harm
• Likelihood of various forms of loss/harm
Slide #1-5
Overall Process
• Identify and Classify Assets
  – What are we protecting? How are they important?
• Identify Exposures and Threats
  – What would be bad? How could it happen?
• Identify Vulnerabilities and Threat Sources
  – Who or what could cause loss, and how?
• Determine Policies and Controls
  – What should be allowed and what disallowed?
  – How will the policies be enforced?
• Implement and Monitor
  – Deploy controls and use them, gain experience to update p.r.n.
Slide #1-6
Risk Framing Components
[Diagram labels: Organizational Risk Frame; determines; Risk Assessment Methodology; Risk Model; Risk Assessment Process; Assessment Approach; Analysis Approach]
Assumptions, Constraints, Priorities, Trade-offs, Risk Tolerance, Uncertainty
• Establishes foundation
• Delineates boundaries for decisions
Slide #1-7
Risk Model
• Determines risk factors
  – Inputs to determination of risk
• Threats/threat shifting
  – Sources, events, scenarios, responses
• Vulnerabilities, predispositions
• Likelihoods
  – Intent, capability, targeting
Slide #1-8
Risk Model
• Determines risk factors
• Threats/threat shifting
• Vulnerabilities, predispositions
• Likelihoods
• Impacts
• Risk, aggregation
• Uncertainty
Slide #1-9
Generic Risk Model
[Diagram: Threat Source initiates Threat Event, which exploits Vulnerability and causes Adverse Impact, producing Organizational Risk. Other labels: Predisposing Conditions; Controls; in context of; with likelihood of initiation; with likelihood of success; with severity; with pervasiveness; with effectiveness; with degree]
Slide #1-10
Risk Assessment Approaches
• Quantitative
  – numerical
• Qualitative
  – E.g., low, moderate, high
• Semi-quantitative
  – Bins, scales
Slide #1-11
Risk Analysis Approaches
• Threat-oriented
  – What can cause harm/loss
  – What are sources, capabilities, inclinations
• Asset-oriented
  – What are assets, processes, impacts
• Vulnerability-oriented
  – What are weaknesses
  – Can they be exploited
Slide #1-12
Risk Management Hierarchy
• Traceability & Transparency of Risk-based Decisions
• Inter-Tier and Intra-Tier Communications
• Organization-wide Risk Awareness
• Feedback Loop for Continuous Improvement
[Diagram: Tier 1 Organization; Tier 2 Mission/Business Processes; Tier 3 Information Systems; Strategic Risk; Tactical Risk]
Slide #1-13
Risk Management Framework
• Categorize
  – Assets, threats, vulnerabilities
• Select
  – Controls
• Implement
• Assess
• Authorize
• Monitor
• Repeat!
Slide #1-14
Risk Management Framework
[Diagram: Security Life Cycle: Categorize Info Systems; Select Controls; Implement Security Controls; Assess Controls; Authorize Info Systems; Monitor Security Controls]
Architecture Description
• Mission/Business Processes
• FEA Reference Models
• Segment and Solution Arch
• Info System Boundaries
Organizational Inputs
• Laws, Directives, Policy, Guidance
• Strategic Goals & Objectives
• Information Security Requirements
• Priorities and Resources Available
Slide #1-15
Categorizing Information Systems
• Determine types of information handled
  – NIST SP 800-60
• Determine impact values (FIPS-199)
  – Low, medium, high impact
• Security Category = {(C, ic), (I, ii), (A, ia)}
  – Confidentiality, Integrity, Availability impacts
  – Impacts may not be the same
• Overall impact is high-water mark (max)
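The categorization steps on this slide, as an added Python example that is not part of the original slides. It goes one step beyond the slide by first taking the highest value per objective across several information types, then applying the high-water mark; the function names and the sample information types are assumptions made for illustration.

```python
from enum import IntEnum

class Impact(IntEnum):
    """Impact levels as named on the slide (FIPS 199 calls the middle one 'moderate')."""
    LOW = 1
    MEDIUM = 2
    HIGH = 3

OBJECTIVES = ("C", "I", "A")  # Confidentiality, Integrity, Availability

def parse_type(name, impacts):
    """Validate one information type: every objective needs a known level."""
    missing = [o for o in OBJECTIVES if o not in impacts]
    if missing:
        raise ValueError(f"{name}: no impact value for {missing}")
    try:
        return {o: Impact[impacts[o].upper()] for o in OBJECTIVES}
    except KeyError as exc:
        raise ValueError(f"{name}: unknown impact level {exc}") from None

def categorize(info_types):
    """Return (security category, overall impact) for a system.

    Each objective takes the highest value among the information types the
    system handles; the overall impact is the high-water mark of the three.
    """
    if not info_types:
        raise ValueError("system handles no information types")
    parsed = [parse_type(n, v) for n, v in info_types.items()]
    category = {o: max(p[o] for p in parsed) for o in OBJECTIVES}
    return category, max(category.values())

def format_category(category):
    """Render the category in the slide's {(C, ic), (I, ii), (A, ia)} form."""
    pairs = ", ".join(f"({o}, {category[o].name.lower()})" for o in OBJECTIVES)
    return "{" + pairs + "}"

# Constructed sample: the information types and their impact values are
# illustrative only and are not taken from NIST SP 800-60.
SAMPLE_SYSTEM = {
    "public web content": {"C": "low", "I": "medium", "A": "low"},
    "payroll records": {"C": "medium", "I": "medium", "A": "low"},
    "incident reports": {"C": "high", "I": "medium", "A": "low"},
}

if __name__ == "__main__":
    sc, overall = categorize(SAMPLE_SYSTEM)
    print(format_category(sc))
    print("overall impact:", overall.name.lower())
```

A single high-confidentiality information type raises the whole system to high, which in turn drives which control baseline is selected later in the framework.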
Slide #1-16
Control Families
From NIST SP 800-53:
• Access Control (AC)
• Awareness and Training (AT)
• Audit and Accountability (AU)
• Security Assessment and Authorization (CA)
• Configuration Management (CM)
• Contingency Planning (CP)
Slide #1-17
Control Families (cont’d)
• Identification and Authentication (IA)
• Incident Response (IR)
• Maintenance (MA)
• Media Protection (MP)
• Physical and Environmental (PE)
• Planning (PL)
• Personnel Security (PS)
Slide #1-18
Control Families (cont’d)
• Risk Assessment (RA)
• System and Services Acquisition (SA)
• System and Communications Protection (SC)
• System and Information Integrity (SI)
• Program Management (PM)
Slide #1-19
Security Control Structure
• Control Section
• Supplemental Guidance Section
• Control Enhancements
• References
• Priority and Baseline Allocation
Slide #1-20
Security Control Structure
• Control Section
  – Prescribes actions/activities for control
• Supplemental Guidance Section
• Control Enhancements
• References
• Priority and Baseline Allocation
Slide #1-21
Security Control Structure
• Control Section
• Supplemental Guidance Section
  – Non-prescriptive information
• Control Enhancements
• References
• Priority and Baseline Allocation
Slide #1-22
Security Control Structure
• Control Section
• Supplemental Guidance Section
• Control Enhancements
  – Ways to add functionality/specificity and/or
  – Increase strength of control
• References
• Priority and Baseline Allocation
Slide #1-23
Security Control Structure
• Control Section
• Supplemental Guidance Section
• Control Enhancements
• References
  – Includes relevant laws, directives, etc.
• Priority and Baseline Allocation
Slide #1-24
Security Control Structure
• Control Section
• Supplemental Guidance Section
• Control Enhancements
• References
• Priority and Baseline Allocation
  – Priority code indicates order of sequencing for decisions and for implementation/deployment
  – Allocation (with enhancements) for each impact level (should it be used, and with which enhance’t)
Slide #1-25
Security Controls
May involve aspects of
• Policy
• Oversight
• Supervision
• Manual processes
• Actions by people
• Automated mechanisms
Slide #1-26
Security Control Selection
• Select Security Control Baselines
  – Based on system impact level
• Review assumptions/environment
• Tailor Baseline Security Controls
• Create Overlays (if needed)
  – Community-wide and specialized control sets
• Document Security Control Decisions
Slide #1-27
Security Control Tailoring
• Identify and Designate Common Controls
• Apply Scoping Considerations
  – Control allocation and placement
  – Operational/Environmental considerations
  – Security objective-related considerations
  – Technology-related considerations
  – Mission requirement-related considerations
Slide #1-28
Security Control Tailoring
• Identify and Designate Common Controls
• Apply Scoping Considerations
• Select Compensating Controls
• Assign Security Control Parameter Values
• Supplement Security Control Baselines
• Provide Additional Specification Information for Control Implementation
Slide #1-29
Risk Assessment Process
• Prepare using framework
• Identify threat sources and events
• Identify vulnerabilities and predispositions
• Determine likelihood of occurrence
• Determine magnitude of impact
• Determine risk
• Communicate results
• Maintain assessment
Slide #1-30
Key Points
• Security is all about risk management
  – There are no absolutes!
• Important to identify assets, processes
  – Know what you are trying to protect and why!
• Important to know threats, vulnerabilities
  – What can go wrong? How likely?
• Impact and likelihood lead to tradeoffs
  – Selection and implementation of controls
• Security is not an event, it is a process!