
Information Security Planning Overview

Information Security Planning Overview. Susan Lincke, Assoc Prof Computer Science, University of Wisconsin-Parkside. Acknowledgments. Material is from: CISA Review Manual, 2009; CISM Review Manual, 2009; All-in-One CISSP Exam Guide, 4th Edition, McGraw Hill, 2008




Presentation Transcript


  1. Information Security Planning Overview Susan Lincke Assoc Prof Computer Science University of Wisconsin-Parkside Based on CISA Review Manual 2009

  2. Acknowledgments
     Material is from:
     • CISA Review Manual, 2009
     • CISM Review Manual, 2009
     • All-in-One CISSP Exam Guide, 4th Edition, McGraw Hill, 2008
     • Essentials of Corporate Fraud, T L Coenen, John Wiley & Sons, 2008
     • The Art of the Steal, Frank Abagnale, Broadway Books, 2001
     Author: Susan J Lincke, PhD, Univ. of Wisconsin-Parkside
     Reviewers:
     Funded by National Science Foundation (NSF) Course, Curriculum and Laboratory Improvement (CCLI) grant 0837574: Information Security: Audit, Case Study, and Service Learning. Any opinions, findings, and conclusions or recommendations expressed in this material are those of the author and/or source(s) and do not necessarily reflect the views of the National Science Foundation.

  3. Imagine a company… Bank with 1 Million accounts, social security numbers, credit cards, loans… Airline serving 50,000 people on 250 flights daily… Pharmacy system filling 5 million prescriptions per year, some of the prescriptions are life-saving… Factory with 200 employees producing 200,000 products per day using robots…

  4. Business-Driven Approach to Security
     What are our company assets? What are our vulnerabilities?
     Areas (diagram): Information Security; Risk Mgmt; Business Impact Assessment; Network Security; Incident Response; Fraud

  5. Due Diligence
     Due Diligence = did a careful risk assessment (RA)
     Due Care = implemented the controls recommended by the RA
     Liability is minimized if reasonable precautions were taken
     Elements (diagram): Policies & Procedures; Compliance; Risk Assessment; Adequate Security Controls; Senior Mgmt Support; Backup & Recovery; Business Continuity & Disaster Recovery; Monitoring & Metrics

  6. Wisconsin Statute 134.98
     Restricted data includes:
     • Social Security Number
     • Driver’s license # or state ID #
     • Financial account number (credit/debit) and access code/password
     • DNA profile (Statute 939.74)
     • Biometric data
     National HIPAA protects: health status, treatment, or payment

  7. Business-Driven Approach to Security What are our company assets? What are our vulnerabilities? Risk Mgmt What should we protect? How much are we liable for? How much should we spend? What kind of security technology should we use? Where should we use these security techniques & technology?

  8. Security Evaluation: Risk Assessment
     Five steps:
     1. Assign values to assets: where are the crown jewels?
     2. Determine loss due to threats & vulnerabilities: confidentiality, integrity, availability
     3. Estimate likelihood of exploitation: weekly, monthly, 1 year, 10 years?
     4. Compute expected loss:
        Loss = Downtime + Recovery + Liability + Replacement
        Risk Exposure = ProbabilityOfVulnerability * $Loss
     5. Treat risk: survey & select new controls; reduce, transfer, avoid or accept risk
        Risk Leverage = ((Risk exposure before reduction) – (Risk exposure after reduction)) / (Cost of risk reduction)

  9. Step 1: Determine Criticality of Resources

  10. Step 2: Determine Loss (taken from CISM Exhibit 2.16)

  11. Step 3: Estimate Likelihood of Exploitation: Vulnerability Assessment Quadrant Map
      Threat (probability) axis: 1 week, 1 year, 5 years (.2), 10 years (.1), 20 years (.05), 50 years (.02)
      Vulnerability (severity) axis: slow down business, temporarily shut business, threaten business
      Threats plotted in quadrants 1–4 (map positions not shown in the transcript): Hacker/Criminal, Loss of Electricity, Malware, Snow emergency, Social Engineering, Intruder, Stolen Laptop, Spy, Flood, Earthquake, Disgruntled Employee, Fire, Terrorist

  12. Step 4: Compute Loss Using Quantitative Analysis
      Single Loss Expectancy (SLE): the cost to the organization if one threat occurs once
        E.g. stolen laptop = replacement cost + cost of installation of special software and data (assumes no liability)
        SLE = Asset Value (AV) x Exposure Factor (EF); with a stolen laptop, EF > 1.0
      Annualized Rate of Occurrence (ARO): probability or frequency of the threat occurring in one year
        If a fire occurs once every 25 years, ARO = 1/25
      Annual Loss Expectancy (ALE): the annual expected financial loss to an asset, resulting from a specific threat
        ALE = SLE x ARO

  13. Example: Quantitative Analysis
      Quantitative: cost of a HIPAA accident with insufficient protections
      SLE = $50K + (1 year in jail:) $100K = $150K
      Estimate of time = 10 years or less, so ARO = 0.1
      Annualized Loss Expectancy (ALE) = $150K x 0.1 = $15K
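The formulas of slides 8, 12 and 13 carried through in code, as an added example that is not part of the presentation: it reproduces the HIPAA figures and then uses risk leverage to pick a treatment. The stolen-laptop figures and the two controls are constructed assumptions.

```python
# Added example (not from the slides): SLE = AV x EF, ARO = 1 / years between
# occurrences, ALE = SLE x ARO, and Risk Leverage = (exposure before - exposure
# after) / cost of control, used to decide whether a control is worth buying.
from dataclasses import dataclass

@dataclass
class Threat:
    name: str
    asset_value: float      # AV in dollars
    exposure_factor: float  # EF: fraction of AV lost per occurrence; may exceed 1.0
    years_between: float    # expected years between occurrences (ARO = 1 / this)

    def sle(self) -> float:
        return self.asset_value * self.exposure_factor

    def aro(self) -> float:
        return 1.0 / self.years_between

    def ale(self) -> float:
        return self.sle() * self.aro()

@dataclass
class Control:
    name: str
    annual_cost: float
    residual_ale: float     # ALE that remains once the control is in place

def risk_leverage(threat: Threat, control: Control) -> float:
    """Expected loss removed per dollar spent; > 1.0 means the control pays for itself."""
    return (threat.ale() - control.residual_ale) / control.annual_cost

def treat_risk(threat: Threat, controls: list) -> str:
    """Mitigate with the highest-leverage control that is worth its cost;
    otherwise the remaining treatments are accept, transfer or avoid."""
    worthwhile = [c for c in controls if risk_leverage(threat, c) > 1.0]
    if not worthwhile:
        return "accept/transfer/avoid"
    best = max(worthwhile, key=lambda c: risk_leverage(threat, c))
    return "mitigate: " + best.name

# Slide 13's HIPAA example: SLE = $50K + $100K = $150K, once in 10 years -> ALE $15K.
hipaa = Threat("HIPAA accident, insufficient protections", 150_000, 1.0, 10)
# Slide 12's stolen laptop, EF > 1.0 (replacement + reinstall exceeds AV); constructed figures.
laptop = Threat("stolen laptop", 2_000, 1.5, 2)
# Hypothetical controls with constructed costs and residual exposures.
controls = [Control("encrypt PHI at rest", 5_000, 3_000),
            Control("outsourced 24x7 monitoring", 40_000, 1_000)]

if __name__ == "__main__":
    print(f"{hipaa.name}: ALE ${hipaa.ale():,.0f} -> {treat_risk(hipaa, controls)}")
    print(f"{laptop.name}: SLE ${laptop.sle():,.0f}, ALE ${laptop.ale():,.0f}")
```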

  14. Step 5: Treat Risk
      Risk Acceptance: handle the attack when necessary (e.g., comet hits); ignore the risk if risk exposure is negligible
      Risk Avoidance: stop doing the risky behavior (e.g., do not use Social Security Numbers)
      Risk Mitigation: implement a control to minimize the vulnerability (e.g., purchase & configure a firewall)
      Risk Transference: pay someone to assume the risk for you (e.g., a doctor buys malpractice insurance); while financial impact can be transferred, legal responsibility cannot
      Risk Planning: implement a set of controls

  15. Continuous Risk Mgmt Process
      • Risks change with time as business & environment change
      • Controls degrade over time and are subject to failure
      • Countermeasures may open new risks
      Cycle (diagram): Risk Appetite; Identify & Assess Risks; Develop Risk Mgmt Plan; Implement Risk Mgmt Plan; Proactive Monitoring

  16. Business-Driven Approach to Security What are our company assets? What are our vulnerabilities? Information Security What Assets do we need to protect? What data is sensitive? What data is critical? How should we treat sensitive data? Who should have access to sensitive data? Who decides who has access to sensitive data?

  17. Sensitivity Classification (Example) (table not recovered in the transcript; one row is labelled Sensitive) CISA Review Manual 2009

  18. Sensitivity Classification

  19. Information Owner or Data Owner
      • Is responsible for the data within the business (mgr/director, not IS staff)
      • Determines who can have access to data and may grant permissions directly, OR gives written permission for access directly to the security administrator, to prevent mishandling or alteration
      • Periodically reviews authorization to restrict authorization creep
      CISA Review Manual 2009

  20. Physical Information Security (diagram labels): Public; Private; Sensitive

  21. Business-Driven Approach to Security What are our company assets? What are our vulnerabilities? Network Security Where do we perform various applications from? What applications can enter and leave our network? In what parts of the network will processing occur? How should we best protect the sensitive data? What illegal transactions should we be monitoring for?

  22. Who can access which information from where? (network diagram)
      Nodes shown: Personnel, Finance; Medical Plan; Medical DB; Secure Server; Chris Laptop; Internet; cable modem; Secure WLAN; VLAN; Jamie Laptop (home); Web/Email Server; hospital; Terry Comp.

  23. Path of Logical Access
      How many logical access checks are required? How could access control be improved?
      Diagram (from outside in): The Internet -> Border Router/Firewall -> De-Militarized Zone -> Router/Firewall -> Private Network, with a WLAN also shown

  24. Business-Driven Approach to Security What are our company assets? What are our vulnerabilities? Business Impact Assessment Which business processes are of strategic importance? What disasters could occur? What impact would these have financially? On life? On reputation? What is the required recovery time period? How much data can we afford to lose after a disaster?

  25. Recovery Time: Terms
      Interruption Window: time duration the organization can wait between point of failure and service resumption
      Service Delivery Objective (SDO): level of service in Alternate Mode
      Maximum Tolerable Outage: max time in Alternate Mode
      Time line (diagram): Regular Service -> Interruption -> Disaster Recovery Plan Implemented -> Alternate Mode (at SDO) -> Restoration Plan Implemented -> Regular Service; the Interruption Window and the Maximum Tolerable Outage are marked on this time line

  26. Classification of Services
      Critical ($$$$): cannot be performed manually; tolerance to interruption is very low
      Vital ($$): can be performed manually for a very short time
      Sensitive ($): can be performed manually for a period of time, but may cost more in staff
      Nonsensitive (¢): can be performed manually for an extended period of time with little additional cost and minimal recovery effort

  27. RPO and RTO (diagram)
      Recovery Point Objective: how far back can you fail to? One week’s worth of data?
      Recovery Time Objective: how long can you operate without a system? Which services can last how long?
      Scale shown around the interruption: One Week, One Day, 24 Hours, 2 Hours, One Hour

  28. Disruption vs. Recovery Costs (chart: cost vs. time)
      Curves: Service Downtime cost; Alternative Recovery Strategies cost, with Hot Site, Warm Site and Cold Site marked along it; Minimum Cost where the two meet

  29. Alternative Recovery Strategies
      Hot Site: fully configured, ready to operate within hours
      Warm Site: ready to operate within days; no or low-power main computer, but does contain disks, network, peripherals
      Cold Site: ready to operate within weeks; contains electrical wiring, air conditioning, flooring
      Duplicate or Redundant Information Processing Facility: standby hot site within the organization
      Reciprocal Agreement: with another organization or division
      Mobile Site: fully- or partially-configured trailer comes to your site, with microwave or satellite communications

  30. Disaster Recovery Test Execution
      Always tested in this order:
      1. Desk-Based Evaluation/Paper Test: a group steps through a paper procedure and mentally performs each step.
      2. Preparedness Test: part of the full test is performed; different parts are tested regularly.
      3. Full Operational Test: simulation of a full disaster

  31. Backup & Offsite Library
      • Backups are kept off-site (1 or more)
      • Off-site is sufficiently far away (disaster-redundant)
      • Library is equally secure as the main site; unlabelled
      • Library has constant environmental control (humidity- and temperature-controlled, UPS, smoke/water detectors, fire extinguishers)
      • Detailed inventory of storage media & files is maintained

  32. Business-Driven Approach to Security What are our company assets? What are our vulnerabilities? Incident Response What incidents could occur that we should be prepared for? What shall we do if our network is penetrated? Who do we contact? How do we prioritize which applications are served?

  33. Incident Response Plan (IRP)
      Preparation: plan PRIOR to incident
      Identification: determine what is/has happened
      Containment: limit incident
      Analysis & Eradication: determine and remove root cause
      Recovery: return operations to normal
      Lessons Learned: process improvement: plan for the future

  34. Stage 1: Preparation
      • What shall we do if different types of incidents occur? (BIA helps)
      • When is the incident management team called?
      • How can governmental agencies or law enforcement help? When do we involve law enforcement?
      • What equipment do we need to handle an incident?
      • What shall we do to prevent or discourage incidents from occurring? (e.g. banners, policies)
      • Where on-site & off-site shall we keep the IRP?

  35. (1) Detection Technologies
      The organization must have sufficient detection & monitoring capabilities to detect incidents in a timely manner.
      Proactive detection includes:
      • Network Intrusion Detection System (NIDS)
      • Host Intrusion Detection System (HIDS), which includes personal firewalls
      • Vulnerability/audit testing
      • Centralized Incident Management System: input is server and system logs; coordinates & correlates logs from many systems; tracks status of incidents to closure
      Reactive detection: reports of unusual or suspicious activity
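A minimal version of the centralized incident management step described on this slide, as an added example that is not part of the presentation: it takes log lines from a NIDS, a HIDS and a server syslog, correlates them per host inside a time window, and tracks the resulting incident to closure. The line format, the sample events and the thresholds are constructed.

```python
# Added example (not from the slides): correlate events from several detection
# sources per host and track the resulting incidents to closure.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample input, one event per line: "<ISO time> <source> <host> <message>"
LOGS = """\
2024-03-01T10:53:00 nids db01 port scan from 203.0.113.7
2024-03-01T10:54:10 syslog db01 sshd: Failed password for root from 203.0.113.7
2024-03-01T10:54:12 syslog db01 sshd: Failed password for root from 203.0.113.7
2024-03-01T10:55:30 hids db01 new listening port 4444 opened by /tmp/.x
2024-03-01T13:02:00 syslog web02 sshd: Failed password for admin from 198.51.100.9
""".splitlines()

WINDOW = timedelta(minutes=10)  # events on one host this close together belong together
MIN_SOURCES = 2                 # require corroboration from two independent detectors

def parse(line):
    ts, source, host, msg = line.split(" ", 3)
    return datetime.fromisoformat(ts), source, host, msg

def correlate(lines):
    """Cluster each host's events into time-window groups; keep the groups that
    are corroborated by at least MIN_SOURCES different sources as incidents."""
    by_host = defaultdict(list)
    for ts, source, host, msg in sorted(parse(l) for l in lines):
        by_host[host].append((ts, source, msg))
    groups = []
    for host, events in by_host.items():
        current = [events[0]]
        for ev in events[1:]:
            if ev[0] - current[-1][0] <= WINDOW:
                current.append(ev)
            else:
                groups.append((host, current))
                current = [ev]
        groups.append((host, current))
    return [{"host": h, "sources": sorted({e[1] for e in evs}), "events": evs,
             "status": "open"}
            for h, evs in groups if len({e[1] for e in evs}) >= MIN_SOURCES]

def close_incident(incident, resolution):
    """Track the incident to closure, as the slide's centralized system does."""
    incident["status"] = "closed"
    incident["resolution"] = resolution
    return incident

if __name__ == "__main__":
    for inc in correlate(LOGS):
        print(inc["host"], inc["sources"], len(inc["events"]), "events", inc["status"])
```

The single web02 failed login is left out because only one source saw it; it would still be visible to reactive detection through a user report.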

  36. (1) IRP Contents
      • Preincident readiness
      • How to declare a disaster
      • Evacuation procedures
      • Identifying persons responsible, with contact information: IRT, S/W-H/W vendors, insurance, recovery facilities, suppliers, offsite media, human relations, law enforcement (for a serious security threat)
      • Step-by-step procedures
      • Required resources for recovery & continued operations

  37. Stage 2: Identification
      Triage: categorize, prioritize and assign events and incidents
      • What type of incident just occurred?
      • What is the severity of the incident? Severity may increase if recovery is delayed
      • Who should be called?
      • Establish chain of custody for evidence

  38. Computer Forensics
      Did a crime occur? If so, what occurred?
      Evidence must pass tests for:
      • Authenticity: evidence is a true and faithful copy of the crime scene; computer forensics does not destroy or alter the evidence
      • Continuity: “chain of custody” assures that the evidence is intact.

  39. Chain of Custody
      Who did what to evidence when? (A witness is required.)
      Time line (from the slide):
      10:53 AM     Attack observed (Jan K)
      11:04        Inc. Resp. team arrives
      11:05–11:44  System copied (PKB & RFT)
      11:15        System brought offline (RFT)
      11:45        System powered down (PKB & RFT)
      11:47–1:05   Disk copied (RFT & PKB)
      1:15         System locked in static-free bag in storage room (RFT & PKB)
      CISA Review Manual 2009
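The two forensic tests of slides 38 and 39 in code, as an added example that is not part of the presentation: a custody ledger that records who did what to the evidence and when, insists on a witness other than the handler, and checks authenticity by comparing a working copy's hash with the hash taken at acquisition. The disk image bytes, the date and the entry times are constructed (the slide gives only times and initials).

```python
# Added example (not from the slides): chain-of-custody ledger with an
# authenticity check (hash of the original) and a continuity check (handler
# plus independent witness on every entry, in chronological order).
import hashlib
from datetime import datetime

def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

class CustodyLog:
    def __init__(self, evidence: bytes, collected_by: str, witness: str, when: datetime):
        self.original_hash = digest(evidence)   # taken before anyone works on a copy
        self.entries = []
        self.record(when, "evidence acquired and hashed", collected_by, witness)

    def record(self, when: datetime, action: str, handler: str, witness: str):
        if not handler or not witness or handler == witness:
            raise ValueError("a witness other than the handler is required")
        if self.entries and when < self.entries[-1]["when"]:
            raise ValueError("entries must be appended in chronological order")
        self.entries.append({"when": when, "action": action,
                             "handler": handler, "witness": witness})

    def verify_copy(self, working_copy: bytes) -> bool:
        """Authenticity: the copy is a true and faithful copy of the original."""
        return digest(working_copy) == self.original_hash

    def is_continuous(self) -> bool:
        """Continuity: an unbroken, witnessed record from acquisition onward."""
        return bool(self.entries) and all(
            e["handler"] != e["witness"] for e in self.entries)

# Constructed sample following the slide's time line (initials as on the slide).
DISK_IMAGE = b"constructed disk image bytes"

def at(hour: int, minute: int) -> datetime:
    return datetime(2009, 1, 1, hour, minute)   # placeholder date; slide gives times only

log = CustodyLog(DISK_IMAGE, "PKB", "RFT", at(11, 5))
log.record(at(11, 15), "system brought offline", "RFT", "PKB")
log.record(at(11, 45), "system powered down", "PKB", "RFT")
log.record(at(13, 5), "disk copied", "RFT", "PKB")
log.record(at(13, 15), "system locked in static-free bag in storage room", "RFT", "PKB")
```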

  40. Incident Management Metrics
      • # of reported incidents
      • # of detected incidents
      • Average time to respond to an incident
      • Average time to resolve an incident
      • Total number of incidents successfully resolved
      • Proactive & preventative measures taken
      • Total damage from reported or detected incidents
      • Total damage if incidents had not been contained in a timely manner

  41. Business-Driven Approach to Security What are our company assets? What are our vulnerabilities? Fraud How do we prevent fraud? How do we detect fraud? How do we cope with fraud?

  42. The Fraud Problem
      • Organizations lose 5-6% of revenue annually due to internal fraud = $652 billion in the U.S. (2006)
      • Average scheme lasts 18 months and costs $159,000; 25% cost more than $1M
      • Smaller companies suffer greater average $ losses than large companies
      Essentials of Corporate Fraud, T L Coenen, 2008, John Wiley & Sons

  43. Fraud Categories

  44. Who Does Fraud?
      • Most $$$ internal frauds are committed by longer-tenured, older, and more educated staff
      • Executives commit the most expensive fraud: $1M, 4.5 times more expensive than managers ($218K) and 13 times more expensive than line employees
      • Men & women commit fraud in nearly equal proportions, but men’s are more expensive: men’s average $250K (or 4x), women’s average $120K
      • 92% have no criminal convictions related to fraud
      • Positions of power steal the most money: highly degreed > HS grad, older > younger people
      • Collusion dramatically increases the duration and $ loss of a fraud
      Essentials of Corporate Fraud, T L Coenen, 2008, John Wiley & Sons

  45. How Fraud is Discovered
      Some fraud is discovered via multiple reporting methods, thus the results do not sum to 100%.
      Tips come from: employees 64%, anonymous 18%, customers 11%, vendors 7%
      Essentials of Corporate Fraud, T L Coenen, 2008, John Wiley & Sons

  46. Fraud Control Types
      Before Fraud (***BEST***): Preventive Controls**: preventing fraud. Includes: risk assessment; develop internal controls; physical security & data security; authorization (passwords, etc.); segregation of duties; fraud education
      Time of Fraud: Detective Controls: finding fraud when it occurs. Includes: anonymous hotline* -> surprise audits* -> monitoring activities -> complaint or fraud investigation
      After Fraud: Corrective Controls: fix problems and prevent future problems. Includes: punishment -> amend controls

  47. Techniques to Discourage Fraud
      • Realistic job expectations
      • Adequate pay
      • Training in job duties; training in policies and procedures
      • Policy enforcement
      • Sr. Mgmt models ethical behavior to customers, vendors, employees, shareholders
      • Segregation of duties; checks and balances
      • Job rotation
      • Physical security of assets
      • Background checks
      • Mandatory vacations
      • Examination of required documentation
      Essentials of Corporate Fraud, T L Coenen, 2008, John Wiley & Sons

  48. Code of Ethics
      This code of ethics provides general guidelines and is not intended to cover every potential scenario. Examples are provided only as necessary for the employee to understand general concepts.
      Sections: General Employee Conduct While at Work; Unethical Behavior; Conflict of Interest; Confidentiality; Relationship with Customers and Suppliers; Gifts & Entertainment; Using the Organization’s Assets for Personal Activities; Reporting Fraud or Unethical Behavior
      [1] This Code of Ethics is adapted from “Essentials of Corporate Fraud”, Tracy L Coenen, John Wiley & Sons, 2008.

  49. Segregation of Duties (diagram): Origination; Authorization (approves); Distribution (acts on); Verification (double-checks). CISA Review Manual 2009
