Introduction to Information Security - PowerPoint PPT Presentation

Slides: 188
Provided by: facultyK4

1
Introduction to Information Security
  • Dr. Randy M. Kaplan

2
Risk Management
3
Risk Management
  • Identify and control risks faced by an
    organization
  • Two major tasks
  • Risk identification
  • Risk Control

4
Risk Management
  • Identify and control risks faced by an
    organization
  • Two major tasks
  • Risk identification
  • Examining and documenting the security posture of
    an organization's information technology and the
    risks it faces
  • Risk Control

5
Risk Management
  • Identify and control risks faced by an
    organization
  • Two major tasks
  • Risk identification
  • Risk Control
  • Apply controls to reduce risks to an
    organization's data and information systems

6
Competition
  • Organizations must design and create safe
    environments
  • For business processes and procedures to function
  • The environments maintain -
  • Confidentiality and privacy
  • Assure integrity of organizational data

7
Risk Management
  • Sun Tzu - The Art of War
  • If you know the enemy and know yourself, you
    need not fear the result of a hundred battles. If
    you know yourself and not the enemy, for every
    victory gained you will also suffer a defeat. If
    you know neither the enemy nor yourself, you will
    succumb in every battle.

8
Know Yourself
  • You must -
  • Identify
  • Examine
  • Understand
  • The information and systems currently in place
    within your organization

9
Protecting Assets
  • Defined as -
  • Information and systems that use, store, and
    transmit information
  • You must understand what they are, how they add
    value to the organization, and to which
    vulnerabilities they are susceptible

10
Protecting Assets
  • Know what you have
  • Know what you are doing to protect it
  • If you have a control in place to protect an
    asset this does not mean that the asset is
    protected

11
Protecting Assets
  • Frequently when an organization puts a control in
    place it thinks that its work is done and it has
    nothing more to do
  • This should raise a red flag as far as security
    is concerned
  • Controls need to be periodically reviewed,
    revised, and maintained
  • Policies, educations, training, and technologies
    that protect information must be carefully
    maintained

12
Know the Enemy
  • Moving on to Sun Tzu's next piece of advice, we
    examine the threats facing the organization
  • Determine threats that directly affect the
    organization and the security of the
    organization's information assets
  • Use your understanding of these aspects to create
    a list of threats prioritized by how important
    each asset is to the organization

13
Communities of Interest
  • A community of interest is a group of people who
    share a common interest
  • Usually this interest is something that the
    members of the community interact about on a
    regular basis sharing knowledge about the domain
  • A community of interest is not a casual group or
    club but a group of people engaged in serious
    knowledge management

14
Communities of Interest
  • The Communities of Interest of Interest to
    Information Security
  • Information Security
  • Management and Users
  • Information Technology

15
Communities of Interest
  • The Communities of Interest of Interest to
    Information Security
  • Information Security
  • Best understand the threats and attacks
  • Take a leadership role in addressing risk
  • Management and Users
  • Information Technology

16
Communities of Interest
  • The Communities of Interest of Interest to
    Information Security
  • Information Security
  • Management and Users
  • Properly trained and kept aware of threats, these
    groups act as early detectors of and responders
    to threats
  • Information Technology

17
Communities of Interest
  • The Communities of Interest of Interest to
    Information Security
  • Information Security
  • Management and Users
  • Information Technology
  • Build secure systems
  • Operate them safely

18
Communities of Interest
  • Information Technology
  • Build secure systems
  • Operate them safely
  • Ensure good backups to control the risk from hard
    drive failure
  • Evaluate valuation
  • Evaluate threats

19
Communities of Interest
  • Other Responsibilities
  • Evaluate the risk controls
  • Determine which control options
  • Acquiring or installing the needed controls
  • Overseeing that the controls remain effective
  • Essential that Communities of Interest conduct
    periodic management reviews

20
Identifying Risks
  • Identify Information Assets
  • Identify
  • Classify
  • Prioritize
  • Assets are targets -
  • Threats
  • Threat Agents

21
Identifying Assets
  • Diagram on slide - assets viewed in the context of
    their circumstances, settings, and vulnerabilities
22
Risk Identification Process
  • Plan and organize the process
  • Risk identification -
  • Categorize system components
  • Inventory and categorize assets
  • Identify threats
  • Specify vulnerable assets
  • Risk assessment -
  • Assign value to assets
  • Assess likelihood of attack on vulnerabilities
  • Calculate relative risk factor for assets
  • Review possible controls
  • Document findings
23
Asset Identification
  • Identification of all of the elements of an
    organizations system including -
  • People
  • Procedures
  • Data
  • Information
  • Hardware
  • Networking Elements

24
Asset Identification
  • Categories of system components (traditional
    component, its SecSDLC and risk management
    counterpart, and the elements inventoried) -
  Traditional   SecSDLC / risk management          System components
  People        Employees                          Trusted employees; Other staff
  Procedures    Procedures                         IT and business standard procedures;
                                                   IT and business sensitive procedures
  Data          Information                        Transmission; Processing; Storage
  Software      Software                           Applications; Operating systems;
                                                   Security components
  Hardware      System devices and peripherals     Systems and peripherals; Security devices
  Networking    Networking components              Intranet components; Internet or DMZ
                                                   components

25
Identifying People, Procedures, and Data Assets
  • Identifying
  • Human resources
  • Documentation
  • Data and information
  • Is more challenging than hardware and software

26
Identifying People, Procedures, and Data Assets
  • Assign individuals who have knowledge,
    experience, and judgement to this task
  • As assets are identified, they need to be
    recorded using a reliable data-handling process
  • Recording process needs to be flexible to record
    various types of attributes

27
Recommended Attributes
  • People
  • Position name/number/ID
  • Supervisor
  • Security clearance level
  • Special skills

28
Recommended Attributes
  • Procedures
  • Description
  • Intended purpose
  • Relationship to -
  • Software, hardware, networking elements, storage
    location

29
Recommended Attributes
  • Data
  • Classification
  • Owner
  • Creator
  • Manager
  • Size of data structure

30
Recommended Attributes
  • Data (continued ...)
  • Data structure used
  • Online or offline
  • Location
  • Backup procedures

31
How much can be tracked?
  • Decisions must be made about what is to be
    tracked
  • It is impossible to track all of the assets
    (especially when it comes to data)
  • Therefore there needs to be a prioritization of
    the assets in order to decide what to track and
    document
  • Most companies do not recognize all of their
    assets

32
Hardware, Software, Network
  • What are the attributes of hardware, software,
    and network assets that should be collected?
  • For each type of component this will vary
  • The most important thing is to be consistent in
    the collection process

33
Hardware, Software, Network Attributes
  • Name - use a common name
  • IP address
  • MAC address
  • Element type
  • An element will have attributes that may differ
    from another element's

34
Hardware, Software, Network Attributes
  • Element type
  • An element will have attributes that may differ
    from another element's
  • For example, a server might be identified by -
  • Class of the device
  • OS of the device
  • Device capacity

35
Hardware, Software, Network Attributes
  • Serial number
  • Applies to hardware and software
  • Record for each instance
  • Manufacturer's Name
  • Manufacturer's Part No. and/or Model No.
  • Acquisition Date

36
Hardware, Software, Network Attributes
  • Software version, update revision, or FCO (field
    change order)
  • Physical Location
  • Logical Location
  • Controlling Entity

37
Asset Valuation
  • Once assets have been identified, it is necessary
    to determine the value of each asset identified
  • All assets will not have equal value
  • All assets will not be equally protected

38
Asset Valuation
  • Question 1
  • Which information asset(s) is/are MOST critical
    to the success of the organization?
  • In order to answer this question we can refer to
    the organization's mission and objectives

39
Asset Valuation
  • Which information asset(s) is/are MOST critical
    to the success of the organization?
  • Which elements support the objectives?
  • Which elements are adjuncts to the objectives?

40
Asset Valuation
  • Example
  • Amazon uses web servers to receive and process
    orders 24 hours a day, seven days a week
  • These servers are critical to the success of
    Amazon's business
  • In customer service, the desktop systems used by
    customer representatives, although important, are
    not as critical

41
Asset Valuation
  • Which information asset generates the most
    revenue?
  • How much of an organization's revenue depends on
    a particular asset?
  • In some organizations different systems are in
    place for each line of business or service
    offering
  • Which play the greatest role in generating
    revenue or delivering services?

42
Asset Valuation
  • Which information asset generates the most
    profitability?
  • How much of an organization's profitability
    depends on a particular asset?

43
Asset Valuation
  • Example
  • Amazon's servers
  • Some servers support sales operations
  • Some servers support the auction process
  • Some servers support the customer review database
  • Which of these servers contribute to
    profitability?

44
Asset Valuation
  • Sales operations servers - contribute directly to
    profitability
  • Auction servers - contribute
  • Customer review database servers - do not
    directly contribute

45
Asset Valuation
  • Which asset would be most expensive to replace?
  • Which asset would be the most expensive to
    protect?
  • Which asset would be most embarrassing or cause
    the greatest liability if revealed?

46
Ordering the Assets
  • Once the assets have been inventoried and the
    value of each has been assessed it is possible to
    calculate the relative importance of an asset
    with a process known as weighted factor analysis
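Weighted factor analysis, as named on the slide above, as an added Python example; this is not code from the presentation. The criteria are taken from the valuation questions on the preceding slides, while the criterion weights and the per-asset scores are constructed assumptions.

```python
"""Weighted factor analysis for ranking information assets.

Added example, not from the original slides. Every asset is scored on
each valuation criterion (0.0 .. 1.0); each criterion carries a weight
and the weights must sum to 1.0. An asset's weighted score is the
weighted sum of its criterion scores, and the relative importance of the
assets is the list sorted by that score, highest first.
"""
from dataclasses import dataclass

# Criteria drawn from the valuation questions on the preceding slides.
# The weights are a constructed assumption for this example.
CRITERIA_WEIGHTS = {
    "critical_to_mission": 0.30,     # most critical to the organization's success
    "revenue_impact": 0.30,          # generates the most revenue
    "profitability_impact": 0.20,    # contributes most to profitability
    "replacement_cost": 0.10,        # most expensive to replace
    "liability_if_revealed": 0.10,   # most embarrassing / greatest liability
}


@dataclass(frozen=True)
class AssetScores:
    name: str
    scores: dict   # criterion name -> score in the range 0.0 .. 1.0


def weights_are_valid(weights: dict) -> bool:
    """Weights must be non-negative and sum to 1.0 (within float tolerance)."""
    return (all(w >= 0 for w in weights.values())
            and abs(sum(weights.values()) - 1.0) < 1e-9)


def weighted_score(asset: AssetScores, weights: dict = CRITERIA_WEIGHTS) -> float:
    """Weighted sum of the asset's criterion scores, rounded to 3 places."""
    if not weights_are_valid(weights):
        raise ValueError("criterion weights must be non-negative and sum to 1.0")
    total = 0.0
    for criterion, weight in weights.items():
        score = asset.scores.get(criterion)
        if score is None:
            raise KeyError(f"{asset.name}: no score recorded for {criterion!r}")
        if not 0.0 <= score <= 1.0:
            raise ValueError(f"{asset.name}: score for {criterion!r} must be 0.0 .. 1.0")
        total += weight * score
    return round(total, 3)


def rank_assets(assets, weights: dict = CRITERIA_WEIGHTS) -> list:
    """Return (asset name, weighted score) pairs, most important asset first."""
    scored = [(asset.name, weighted_score(asset, weights)) for asset in assets]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


# Constructed sample assets, loosely modelled on the Amazon example above.
SAMPLE_ASSETS = [
    AssetScores("order-processing web servers", {
        "critical_to_mission": 1.0, "revenue_impact": 1.0,
        "profitability_impact": 0.9, "replacement_cost": 0.6,
        "liability_if_revealed": 0.5}),
    AssetScores("customer review database", {
        "critical_to_mission": 0.4, "revenue_impact": 0.3,
        "profitability_impact": 0.2, "replacement_cost": 0.3,
        "liability_if_revealed": 0.8}),
    AssetScores("customer service desktops", {
        "critical_to_mission": 0.5, "revenue_impact": 0.2,
        "profitability_impact": 0.2, "replacement_cost": 0.2,
        "liability_if_revealed": 0.3}),
]

if __name__ == "__main__":
    for name, score in rank_assets(SAMPLE_ASSETS):
        print(f"{score:5.3f}  {name}")
```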

47
Data Classification
  • Corporate and military organizations use a
    variety of schemes to classify information
  • This scheme is called a DATA CLASSIFICATION
    SCHEME
  • Georgia-Pacific Corporation uses a corporate
    scheme
  • The U.S. Military uses a more complex scheme

48
Corporate Data Classification
  • Confidential
  • Internal
  • External

49
Corporate Data Classification
  • Confidential
  • Used for the most sensitive information that must
    be tightly controlled even within the company
  • Access to this information is strictly on a
    need-to-know basis
  • Internal
  • External

50
Corporate Data Classification
  • Confidential
  • Internal
  • The internal classification is used to denote
    information that can be viewed inside an
    organization by employees, authorized
    contractors, and other parties
  • External

51
Corporate Data Classification
  • Confidential
  • Internal
  • External
  • This is all information that has been approved by
    the company for public release

52
Military Data Classification
  • Unclassified Data
  • Information to be distributed to the public
    without any threats to U.S. national interests
  • Sensitive but Unclassified
  • Confidential Data
  • Secret
  • Top Secret

53
Military Data Classification
  • Unclassified Data
  • Sensitive but Unclassified
  • Any information the loss, misuse, unauthorized
    access to, or modification of which might
    adversely affect U.S. national interests
  • Confidential Data
  • Secret
  • Top Secret

54
Military Data Classification
  • Unclassified Data
  • Sensitive but Unclassified
  • Confidential Data
  • Any information the unauthorized disclosure of
    which reasonably could be expected to cause
    damage to the national security
  • Examples include compromise of information like
    strength of U.S. forces
  • Secret
  • Top Secret

55
Military Data Classification
  • Unclassified Data
  • Sensitive but Unclassified
  • Confidential Data
  • Secret
  • Any information the unauthorized exposure of
    which reasonably could be expected to cause
    serious damage to the national security
  • Examples include disruption of foreign relations
    significantly affecting national security
  • Top Secret

56
Military Data Classification
  • Unclassified Data
  • Sensitive but Unclassified
  • Confidential Data
  • Secret
  • Top Secret
  • Any information or material the unauthorized
    disclosure of which reasonably could be expected
    to cause exceptionally grave damage to the
    national security
  • Examples include armed hostilities against the U.S.

57
A Practical Scheme
  • Most organizations don't need as detailed a
    classification as the military scheme
  • Most organizations need a scheme to protect data

58
A Practical Scheme
  • Public
  • Information for general public dissemination
  • For Official Use Only
  • Sensitive
  • Classified

59
A Practical Scheme
  • Public
  • For Official Use Only
  • Information that is not particularly sensitive,
    but not for public release
  • Sensitive
  • Classified

60
A Practical Scheme
  • Public
  • For Official Use Only
  • Sensitive
  • Information important to the business that could
    embarrass the company or cause loss of market
    share if revealed
  • Classified

61
A Practical Scheme
  • Public
  • For Official Use Only
  • Sensitive
  • Classified
  • Information of the utmost secrecy to the
    organization
  • Could severely impact the welfare of the
    organization

62
Security Clearances
  • The other part of a data classification scheme is
    the personnel security clearance structure
  • In organizations that require security clearances
    each user of data must be assigned a single
    authorization level
  • Indicates the level of classification that he or
    she is authorized to view
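The single-authorization-level rule just described, as an added Python example that is not part of the presentation; it uses the four levels of the practical scheme from the preceding slides, and the document register and label spellings are constructed.

```python
"""Clearance check against a data classification scheme.

Added example, not from the original slides. It uses the practical
scheme's four levels (Public < For Official Use Only < Sensitive <
Classified). Each user holds exactly one authorization level and may
view a document only when that level is at least the document's
classification ("no read up"). Labels that are missing or unrecognised
are rejected, so a mislabelled document is never shown by accident.
"""
from enum import IntEnum


class Level(IntEnum):
    PUBLIC = 0
    FOUO = 1          # For Official Use Only
    SENSITIVE = 2
    CLASSIFIED = 3


# Label spellings accepted in document headers (constructed for this example).
_LABELS = {
    "public": Level.PUBLIC,
    "for official use only": Level.FOUO,
    "fouo": Level.FOUO,
    "sensitive": Level.SENSITIVE,
    "classified": Level.CLASSIFIED,
}


def parse_level(label: str) -> Level:
    """Map a textual label to a Level; anything unrecognised is an error."""
    key = label.strip().lower()
    if key not in _LABELS:
        raise ValueError(f"unknown classification label: {label!r}")
    return _LABELS[key]


def can_view(user_clearance: str, document_classification: str) -> bool:
    """True only when the user's single clearance level dominates the document's."""
    return parse_level(user_clearance) >= parse_level(document_classification)


def filter_viewable(user_clearance: str, documents: dict) -> list:
    """Names of the documents this user may view, sorted.

    A document with a missing or bad label is denied (fail closed), and a
    user whose clearance label is itself invalid can view nothing.
    """
    try:
        clearance = parse_level(user_clearance)
    except ValueError:
        return []
    allowed = []
    for name, label in documents.items():
        try:
            if clearance >= parse_level(label):
                allowed.append(name)
        except ValueError:
            continue   # mislabelled document: deny rather than guess
    return sorted(allowed)


# Constructed sample document register.
SAMPLE_DOCS = {
    "press release": "Public",
    "internal phone list": "For Official Use Only",
    "market share analysis": "Sensitive",
    "merger plan": "Classified",
    "untagged memo": "",   # no label: must not be shown to anyone
}

if __name__ == "__main__":
    for clearance in ("Public", "FOUO", "Sensitive", "Classified"):
        print(f"{clearance:10} -> {filter_viewable(clearance, SAMPLE_DOCS)}")
```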

63
Threat Identification
  • Once the assets are classified the next step is
    to identify the threats that an organization
    faces
  • Of these threats there are those that will be
    important and those that will be unimportant
  • It is critical to distinguish between these types
    of threats, as it is impossible to attend to every
    possible threat that could affect an organization

64
Threat Assessment
  • Threats
  • Acts of human error or failure
  • Compromises to intellectual property
  • Deliberate acts of espionage or trespass
  • Deliberate acts of information extortion
  • Deliberate acts of sabotage or vandalism

65
Threat Assessment
  • Threats (continued)
  • Deliberate acts of theft
  • Deliberate software attacks
  • Forces of nature
  • Quality of service deviations from service
    providers
  • Technical hardware failures or errors

66
Threat Assessment
  • Threats (continued)
  • Technical software failures or errors
  • Technological obsolescence

67
Threat Assessment
  • Each of the threats must be examined to determine
    its potential to cause damage to an organization
    and its assets

68
Threat Assessment
  • Questions to Ask
  • Which threats present a danger to an
    organization's assets in the given environment?
  • Any category is eliminated that does not apply to
    the organization

69
Threat Assessment
  • After it has been determined which threats apply
    -
  • It is necessary to seek examples in each category
  • These examples are examined to determine if any
    do not apply in the current environment

70
Threat Assessment
  • Which threats represent the most danger to the
    organization's information?
  • Danger may be -
  • Probability of threat of attack
  • Amount of damage the threat could create
  • Frequency of which an attack could occur

71
Threat Assessment
  • Threat Ranking
  • Quantitative and Qualitative measures can be used
    to rank threats
  • Rank threats subjectively in the order of danger
  • Rate each threat on a scale from 1 to 5
  • 1 not significant
  • 5 very significant

72
Threat Assessment
  • Questions to Ask
  • How much would it cost to recover from a
    successful attack?
  • This cost is a guide to corporate spending on
    controls for the threat
  • Provide a rough assessment of the cost to
    recover (Is it a Chevy or a Cadillac?)

73
Threat Assessment
  • Questions
  • Which of the threats will require the greatest
    expenditure to prevent?
  • Some threats, like malicious code, have very low
    costs of protection (comparatively)
  • Other threats have a very high cost of protection

74
Threat Assessment
  • As seen by Computing Executives
  • Deliberate software attacks (Rank 1)
  • Technical software failures or errors (Rank 2)
  • Acts of human error or failure (Rank 3)
  • Deliberate acts of espionage or trespass (Rank
    4)
  • Deliberate acts of sabotage or vandalism (Rank
    5)

75
Threat Assessment
  • As seen by Computing Executives
  • Technical hardware failures or errors (Rank 6)
  • Deliberate acts of theft (Rank 7)
  • Forces of nature (Rank 8)
  • Compromises to intellectual property (Rank 9)
  • Quality of service deviations from service
    providers (Rank 10)

76
Threat Assessment
  • As seen by Computing Executives
  • Technological obsolescence (Rank 10)
  • Deliberate acts of information extortion (Rank
    11)

77
Threat Assessment
  • How can you use these rankings?
  • As a way to decide where to place your resources
  • As a way to determine where the most likely
    successful attacks will occur (according to other
    executives)

78
Risk Assessment
  • Definition of Risk
  • Risk is
  • the LIKELIHOOD of the occurrence of a
    vulnerability
  • multiplied by
  • the VALUE of the information asset
  • minus
  • the percentage of risk mitigated by CURRENT
    CONTROLS
  • plus
  • the UNCERTAINTY of the current knowledge of the
    vulnerability

79
Risk Assessment
  • Our goal at this point is to develop a way to
    evaluate the relative risk of each of the listed
    vulnerabilities

80
Likelihood
  • LIKELIHOOD
  • Probability that a specific vulnerability within
    an organization will be successfully attacked
  • In risk assessment a numeric value is assigned to
    the likelihood of a vulnerability being
    successfully exploited
  • NIST recommends that likelihoods are in the range
    of 0.1 to 1.0

81
Calculating Likelihood
  • Unless it is the case that you have accumulated
    significant data about a particular vulnerability
    it would be difficult to calculate the likelihood
  • For that reason it is a good idea to use external
    references whenever possible as a resource for
    likelihood values

82
Valuation of Information Assets
  • Once the assets are identified, weighted scores
    can be assigned to the assets to indicate an
    asset's value
  • The values must be assigned by again asking the
    questions -
  • Which threats present a danger to an
    organization's assets in the given environment?
  • Which threats represent the most danger to the
    organization's information?

83
Valuation of Information Assets
  • The values must be assigned by again asking the
    questions,
  • Which threats present a danger to an
    organization's assets in the given environment?
  • Which threats represent the most danger to the
    organization's information?
  • How much would it cost to recover from a
    successful attack?

84
Valuation of Information Assets
  • The values must be assigned by again asking the
    questions,
  • Which threats present a danger to an
    organization's assets in the given environment?
  • Which threats represent the most danger to the
    organization's information?
  • How much would it cost to recover from a
    successful attack?
  • Which of the threats would require the greatest
    expenditure to prevent?

85
Valuation of Information Assets
  • Once these questions are re-evaluated the
    background information from the risk
    identification process is used to answer the
    following question -
  • Which of the questions posed above for each
    information asset is the most important to the
    protection of information of the organization?
  • This question helps set priorities

86
Controls
  • If a vulnerability is managed by a control it no
    longer needs to be considered for additional
    controls and can be set aside
  • If a vulnerability is partially controlled,
    estimate the percentage it has been controlled

87
Determining the Risk
  • For the purposes of RELATIVE RISK ASSESSMENT risk
    equals likelihood of vulnerability occurrence
    times value or impact minus percentage risk
    already controlled plus an element of uncertainty
  • Let risk be R
  • Let likelihood be l
  • Let value be v
  • Let percentage controlled risk be c
  • Let uncertainty be u

88
Determining the Risk
  • Thus risk, expressed as a formula, is -
  • R = (l × v) - c + u

89
Determining Risk
  • Examples
  • Example 1
  • Asset A
  • v = 50, l = 1.0, c = 0%, u = 10%
  • R = (50 × 1.0) - 0 + (10% × (50 × 1.0)) = 55

90
Determining Risk
  • Example 2
  • Asset B
  • v = 100, 2 vulnerabilities
  • Vulnerability 2: l = 0.5, c = 50%, u = 20%
  • Vulnerability 3: l = 0.1, c = 0%, u = 20%
  • R(B, Vulnerability 2) = (100 × 0.5) - ((100 × 0.5)
    × 0.5) + ((100 × 0.5) × 0.2) = 35
  • R(B, Vulnerability 3) = (100 × 0.1) - ((100 × 0.1)
    × 0) + ((100 × 0.1) × 0.2) = 12
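The relative risk formula R = (l × v) - c + u, with c and u applied as percentages of l × v exactly as in Example 1 and Example 2 above, as an added Python example that is not part of the presentation; it reproduces the slide values (55, 35, 12) and ranks them into a worksheet. The vulnerability name for Asset A is assumed, since the slide does not give one.

```python
"""Relative risk rating R = (l × v) - c + u, as on the preceding slides.

Added example, not from the original slides. As in the slide's Example 1
and Example 2, the percentage of risk already controlled (c) and the
uncertainty (u) are applied as percentages of the base term l × v:

    R = (l × v) - (l × v) × c/100 + (l × v) × u/100

so that Asset A gives 55 and Asset B's two vulnerabilities give 35 and 12.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class VulnerabilityEntry:
    asset: str
    vulnerability: str
    value: float            # v: value or impact of the asset
    likelihood: float       # l: 0.1 .. 1.0 per the NIST range cited above
    controlled_pct: float   # c: percent of the risk mitigated by current controls
    uncertainty_pct: float  # u: percent added for uncertainty about the vulnerability


def relative_risk(v: float, l: float, c_pct: float, u_pct: float) -> float:
    """Risk-rating factor for one vulnerability of one asset."""
    if not 0.1 <= l <= 1.0:
        raise ValueError(f"likelihood {l} is outside the 0.1 .. 1.0 range")
    if not 0 <= c_pct <= 100:
        raise ValueError("percentage controlled must be between 0 and 100")
    if u_pct < 0:
        raise ValueError("uncertainty percentage cannot be negative")
    base = l * v
    # Round to hide binary floating-point noise from the fractional terms.
    return round(base - base * c_pct / 100 + base * u_pct / 100, 2)


def risk_worksheet(entries) -> list:
    """Worksheet rows (asset, asset impact, vulnerability, likelihood,
    risk-rating factor) sorted so the highest-rated risk comes first."""
    rows = []
    for e in entries:
        rows.append({
            "asset": e.asset,
            "asset_impact": e.value,
            "vulnerability": e.vulnerability,
            "likelihood": e.likelihood,
            "risk_rating": relative_risk(e.value, e.likelihood,
                                         e.controlled_pct, e.uncertainty_pct),
        })
    return sorted(rows, key=lambda row: row["risk_rating"], reverse=True)


# The slide's own two examples restated as data. The slide does not name
# Asset A's vulnerability, so "Vulnerability 1" is an assumed label.
SLIDE_EXAMPLES = [
    VulnerabilityEntry("Asset A", "Vulnerability 1", 50, 1.0, 0, 10),
    VulnerabilityEntry("Asset B", "Vulnerability 2", 100, 0.5, 50, 20),
    VulnerabilityEntry("Asset B", "Vulnerability 3", 100, 0.1, 0, 20),
]

if __name__ == "__main__":
    for row in risk_worksheet(SLIDE_EXAMPLES):
        print(f"{row['risk_rating']:6.2f}  {row['asset']}  {row['vulnerability']}")
```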

91
Possible Controls
  • For each threat and its associated
    vulnerabilities that have residual risk create a
    preliminary list of control ideas
  • RESIDUAL RISK is the risk that remains after the
    existing control is applied

92
Types of Controls
  • Three General Categories
  • Category 1 - Policies
  • Category 2 - Programs
  • Category 3 - Technologies

93
Types of Controls
  • Three General Categories
  • Category 1 - Policies
  • Documents that specify an organizations approach
    to security
  • Category 2 - Programs
  • Category 3 - Technologies

94
Types of Controls
  • Three General Categories
  • Category 1 - Policies
  • Category 2 - Programs
  • Activities performed within the organization to
    improve security
  • Category 3 - Technologies

95
Types of Controls
  • Three General Categories
  • Category 1 - Policies
  • Category 2 - Programs
  • Category 3 - Technologies
  • Technical implementations of the policies defined
    by the organization

96
Access Controls
  • Access controls address the issue of allowing a
    user into a trusted area of the organization
  • These areas can include both physical and logical
    areas
  • An example of a physical area is a particular
    office area, i.e., the area where sensitive
    information is maintained
  • An example of a logical area is a particular
    computer system where sensitive data is maintained

97
Access Controls
  • Access Controls consist of a combination of -
  • Policies
  • Programs
  • Technologies

98
Types of Access Controls
  • Mandatory
  • Limited control over access to information
    resources
  • Non-discretionary
  • Discretionary

99
Types of Access Controls
  • Mandatory
  • Non-discretionary
  • Managed by a central authority
  • Can be based on an individual's role (role-based
    controls)
  • Can be based on tasks (task-based controls)
  • Discretionary

100
Types of Access Controls
  • Mandatory
  • Non-discretionary
  • Discretionary
  • Implemented at the discretion or option of the
    data user

101
Documenting the Results
  • The product of the risk assessment is a worksheet
    that ranks the risks
  • This worksheet should contain the following items
  • Asset, asset impact, vulnerability, vulnerability
    likelihood, risk-rating factor

102
Risk Control Strategies
  • When organizational management has determined
    that risks from information security threats are
    creating a competitive disadvantage they empower
    the information technology and information
    security organizations to control the risks

103
Quote
  • Most organizations can spend only a reasonable
    amount of time and money on information security,
    and the definition of reasonable differs from
    organization to organization and even from
    manager to manager.

104
Risk Control Strategies
  • Once the risks are ranked, the team must choose
    one of four strategies to control each of the
    risks resulting from the vulnerabilities
  • These are -
  • Avoidance
  • Transfer
  • Mitigation
  • Acceptance

105
Avoidance
  • Prevent exploitation of the vulnerability
  • Preferred approach
  • Accomplished by countering threat(s), removing
    vulnerabilities in assets, limiting access to
    assets, and adding protective safeguards

106
Avoidance
  • Three Common Methods
  • Application of Policy
  • Training and Education
  • Applying Technology

107
Avoidance
  • Three Common Methods
  • Application of Policy
  • Management mandates that certain procedures are
    always followed
  • Training and Education
  • Applying Technology

108
Avoidance
  • Three Common Methods
  • Application of Policy
  • Training and Education
  • Awareness, education, and training are essential
    if employees are to exhibit safe and controlled
    behavior
  • Applying Technology

109
Avoidance
  • Three Common Methods
  • Application of Policy
  • Training and Education
  • Applying Technology
  • Technology is often required to assure that risk
    is reduced

110
Implementing Avoidance
  • Risks may be avoided by -
  • Countering the threats facing an asset
  • Eliminating the exposure of a particular asset
  • Eliminating a threat is difficult
  • It can be done

111
Transference
  • Approach that tries to shift the risk to other
    assets
  • Can be achieved by rethinking how processes are
    implemented in the organization -
  • Revising deployment models
  • Outsourcing
  • Purchasing insurance
  • Service contracts

112
Transference
  • The philosophy of transference becomes a business
    rationale for moving non-core activities outside
    of an organization while only maintaining core
    activities in the organization

113
Mitigation
  • Reduce impact of exploitation of a vulnerability
    through planning and preparation
  • Approach includes three types of plans
  • IRP
  • DRP
  • BCP

114
IRP
  • Incident Response Plan
  • This document defines the actions an organization
    should take while an incident is in progress
  • For example, if you know your network is being
    attacked by a hacker, this is the document that
    will answer the question, what do you do in
    response to the attack?

115
DRP
  • The Disaster Recovery Plan is the most common of
    the mitigation procedures
  • The DRP frequently is largely based on a strategy
    for backing up key information assets.
  • In reality a DRP must include significantly more
    than just a backup plan

116
DRP
  • The DRP specifies what needs to be done when the
    disaster stops.
  • DRPs can include strategies to limit losses
    before and during the disaster
  • The DRP is a specification of how to get back up
    and running in the event of a disaster
  • DRPs are frequently practiced within an
    organization

117
BCP
  • The Business Continuity Plan addresses the issue
    of how the organization will maintain business
    operations during an incident or disaster
  • It naturally also relates to the DRP because the
    BCP will transition to the DRP once the disaster
    is over
  • BCP may require the setup of special sites that
    can be used in the event that the main processing
    sites for the business are adversely affected by
    an incident

118
Acceptance
  • Acceptance differs from the other choices of how
    to deal with risk in that it approaches it from
    the standpoint of doing nothing about it
  • Under these circumstances the organization has
    decided to take the consequences of the
    exploitation

119
Acceptance
  • The only accepted use of this strategy is when
    the organization has -
  • Determined the level of risk
  • Assessed the probability of attack
  • Estimated the potential damage that could occur
    from attacks
  • Evaluated controls using each type of feasibility
  • Decided that a particular function, service,
    information, or asset did not warrant the cost of
    protection

120
Acceptance
  • Example
  • Suppose it would cost an organization 100,000
    per year to protect a server
  • The organization has determined that to replace
    the server and the data on the server, and to
    cover the associated recovery costs would cost
    10,000
  • Under these circumstances the organization may be
    satisfied with taking its chances

121
Acceptance
  • When an organization chooses acceptance as the
    strategy to address all of its security issues it
    is usually a statement about the organization's
    ability to proactively respond to a threat
  • It also represents an organizational apathy
    towards security
  • An organization leaves itself open to litigation
    when adopting a strategy of "ignorance is bliss"

122
Risk Evaluation Strategy
  • In order to determine if a risk is viable, that
    is, whether a strategy should be selected to
    address it, a process should be followed to make
    this assessment

123
Risk Evaluation Strategy
  • Decision flow (from the slide diagram) -
  • Start with the viable threats and the system as
    designed
  • Is the system vulnerable? No - no risk. Yes - a
    vulnerability exists
  • Is the system exploitable? No - no risk. Yes -
    threat and vulnerability exist, so risk exists
  • Is the attacker's gain greater than the cost? No -
    risk may be accepted. Yes - continue
  • Is the expected loss greater than the
    organization's acceptable level? No - risk should
    be accepted. Yes - risk is unacceptable
124
Risk Evaluation Strategy
  • Rules of Thumb for Strategy Selection
  • When a vulnerability exists - implement security
    controls to reduce the likelihood of the
    vulnerability being exercised
  • When a vulnerability can be exploited - apply
    layered protection, architectural designs, and
    administrative controls to minimize risk or to
    prevent an occurrence

125
Risk Evaluation Strategy
  • Rules of Thumb for Strategy Selection
  • When the attacker's cost is less than the
    potential gain - apply protections to increase the
    attacker's cost
  • When potential loss is substantial - apply design
    principles, architectural designs, and technical
    and non-technical protections to limit the extent
    of the attack, thereby reducing the potential for
    loss

126
Ongoing Evaluation
  • Like most things, the conditions which bring
    about the need for controls do not remain static
  • The effectiveness of controls will change over
    time
  • The amount of risk incurred by a threat will
    change over time
  • A control may be ineffective or may become no
    longer needed over time

127
Ongoing Evaluation
  • For these reasons it is necessary, on an ongoing
    basis, to evaluate the effectiveness of controls
  • It is also necessary to make sure that new
    threats are addressed as they arise, because the
    conditions that give rise to threats are also
    changing all of the time

128
Categories of Controls
  • Four control categories are defined -
  • Control function
  • Architectural layer
  • Strategy layer
  • Information security principle

129
Control Function
  • Controls designed to defend systems are -
  • Preventive
  • Detective

130
Control Function
  • Controls designed to defend systems are -
  • Preventive
  • Stop attempts to exploit a vulnerability
  • Implement enforcement of an organizational policy
    or security principle
  • Detective

131
Control Function
  • Controls designed to defend systems are -
  • Preventive
  • Detective
  • Warn organizations of violations of -
  • Security principles
  • Organizational policies
  • Attempts to exploit vulnerabilities

132
Control Function
  • Controls designed to defend systems are -
  • Preventive
  • Detective
  • Use techniques like -
  • Audit trails
  • Intrusion detection
  • Configuration monitoring

133
Architectural Layer
  • Some controls apply to one or more layers of the
    organization's technical architecture
  • Firewalls, for example, operate between the WAN
    and LAN of a network

134
Architectural Layer
  • The layers of an information architecture are
    considered to include -
  • Organizational policy
  • External networks
  • Extranets
  • Intranets
  • Network devices
  • Systems
  • Applications

135
Strategy Layer
  • Controls are sometimes classified by the risk
    control strategy that they operate within -
  • Avoidance
  • Mitigation
  • Transference

136
Secure Information
  • Controls can also be characterized according to
    an accepted characteristic of secure information
  • A control may enforce the CONFIDENTIALITY of
    information. An example of this is SSL
  • A control may enforce the INTEGRITY of the
    information. An example of this is the CRC or
    Tripwire
  • A control may enforce the AVAILABILITY of the
    information. An example of this is the use of
    redundancy in the network

137
Secure Information
  • A control may enforce AUTHENTICATION. An example
    of this is requiring the user to identify
    themselves before access to a critical
    information asset is granted
  • A control may enforce AUTHORIZATION. In this case
    the control assures that a specific user has the
    rights to access a specific information asset in
    a specific way

138
Secure Information
  • A control may enforce ACCOUNTABILITY. An example
    of this is that each and every action taken that
    involves an information asset can be attributed
    to an employee
  • A control may enforce PRIVACY. In this case the
    control assures that the information asset does
    not in any way contain any personally identifying
    information.

139
Feasibility Studies
  • Choosing a strategy involves exploring
  • Economic implications
  • Non-economic implications
  • Answer the question, "What are the actual and
    perceived advantages to implementing a control as
    opposed to the actual and perceived disadvantages
    to implementing a control?"

140
Cost Benefit Analysis
  • Determine the economic feasibility of an
    implementation
  • Formal process to document the decision is called
    a cost benefit analysis

141
Cost of a Control
  • Items affecting the cost of a control or
    safeguard
  • Cost of development
  • Cost of acquisition
  • Cost of implementation
  • Install, configure, test hardware, software,
    services
  • Service costs (maintenance and upgrades)
  • Cost of maintenance (labor expense)

142
Benefit
  • Definition
  • The value that an organization realizes by using
    controls to prevent losses associated with a
    specific vulnerability
  • Determine how much value is at risk for the asset
  • A benefit can be expressed as an ANNUALIZED LOSS
    EXPECTANCY

143
Asset Valuation
  • Asset valuation is the process of assigning value
    or financial worth to each information asset
  • There is an argument to be made that it is
    impossible to do this
  • Insurance underwriters do not have valuation
    tables for this purpose
  • Much of the work of valuing an information asset
    can draw upon the work that was done during the
    risk identification process

144
Asset Valuation
  • Estimate
  • Real costs of design and development of
    information asset
  • Perceived cost of design and development of
    information asset

145
Asset Valuation
  • Costs involve valuation of characteristics
    including -
  • Design, development, installation, maintenance,
    protection, recovery, defense against loss, and
    litigation

146
Components of Asset Valuation
  • Value retained from the cost of creating the
    information asset
  • Cost to the organization of developing or
    collecting the information asset
  • Example - Multimedia based training averages 350
    hours of development for each hour of training
    time
  • Average hourly rate for a programmer is $35/hour,
    so 350 x $35 = $12,250 per hour of multimedia
    development time

147
Components of Asset Valuation
  • Value retained from past maintenance of the
    information asset
  • The expenditure to maintain the information asset
    after it has been developed

148
Components of Asset Valuation
  • Value implied by the cost of replacing the
    information
  • This is the actual cost of replacing the
    information in the event it is lost or
    compromised
  • This calculation includes all costs - human labor
    and technical

149
Components of Asset Valuation
  • Value from providing the information
  • This is the cost of actually providing the
    information to those who use the information
  • Costs included here are things like database
    capability, networks, and related software systems

150
Components of Asset Valuation
  • Value incurred from the cost of protecting the
    information
  • This represents a recursive conundrum as we are
    trying to calculate the cost of protecting the
    information based on the cost of protecting the
    information
  • It is possible to estimate the cost and that
    should be used in the valuation

151
Components of Asset Valuation
  • Value to owners
  • This is the value of the actual information asset
  • For example if a company mines a database to find
    a certain population of individuals that would
    desire a product they manufacture, how much is
    that data worth?

152
Components of Asset Valuation
  • Value of intellectual property
  • Intellectual property is an even more difficult
    type of information asset to value
  • We won't be able to estimate what a new idea will
    be worth - for example, what would a medication
    that cures a certain type of cancer be worth to
    the patient that has that type of cancer?

153
Components of Asset Valuation
  • Value to adversaries
  • What would it be worth to the competition to know
    what your organization was up to? Could another
    organization gain a competitive edge? Could it
    mean the difference between getting and not
    getting a contract?

154
Components of Asset Valuation
  • Loss of productivity while the information assets
    are unavailable
  • Inside an organization, when information assets
    become unavailable this may lead to an inability
    to carry out work, which in turns leads to a loss
    of productivity, which in turn can have a value
    attached to it

155
Components of Asset Valuation
  • Loss of revenue while information assets are
    unavailable
  • What if a business is unable to process a credit
    card transaction and this is the only way you are
    able to pay? What do they do?
  • At this point they will lose their revenue. They
    depend on the information asset for revenue and
    its unavailability has a direct effect on loss of
    revenue

156
Coming up with a Value
  • Each collection of information must be valued.
    The value is based on the following questions -
  • How much did it cost to create or acquire the
    information?
  • How much would it cost to recreate or recover
    this information?
  • How much does it cost to maintain this
    information?
  • How much is this information worth to the
    organization?

157
Coming up with a Value
  • Each collection of information must be valued.
    The value is based on the following questions -
  • How much is this information worth to the
    competition?

158
After the assets are valued ...
  • The potential loss that could occur from the
    exploitation of a vulnerability can begin to be
    determined
  • The questions to be asked at this point include -
  • What damage could occur and what financial impact
    could it have?
  • What would it cost to recover from the attack, in
    addition to the financial impact of damage?
  • What is the single loss expectancy for each risk?

159
Single Loss Expectancy
  • Definition
  • A SINGLE LOSS EXPECTANCY (SLE) is the calculation
    of the value associated with the most likely loss
    from an attack
  • It is a calculation based on the value of the
    asset and the EXPOSURE FACTOR (EF), which is the
    expected percentage of loss that would occur from
    a particular attack, as follows

160
Single Loss Expectancy
  • SLE = asset value x exposure factor
  • Example
  • Web site - estimated value $1,000,000
  • Defaced by a hacker
  • 10% of web site defaced or destroyed
  • SLE = $1,000,000 x .10 = $100,000

161
Probability of Attack
  • Extremely difficult to estimate
  • There are not always references to go to
  • Some sources are available for some threat-asset
    pairs
  • Tornado-building
  • For this reason the probability of an attack is
    usually estimated in a table indicating the
    probability for an attack in a given time frame

162
Probability of Attack
  • Such an estimate is called the ANNUALIZED RATE OF
    OCCURRENCE (ARO)

163
Calculating Loss
  • Once an asset's value is known the next step is
    to determine how much loss is expected from a
    single expected attack and how often attacks will
    occur
  • Once these values are determined, the overall
    loss potential per risk can be determined
  • This is usually called the ANNUALIZED LOSS
    EXPECTANCY (ALE)

164
Calculating Loss
  • ALE = SLE x ARO
  • For the web site we have been using as an
    example, since the SLE = $100,000 and the ARO =
    .50, the ALE = $50,000
  • This means that if nothing is done the company
    can be expected to lose $50,000 each year as a
    result of web site exploitations

165
Calculating CBA
  • CBA determines whether or not the control
    alternative being evaluated is worth the
    associated cost incurred to control the specific
    vulnerability

166
Calculating CBA
  • The CBA is most easily calculated by -
  • Using the ALE prior to the implementation of the
    proposed control ALE(prior)
  • Subtract the revised ALE(post) which assumes the
    control is in place
  • Complete the calculation by subtracting the
    annualized cost of the safeguard (ACS)

167
Calculating CBA
  • The CBA is most easily calculated by -
  • Summarizing -
  • CBA = ALE(prior) - ALE(post) - ACS
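Carrying the web site example through SLE, ALE and CBA, as an added illustration that is not part of the original slides: the asset value, exposure factor and ARO are the slides' own numbers, while the Control class, the cost_benefit and rank_controls helpers, and the three candidate controls with their costs and post-control figures are constructed assumptions.

```python
from dataclasses import dataclass


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE = asset value x EF, where EF is the fraction of the asset lost per attack."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be a fraction between 0 and 1")
    return asset_value * exposure_factor


def annualized_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE x ARO, where ARO is the expected number of attacks per year."""
    if aro < 0.0:
        raise ValueError("annualized rate of occurrence cannot be negative")
    return sle * aro


@dataclass(frozen=True)
class Control:
    """A candidate safeguard and the EF / ARO expected once it is in place (hypothetical)."""
    name: str
    annualized_cost: float        # ACS: yearly cost of the safeguard
    exposure_factor_after: float  # EF with the control in place
    aro_after: float              # ARO with the control in place


def cost_benefit(asset_value: float, ef_prior: float, aro_prior: float, control: Control) -> float:
    """CBA = ALE(prior) - ALE(post) - ACS; positive means the control saves more than it costs."""
    ale_prior = annualized_loss_expectancy(single_loss_expectancy(asset_value, ef_prior), aro_prior)
    ale_post = annualized_loss_expectancy(
        single_loss_expectancy(asset_value, control.exposure_factor_after), control.aro_after)
    return ale_prior - ale_post - control.annualized_cost


def rank_controls(asset_value, ef_prior, aro_prior, controls):
    """Return (CBA, control) pairs, best first; a negative CBA is not cost appropriate."""
    scored = [(cost_benefit(asset_value, ef_prior, aro_prior, c), c) for c in controls]
    return sorted(scored, key=lambda pair: pair[0], reverse=True)


# Figures from the slides: $1,000,000 web site, 10% defaced per attack, one attack every two years
WEB_SITE_VALUE = 1_000_000.0
EF_PRIOR = 0.10
ARO_PRIOR = 0.50

# Constructed candidate controls (names and figures are assumptions, not from the slides)
CANDIDATE_CONTROLS = [
    Control("web application firewall", annualized_cost=15_000.0, exposure_factor_after=0.10, aro_after=0.10),
    Control("tested backups and rapid restore", annualized_cost=4_000.0, exposure_factor_after=0.02, aro_after=0.50),
    Control("full platform rewrite", annualized_cost=80_000.0, exposure_factor_after=0.05, aro_after=0.25),
]

if __name__ == "__main__":
    sle = single_loss_expectancy(WEB_SITE_VALUE, EF_PRIOR)   # $100,000 per attack
    ale = annualized_loss_expectancy(sle, ARO_PRIOR)          # $50,000 per year
    print(f"SLE ${sle:,.0f}  ALE ${ale:,.0f}")
    for cba, control in rank_controls(WEB_SITE_VALUE, EF_PRIOR, ARO_PRIOR, CANDIDATE_CONTROLS):
        verdict = "worth it" if cba > 0 else "not cost appropriate"
        print(f"{control.name:35s} CBA ${cba:>10,.0f}  {verdict}")
```

The third constructed control comes out with a negative CBA, which is the situation the summary describes where the control costs more than the loss it prevents.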

168
Benchmarking
  • Benchmarking is the practice of -
  • Seeking out and studying practices in other
    organizations
  • These organizations produce results that you
    would like to produce in your own
  • When selecting other organizations it is important
    to compare to other LIKE organizations

169
Benchmarking
  • Once the desired practices are identified an
    organization will develop a way to measure how it
    is performing
  • There are two types of measurements that are used
    -
  • Metrics-based
  • Performance-based

170
Metrics-based
  • Comparisons based on numerical standards
  • Numbers of successful attacks
  • Staff hours spent on system protection
  • Dollars spent on protection
  • Estimated value in dollars of the information
    lost in successful attacks
  • Loss in productivity hours associated with
    successful attacks

171
Metrics-based
  • The difference between an organization's measures
    and those of others is often referred to as a
    PERFORMANCE GAP

172
Process-based Measures
  • Process-based measures are more strategic than
    metrics-based approaches
  • Process-based measures allow an organization to
    examine the activities that are necessary to
    achieve a goal rather than the specifics of the
    goal
  • The primary focus of process-based measures is
    method rather than outcome

173
Categories of Benchmarks
  • Two categories of benchmarks
  • Standards of due care and due diligence
  • Best practices
  • Within best practices, the GOLD STANDARD is a
    subcategory of practices that are considered the
    best of the best

174
Categories of Benchmarks
  • Standard of Due Care
  • Organizations adopt levels of security for a
    legal defense
  • Must show they have done what any prudent
    organization would do
  • Insufficient to implement these standards and
    then ignore them

175
Categories of Benchmarks
  • Standard of Due Diligence
  • When an organization administers controls at or
    above the levels of due care the organization has
    shown they are performing at the level of due
    diligence
  • DUE DILIGENCE is the demonstration that the
    organization is diligent in ensuring that the
    implemented standards continue to provide the
    required level of protection

176
Applying Best Practices
  • When considering the adoption of best practices -
  • Does your organization resemble the identified
    target organization with the best practice under
    consideration?
  • Are the resources your organization can expend
    similar to those identified with the best
    practice?
  • Is your organization in a similar threat
    environment as that proposed in the best practice?

177
Problems w/ Benchmarking Best Practices
  • Biggest problem
  • No sharing of experience in the industry
  • No reporting of successful attacks since
    organizations consider these as failure
  • Lessons learned are not recorded

178
Problems w/ Benchmarking Best Practices
  • Another Problem
  • No two organizations are identical
  • Differences that can exist include -
  • Size, composition, management philosophy,
    organizational cultures, technological
    infrastructures, and budgets for security

179
Problems w/ Benchmarking Best Practices
  • Problem 3
  • Best practices are a moving target
  • What worked well two years ago may be completely
    worthless against today's threats
  • Security practices must be kept up to date
  • Methods, techniques, guidelines, policies,
    educational and training approaches, and
    technologies to combat threats

180
Other Feasibility
  • Beyond the financial feasibility, there are
    several other kinds of feasibility that must be
    determined
  • These are organizational, operational, technical,
    and political feasibility

181
Organizational Feasibility
  • Examines how well the proposed information
    security alternatives will contribute to the
    efficiency, effectiveness, and overall operation
    of an organization

182
Operational Feasibility
  • Addresses user acceptance and support
  • Management acceptance and support
  • Overall requirements of the organization's
    stakeholders
  • Also known as BEHAVIORAL FEASIBILITY because it
    measures the behavior of users

183
Technical Feasibility
  • Examines whether or not the organization has or
    can acquire the technology necessary to implement
    and support the control alternatives

184
Political Feasibility
  • For some organizations the most significant
    feasibility evaluated may be political
  • Within organizations, political feasibility
    defines what can and cannot occur based on the
    consensus and relationships between the
    communities of interest

185
Risk Appetite
  • Defines the quantity and nature of risk that an
    organization is willing to accept as they
    evaluate the tradeoffs between perfect security
    and unlimited accessibility

186
Summary
  • The main take away from this chapter should be
    that risk plays a significant part of the picture
    in any discussion about security
  • For any organization the determination of risk
    involves calculating the value of information and
    the kinds of threats the information asset may be
    subject to
  • In addition to this calculation an estimate must
    be made of the probability of each type of attack

187
Summary
  • The cost of instituting a control must be
    compared to the potential cost that might be
    incurred in the event of a successful attack
  • In some cases it may not be cost appropriate to
    institute a control because the potential loss is
    far less than the control cost