Vulnerability is software,
hardware, procedural, or human weakness that may provide an attacker the open
door he is looking for to enter a computer or network and have
unauthorized access to resources within the environment. A vulnerability
characterizes the absence or weakness of a safeguard that could be exploited.
Threat is any potential danger to information
or systems. The threat is that someone, or something, will identify a
specific vulnerability and use it against the company or individual. The
entity that takes advantage of a vulnerability is referred to as a threat
agent.
Risk is the likelihood of a threat agent
taking advantage of a vulnerability and the corresponding business impact. If
a firewall has several ports open, there is a higher likelihood that an
intruder will use one to access the network in an unauthorized method.
An exposure is an instance of being exposed to
losses from a threat agent.
A countermeasure, or safeguard,
is put into place to mitigate the potential risk. A countermeasure may be a
software configuration, a hardware device, or a procedure that eliminates
a vulnerability or that reduces the likelihood a threat agent will be able
to exploit a vulnerability.
Typical
Threat Agents:
- Accidental
discovery
- Automated
malware
- curious attacker
- Script kiddie
- motivated
attacker ( or disgruntled employee)
- Organized crime.
Security
model
Security Principles
- Minimize attack
surface
- secure defaults
- principle of
least privilege
- defense in depth
- Fail securely
- External systems
are insecure.
- separation of
duties
- It ensures no single person has total control over an activity or task.
- Split knowledge and dual control are two aspects of separation of duties.
- Do not trust
security through obscurity
- simplicity
- fix security
issues correctly
Security planning
Has
various layers, but it also has different types of goals to accomplish in
different time frames.
- Strategic
planning is the plans that fall in line with the business and
information technology goals.
- Tactical
planning refers to the initiatives and other support that must be
implemented to reach the broader goals that have been put forth by
the strategic planning
- operational
planning deals with very specific plans, their deadlines, and goals.
This
approach to planning is called the planning horizon.
Security Frameworks
The
Control Objectives for Information and related Technology (CobiT) was created by the Information Systems Audit and Control Association (ISACA) to provide specific guidance for creating and assessing IT controls. It is a
framework and set of best practices developed by the Information Systems
Audit and Control Association (ISACA) and the IT Governance Institute (ITGI).
It defines goals for the controls that should be used to properly manage
IT and to ensure that IT maps to business needs.
CobiT is broken down into
four domains(34 IT processes, ranging from strategic planning to implementation, production support and monitoring):
- Plan and
Organize,
- Acquire and
Implement,
- Deliver and
Support, and
- Monitor
and Evaluate.
CobiT
CobiT is a framework that defines goals for the controls that should be used to properly manage IT and to ensure that IT maps to business needs.
Derived
from the COSO framework, developed by the Committee of Sponsoring Organizations
(COSO) of the Treadway Commission in 1985 to deal with fraudulent
financial activities and reporting. The COSO framework is made up of the
following components:
-
Management's philosophy and operating style
-
Company culture as it pertains to ethics and fraud
-
Establishment of risk objectives
-
Ability to manage internal and external change
-
Policies, procedures, and practices put in place to mitigate risk
- Information and
communication
-
Structure that ensures that the right people get the right information at the
right time
-
Detecting and responding to control deficiencies
COSO is a Model for corporate governance and
CobiT is a model for IT governance. COSO deals more at the
strategic level, while CobiT focuses more at the operational level. You
can think of CobiT as a way to meet many of the COSO objectives, but only
from the IT perspective. COSO deals with non-IT items also, as in company
culture, financial accounting principles, board of director
responsibility, and internal communication structures. COSO was formed to provide sponsorship
for the National Commission on Fraudulent Financial Reporting, an organization
that studies deceptive financial reports and what elements lead to them.
COBIT information security topics
A policy would typically address a specific topic such as acceptable use of company e-mail, or wireless communications.
For example, the Benchmark provided by the Center for Internet Security (
CIS). This benchmark provides specific guidance for configuring security on a Windows 2000 server.
- Access and Authentication
In addition to AA, Includes user and account mgmt.
firewalls, intrusion detection systems (IDS), encryption, certificates.
- antivirus is mandatory.
- use ethical hacking or penetration testing to test systems.
invalid logins, port scans, invalid authorization requests, use analysis tools if appt.
The Information Technology Governance Institute (ITGI) is a group created to assist corporations with governing their IT and ensuring IT efficiently supports business mission and goals. ITGI has used COSO and COBIT to create a set of specific IT control objectives for SOX.
Security Standards
Guidelines are recommendations and general approaches that provide advice and flexibility.
There
are standards and industry best practices, which provide the guidance and recipe
for how to set up and implement a full security program.
A standard specifies how hardware and software are to be used. Standards are compulsory.
The
most common standard used to be ISO
17799, which was derived from the British Standard 7799
(BS7799).
It is an internationally recognized Information Security Management (ISM)
Standard that provides high-level conceptual recommendations on enterprise
security. The British Standard actually has two parts:
- - BS7799 Part
1: outlines control objectives and a range of controls to meet those
objectives; and
- - BS7799 Part 2,
which outlines how a security program can be set up and
maintained.
BS7799
Part 2 also served as a baseline that organizations could be certified
against. To become certified against the ISO 17799, an
authorized third party would evaluate the organization against the requirements
in ISO 17799 Part 2. The organization could be certified against all or
just a portion of ISO 17799 Part 2.
ISO/IEC 27000
ISO
9000 series comprises many standards that deal with quality control for
business processes. A new series, ISO/IEC 27000, is used for assurance and
security standards. ISO has overhauled the 17799 standards to correspond with
their current numbering format. Following are the ISO/IEC series that are
used as blueprints for organizations to follow when developing their security
program:
- ISO/IEC 27001
Based on British Standard BS7799 Part 2, which is establishment,
implementation, control, and improvement of the Information Security
Management System
- It is the standard for the establishment, implementation, control, and improvement of the Information Security Management System.
- ISO/IEC 27002
Code of practice providing good practice advice on ISMS (previously known
as ISO 17799 part 1), itself based on British Standard BS 7799 Part 1
- It is a comprehensive set of controls comprising best practices in information security and provides guidelines on how to set up and maintain security programs.
- ISO/IEC 27004 A
standard for information security management measurements
- ISO/IEC 27005
Designed to assist the satisfactory implementation of information security
based on a risk management approach
- ISO/IEC 27006 A
guide to the certification/registration process
- ISO/IEC 27799 A
guide to illustrate how to protect personal health information
The
ISO/IEC 27002 (formerly ISO 17799) domains are as follows:
- Information
security policy for the organization
- Creation of
information security infrastructure
- Asset
classification and control
- Personnel
security
- Physical and
environmental security
- Communications
and operations management
- Access control
- System
development and maintenance
- Business
continuity management
- Compliance
ITIL
Where
CobiT defines IT goals, ITIL provides the steps at the process level on how
to achieve those goals. Although ITIL has a component that deals with
security, its focus is more toward internal service level agreements
between the IT department and the "customers" it serves. The
customers are usually internal departments.
Security Governance
Security
governance is all of the tools, personnel, and business processes necessary to
ensure that the security implemented meets the organization's specific needs.
Governance is the set of responsibilities and practices exercised by the board and executive management with the goal of providing strategic direction, ensuring that objectives are achieved, ascertaining that risks are managed appropriately, and verifying that the enterprise's resources are used responsibly.
Security Program Development
It
is important to understand that a security program has a life cycle that is always
continuing, because it should be constantly evaluated and improved upon. The security program should be integrated with current business objectives and goals.
The life cycle of any process can be described in different ways.
1.
Plan
and Organize
- Establish
management commitment.
- Establish
oversight steering committee.
- Assess business
drivers.
- Carry out a
threat profile on the organization.
- Carry out a risk
assessment.
- Develop security
architectures at an organizational, application, network, and component
level.
- Identify
solutions per architecture level.
- Obtain management
approval to move forward.
2.
Implement
- Assign roles and
responsibilities.
- Develop
and implement security policies, procedures, standards, baselines, and
guidelines.
- Identify
sensitive data at rest and in transit.
- Implement
the following blueprints:
- Asset
identification and management
- Risk
management
- Vulnerability
management
- Compliance
- Identity
management and access control
- Change
control
- Software
development life cycle
- Business
continuity planning
- Awareness
and training
- Physical
security
- Incident
response
- Implement
solutions (administrative, technical, physical) per blueprint.
- Develop
auditing and monitoring solutions per blueprint.
- Establish
goals, service level agreements (SLAs), and metrics per blueprint.
3.
Operate
and Maintain
- Follow
procedures to ensure all baselines are met
- Carry out
internal and external audits.
- Carry out
tasks outlined per blueprint.
- Manage
service level agreements
4.
Monitor
and Evaluate
- Review
logs, audit results, collected metric values, and SLAs per blueprint.
- Assess
goal accomplishments
- quarterly
meetings
- improvement
steps and integrate into the Plan and Organize phase.
Information risk management
(IRM)
IRM is the process of identifying, assessing, and reducing risk to an acceptable level and implementing the right mechanisms to maintain that level of risk.
Proper
risk management requires a strong commitment from senior management, a
documented process that supports the organization's mission, an IRM policy, and a delegated IRM team.
The risk management team should include individuals from different departments within the organization, not just technical personnel.
Threats
must be identified, classified by category, and evaluated to calculate their
damage potential to the company. Real risk is hard to measure, but
prioritizing the potential risks in order of which ones must be addressed first
is possible.
Risk analysis
which
is really a tool for risk management, is a method of identifying
vulnerabilities and threats and assessing the possible impacts to
determine where to implement security safeguards. Risk analysis is used to
ensure that security is cost-effective, relevant, timely, and responsive
to threats.
Identifying Threats
Illogical
processing and cascading errors would mean invalid results are passed
on
to another process. Risks have loss
potential, meaning what the company would lose if a threat agent were
actually to exploit a vulnerability. Must look at delayed loss when assessing the damages that can
occur
Methodologies for Risk
Assessment
- NIST
SP 800-30 and 800-66 are methodologies that can be used by
the general public, but the initial creation of 800-66 was designed
to be implemented in the healthcare field and other regulated industries.
While 800-66 was designed to be used by HIPAA clients, it can also be
readily adopted and used by other regulated industries. The NIST
approach is specific to IT threats and is commonly used by security
consultants, security officers and internal IT departments, and
focuses mainly on computer systems
·
FRAP
Which
stands for Facilitated Risk Analysis Process. It is designed to explore a
qualitative risk assessment process in a manner that allows for tests to be
conducted on different aspects and variations of the methodology. This
will allow, through the use of a prescreening process, users to determine
the areas that really demand and need risk analysis within an
organization.
- OCTAVE (Operationally Critical Threat, Asset,
and Vulnerability Evaluation) was created by Carnegie Mellon
University's Software Engineering Institute. It is a methodology that is
intended to be used in situations where people manage and direct the
risk evaluation for information security within their company.
The limitations of OCTAVE are:
- OCTAVE is
incompatible with AS/NZS 4360, as it mandates Likelihood = 1 (i.e., It
assumes a threat will always occur)
- Consisting of 18
volumes, OCTAVE is large and complex, with many worksheets and practices
to implement.
- It does not
provide a list of “out of the box” practices for assessing and mitigating
web application security risks.
- Because of these
issues and not considering, OWASP does not anticipate that OCTAVE will be
used at large by application designers or developers
- AS/NZS
4360: While
both the NIST and OCTAVE methodologies focus on IT threats and information
security risks, AS/NZS
4360 takes a much broader approach to risk management. This
methodology can be used to understand a company's financial, capital,
human safety, and business decisions risks. Although it can be used to
analyze security risks, it was not created specifically for this
purpose.
o The advantages of AS/NZS 4360:
- AS/NZS
4360 works well as a risk management methodology for organizations
requiring Sarbanes-Oxley compliance.
- AS/NZS
4360 works well for organizations that prefer to manage risks in a
traditional way, such as just using likelihood and consequence to
determine an overall risk.
- AS/NZS
4360 is familiar to most risk managers worldwide, and your organization
may already have implemented an AS/NZS 4360 compatible approach.
- You
are an Australian organization, and may be required to use it if you are
audited on a regular basis, or to justify why you aren’t using it.
Luckily, the STRIDE/DREAD model discussed earlier is AS/NZS 4360
compatible.
- The limitations of AS/NZS 4360:
- The
AS/NZS 4360 approach works best for business or systemic risks than for
technical risks.
- AS/NZS
4360 does not define the methodology to perform a structured threat risk
modeling exercise.
- As
AS/NZS 4360 is a generic framework for managing risk, it does not
provide any structured method to enumerate web application security
risks.
Although
AS/NZS 4360 may be used to rank risks for security reviews, the lack of
structured methods of enumerating threats for web applications makes it less
desirable than other methodologies described earlier.
- CVSS:
The US Department of Homeland Security (DHS) established the NIAC
Vulnerability Disclosure Working Group, which incorporates input from Cisco
Systems, Symantec, ISS, Qualys, Microsoft, CERT/CC, and eBay. One of the
group’s outputs is the Common Vulnerability Scoring System (CVSS).
- Failure Modes
and Effect Analysis (FMEA) is a method for determining functions,
identifying functional failures, and assessing the causes of failure
and their failure effects through a structured process. While FMEA is
most useful as a survey method to identify major failure modes in a given
system, the method is not as useful in discovering complex failure
modes that may be involved in multiple systems or subsystems.
- A fault tree analysis usually
proves to be a more useful approach to identifying failures that can take
place within more complex environments and systems.
Quantitative risk
analysis
attempts
to assign real and meaningful numbers to all elements of the risk analysis
process. These elements may include safeguard costs, asset value, business
impact, threat frequency, safeguard effectiveness, exploit probabilities, and
so on. Purely quantitative risk analysis is not possible because the
method attempts to quantify qualitative items, and there are always
uncertainties in quantitative values
Note Quantitative analysis uses risk calculations that attempt
to predict the level of monetary losses and the probability for each type
of threat. Qualitative analysis does not use calculations. Instead, it is more
opinion-and scenario based.
The
Single loss expectancy is a dollar amount that is assigned to a single event
that represents the company's potential loss amount if a specific threat
were to take place:
-
SLE = asset value × exposure
factor (EF)
exposure
factor (EF) represents
the percentage of loss a realized threat could have on a certain asset
- annualized loss
expectancy (ALE) = SLE ×
annualized rate of occurrence (ARO)
annualized
rate of occurrence (ARO) is the value that represents the
estimated frequency of a specific threat taking place within a one-year
timeframe.
Qualitative Risk Analysis
Does
not assign numbers and monetary values to components and
losses.
Instead, qualitative methods walk through different scenarios of risk
possibilities and rank the seriousness of the threats and the validity of
the different possible countermeasures based on opinions.
A qualitative rating would be expressed in high, medium, or low, or on a scale of 1 to 5 or 1 to 10. A quantitative result would be expressed in dollar amounts and percentages.
In risk analysis, uncertainty refers to the degree to which you
lack confidence in an estimate.
The
Delphi technique is a group decision method used to
ensure that each member gives an honest opinion of what he or she thinks
the result of a particular threat will be.
Advantages of Qualitative
Requires
no calculations
Provides
general areas and indications of risk
Provides
the opinions of the individuals who know the processes best.
Advantages of
Quantitative.
Uses
independently verifiable and objective metrics
Is
easier to automate and evaluate
Very
less guesswork
Provides
credible cost/benefit analysis
Used
in risk management performance tracking
A
security countermeasure,
sometimes called a safeguard,
must make good business sense, meaning it is cost-effective (its benefit
outweighs its cost). This requires another type of analysis: a cost/benefit
analysis. A commonly used cost/benefit calculation for a given safeguard
is
(ALE
before implementing safeguard) - (ALE after implementing safeguard) - (annual
cost of safeguard) = value of safeguard to the company
Total Risk vs. Residual
Risk
- threats ×
vulnerability × asset value = total risk
- (threats ×
vulnerability × asset value) × controls gap = residual risk
Handling Risk
Project sizing, which means to understand and document the scope of the project, must be done before a risk analysis is performed.
The main goals of risk analysis are the following: identify assets and assign values to them, identify vulnerabilities and threats, quantify the impact of potential threats, and provide an economic balance between the impact of the risk and the cost of the safeguards.
Steps
of a Risk Analysis
- Step 1: Assign
Value to Assets
- When determining the value of information, the following issues must be considered: the cost to acquire and develop data; the cost to maintain and protect data; the value of the data to owners, users, and adversaries; the cost of replacement if the data is lost; the price others are willing to pay for the data; lost opportunities; and the usefulness of the data
- Step 2: Estimate
Potential Loss Per Threat (including SLE)
- Step 3: Perform
a Threat Analysis
- Step 4: Derive
the Overall Annual Loss Potential Per Threat
- Step 5: Reduce,
Transfer, Avoid, or Accept the Risk
3
Main steps for Risk Analysis:
- Asset and
Information value assignment
- Risk Analysis
and assessment
- countermeasure
selection and implementation
Risk Management could take the input from
Planning and collecting information and defining the recommendations. It can
then handle the risk as:
- Risk transfer
- Risk Avoidance
- Risk Mitigation
- Risk Acceptance
Automated risk analysis tools reduce the amount of manual work involved in the analysis. They can be used to estimate future expected losses and calculate the benefits of different security measures.
Security Policy
A security policy is a statement by management dictating the role security plays in the organization. A
security policy can be an organizational policy, an
issue-specific policy, or a system-specific policy.
Due
diligence is
an understanding of the current threats and risks, and due care is implementing countermeasures
to provide protection from those threats. If a company does not practice due
care and due diligence pertaining to the security of its assets, it can be
legally charged with negligence and held accountable for any ramifications
of that negligence.
Other
regulations also call out requirements of boards of directors, as in the Gramm-Leach-Bliley Act (GLBA).
But SOX is a
regulation that holds the members of the board personally responsible, thus
they can each be fined or go to jail.
Principles
of Federal Prosecution of Business Organizations
The
Department of Justice provides the following guidelines for attorneys when
attempting to prosecute corporate wrongdoings:
Do
the corporation's directors exercise independent review over proposed corporate
actions rather than unquestioningly ratifying officers' recommendations; are
the directors provided with information sufficient to enable the exercise of
independent judgment; are internal audit functions conducted at a level
sufficient to ensure their independence and accuracy; and have the directors
established an information and reporting system in the organization reasonably
designed to provide management and the board of directors with timely and
accurate information sufficient to allow them to reach an informed decision
regarding the organization's compliance with the law.
International
Requirements
If
the organization is exchanging data with European entities, it may need to
adhere to the safe
harbor requirements. outlines
how any entity that is going to move privacy data to and from Europe must
go about protecting it.
Global
organizations that move data across other country boundaries must also be aware
of and follow the
Organisation
for Economic Co-operation and Development (OECD) Guidelines and transborder
information flow rules.
Summary:
Security management
A
security program should address issues from a strategic, tactical, and
operational view.
A key element during the initial security planning process is to define reporting relationships.
Security
management embodies the administrative and procedural activities necessary to
support and protect information and company assets throughout the
enterprise.
- Management must define the scope and purpose of security management, provide support, appoint a security team, delegate responsibility, and review the team's findings.
- It includes
development and enforcement of security policies and their supporting
mechanisms: procedures, standards, baselines, and guidelines.
- It encompasses
risk management, security awareness training, and proper
countermeasure selection and implementation.
- Personnel
(hiring, terminating, training, and management structure) and
operational (job rotation and separation of duties) activities must also
be conducted properly to ensure a secure environment.
- Management must
understand the legal and ethical responsibilities it is required to
respect and uphold.
- Security management should work from the top down (from senior management down to the staff).
Summary
- The objectives
of security are to provide availability, integrity, and confidentiality
protection to data and resources.
- Security
components can be technical (firewalls, encryption, and access control
lists) or nontechnical (security policy, procedures, and compliance
enforcement).
- Asset
identification should include tangible assets (facilities and hardware)
and intangible assets (corporate data and reputation).
- Assurance is a
degree of confidence that a certain security level is being provided.
- Procedures are
detailed step-by-step actions that should be followed to achieve a certain
task.
- A baseline is a
minimum level of security.
- Job rotation is
a control to detect fraud.
- Mandatory
vacations are a control type that can help detect fraudulent activities.
- Data is
classified to assign priorities to data and ensure the appropriate level
of protection is provided.
- Data
owners specify the classification of data.
- Security
has functional requirements, which define the expected behavior from a
product or system, and assurance requirements, which establish
confidence in the implemented products or systems overall.
- Safeguards
should default to least privilege, and have fail-safe defaults and
override capabilities.
- Safeguards
should be imposed uniformly so everyone has the same restrictions and
functionality.
- The data
custodian (information custodian) is responsible for maintaining and
protecting data.
- A security
analyst works at a strategic level and helps develop policies, standards,
and guidelines, and also sets various baselines.
- Application
owners are responsible for dictating who can and cannot access their
applications, as well as the level of protection these applications
provide for the data they process and for the company.
Appendix A: Microsoft Threat
Modelling
Should
fit alongside the "methodologies for Risk assessment" above.
STRIDE
STRIDE is a classification
scheme for characterizing known threats according to the kinds of exploit that
are used (or motivation of the attacker).
Spoofing Identity “Identity spoofing”
is a key risk for applications that have many users but provide a single
execution context at the application and database level.
Tampering with Data Users can
potentially change data delivered to them, return it, and thereby potentially
manipulate client-side validation, GET and POST results, cookies, HTTP headers,
and so forth.
Repudiation Users may dispute
transactions if there is insufficient auditing or recordkeeping of their
activity.
Information Disclosure. Therefore, applications
must include strong controls to prevent user ID tampering and abuse,
particularly if they use a single context to run the entire application.
Denial of Service Application
designers should be aware that their applications may be subject to a denial of
service attack.
Elevation of Privilege If an application
provides distinct user and administrative roles, then it is vital to ensure
that the user cannot elevate his/her role to a higher privilege one.
DREAD
DREAD is a classification
scheme for quantifying, comparing and prioritizing the amount of risk presented
by each evaluated threat. T
Risk_DREAD = (DAMAGE
+ REPRODUCIBILITY + EXPLOITABILITY + AFFECTED
USERS + DISCOVERABILITY) / 5
The calculation always
produces a number between 0 and 10; the higher the number, the more serious the
risk.
Threat
Modeling Process
- Identify assets.
- Create an
architecture overview.
- Identify what
the application does.
- Create an
architecture diagram.
- Identify the
technologies.
- Decompose the
application.
-
- Identify trust
boundaries.
- Identify data
flow.
- Identify entry
points.
- Identify
privileged code.
- Document the
security profile.
- Identify the
threats(you can use STRIDE).
-
- Identify
network threats.
- Identity host
threats.
- Identify
application threats.
-
- Using Attack
Trees and Attack Patterns
- An attack
tree is a way of collecting and documenting the potential attacks on
your system in a structured and hierarchical manner. The tree structure
gives you a descriptive breakdown of various attacks that the attacker
uses to compromise the system.
- Attack
Patterns
- Attack
patterns are generic representations of commonly occurring attacks that
can occur in a variety of different contexts.
- Document the
threats.
- Rate the
threats.
- You can
use the DREAD model to rate the threats or use a quantitative
approach.
For more details
on alternative Threat modeling systems refer:
These are my notes collected from various sources and this is not claimed as original content.
