Saturday, June 9, 2012

Security: Information Security, threats, risks



Vulnerability is software, hardware, procedural, or human weakness that may provide an attacker the open door he is looking for to enter a computer or network and have unauthorized access to resources within the environment. A vulnerability characterizes the absence or weakness of a safeguard that could be exploited.

Threat is any potential danger to information or systems. The threat is that someone, or something, will identify a specific vulnerability and use it against the company or individual. The entity that takes advantage of a vulnerability is referred to as a threat agent.

Risk is the likelihood of a threat agent taking advantage of a vulnerability and the corresponding business impact. If a firewall has several ports open, there is a higher likelihood that an intruder will use one to access the network in an unauthorized method.

An exposure is an instance of being exposed to losses from a threat agent.

A countermeasure, or safeguard, is put into place to mitigate the potential risk. A countermeasure may be a software configuration, a hardware device, or a procedure that eliminates a vulnerability or that reduces the likelihood a threat agent will be able to exploit a vulnerability.


Typical Threat Agents:
  • Accidental discovery
  • Automated malware
  • curious attacker
  • Script kiddie
  • motivated attacker ( or disgruntled employee)
  • Organized crime.

 Security model

 Security Principles
  • Minimize attack surface
  • secure defaults
  • principle of least privilege
  • defense in depth
  • Fail securely
  • External systems are insecure.
  • separation of duties
    • It ensures no single person has total control over an activity or task.
    • Split knowledge and dual control are two aspects of separation of duties.
  • Do not trust security through obscurity
  • simplicity
  • fix security issues correctly
Security planning
Has various layers, but it also has different types of goals to accomplish in different time frames.
  • Strategic planning is the plans that fall in line with the business and information technology goals.
  • Tactical planning refers to the initiatives and other support that must be implemented to reach the broader goals that have been put forth by the strategic planning
  • operational planning deals with very specific plans, their deadlines, and goals.
This approach to planning is called the planning horizon.

Security Frameworks


The Control Objectives for Information and related Technology (CobiTwas created by the Information Systems Audit and Control Association (ISACA) to provide specific guidance for creating and assessing IT controls. It is a framework and set of best practices developed by the Information Systems Audit and Control Association (ISACA) and the IT Governance Institute (ITGI). It defines goals for the controls that should be used to properly manage IT and to ensure that IT maps to business needs. 
CobiT is broken down into four domains(34 IT processes, ranging from strategic planning to implementation, production support and monitoring):

  • Plan and Organize, 
  • Acquire and Implement, 
  • Deliver and Support, and 
  • Monitor and Evaluate.

CobiT

CobiT is a framework that defines goals for the controls that should be used to properly manage IT and to ensure that IT maps to business needs.

Derived from the COSO framework, developed by the Committee of Sponsoring Organizations (COSO) of the Treadway Commission in 1985 to deal with fraudulent financial activities and reporting. The COSO framework is made up of the following components:

  • Control environment

 - Management's philosophy and operating style
 - Company culture as it pertains to ethics and fraud

  • Risk assessment

 - Establishment of risk objectives
 - Ability to manage internal and external change

  • Control activities

 - Policies, procedures, and practices put in place to mitigate risk

  • Information and communication

 - Structure that ensures that the right people get the right information at the right time

  • Monitoring

 - Detecting and responding to control deficiencies

COSO is a Model for corporate governance and CobiT is a model for IT governance. COSO deals more at the strategic level, while CobiT focuses more at the operational level. You can think of CobiT as a way to meet many of the COSO objectives, but only from the IT perspective. COSO deals with non-IT items also, as in company culture, financial accounting principles, board of director responsibility, and internal communication structures. COSO was formed to provide sponsorship for the National Commission on Fraudulent Financial Reporting, an organization that studies deceptive financial reports and what elements lead to them.

COBIT information security topics
  • Security Policy
    A policy would typically address a specific topic such as acceptable use of company e-mail, or wireless communications.
  • Security Standards
For example, the Benchmark provided by the Center for Internet Security (CIS). This benchmark provides specific guidance for configuring security on a Windows 2000 server.
  • Access and Authentication
In addition to AA,   Includes user and account mgmt.
  • Network Security
 firewalls, intrusion detection systems (IDS), encryption, certificates.
 - antivirus is mandatory.
 - use ethical hacking or penetration testing to test systems.
  • Monitoring
invalid logins, port scans, invalid authorization requests,  use analysis tools if appt.
  • Segregation of Duties
  • Physical Security

The Information Technology Governance Institute (ITGI) is a group created to assist corporations with governing their IT and ensuring IT efficiently supports business mission and goals. ITGI has used COSO and COBIT to create a set of specific IT control objectives for SOX.

Security Standards

Guidelines are recommendations and general approaches that provide advice and flexibility. 

There are standards and industry best practices, which provide the guidance and recipe for how to set up and implement a full security program.

 A standard specifies how hardware and software are to be used. Standards are compulsory. 

The most common standard used to be ISO 17799, which was derived from the British Standard 7799
(BS7799). It is an internationally recognized Information Security Management (ISM) Standard that provides high-level conceptual recommendations on enterprise security. The British Standard actually has two parts:

  • - BS7799 Part 1: outlines control objectives and a range of controls to meet those objectives; and 
  • - BS7799 Part 2, which outlines how a security program can be set up and maintained. 


BS7799 Part 2 also served as a baseline that organizations could be certified against. To become certified against the ISO 17799, an authorized third party would evaluate the organization against the requirements in ISO 17799 Part 2. The organization could be certified against all or just a portion of ISO 17799 Part 2.

ISO/IEC 27000


ISO 9000 series comprises many standards that deal with quality control for business processes. A new series, ISO/IEC 27000, is used for assurance and security standards. ISO has overhauled the 17799 standards to correspond with their current numbering format. Following are the ISO/IEC series that are used as blueprints for organizations to follow when developing their security program:

  • ISO/IEC 27001 Based on British Standard BS7799 Part 2, which is establishment, implementation, control, and improvement of the Information Security Management System
    • It is the standard for the establishment, implementation, control, and improvement of the Information Security Management System.
  • ISO/IEC 27002 Code of practice providing good practice advice on ISMS (previously known as ISO 17799 part 1), itself based on British Standard BS 7799 Part 1
    • It is a comprehensive set of controls comprising best practices in information security and provides guidelines on how to set up and maintain security programs.
  • ISO/IEC 27004 A standard for information security management measurements
  • ISO/IEC 27005 Designed to assist the satisfactory implementation of information security based on a risk management approach
  • ISO/IEC 27006 A guide to the certification/registration process
  • ISO/IEC 27799 A guide to illustrate how to protect personal health information
The ISO/IEC 27002 (formerly ISO 17799) domains are as follows:
  • Information security policy for the organization
  • Creation of information security infrastructure
  • Asset classification and control
  • Personnel security
  • Physical and environmental security
  • Communications and operations management
  • Access control
  • System development and maintenance
  • Business continuity management
  • Compliance

ITIL 

Where CobiT defines IT goals, ITIL provides the steps at the process level on how to achieve those goals. Although ITIL has a component that deals with security, its focus is more toward internal service level agreements between the IT department and the "customers" it serves. The customers are usually internal departments.

Security Governance

Security governance is all of the tools, personnel, and business processes necessary to ensure that the security implemented meets the organization's specific needs.

 Governance is the set of responsibilities and practices exercised by the board and executive management with the goal of providing strategic direction, ensuring that objectives are achieved, ascertaining that risks are managed appropriately, and verifying that the enterprise's resources are used responsibly.

Security Program Development

It is important to understand that a security program has a life cycle that is always continuing, because it should be constantly evaluated and improved upon.  The security program should be integrated with current business objectives and goals.

 The life cycle of any process can be described in different ways.

1.     Plan and Organize
  • Establish management commitment.
  • Establish oversight steering committee.
  • Assess business drivers.
  • Carry out a threat profile on the organization.
  • Carry out a risk assessment.
  • Develop security architectures at an organizational, application, network, and component level.
  • Identify solutions per architecture level.
  • Obtain management approval to move forward.
2.     Implement
  • Assign roles and responsibilities.
  •  Develop and implement security policies, procedures, standards, baselines, and guidelines.
  •  Identify sensitive data at rest and in transit.
  •  Implement the following blueprints:
  •  Asset identification and management
  •  Risk management
  •  Vulnerability management
  •  Compliance
  •  Identity management and access control
  •  Change control
  •  Software development life cycle
  •  Business continuity planning
  •  Awareness and training
  •  Physical security
  •  Incident response
  •  Implement solutions (administrative, technical, physical) per blueprint.
  •  Develop auditing and monitoring solutions per blueprint.
  •  Establish goals, service level agreements (SLAs), and metrics per blueprint.
3.     Operate and Maintain
  •  Follow procedures to ensure all baselines are met
  •  Carry out internal and external audits.
  •  Carry out tasks outlined per blueprint.
  •  Manage service level agreements
4.     Monitor and Evaluate
  •  Review logs, audit results, collected metric values, and SLAs per blueprint.
  •  Assess goal accomplishments
  • quarterly meetings
  •  improvement steps and integrate into the Plan and Organize phase.

Information risk management (IRM) 

IRM is the process of identifying, assessing, and reducing risk to an acceptable level and implementing the right mechanisms to maintain that level of risk.

Proper risk management requires a strong commitment from senior management, a documented process that supports the organization's mission, an IRM policy, and a delegated IRM team.

 The risk management team should include individuals from different departments within the organization, not just technical personnel.

Threats must be identified, classified by category, and evaluated to calculate their damage potential to the company. Real risk is hard to measure, but prioritizing the potential risks in order of which ones must be addressed first is possible.

Risk analysis

which is really a tool for risk management, is a method of identifying vulnerabilities and threats and assessing the possible impacts to determine where to implement security safeguards. Risk analysis is used to ensure that security is cost-effective, relevant, timely, and responsive to threats.

Identifying Threats

Illogical processing and cascading errors would mean invalid results are passed
on to another process. Risks have loss potential, meaning what the company would lose if a threat agent were actually to exploit a vulnerability. Must look at delayed loss when assessing the damages that can occur

Methodologies for Risk Assessment

  • NIST SP 800-30 and 800-66 are methodologies that can be used by the general public, but the initial creation of 800-66 was designed to be implemented in the healthcare field and other regulated industries. While 800-66 was designed to be used by HIPAA clients, it can also be readily adopted and used by other regulated industries. The NIST approach is specific to IT threats and is commonly used by security consultants, security officers and internal IT departments, and focuses mainly on computer systems

·        FRAP

Which stands for Facilitated Risk Analysis Process. It is designed to explore a qualitative risk assessment process in a manner that allows for tests to be conducted on different aspects and variations of the methodology. This will allow, through the use of a prescreening process, users to determine the areas that really demand and need risk analysis within an organization. 
  • OCTAVE (Operationally Critical Threat, Asset, and Vulnerability Evaluation) was created by Carnegie Mellon University's Software Engineering Institute. It is a methodology that is intended to be used in situations where people manage and direct the risk evaluation for information security within their company. 
         The limitations of OCTAVE are:
  1. OCTAVE is incompatible with AS/NZS 4360, as it mandates Likelihood = 1 (i.e., It assumes a threat will always occur)
  2. Consisting of 18 volumes, OCTAVE is large and complex, with many worksheets and practices to implement.
  3. It does not provide a list of “out of the box” practices for assessing and mitigating web application security risks.
  4. Because of these issues and not considering, OWASP does not anticipate that OCTAVE will be used at large by application designers or developers

  • AS/NZS 4360: While both the NIST and OCTAVE methodologies focus on IT threats and information security risks, AS/NZS 4360 takes a much broader approach to risk management. This methodology can be used to understand a company's financial, capital, human safety, and business decisions risks. Although it can be used to analyze security risks, it was not created specifically for this purpose.
o   The advantages of AS/NZS 4360:
      • AS/NZS 4360 works well as a risk management methodology for organizations requiring Sarbanes-Oxley compliance.
      • AS/NZS 4360 works well for organizations that prefer to manage risks in a traditional way, such as just using likelihood and consequence to determine an overall risk.
      • AS/NZS 4360 is familiar to most risk managers worldwide, and your organization may already have implemented an AS/NZS 4360 compatible approach.
      • You are an Australian organization, and may be required to use it if you are audited on a regular basis, or to justify why you aren’t using it. Luckily, the STRIDE/DREAD model discussed earlier is AS/NZS 4360 compatible.
    • The limitations of AS/NZS 4360:
      • The AS/NZS 4360 approach works best for business or systemic risks than for technical risks.
      • AS/NZS 4360 does not define the methodology to perform a structured threat risk modeling exercise.
      • As AS/NZS 4360 is a generic framework for managing risk, it does not provide any structured method to enumerate web application security risks.
              Although AS/NZS 4360 may be used to rank risks for security reviews, the lack of structured methods of enumerating threats for web applications makes it less desirable than other methodologies described earlier.
  • CVSS: The US Department of Homeland Security (DHS) established the NIAC Vulnerability Disclosure Working Group, which incorporates input from Cisco Systems, Symantec, ISS, Qualys, Microsoft, CERT/CC, and eBay. One of the group’s outputs is the Common Vulnerability Scoring System (CVSS).
  • Failure Modes and Effect Analysis (FMEA) is a method for determining functions, identifying functional failures, and assessing the causes of failure and their failure effects through a structured process. While FMEA is most useful as a survey method to identify major failure modes in a given system, the method is not as useful in discovering complex failure modes that may be involved in multiple systems or subsystems. 
  • A fault tree analysis usually proves to be a more useful approach to identifying failures that can take place within more complex environments and systems.

Quantitative risk analysis 

attempts to assign real and meaningful numbers to all elements of the risk analysis process. These elements may include safeguard costs, asset value, business impact, threat frequency, safeguard effectiveness, exploit probabilities, and so on. Purely quantitative risk analysis is not possible because the method attempts to quantify qualitative items, and there are always uncertainties in quantitative values

Note Quantitative analysis uses risk calculations that attempt to predict the level of monetary losses and the probability for each type of threat. Qualitative analysis does not use calculations. Instead, it is more opinion-and scenario based.

The Single loss expectancy is a dollar amount that is assigned to a single event that represents the company's potential loss amount if a specific threat were to take place:
  •             SLE = asset value × exposure factor (EF)
exposure factor (EF) represents the percentage of loss a realized threat could have on a certain asset
  • annualized loss expectancy (ALE) = SLE × annualized rate of occurrence (ARO)

annualized rate of occurrence (ARO) is the value that represents the estimated frequency of a specific threat taking place within a one-year timeframe.

Qualitative Risk Analysis

Does not assign numbers and monetary values to components and
losses. Instead, qualitative methods walk through different scenarios of risk possibilities and rank the seriousness of the threats and the validity of the different possible countermeasures based on opinions.

 A qualitative rating would be expressed in high, medium, or low, or on a scale of 1 to 5 or 1 to 10. A quantitative result would be expressed in dollar amounts and percentages. 

     In risk analysis, uncertainty refers to the degree to which you lack confidence in an estimate.

The Delphi technique is a group decision method used to ensure that each member gives an honest opinion of what he or she thinks the result of a particular threat will be.

Advantages of Qualitative

Requires no calculations 
Provides general areas and indications of risk 
Provides the opinions of the individuals who know the processes best.


Advantages of Quantitative.

Uses independently verifiable and objective metrics
Is easier to automate and evaluate
Very less guesswork 
Provides credible cost/benefit analysis 
Used in risk management performance tracking 

A security countermeasure, sometimes called a safeguard, must make good business sense, meaning it is cost-effective (its benefit outweighs its cost). This requires another type of analysis: a cost/benefit analysis. A commonly used cost/benefit calculation for a given safeguard is
(ALE before implementing safeguard) - (ALE after implementing safeguard) - (annual cost of safeguard) = value of safeguard to the company

Total Risk vs. Residual Risk

  • threats × vulnerability × asset value = total risk
  • (threats × vulnerability × asset value) × controls gap = residual risk

Handling Risk

Project sizing, which means to understand and document the scope of the project, must be done before a risk analysis is performed.

The main goals of risk analysis are the following: identify assets and assign values to them, identify vulnerabilities and threats, quantify the impact of potential threats, and provide an economic balance between the impact of the risk and the cost of the safeguards.

Steps of a Risk Analysis
  • Step 1: Assign Value to Assets
    • When determining the value of information, the following issues must be considered: the cost to acquire and develop data; the cost to maintain and protect data; the value of the data to owners, users, and adversaries; the cost of replacement if the data is lost; the price others are willing to pay for the data; lost opportunities; and the usefulness of the data
  • Step 2: Estimate Potential Loss Per Threat (including SLE)
  • Step 3: Perform a Threat Analysis
  • Step 4: Derive the Overall Annual Loss Potential Per Threat
  • Step 5: Reduce, Transfer, Avoid, or Accept the Risk

3 Main steps for Risk Analysis:

  • Asset and Information value assignment
  • Risk Analysis and assessment
  • countermeasure selection and implementation
Risk Management could take the input from Planning and collecting information and defining the recommendations. It can then handle the risk as:
  • Risk transfer
  • Risk Avoidance
  • Risk Mitigation
  • Risk Acceptance
Automated risk analysis tools reduce the amount of manual work involved in the analysis. They can be used to estimate future expected losses and calculate the benefits of different security measures. 

Security Policy

A security policy is a statement by management dictating the role security plays in the organization. A security policy can be an organizational policy, an issue-specific policy, or a system-specific policy.

Due diligence is an understanding of the current threats and risks, and due care is implementing countermeasures to provide protection from those threats. If a company does not practice due care and due diligence pertaining to the security of its assets, it can be legally charged with negligence and held accountable for any ramifications of that negligence. 

Other regulations also call out requirements of boards of directors, as in the Gramm-Leach-Bliley Act (GLBA). But SOX is a regulation that holds the members of the board personally responsible, thus they can each be fined or go to jail.

Principles of Federal Prosecution of Business Organizations

The Department of Justice provides the following guidelines for attorneys when attempting to prosecute corporate wrongdoings:
Do the corporation's directors exercise independent review over proposed corporate actions rather than unquestioningly ratifying officers' recommendations; are the directors provided with information sufficient to enable the exercise of independent judgment; are internal audit functions conducted at a level sufficient to ensure their independence and accuracy; and have the directors established an information and reporting system in the organization reasonably designed to provide management and the board of directors with timely and accurate information sufficient to allow them to reach an informed decision regarding the organization's compliance with the law.

International Requirements

If the organization is exchanging data with European entities, it may need to adhere to the safe harbor requirements. outlines how any entity that is going to move privacy data to and from Europe must go about protecting it.
Global organizations that move data across other country boundaries must also be aware of and follow the
Organisation for Economic Co-operation and Development (OECD) Guidelines and transborder information flow rules.

Summary: Security management 

A security program should address issues from a strategic, tactical, and operational view.

 A key element during the initial security planning process is to define reporting relationships.

Security management embodies the administrative and procedural activities necessary to support and protect information and company assets throughout the enterprise. 
  • Management must define the scope and purpose of security management, provide support, appoint a security team, delegate responsibility, and review the team's findings.
  • It includes development and enforcement of security policies and their supporting mechanisms: procedures, standards, baselines, and guidelines. 
  • It encompasses risk management, security awareness training, and proper countermeasure selection and implementation. 
  • Personnel (hiring, terminating, training, and management structure) and operational (job rotation and separation of duties) activities must also be conducted properly to ensure a secure environment. 
  • Management must understand the legal and ethical responsibilities it is required to respect and uphold.
  • Security management should work from the top down (from senior management down to the staff).
Summary
  • The objectives of security are to provide availability, integrity, and confidentiality protection to data and resources.
  • Security components can be technical (firewalls, encryption, and access control lists) or nontechnical (security policy, procedures, and compliance enforcement).
  • Asset identification should include tangible assets (facilities and hardware) and intangible assets (corporate data and reputation).
  • Assurance is a degree of confidence that a certain security level is being provided.
  • Procedures are detailed step-by-step actions that should be followed to achieve a certain task.
  • A baseline is a minimum level of security. 
  • Job rotation is a control to detect fraud.
  • Mandatory vacations are a control type that can help detect fraudulent activities. 
  • Data is classified to assign priorities to data and ensure the appropriate level of protection is provided.
  • Data owners specify the classification of data.
  • Security has functional requirements, which define the expected behavior from a product or system, and assurance requirements, which establish confidence in the implemented products or systems overall.
  • Safeguards should default to least privilege, and have fail-safe defaults and override capabilities.
  • Safeguards should be imposed uniformly so everyone has the same restrictions and functionality.
  • The data custodian (information custodian) is responsible for maintaining and protecting data.
  • A security analyst works at a strategic level and helps develop policies, standards, and guidelines, and also sets various baselines.
  • Application owners are responsible for dictating who can and cannot access their applications, as well as the level of protection these applications provide for the data they process and for the company.

Appendix A: Microsoft Threat Modelling


Should fit alongside the "methodologies for Risk assessment" above.

STRIDE

STRIDE is a classification scheme for characterizing known threats according to the kinds of exploit that are used (or motivation of the attacker). 
Spoofing Identity “Identity spoofing” is a key risk for applications that have many users but provide a single execution context at the application and database level. 
Tampering with Data Users can potentially change data delivered to them, return it, and thereby potentially manipulate client-side validation, GET and POST results, cookies, HTTP headers, and so forth. 
Repudiation Users may dispute transactions if there is insufficient auditing or recordkeeping of their activity. 
Information Disclosure. Therefore, applications must include strong controls to prevent user ID tampering and abuse, particularly if they use a single context to run the entire application.
Denial of Service Application designers should be aware that their applications may be subject to a denial of service attack.
Elevation of Privilege If an application provides distinct user and administrative roles, then it is vital to ensure that the user cannot elevate his/her role to a higher privilege one.

DREAD

DREAD is a classification scheme for quantifying, comparing and prioritizing the amount of risk presented by each evaluated threat. T
Risk_DREAD = (DAMAGE + REPRODUCIBILITY + EXPLOITABILITY + AFFECTED USERS + DISCOVERABILITY) / 5
The calculation always produces a number between 0 and 10; the higher the number, the more serious the risk.

Threat Modeling Process

  • Identify assets.
  • Create an architecture overview.
    • Identify what the application does.
    • Create an architecture diagram.
    • Identify the technologies.
  • Decompose the application.
    •  
    • Identify trust boundaries.
    • Identify data flow.
    • Identify entry points.
    • Identify privileged code.
    • Document the security profile.
  • Identify the threats(you can use STRIDE).
    •  
    • Identify network threats.
    • Identity host threats.
    • Identify application threats.
      •  
      • Using Attack Trees and Attack Patterns
        • An attack tree is a way of collecting and documenting the potential attacks on your system in a structured and hierarchical manner. The tree structure gives you a descriptive breakdown of various attacks that the attacker uses to compromise the system.
      • Attack Patterns
        • Attack patterns are generic representations of commonly occurring attacks that can occur in a variety of different contexts. 
  • Document the threats.
  • Rate the threats.
    • You can  use the DREAD model to rate the threats or use a quantitative approach.
For more details on alternative Threat modeling systems refer: 



These are my notes collected from various sources and this is not claimed as original content.


Posted by at
Labels:

1 comment:

  1. AnonymousJune 11, 2012 at 4:45 AM

    nice blog thanks for posting nice information provided.

    ISO Certification

    ReplyDelete

Subscribe to: Post Comments (Atom)