© 2005 by Carnegie Mellon University
Version 1.0 The Security Professionals Conference. - page 1
Pittsburgh, PA 15213-3890
Ways to Fit Security Risk Management to Your Environment
Using the OCTAVE Approach
Tutorial Agenda
OCTAVE Overview
• OCTAVE Method
• OCTAVE-S
• OCTAVE Tailoring is Built-in
Applying OCTAVE in higher education
• OCTAVE at Maricopa Community College District
• OCTAVE at California State University
OCTAVE applied to K-12 (if time permits)
OCTAVE® Overview
Operationally Critical Threat, Asset, and Vulnerability EvaluationSM
® OCTAVE is registered with the U.S. Patent and Trademark Office by Carnegie Mellon University.
SM Operationally Critical Threat, Asset, and Vulnerability Evaluation is a service mark of Carnegie Mellon University.
Carol Woody, Ph. D.
Senior Member of the Technical Staff
Security in a Complex Domain
Threats
• People inside your organization
• People outside your organization
• System problems
• Other problems
Security Practices
• Organizational practices
• Technical practices
People Involved
• IT staff
• General staff
• Managers
• Contractors
• Service providers
• Partners and collaborators
• Faculty
• Researchers
• Students
What Is OCTAVE?
OCTAVE is a risk-based strategic assessment and planning technique for security.
• It leverages people’s knowledge of their organization’s security-related practices and processes to capture the current state of security practice within the organization.
• Risks to the most critical assets are used to prioritize areas of security practice improvement and drive the security strategy for the organization.
Goal of OCTAVE
Plan how to apply good security practices to address organizational and technical vulnerabilities that could impact critical assets
Organizational Vulnerabilities
Weaknesses in policy or security practice that can result in unauthorized actions
Technical Vulnerabilities
Weaknesses in technology infrastructure that can lead directly to unauthorized actions
Underlying Philosophy
It is impossible to mitigate all information security risks.
Budget is limited and so are time and people.
You cannot prevent all determined, skilled incursions.
You need to determine the best use of your limited resources to ensure a reasonable level of security for your organization and apply good security practices that address critical needs.
Selecting Security Practices
What do you need to protect? (assets)
What will protection failure mean? (impact to the organization)
What vulnerabilities exist in your environment? (both organizational and technology)
How much protection can you afford? (resources)
Security Practices – Actions that help initiate, implement, and maintain security
A Practice-Based Approach
A Broad Perspective
OCTAVE is an Evaluation
An information security risk evaluation is an integral part of an organization’s information security risk management program.
Information Security Risk Management Framework
Security Practices Gaps Result From an Organizational Communication Gap
OCTAVE is an Organizational Approach to Security Risk Management
OCTAVE Analysis Team
• An interdisciplinary team (4-6) consisting of
- business or mission-related staff
- information technology staff
Phase 1 Questions
What are your organization’s critical information-related assets?
What is important about each critical asset?
Who or what threatens each critical asset?
What is your organization currently doing to protect its critical assets?
What weaknesses in policy and practice currently exist in your organization?
Phase 2 Questions
How do people access each critical asset?
What infrastructure components are related to each critical asset? What are the key components of the computing infrastructure?
What technological weaknesses expose your critical assets to threats?
Phase 3 Questions
What is the potential impact on your organization due to each threat? What are your organization’s risks?
Which are the highest priority risks to your organization?
What policies and practices does your organization need to address?
What actions can your organization take to mitigate its highest priority risks?
Which technological weaknesses need to be addressed immediately?
OCTAVE Catalog of Practices
A catalog of widely accepted security practices is used to evaluate
• current security practices
• current organizational vulnerabilities
The catalog provides a basis for identifying practices appropriate to developing risk mitigation plans and protection strategies for the organization.
Security practices are sourced from BS 7799 (predecessor to ISO 17799), NIST SP 800-14, HIPAA (1996), Gramm-Leach-Bliley, and CERT/CC.
Catalog Security Practices
Strategic Practice Areas
Operational Practice Areas
System and Network Management
System Administration Tools
Monitoring and Auditing IT Security
Authentication and Authorization
Vulnerability Management
Encryption
Security Architecture and Design
Incident Management
General Staff Practices
Physical Security Plans and Procedures
Physical Access Control
Monitoring and Auditing Physical Security
Products of OCTAVE
Protection Strategy – defines organizational direction
Mitigation Plan – plans designed to reduce risk
Action List – near-term action items
After the Evaluation
An organizational information security risk management program is completed through the following steps:
• Improvements are made.
• Progress is monitored.
• Risks are re-evaluated and plans are adjusted.
• New, critical assets are analyzed.
• Periodically redo OCTAVE.
OCTAVE Method (OMIG) “out of the box”
www.cert.org/octave/omig.html
OCTAVE Method
Focused on large-scale (300 or more employees) or complex organizations (piloted at DoD medical facilities)
A systematic, context-sensitive method for evaluating risks across a hierarchical organization, involving
• senior managers
• operational area managers
• staff
• IT staff
Defined by method implementation guide (procedures, guidance, worksheets, information catalogs) and training
Analysis Team in OCTAVE Method
An interdisciplinary team consisting of
• business or mission-related staff
• information technology staff
Not required to understand the entire organization in-depth
Facilitates data gathering workshops with other people from the organization at the start of the evaluation
Analyzes collected data to develop a security risk evaluation of the organization
Phase 1 – Organizational View
Data gathering of the organizational perspectives on
• assets
• threats to the assets
• security requirements of the assets
• current protection strategy practices
• organizational vulnerabilities
The perspectives will come from
• senior managers
• operational area managers (including IT)
• staff (from the operational areas and IT)
Asset
Something of value to the organization that includes one or more of the following:
• information
• systems
• services and applications
• people
Critical when there will be a large adverse impact to the organization if
• the asset is disclosed to unauthorized people.
• the asset is modified without authorization.
• the asset is lost or destroyed.
• access to the asset is interrupted.
Current Protection Strategy
Defines the current strategies that an organization uses to
• enable security
• initiate security
• implement security
• maintain security
Identified using surveys based on the catalog of practices
The surveys are different for each level of the organization to reflect the differences in the scope of work performed by staff, IT staff, and management.
Security Requirements
Prioritize the qualities of an asset that are important to the organization:
• confidentiality
• integrity
• availability
Example for confidentiality: Personnel records can only be viewed by authorized personnel.
Threat
An indication of a potential undesirable event involving a critical asset
Examples
• A disgruntled employee could deliberately use network access to view online personnel records and find out personal information about managers.
• A virus could interrupt staff members’ access to the customer database.
Threat Properties
Critical Asset
Actor (human, system, other)
Motive (deliberate or accidental) – human actor only
Access (network or physical) – human actor only
Outcome
• Disclosure or viewing of sensitive information
• Modification of important or sensitive information
• Destruction or loss of important information, hardware, or software
• Interruption of access to important information, software, applications, or services
Threat Profiles
General set of sources of threat
• Human actors using network access
• Human actors using physical access
• System problems
• Other problems
Human Actors - Network Access
Figure: generic threat tree for human actors using network access, read left to right as asset → access → actor → motive → outcome.
asset → network → actor (inside | outside) → motive (accidental | deliberate) → outcome (disclosure | modification | loss/destruction | interruption)
Every actor/motive combination carries the same four outcome leaves.
Human Actors - Physical Access
Figure: generic threat tree for human actors using physical access, read left to right as asset → access → actor → motive → outcome.
asset → physical → actor (inside | outside) → motive (accidental | deliberate) → outcome (disclosure | modification | loss/destruction | interruption)
Every actor/motive combination carries the same four outcome leaves.
System Problems
Figure: threat tree for system problems, read as asset → actor → outcome.
asset → actor (software defects | viruses | LAN instability | system crashes) → outcome (disclosure | modification | loss/destruction | interruption)
Each actor carries the same four outcome leaves.
Other Problems
Figure: threat tree for other problems, read as asset → actor → outcome.
asset → actor (natural disasters | ISP unavailable | power supply problems | telecommunications problems or unavailability) → outcome (disclosure | modification | loss/destruction | interruption)
Each actor carries the same four outcome leaves.
Phase 2 – Technology View
Identify technology vulnerabilities that provide opportunities for impacting critical assets:
• human actors using network access
• malicious code
Phase 2 - Selecting the Right Strategy
Does the IT staff have experience conducting and analyzing vulnerability studies?
Are external resources available to assist?
Do you have a good, current network map?
If not, then assume vulnerabilities and consider adding vulnerability management practices for future evaluations
OCTAVE Vulnerability Evaluation
Identify classes of infrastructure components linked to critical assets for evaluation.
Select a sample of components from each class.
Select an approach for evaluating each infrastructure component class.
Augment critical asset threat profiles with technology threats identified in the vulnerability evaluation
Potential Critical Asset Access Paths
Figure: the system of interest and the access points that lead to it.
System of Interest (part of the system of interest): servers, desktop workstations, security components, networking components
Intermediate Access Points (related to the system of interest): networking components, security components
User Access Points (related to the system of interest): servers, desktop devices, laptops, wireless devices, home computers
Other Access Points (related to the system of interest): storage devices
Other Systems (related to the system of interest): System A, System B
Run Vulnerability Tools on Key Classes of Components
Figure: classes of infrastructure components arranged around the critical asset:
• Servers
• Internal networks
• On-site workstations
• Laptops
• PDAs/wireless components
• Other systems
• Storage devices
• External networks
• Home/external workstations
Phase 3 – Risk Analysis
Develop a plan on the path toward security improvement.
• Establish the risks to the organization’s critical assets.
• Define mitigation plans to protect the critical assets.
• Characterize the organization’s protection strategy.
• Identify the next steps to take after the evaluation to ensure progress is made.
Risk Diagram
Figure: a risk is an event (a threat acting on an asset through organizational vulnerabilities and technology vulnerabilities) together with its consequence (the impact on the organization); uncertainty is shown as a property of the risk as a whole.
Evaluating Risks
Criteria defined by the organization are used to determine:
• impact value (high, medium, low)
• which risks to mitigate, defer, or accept
Evaluation is qualitative – insufficient data for quantitative evaluations
Impact Evaluation Criteria
Define the organization’s tolerance for risk. Standard areas of impact considered include:
• reputation/customer confidence
• life/health of customers
• productivity
• fines/legal penalties
• financial
• other
What does it mean to have a high, medium, or low impact from your organization’s perspective?
Impact evaluation criteria remain stable from one evaluation to the next.
Expression of Risk
A risk is expressed using
• a threat scenario (a branch on a threat tree)
• the resulting impact on the organization
Example: Viruses can interrupt staff members’ access to systems and the network. Staff work hours will be increased by 25 to 50 percent for two days to make up for lost productivity.
Impact value: medium
Evaluating the Risk of Threats
Human Actors Using Network Access
Figure: the network-access threat tree (asset → access → actor → motive → outcome) with an added impact column. Example impact values on the annotated branches: disclosure Medium, modification High, loss/destruction High, interruption Low.
Outputs of OCTAVE
Protection Strategy (long-term): strategies to enable, initiate, implement and maintain security within the organization
Mitigation Plan (mid-term): practices to mitigate risks to critical assets
Action List (immediate): near-term actions
Figure label: Maintain Security Infrastructure
Protection Strategy
Structured around the catalog of practices and addresses the following areas:
• Security Awareness and Training
• Security Strategy
• Security Management
• Security Policies and Regulations
• Collaborative Security Management
• Contingency Planning/Disaster Recovery
• Physical Security
• Information Technology Security
• Staff Security
Mitigation Plan
Defines the activities required to remove or reduce unacceptable risk to a critical asset.
Focus is on activities to
• recognize or detect threats when they occur
• resist or prevent threats from occurring
• recover from threats if they occur
Mitigations that cross many critical assets might be more cost-effective as protection strategies.
OCTAVE-S “out of the box”
www.cert.org/octave/osig.html
OCTAVE-S
Highly structured method for evaluating risks in small organizations (fewer than 100 employees)
• requires less security expertise, if any, in the analysis team
• analysis team has a full, or nearly full, understanding of the organization and what is important
• IT management is outsourced to a large extent
• uses “fill-in-the-blank” as opposed to “essay” style
Analysis Team in OCTAVE-S
Interdisciplinary team consisting of:
- business staff (often from different organizational levels)
- information technology staff or people who interface with service providers
Only the analysis team participates
Assumption: the analysis team has sufficient insight into the organization to be guided by templates to characterize the information security risks affecting the organization.
OCTAVE-S Roadmap
Probability in OCTAVE-S
OCTAVE-S provides an optional approach for incorporating qualitative probability into its analysis.
Probability is used as the likelihood that a threat will occur.
Probability evaluation criteria define a standard set of definitions for qualitative probability values.
• high
• medium
• low
Worksheets
Worksheet content is highly structured (e.g., multiple choice, fill in the blanks).
Security concepts are embedded into the worksheets.
• Requires less security expertise to use.
• Certain aspects of OCTAVE-S can be more difficult to tailor than the OCTAVE Method (limited flexibility).
Financial Impact Criteria Example
(worksheet blanks shown with the values filled in for this example)
Impact Type             | Low Impact                                    | Medium Impact                                      | High Impact
Operating Costs         | Increase of less than 2% in yearly operating costs | Yearly operating costs increase by 2% to 15%   | Yearly operating costs increase by more than 15%
Revenue Loss            | Less than 5% yearly revenue loss              | 5% to 20% yearly revenue loss                      | Greater than 20% yearly revenue loss
One-Time Financial Loss | One-time financial cost of less than $250,000 | One-time financial cost of $250,000 to $1 million  | One-time financial cost greater than $1 million
Other:                  |                                               |                                                    |
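The threat profiles (human actors with network or physical access, system problems, other problems) and the impact evaluation criteria above are easier to reason about once they are data rather than worksheets. The following Python is an added example, not code from the OCTAVE slides or from CERT: it enumerates the generic threat profile for one critical asset, maps observed financial losses onto the low/medium/high thresholds from the Financial Impact Criteria Example, and orders the resulting risks for the mitigate/defer/accept decision. The asset names, consequences and probability values are constructed, and the impact-then-probability ordering in prioritize() is this example's own assumption; OCTAVE leaves that decision to the organization's criteria.

```python
"""Added example (not part of the OCTAVE slides): enumerate the generic OCTAVE
threat profile for a critical asset, rate risks with the deck's example
financial impact criteria, and order them for mitigation decisions."""
from dataclasses import dataclass
from itertools import product
from typing import Optional

# The four outcomes that appear on every leaf of the OCTAVE threat trees.
OUTCOMES = ("disclosure", "modification", "loss/destruction", "interruption")

# Actors of the two non-human threat profiles, as listed on the slides.
SYSTEM_PROBLEMS = ("software defects", "viruses", "LAN instability", "system crashes")
OTHER_PROBLEMS = ("natural disasters", "ISP unavailable", "power supply problems",
                  "telecommunications problems or unavailability")


@dataclass(frozen=True)
class Threat:
    """One branch of a threat tree: the threat properties from the slides."""
    asset: str
    actor: str                      # inside/outside for people, else the problem
    outcome: str
    access: Optional[str] = None    # network/physical; human actors only
    motive: Optional[str] = None    # accidental/deliberate; human actors only

    def branch(self) -> str:
        """Render the branch the way the tree is read, left to right."""
        parts = [self.asset, self.access, self.actor, self.motive, self.outcome]
        return " -> ".join(p for p in parts if p is not None)


def threat_profile(asset: str) -> list[Threat]:
    """Generic threat profile: every branch of the four OCTAVE threat trees."""
    threats = [
        Threat(asset, actor, outcome, access=access, motive=motive)
        for access, actor, motive, outcome in product(
            ("network", "physical"), ("inside", "outside"),
            ("accidental", "deliberate"), OUTCOMES)
    ]
    for problem in SYSTEM_PROBLEMS + OTHER_PROBLEMS:
        threats.extend(Threat(asset, problem, outcome) for outcome in OUTCOMES)
    return threats


# Thresholds copied from the Financial Impact Criteria Example:
# (below this value the impact is low, above the second it is high).
FINANCIAL_CRITERIA = {
    "operating cost increase %": (2, 15),
    "revenue loss %": (5, 20),
    "one-time loss $": (250_000, 1_000_000),
}
IMPACT_RANK = {"low": 0, "medium": 1, "high": 2}


def rate(value: float, low_below: float, high_above: float) -> str:
    """'less than' is low, 'x to y' (inclusive) is medium, 'more than' is high."""
    if value < low_below:
        return "low"
    if value <= high_above:
        return "medium"
    return "high"


def financial_impact(observed: dict[str, float]) -> str:
    """Highest impact value across the financial impact types actually observed."""
    levels = [rate(v, *FINANCIAL_CRITERIA[k]) for k, v in observed.items()]
    return max(levels, key=IMPACT_RANK.__getitem__)


@dataclass(frozen=True)
class Risk:
    """Expression of risk: a threat scenario plus its impact on the organization."""
    threat: Threat
    consequence: str
    impact: str
    probability: Optional[str] = None   # OCTAVE-S optional qualitative probability


def prioritize(risks: list[Risk]) -> list[Risk]:
    """Order risks for the mitigate/defer/accept decision: impact first, then
    probability where it was recorded. This ordering is an assumption of the
    example, not a rule taken from the slides."""
    return sorted(
        risks,
        key=lambda r: (IMPACT_RANK[r.impact], IMPACT_RANK.get(r.probability, -1)),
        reverse=True,
    )


if __name__ == "__main__":
    # Constructed scenario that mirrors the slide's customer-database example.
    asset = "customer database"
    by_branch = {t.branch(): t for t in threat_profile(asset)}
    risks = [
        Risk(by_branch[f"{asset} -> viruses -> interruption"],
             "staff work hours increase 25 to 50 percent for two days",
             financial_impact({"operating cost increase %": 3}), probability="high"),
        Risk(by_branch[f"{asset} -> network -> inside -> deliberate -> disclosure"],
             "customer records exposed, one-time legal cost",
             financial_impact({"one-time loss $": 1_500_000}), probability="low"),
    ]
    for r in prioritize(risks):
        print(f"{r.impact:6} {r.threat.branch()}: {r.consequence}")
```

The generic profile for one asset has 64 branches (32 human-actor branches, 16 for system problems, 16 for other problems); in practice the analysis team prunes branches that do not apply to the asset and records a consequence and impact value only for those that remain.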
OCTAVE-S Threat Profile
Current and Future Security Practices Example
Worksheet layout: for each task, Step 28 records the current responsibility (Internal / External / Combined) and Step 32 records the change to be made (Internal / External / Combined).
Tasks
• Using system and network monitoring tools to track system and network activity
• Auditing the firewall and other security components periodically for compliance with policy
• Investigating and addressing any unusual activity that is identified
• ______________________________________________ (blank row for additional tasks)
OCTAVE Tailoring is Built-in
Tailoring OCTAVE
Options include tailoring
• evaluation scope
• participants
• evaluation process
• artifacts and templates
Use the OCTAVE criteria to define the boundaries of what can be tailored.
Tailoring the Evaluation Scope
Scoping is the selection of operational areas to include in the evaluation. General recommendation is four different areas of operation plus IT. Consider
• primary areas crucial to mission or business objectives
• major support functions
• remote operations
• areas that require electronic information to operate
Options:
• Focus initially on one operational area or business area
• Select focus areas linked by a business process
• Focus on a key information asset
• Run concurrent assessments in multiple areas
Tailoring Participants
Adjust participants in the data gathering workshops. Determine who represents the following:
• senior managers
• managers of the selected operational areas
• staff from the selected operational areas
• IT staff
Consider including faculty, researchers, students (requires artifact tailoring, too)
Establish independent analysis team to address a range of evaluations across the organization
Tailoring the Evaluation Process
• Reorder data gathering steps
• Link with other reviews (policy, safety, regulatory compliance)
• Schedule evaluation workshops in increments/blocks
• Adjust number and format of data gathering workshops
• Augment with physical security evaluations
• Leverage expert assistance
- technology vulnerability assessment
- facilitation, planning, risk management
• Assemble automated tools for data content
Tailoring Major Artifacts
Expand or replace catalog of practices
• ISO 17799
• Regulations (FERPA, HIPAA, etc.)
• Incorporate technology accreditation and certification (DITSCAP, NITSCAP)
Expand generic threat profile
• Additional actors (student, researcher, faculty)
• Additional threats (union strike, layoff from funding loss, student demonstration)
• Adjust definition of insider/outsider for each asset
Worksheets
• Apply portions of OCTAVE-S templates to OMIG
When to Tailor
Consider using OCTAVE “out of the box” the first time to see what really needs to be tailored and why. If you are not extremely familiar with the process, tailoring could make the evaluation more difficult.
Test major changes with a small group and one asset.
Verify your tailored version against the OCTAVE criteria to ensure that you haven’t lost something vital.
OCTAVE Criteria
OCTAVE Criteria
Defines the requirements of an OCTAVE evaluation
• principles - the fundamental concepts that drive the evaluation process
• attributes - the distinctive qualities or characteristics of the evaluation
• outputs - the required results of the evaluation
Technical Note: OCTAVE Criteria Version 2.0
http://www.cert.org/archive/pdf/01tr016.pdf
Information Security Risk Management Principles
Required Components of the OCTAVE Approach
Critical assets
Threat profiles
Organizational risk evaluation criteria
Multidisciplinary analysis team
Three phases
Catalog of practices
Defined outputs
OCTAVE Information
Visit http://www.cert.org/octave
• Introduction to the OCTAVE Approach
• OCTAVE Method Implementation Guide
• OCTAVE-S (version 0.9)
Book: Managing Information Security Risks: The OCTAVE Approach by Christopher Alberts and Audrey Dorofee from Addison-Wesley.