Security management: risks, controls and incidents

Post on 11-Feb-2017


Security Management: Risks, controls and incidents

PETER CRUICKSHANK, SCHOOL OF COMPUTING, EDINBURGH NAPIER UNIVERSITY

What is security?

(Dilbert cartoon: Mordac the Preventer of Information. © Dilbert.com, http://dilbert.com/search_results?terms=Mordac+The+Preventer)

2 Security management: risks, controls and incidents

Background

Over a generation, internetworked systems, particularly the Internet, have gone from the specialized realm of government and academia to being a substantial part (the basis?) of our business and personal lives.

• Enterprises maintain web sites, email, e-commerce and collaboration tools that are all connected to the Internet.

• Online banking, bill paying and shopping have made online financial transactions common.

• Individuals have smartphones, tablets and a myriad of other devices that are always “online.”

The context (diagram of nested environments)

• Computer systems
• Computer environment
• Business and application environment
• Socio-economic-legal environment

In a graph

(Figure from ISACA, © 2014; 2016?)

Information Security: Attributes

• Confidentiality: authorised access only; protecting privacy
• Integrity: data and system; protection from accidental or deliberate (malicious) modification
• Availability: …for legitimate users; DDoS attacks – prevention & recovery
• Authentication: who are you – supports non-deniability
• Authorization: what can you do?
• Auditing: effective auditing and logging is the key to non-repudiation

Aim of the lecture

Series of 6 lectures and tutorials; coursework assignment; exam questions.

This lecture:
• Discusses issues around threats and their risk management
• Covers incident handling (a particular form of risk mitigation)
• Explains the relationship of risks to controls

Risk management

How do you prioritise your work? How do you know what’s important?

The security balance

Security:
• Complex passwords are secure
• Encryption protects assets

Access:
• Complex passwords prevent access
• Encryption slows things down

• Technology is not enough
• Controls often conflict with usability and business objectives

Risk

Risk is ...let’s start with Wikipedia:

The potential that a chosen (in)action will lead to a loss [or a gain]. Implies that a choice having an influence on the outcome exists (or existed). Potential losses themselves may also be called “risks”. Almost any human endeavour carries some risk, but some are much more risky than others.

Sources of risk

• Processes: events related to business operations
• People: employee errors or misdeeds; non-employees
• Systems: technology failure
• External events: outside factors threatening operations

Or in combination. Example: a fire destroying the IT system and causing disruption to the business – external event (fire), systems (unavailable), processes (disrupted).

Risk management

Risk management comprises risk identification & assessment, risk control and risk response.

Risk control strategies: avoidance, transference, mitigation, acceptance.

Risk: let’s look at the basics

Risk is: the likelihood of the occurrence of a vulnerability
× multiplied by the value of the information asset (or, the impact of the loss)

Risk assessment

Likelihood
• Expressed as fraction or %age
• May be known (eg actuarial tables)
• May need judgement (document the process)
• Often reduced to High, Medium or Low

Value (impact of loss)
• Normally focuses on potential loss
• It’s most straightforward to gather
• Can be combined up the hierarchy, eg loss of HR for a week may have high value to them, but the organisation will be able to carry on for a while… (so long as payroll is OK)

Identify vulnerabilities

All threats × all assets → vulnerabilities, recorded in a TVA (threats, vulnerabilities & assets) worksheet.

Risk assessment: TVA worksheet extract

Asset | Impact | Vulnerability | Likelihood | Risk Rating
Customer service request via email | 55 | Disruption due to hardware failure | 0.04 | 2.2
Customer service request via email | 55 | Disruption due to software failure | 0.3 | 16.5
Customer order received by SSL | 100 | Lost order due to server hardware failure | 0.05 | 5
Customer order received by SSL | 100 | Lost order due to ISP failure | 0.1 | 10

(Risk rating = impact × likelihood.)

Risk according to OWASP (1)

Likelihood
• Threat agent: skill, motive, opportunity, capacity (resources, size)
• Vulnerability: ease of discovery, ease of exploit, awareness, detection if exploited

Impact
• Technical: loss of C, I, A
OR
• Business: financial, reputational, compliance, privacy

(1) https://www.owasp.org/index.php/OWASP_Risk_Rating_Methodology

Risk management

Steps that enterprises should perform when implementing (information security) steps and measures:
• Choose a risk posture
• Analyse impact of threats: business impacts and other, non-financial impacts
• Identify and analyse risks
• Determine risk treatment
• Determine security strategy options based on risk profile

(Image: bolted and barricaded door behind an empty K-mart, http://thegreatgildersleeve.tumblr.com/post/708013469/bolted-and-barricaded-door-behind-empty-k-mart)

Risk Control: Risk appetite

The goal is not risk elimination; it is risk minimisation.
• What costs can you bear?
• What impact has risk control on your business?
• At what point are you prevented from doing anything?

This leaves the organisation with residual risk. Aim: reduce residual risk to match risk appetite.

Choose a risk posture (this is also known as ‘Risk Appetite’)

Minimalist
• Reduce actions and investment to a minimum
• Comparatively high level of residual risk

Balanced
• Comprehensive security investment
• Moderate level of residual risk

Conservative
• Aim for a precautionary, comparatively high, investment
• Little or no tolerance for residual risk

Threats

(Image: http://www.justsaypictures.com/verbal-threat.html)

Threat actors: categorisation

Location
• Internal: staff, contractors (should they be internal?)
• External: business partner, regulator, competitor & their governments

Motivation: friendly … hostile

Capability & expertise: script kiddies … GCHQ, the NSA, the PLA

Building a risk scenario

• Actor: internal; external
• Threat type: malicious; accidental / error; failure / nature; external requirement
• Event: disclosure; interruption; modification; theft; destruction; ineffective design/execution; new rules; inappropriate use
• Asset / resource: people & skills; organisation structures; process; facilities; IT infrastructure; information; application
• Time: duration; criticality; to detection; time lag to respond

Scenario-based approaches are sometimes preferred over ‘pure’ risk catalogues.

Analyse Business Impact

• What could go wrong?
• How would it affect the business? Discard if impact is negligible
• Judge likelihoods. Discard if unlikely
• Plan for what’s left

Analyse Business Impact

Risk is (therefore):
the likelihood of the occurrence of a vulnerability
× multiplied by the value of the information asset
− minus the percentage of the risk mitigated by current controls
+ plus the uncertainty of current knowledge of the vulnerability
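As an added worked example (not from the lecture), the following Python applies this formula to the TVA worksheet rows from the earlier slide and ranks the results against a risk appetite. The asset, impact and likelihood figures are the slide's; the control-mitigation and uncertainty fractions and the appetite threshold are constructed for illustration.

```python
# Added example, not from the lecture slides: the lecture's risk formula
#   base     = likelihood x value            (the worksheet's Risk Rating)
#   residual = base - base*mitigated + base*uncertainty
# applied to its TVA worksheet rows. Asset, impact and likelihood figures are
# the slide's; mitigated/uncertainty fractions and the appetite are constructed.
from dataclasses import dataclass

@dataclass
class TvaRow:
    asset: str
    impact: float             # value of the asset, or impact of its loss
    vulnerability: str
    likelihood: float         # fraction in 0..1 (judged values: document how)
    mitigated: float = 0.0    # fraction of the risk removed by current controls
    uncertainty: float = 0.0  # fraction added for gaps in our knowledge

    def base_risk(self) -> float:
        """Likelihood x value, as in the worksheet's Risk Rating column."""
        return round(self.likelihood * self.impact, 2)

    def residual_risk(self) -> float:
        """Base risk, minus control mitigation, plus knowledge uncertainty."""
        base = self.likelihood * self.impact
        return round(base - base * self.mitigated + base * self.uncertainty, 2)

# The four rows of the lecture's worksheet extract; the last two numbers in
# each row (mitigated, uncertainty) are constructed, not from the slide.
WORKSHEET = [
    TvaRow("Customer service request via email", 55,
           "Disruption due to hardware failure", 0.04, 0.5, 0.1),
    TvaRow("Customer service request via email", 55,
           "Disruption due to software failure", 0.3, 0.4, 0.1),
    TvaRow("Customer order received by SSL", 100,
           "Lost order due to server hardware failure", 0.05, 0.6, 0.1),
    TvaRow("Customer order received by SSL", 100,
           "Lost order due to ISP failure", 0.1, 0.0, 0.2),
]

def above_appetite(rows, appetite):
    """Rows still above the appetite, worst first, as (vulnerability, residual).
    These need avoidance, transference or more mitigation; the rest are accepted."""
    keep = [(r.vulnerability, r.residual_risk()) for r in rows
            if r.residual_risk() > appetite]
    return sorted(keep, key=lambda pair: pair[1], reverse=True)

if __name__ == "__main__":
    for row in WORKSHEET:
        print(f"{row.vulnerability:42} base={row.base_risk():>5} "
              f"residual={row.residual_risk():>5}")
    print("Above appetite 5.0:", above_appetite(WORKSHEET, 5.0))
```

Note that the ISP-failure row, which the worksheet rates below the software-failure row, ends up worst once current controls and uncertainty are applied: the ranking a control programme should act on is the residual one.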

Risk analysis cycle

(Diagram) Asset identification & valuation → threat assessment → vulnerability assessment → risk assessment → control evaluation → residual risk → countermeasures → action plan → review.

Source: ITGI IT Governance Implementation Guide, 2nd ed, 2007

Risk management concepts

Risk management
• Risk identification & assessment: inventory; classification; threat identification
• Risk control: risk avoidance; reduce and mitigate (risk reduction, risk transfer, risk sharing); risk retention
• Risk response: incident handling; disaster recovery

Back to controls

Controls

Control activities are: actions, supported by policies and procedures that, when carried out properly and in a timely manner, manage or reduce risks.

Controls

Preventive controls attempt to deter or prevent undesirable events from occurring. They are proactive controls that help to prevent a loss. Examples of preventive controls are separation of duties, proper authorisation, adequate documentation, and physical control over assets.

Detective controls, on the other hand, attempt to detect undesirable acts. They provide evidence that a loss has occurred but do not prevent a loss from occurring. Examples of detective controls are reviews, analyses, variance analyses, reconciliations, physical inventories, and audits.

These examples are from general business: can you think of the equivalent in information systems?

Controls

Both types of controls are essential to an effective internal control system. From a quality standpoint, preventive controls are essential because they are proactive and emphasize quality. However, detective/corrective controls play a critical role in providing evidence that the preventive controls are functioning and preventing losses.

Controls and audit: Key facts

• Controls are an expense
• Controls that aren’t consistently used are no good
• An audit is basically a check that the controls are well designed (and cost effective) and have been operated consistently & correctly

Controls: Take 10

A grid of control types (Prevent / Detect / Recover-mitigate) against control domains (People / Process / Technology / Physical). Think of one IT-related control to go in each box.

Risk assessment: Effect of controls

• Current controls mitigate the threat
• Possible controls can be identified
• Different types of control, eg access control: role-based, task-based

A grid of Prevent / Detect / Recover-mitigate against People / Process / Tech is one way of reviewing how you are controlling a risk in depth.

Incident response

Context: Resilience

In the traditional sense, ‘resilience’ means the ability of a material to revert to its original shape after it has been deformed. In information security (and in business continuity), resilience describes the ability of an enterprise to recover and absorb external shocks or events and their internal impacts.

Incident handling is a type of risk mitigation.

Business impact analysis

Results of business impact analysis (BIA) and risk assessment:
• specific risks and scenarios, threats and vulnerabilities analysis, etc.
• clustered (aggregated) risk
• potential impacts and strategic options (with residual risk)

Key technologies: cloud, network interconnections, supervisory control and data acquisition (SCADA) and other industrial control systems. Focus is: what if they fail?

Incident strategy: two aspects

Knowing what to do
• Incident reporting
• Policies, reporting lines, authorities, etc.

Testing it
• Participation in & integration with exercises (EU/national/industry wide)

Not all events are incidents

Distinguish between events and incidents. NIST defines an event as “any observable occurrence in a network or system.” This includes normal network operations, such as connections to servers, email transactions and database updates.

A computer security incident is “a violation or imminent threat of violation of computer security policies, acceptable use policies, or standard security practices.”

Incident response

Despite an organisation’s best efforts, attackers are sometimes successful. When this happens, an incident occurs. When incidents occur, it is essential to have a plan in place to handle them: that is the purpose of incident response.

Terminology: the people trained to deal with incidents are called incident handlers. They are part of an incident response team.

Incident response phases

Preparation → Detection & analysis → Containment, eradication, recovery → Post-incident activity

• Preparation to establish roles, responsibilities and plans for how an incident will be handled
• Detection and Analysis capabilities to identify incidents as early as possible and effectively assess the nature of the incident
• Investigation capability if identifying an adversary is required
• Mitigation and Recovery procedures to contain the incident, reduce losses and return operations to normal
• Post-incident Analysis to determine corrective actions to prevent similar incidents in the future

Conclusion

Today, we have covered:
• The principles of risk management
• How risks and controls relate
• An outline of an incident handling plan

Final thought: What is security?

If we make security trade-offs based on the feeling of security rather than the reality, we choose security that makes us feel more secure over security that actually makes us more secure. And that’s what governments, companies, family members, and everyone else provide. Of course, there are two ways to make people feel more secure.

The first is to make people actually more secure, and hope they notice.

The second is to make people feel more secure without making them actually more secure, and hope they don’t notice.

The key here is whether we notice. The feeling and reality of security tend to converge when we take notice, and diverge when we don’t. People notice when 1) there are enough positive and negative examples to draw a conclusion, and 2) there isn’t too much emotion clouding the issue.

(The feeling and the reality of security, Schneier 2008)

…Watch for Security theatre, that is…

Thank you

PETER CRUICKSHANK
Lecturer in Information Systems, School of Computing, Edinburgh Napier University
@spartakan | p.cruickshank@napier.ac.uk

Sources and references

A good general source on this material is Whitman & Mattord’s Management of Information Security (many editions).

Some of the material in this lecture is sourced from the following ISACA documents:
• Cybersecurity Student Book (2014)
• European Cybersecurity Implementation: Overview (2014)
