Information Systems 365 Lecture Three - Performing an IT Security Risk Analysis
DESCRIPTION
Lecture 3 slides for the Information Systems 365/765 class I teach at UW-Madison. If you ever had the urge to perform a 5 step quantitative IT Security Risk Analysis, then this is for you!
TRANSCRIPT
Information Security 365/765, Fall Semester, 2014
Course Instructor, Nicholas Davis
Lecture 2, Course Introduction
04/13/23 UNIVERSITY OF WISCONSIN 2
Lecture Topics
- Security management responsibilities
- Difference between Administrative, Technical and Physical Controls
- The three main security principles
- Risk management
- How to perform a risk analysis
Defining Security Management
- Risk management method (see next slide)
- Information Security Policies
- Procedures
- Standards
- Guidelines
- Baselines
- Information Classification
- Security Organization
- Security Education
Process of Security Management
- Determination of needs
- Assessment of risks
- Monitoring and evaluation of existing systems and practices
- Promote awareness of existing issues
- Implementation of policies and controls to address needs
Use a “Top Down” approach, not a “Bottom Up” approach
Three Types of Security Controls
- Administrative
- Technical
- Physical
Administrative Controls
These include developing and publishing policies, standards, procedures and guidelines for risk management, screening personnel, conducting security awareness training, and implementing change control procedures
Technical Controls (Also Called Logical Controls)
These consist of implementing and maintaining access control mechanisms, password and resource management, identification and authentication methods, security devices and the configuration of the infrastructure
Opinion note from the lecturer
Physical Controls
These entail controlling individual access into the facilities, locking systems, removing unnecessary access points to systems such as CD drives and USB ports, protecting the perimeter of the facility, monitoring for intrusion, and environmental controls
All Three Controls Must Work Together
Three Core Goals of Information Security
- Confidentiality
- Integrity
- Availability
Availability
- The systems and networks should provide adequate capacity to perform in a predictable manner, with an acceptable level of performance
- They should be able to quickly recover from disruption
- Single points of failure should be avoided
- Backup measures should be taken
Integrity
- Is defined as maintaining the accuracy and reliability of information systems, preventing any unauthorized modification
- Attacks or mistakes by users do not compromise the integrity of the data
- Viruses, logic bombs, or back doors can all compromise the integrity of an information system
Confidentiality
- Ensures that the necessary level of secrecy is enforced at each junction of data processing and prevents unauthorized disclosure
- This level of confidentiality should prevail while data resides on systems within the network, as it is transmitted and once it reaches its destination
More Terminology
- Vulnerability
- Threat
- Risk
- Exposure
Vulnerability
Software, hardware, physical or procedural weakness which may provide an attacker an open door into your information systems environment
Threat
A potential danger to an information system. The threat is that someone or something will identify and take advantage of a vulnerability. The entity which takes advantage of a vulnerability is called a threat agent
Risk
A risk is the likelihood of a threat agent taking advantage of a vulnerability
Exposure
Exposure is a single instance of the damages caused by a vulnerability being exploited by a threat agent
Way too many terms here for a normal human to remember!!!
Countermeasure
A safeguard put into place to mitigate a potential risk
Security Through Obscurity
Trying to keep things safe by keeping them hidden
Bad idea – not a true security control
Security Planning Areas
- Strategic
- Tactical
- Operational
Strategic: Long and Broad Horizon
- Make sure that risks are properly understood
- Ensure compliance with laws and regulations
- Integrate security responsibilities throughout the organization
- Create a maturity model to allow for continual improvement
- Use security as a business achievement to attract more customers
Tactical: Initiatives Supporting Strategy
Initiatives and planning put in place to support the larger strategic plan
- Putting together teams to address specific issues
- Hiring new employees to be responsible for specific areas such as HIPAA or PCI compliance
Operational
- Perform security risk assessment
- Do not allow security changes to decrease productivity
- Maintain and implement controls
- Continually scan for vulnerabilities and roll out patches
- Track compliance with policies
Judge Against Standards: ISO 17799
- If you know this, you will be golden in the job interview!
- ISO is a British organization, recognized around the world for standards
- High level recommendations of enterprise IT security
Information Security Policy For the Organization
Map of objectives to security management’s support, security goals and responsibilities
Creation of an Information Security Infrastructure
Create and maintain an organizational security structure through the use of a security forum, a security officer, defining responsibilities, a method for authorizing projects, outsourcing and independent audits and reviews
Asset Classification and Control
Develop a security infrastructure to protect organizational assets by establishing accountability through inventory, classification, and handling procedures
Personnel Security
Reduce the risks which are inherent in human action by screening employees, defining roles and responsibilities, training employees properly and documenting the ramifications of not meeting expectations
Physical and Environmental Security
Protect the organization’s assets by properly choosing a facility location, erecting and maintaining a security perimeter, physical access control, and protecting equipment
Communications and Operations Management
Carry out operations through documented procedures, proper change control, incident handling, separation of duties, capacity planning, network management and media handling
Access Control
Control electronic access based upon business requirements, user management, authentication methods and monitoring
System Development and Maintenance
Make security an integral part of all life phases of system development and management
Business Continuity Management
Counter disruptions of normal operations by using continuity planning and testing
Compliance
Comply with regulatory, contractual and statutory requirements by using technical controls, systems audits and continuous legal and regulatory awareness
Cost effective, relevant, timely, and responsive
Risk Analysis
A method for identifying risks and threats
Risk Analysis Has Four Main Goals
- Identify assets and their values
- Identify vulnerabilities and threats
- Quantify the probability and business impact of these potential threats
- Provide an economic balance between the impact of the threat and the cost of the countermeasure
Risk Analysis - Step One: Assign a Value to the Asset
- What is the value of this asset to the company?
- How much does it cost to maintain?
- How much does it make in profits for the company?
- How much would it be worth to the competition?
- How much would it cost to re-create or recover?
Risk Analysis - Step One: Assign a Value to the Asset (continued)
- How much did it cost to acquire or develop this asset?
- How much liability do you face if the asset is compromised?
Risk Analysis – Step 2: Estimate Potential Loss Per Threat
- What physical damage could the threat cause and how much would that cost?
- How much loss of productivity could the threat cause and how much would that cost?
- What is the value lost if the confidential information is disclosed?
- What is the cost of recovering from this threat?
- What is the value of the loss if critical devices were to fail?
- What is the Single Loss Expectancy (SLE) for each asset and each threat?
Risk Analysis – Step Three: Perform a Threat Analysis
- Gather information about the likelihood of each threat taking place, from people in each department. Examine past records which provide this type of data
- Calculate the Annualized Rate of Occurrence (ARO), which is the number of times the threat can take place in a twelve month period
Risk Analysis – Step Four: Derive the Overall Annual Loss Per Threat
- Combine potential loss and probability
- Calculate the Annualized Loss Expectancy (ALE) per threat, by using the information calculated in the first three steps
- Choose remedial measures to counteract each threat
- Carry out cost-benefit analysis on the identified countermeasures
Risk Analysis – Step 5: Reduce, Transfer, Avoid or Accept the Risk
- Install security controls
- Improve procedures
- Alter the environment
- Provide early detection methods to catch the threat as it is happening and reduce possible damage it can cause
- Produce a contingency plan of how a business can continue if a specific threat takes place, reducing further damages
Risk Analysis – Step 5: Reduce, Transfer, Avoid or Accept the Risk (continued)
- Put up barriers to the threat
- Carry out security awareness training
- Perform risk transfer (buy insurance and make it someone else’s problem)
- Risk acceptance (live with the risks and spend no more money for protection)
- Risk avoidance (discontinue the activity that is causing the risk)
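The five steps above, carried through end to end in Python as an added example (this is not code from the course or its instructor): asset value, SLE per threat, ARO, ALE, and the cost-benefit figure that drives the reduce / transfer / avoid / accept decision. The slides name SLE, ARO and ALE but not the formulas that link them; the block uses the standard ones (SLE = asset value x exposure factor, ALE = SLE x ARO, countermeasure value = ALE before - ALE after - annual cost of the countermeasure) and introduces the exposure factor EF, which the slides do not mention, as the fraction of the asset's value lost in one incident. The asset, threats, rates and costs are constructed for illustration, not figures from the lecture.

```python
"""Worked five-step quantitative risk analysis (added example, not course code).

Steps map to the slides: (1) asset value, (2) single loss expectancy per
threat, (3) annualized rate of occurrence, (4) annualized loss expectancy plus
cost-benefit of each countermeasure, (5) reduce / transfer / avoid / accept.
Formulas (standard ones; the slides name SLE, ARO and ALE but not how they combine):
    SLE = asset value (AV) x exposure factor (EF, fraction of AV lost per event)
    ALE = SLE x ARO
    countermeasure value = ALE(before) - ALE(after) - annual cost of countermeasure
All asset values, factors, rates and costs below are constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Threat:
    name: str
    exposure_factor: float  # fraction of asset value lost per occurrence, 0.0 to 1.0
    aro: float              # annualized rate of occurrence (expected events per year)


@dataclass(frozen=True)
class Countermeasure:
    name: str
    threat: str                 # name of the threat it addresses
    annual_cost: float          # product + implementation + maintenance, per year
    new_exposure_factor: float  # EF expected once the control is in place
    new_aro: float              # ARO expected once the control is in place


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """Step 2: money lost in a single occurrence of the threat."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be a fraction between 0 and 1")
    return asset_value * exposure_factor


def annualized_loss_expectancy(sle: float, aro: float) -> float:
    """Step 4: expected loss per year = SLE x ARO (step 3 supplies the ARO)."""
    if aro < 0:
        raise ValueError("ARO cannot be negative")
    return sle * aro


def countermeasure_value(asset_value: float, threat: Threat, cm: Countermeasure) -> float:
    """Cost-benefit: positive means the control saves more per year than it costs."""
    ale_before = annualized_loss_expectancy(
        single_loss_expectancy(asset_value, threat.exposure_factor), threat.aro)
    ale_after = annualized_loss_expectancy(
        single_loss_expectancy(asset_value, cm.new_exposure_factor), cm.new_aro)
    return ale_before - ale_after - cm.annual_cost


def decide(value: float) -> str:
    """Step 5: a control with positive value reduces the risk cost-effectively;
    otherwise the remaining options are to transfer, avoid or accept the risk."""
    return "reduce" if value > 0 else "transfer/avoid/accept"


def analyze(asset_value: float, threats: list[Threat],
            countermeasures: list[Countermeasure]) -> dict[str, dict[str, float | str]]:
    """Run steps 2 to 5 for every threat; results are keyed by threat name."""
    by_name = {t.name: t for t in threats}
    report: dict[str, dict[str, float | str]] = {}
    for t in threats:
        sle = single_loss_expectancy(asset_value, t.exposure_factor)
        report[t.name] = {"sle": sle, "ale": annualized_loss_expectancy(sle, t.aro)}
    for cm in countermeasures:
        value = countermeasure_value(asset_value, by_name[cm.threat], cm)
        report[cm.threat].update({"countermeasure": cm.name,
                                  "value": value, "decision": decide(value)})
    return report


# Constructed sample: a hypothetical customer database valued at $500k (step 1).
ASSET_VALUE = 500_000.0
THREATS = [
    Threat("ransomware", exposure_factor=0.4, aro=0.5),              # once every two years
    Threat("storage hardware failure", exposure_factor=0.1, aro=2.0),
    Threat("insider disclosure", exposure_factor=0.6, aro=0.1),
]
COUNTERMEASURES = [
    Countermeasure("offline backups + endpoint detection", "ransomware",
                   annual_cost=25_000, new_exposure_factor=0.1, new_aro=0.5),
    Countermeasure("redundant storage array", "storage hardware failure",
                   annual_cost=15_000, new_exposure_factor=0.02, new_aro=2.0),
    Countermeasure("data loss prevention suite", "insider disclosure",
                   annual_cost=60_000, new_exposure_factor=0.3, new_aro=0.1),
]


def example_report() -> dict[str, dict[str, float | str]]:
    """The constructed scenario run through all five steps."""
    return analyze(ASSET_VALUE, THREATS, COUNTERMEASURES)


if __name__ == "__main__":
    for name, row in example_report().items():
        print(f"{name:26s} SLE ${row['sle']:>9,.0f}  ALE ${row['ale']:>9,.0f}  "
              f"{row['countermeasure']}: value ${row['value']:>9,.0f} -> {row['decision']}")
```

In the constructed scenario the backup and storage controls both show a positive yearly value and are worth installing, while the DLP suite costs more per year than the insider risk it would remove, which is exactly the case where the slides' other three options (transfer via insurance, avoid the activity, or accept the residual loss) come into play. The `annual_cost` field is where the countermeasure selection cost factors from the later slides get totalled before the comparison.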
Results of the Risk Analysis
1. Monetary values are assigned to assets
2. You have a comprehensive list of all possible and significant threats
3. You have a probability of the occurrence rate of each threat
4. You have the loss potential which the company can endure per threat, annually.
5. A list of recommended safeguards, countermeasures and actions
Countermeasure Selection
- Product costs
- Design and planning costs
- Implementation costs
- Environment modifications
- Compatibility with other countermeasures
- Maintenance requirements
- Testing requirements
Countermeasure Selection (continued)
- Repair, replacement or update costs
- Operating and support costs
- Effects on productivity
- Subscription costs
- Extra person hours
- Tolerance for headaches caused by new countermeasure
Next Time
- Security policies
- Information classification
- Security awareness training