06 - Information Security Best Practices
Figure 4-1 Components of Risk Management
Risk Identification
Risk management involves identifying, classifying, and prioritizing an organization's assets
A threat assessment process identifies and quantifies the risks facing each asset
Components of risk identification: people, procedures, data, software, hardware
Information Asset Valuation
Questions help develop criteria for asset valuation
Which information asset:
Is most critical to the organization's success?
Generates the most revenue/profitability?
Would be most expensive to replace or protect?
Would be the most embarrassing or cause the greatest liability if revealed?
Identifying and Prioritizing Threats
Realistic threats need investigation; unimportant threats are set aside
Threat assessment:
Which threats present danger to assets?
Which threats represent the most danger to information?
How much would it cost to recover from an attack?
Which threat requires the greatest expenditure to prevent?
Risk Assessment
Risk assessment evaluates the relative risk for each vulnerability
Assigns a risk rating or score to each information asset
The goal is to create a method for evaluating the relative risk of each listed vulnerability
Likelihood
The probability that a specific vulnerability will be the object of a successful attack
Assign a numeric value: a number between 0.1 (low) and 1.0 (high), or a number between 1 and 100
Zero is not used, since vulnerabilities with zero likelihood are removed from the asset/vulnerability list
Use the selected rating model consistently
Use external references for values that have been reviewed/adjusted for your circumstances
Risk Determination
For the purpose of relative risk assessment:
Risk = likelihood of vulnerability occurrence × value (or impact) − percentage of risk already controlled + an element of uncertainty
Example
Information asset A has a value score of 50 and has one vulnerability. Vulnerability 1 has a likelihood of 1.0 with no current controls. You estimate that assumptions and data are 90 percent accurate.
Asset A: Risk rating of vulnerability 1 rated as
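Added worked example (not from the slides): the Risk Determination formula carried through in code, with the "risk already controlled" and "uncertainty" terms taken as percentages of likelihood × value, which is how the Example slide treats 90 percent accurate data (a 10 percent uncertainty term). It also ranks several asset/vulnerability pairs, which is the step the risk assessment slides lead up to. Asset A is the slide's own figures; asset B is a constructed comparison.

```python
"""Relative risk rating for asset/vulnerability pairs (added example, not slide code).

Formula from the Risk Determination slide:
    risk = likelihood x value - risk already controlled + uncertainty
with the last two terms expressed as fractions of likelihood x value.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Vulnerability:
    asset: str          # information asset the vulnerability belongs to
    name: str
    asset_value: float  # value score from the asset valuation step
    likelihood: float   # rating model: 0.1 (low) .. 1.0 (high)
    controlled: float   # fraction of the risk that current controls already remove (0..1)
    accuracy: float     # confidence in the assumptions and data (0..1)


def risk_rating(v: Vulnerability) -> float:
    """Risk score for one vulnerability, rounded to two decimals."""
    # Zero likelihood is not part of the model: such entries are removed from
    # the asset/vulnerability list before any rating is done.
    if not 0.1 <= v.likelihood <= 1.0:
        raise ValueError(f"{v.asset}/{v.name}: likelihood must be between 0.1 and 1.0")
    if not (0.0 <= v.controlled <= 1.0 and 0.0 <= v.accuracy <= 1.0):
        raise ValueError(f"{v.asset}/{v.name}: controlled and accuracy must be fractions")
    base = v.likelihood * v.asset_value
    already_controlled = base * v.controlled
    uncertainty = base * (1.0 - v.accuracy)   # 90 % accurate data -> 10 % uncertainty
    return round(base - already_controlled + uncertainty, 2)


def rank_by_risk(vulns: list) -> list:
    """(asset, vulnerability, rating) triples, highest risk first: the ranked vulnerability list."""
    rated = [(v.asset, v.name, risk_rating(v)) for v in vulns]
    return sorted(rated, key=lambda row: row[2], reverse=True)


# The Example slide's asset A, plus a constructed asset B for comparison.
ASSET_A_VULN_1 = Vulnerability("Asset A", "vulnerability 1", asset_value=50,
                               likelihood=1.0, controlled=0.0, accuracy=0.9)
ASSET_B_VULN_1 = Vulnerability("Asset B", "vulnerability 1", asset_value=100,
                               likelihood=0.5, controlled=0.5, accuracy=0.8)

if __name__ == "__main__":
    for asset, name, rating in rank_by_risk([ASSET_B_VULN_1, ASSET_A_VULN_1]):
        print(f"{asset} / {name}: {rating}")
```

Asset B shows the two correction terms working against each other: half of its 50-point base risk is already controlled, but the weaker data quality adds 20 percent back, so it still ranks below asset A.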
Risk Control Strategies
Five strategies to control risk:
Defend - Apply safeguards that eliminate or reduce the remaining uncontrolled risks for the vulnerability
Transfer - Transfer the risk to other areas or to outside entities
Mitigate - Reduce the impact should the vulnerability be exploited
Accept - Understand all of the consequences and accept the risk without control or mitigation
Terminate
Defend
Attempts to prevent exploitation of the vulnerability
Preferred approach
Accomplished through countering threats, removing asset vulnerabilities, limiting asset access, and adding protective safeguards
Three common methods of risk avoidance:
Application of policy
Training and education
Applying technology
Transfer
Control approach that attempts to shift risk to other assets, processes, or organizations
If the organization lacks this expertise, it should hire individuals/firms that provide security management and administration expertise
The organization may then transfer the risk associated with management of complex systems to another organization experienced in dealing with those risks
Mitigate
Attempts to reduce the impact of vulnerability exploitation through planning and preparation
Approach includes three types of plans:
Incident response plan (IRP): defines the actions to take while an incident is in progress
Disaster recovery plan (DRP): most common mitigation procedure
Business continuity plan (BCP): encompasses continuation of business activities if a catastrophic event occurs
Accept
Doing nothing to protect a vulnerability and accepting the outcome of its exploitation
Valid only when the particular function, service, information, or asset does not justify the cost of protection
Terminate
Directs the organization to avoid those business activities that introduce uncontrollable risks
May seek an alternate mechanism to meet customer needs
Feasibility Studies
Before deciding on a strategy, all information about the economic/noneconomic consequences of the vulnerability of the information asset must be explored
A number of ways exist to determine the advantage of a specific control
Cost Benefit Analysis (CBA)
Begun by evaluating the worth of the assets to be protected and the loss in value if they are compromised
The formal process to document this is called cost benefit analysis or economic feasibility study
Items that affect the cost of a control or safeguard include: cost of development or acquisition; training fees; implementation cost; service costs; cost of maintenance
Benefit: value an organization realizes by using controls to prevent losses from a vulnerability
Cost Benefit Analysis (CBA) (cont'd.)
Asset valuation: process of assigning financial value or worth to each information asset
The result of the process is an estimate of potential loss per risk
Expected loss per risk is stated in the following equations:
Annualized loss expectancy (ALE) = single loss expectancy (SLE) × annualized rate of occurrence (ARO)
SLE = asset value × exposure factor (EF)
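Added worked example (not from the slides): the SLE and ALE equations above, applied before and after a proposed control, with the control's cost built from the five cost items the previous CBA slide lists. The closing net-benefit line uses the standard textbook form, CBA = ALE before the control − ALE after the control − annual cost of the control, which the slides describe only in words. The web server value, exposure factors, occurrence rates and control costs are constructed figures.

```python
"""Cost-benefit analysis of one safeguard with SLE / ALE (added example, not slide code).

    SLE = asset value x exposure factor (EF)
    ALE = SLE x annualized rate of occurrence (ARO)
    CBA = ALE(before) - ALE(after) - annual cost of the control
"""
from dataclasses import dataclass


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    # EF is the fraction of the asset's value lost in a single incident.
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be a fraction between 0 and 1")
    return asset_value * exposure_factor


def annualized_loss_expectancy(sle: float, aro: float) -> float:
    # ARO may be above 1 (several incidents a year) or a small fraction (once in N years).
    if aro < 0:
        raise ValueError("ARO cannot be negative")
    return sle * aro


@dataclass(frozen=True)
class ControlCost:
    """The cost items named on the CBA slide; one-time items are spread over the control's lifetime."""
    acquisition: float      # cost of development or acquisition (one-time)
    implementation: float   # implementation cost (one-time)
    training: float         # training fees (per year)
    service: float          # service costs (per year)
    maintenance: float      # cost of maintenance (per year)
    lifetime_years: int

    def annual(self) -> float:
        one_time = (self.acquisition + self.implementation) / self.lifetime_years
        return one_time + self.training + self.service + self.maintenance


def cba(asset_value: float, ef_before: float, aro_before: float,
        ef_after: float, aro_after: float, cost: ControlCost) -> dict:
    """ALE with and without the control, the control's annual cost, and the net benefit."""
    ale_before = annualized_loss_expectancy(single_loss_expectancy(asset_value, ef_before), aro_before)
    ale_after = annualized_loss_expectancy(single_loss_expectancy(asset_value, ef_after), aro_after)
    annual_cost = cost.annual()
    net = ale_before - ale_after - annual_cost
    return {"ale_before": ale_before, "ale_after": ale_after,
            "annual_cost": annual_cost, "net_benefit": net, "worthwhile": net > 0}


# Constructed figures: a public web server and a proposed web application firewall.
WEB_SERVER_VALUE = 100_000.0
WAF_COST = ControlCost(acquisition=6_000, implementation=3_000,
                       training=500, service=300, maintenance=700, lifetime_years=3)

if __name__ == "__main__":
    result = cba(WEB_SERVER_VALUE, ef_before=0.5, aro_before=0.2,
                 ef_after=0.1, aro_after=0.1, cost=WAF_COST)
    for key, value in result.items():
        print(f"{key}: {value}")
```

A control whose annual cost exceeds the reduction in ALE comes out with a negative net benefit, which is the economic-feasibility case for the Accept strategy on the earlier slides.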
CCNA Security (Study Guide), Tim Boyles
Benchmarking and Best Practices
An alternative approach to risk management
Benchmarking: process of seeking out and studying practices in other organizations that one's own organization desires to duplicate
One of two measures is typically used to compare practices:
Metrics-based measures - comparisons based on numerical standards, such as:
Numbers of successful attacks
Staff-hours spent on systems protection
Dollars spent on protection
Numbers of security personnel
Estimated losses in dollars of information due to successful attacks
Loss in productivity hours associated with successful attacks
Process-based measures - generally less number-focused and more strategic than metrics-based measures; the primary focus is the method the organization uses to accomplish a particular process, rather than the outcome
Policy and Risk Management
Function of Policy
Defines what security should be within an organization
defines the proper mechanisms to use to protect information and systems -> e.g. configurations on computer systems
defines how employees should perform security-related duties
defines how employees are expected to behave when using organization computer systems
defines how organizations should react when things do not go as expected
Policies
Many different types of policies and procedures are available:
Information policy
Security policy
Computer usage policy
Internet usage policy
E-mail policy
Backup policy
User management procedure
System administration procedure
Incident response procedure
Information Policy
Defines what is considered sensitive information within an organization and how that information should be protected
For an organization: payroll and medical insurance information, company financial information
For a university: students' records, examination questions, teaching records
Example: Information accessible to lecturers vs. information accessible to students in the university
Security Policy – user control
It defines how a system or network administrator should configure a system securely
requirements in the policy should be communicated to the general user community
The security policy should define how users will be identified, such as by user IDs
Also defines the authentication mechanism to be used for normal system users and administrators
If passwords are used, the policy should also define the minimum password length, the maximum and minimum password ages, and password content requirements
Example: Lecturer ID card vs Student ID card, Lecturer login vs Student login
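Added worked example (not from the slides): the password rules the slide names (minimum length, maximum and minimum password age, content requirements) expressed as a policy object, with one policy for normal users and a stricter one for administrators, as the slide's separate treatment of the two groups suggests. The two policies, the candidate passwords and the dates are constructed; the check functions are the kind of enforcement a user management procedure would call.

```python
"""Password rules from a security policy (added example, not slide code)."""
import re
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class PasswordPolicy:
    min_length: int
    max_age_days: int      # password must be changed once it is this old
    min_age_days: int      # password may not be changed again before this (stops cycling back to an old one)
    require_upper: bool
    require_lower: bool
    require_digit: bool
    require_symbol: bool


# Constructed policies: administrators get stricter rules than normal system users.
USER_POLICY = PasswordPolicy(min_length=12, max_age_days=180, min_age_days=1,
                             require_upper=True, require_lower=True,
                             require_digit=True, require_symbol=False)
ADMIN_POLICY = PasswordPolicy(min_length=16, max_age_days=90, min_age_days=1,
                              require_upper=True, require_lower=True,
                              require_digit=True, require_symbol=True)


def content_violations(password: str, policy: PasswordPolicy) -> list:
    """Every content rule the candidate password breaks; an empty list means it is acceptable."""
    checks = [
        (len(password) >= policy.min_length, f"shorter than {policy.min_length} characters"),
        (not policy.require_upper or re.search(r"[A-Z]", password), "no uppercase letter"),
        (not policy.require_lower or re.search(r"[a-z]", password), "no lowercase letter"),
        (not policy.require_digit or re.search(r"[0-9]", password), "no digit"),
        (not policy.require_symbol or re.search(r"[^A-Za-z0-9]", password), "no symbol"),
    ]
    return [message for ok, message in checks if not ok]


def age_status(last_changed: date, today: date, policy: PasswordPolicy) -> str:
    """'expired' (must change now), 'change-blocked' (too soon to change again) or 'current'."""
    age_days = (today - last_changed).days
    if age_days >= policy.max_age_days:
        return "expired"
    if age_days < policy.min_age_days:
        return "change-blocked"
    return "current"


if __name__ == "__main__":
    print(content_violations("correct horse", USER_POLICY))
    print(age_status(date(2024, 1, 1), date(2024, 7, 1), USER_POLICY))
```

Returning the full list of violations rather than the first one lets the login front end tell the user everything that is wrong in a single attempt, which is the usual reason policies state content requirements explicitly.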
Security Policy – files control
Should define the standard requirement for file access controls. Two requirements should be defined:
user-defined access control:
must be available for each file on a computer system and should work with the authentication mechanism to make sure that only authorized users can gain access to files
allow for specifying which users have access to files for read, write, and execute permissions
Example: Any files from a company's workstation that are transferred/copied to an external drive/network/email (outside the company's domain) will be automatically encrypted
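Added worked example (not from the slides): a small in-memory file store in which every file carries a user-defined ACL of read/write/execute permissions, only the owner may change it, and every permission check starts from an authenticated session, which is the "works with the authentication mechanism" requirement above. The session tokens, users and paths are constructed; the store stands in for whatever the real system uses.

```python
"""User-defined file access control tied to authentication (added example, not slide code)."""
from dataclasses import dataclass, field
from typing import Optional

PERMISSIONS = frozenset({"read", "write", "execute"})


@dataclass
class FileAcl:
    owner: str
    entries: dict = field(default_factory=dict)   # user id -> set of permissions


class FileStore:
    def __init__(self) -> None:
        self.files = {}      # path -> FileAcl
        self.sessions = {}   # session token -> authenticated user id

    # Authentication side: a stand-in for the real login mechanism.
    def start_session(self, user: str, token: str) -> None:
        self.sessions[token] = user

    def end_session(self, token: str) -> None:
        self.sessions.pop(token, None)

    def _user(self, token: str) -> Optional[str]:
        return self.sessions.get(token)

    # File side: the owner gets all permissions; everyone else gets what the owner grants.
    def create(self, token: str, path: str) -> None:
        user = self._user(token)
        if user is None:
            raise PermissionError("not authenticated")
        if path in self.files:
            raise FileExistsError(path)
        self.files[path] = FileAcl(owner=user, entries={user: set(PERMISSIONS)})

    def grant(self, token: str, path: str, grantee: str, perms: set) -> None:
        user = self._user(token)
        acl = self.files.get(path)
        if user is None or acl is None or acl.owner != user:
            raise PermissionError(f"only the owner may change the ACL of {path}")
        if not perms <= PERMISSIONS:
            raise ValueError(f"unknown permissions: {perms - PERMISSIONS}")
        acl.entries.setdefault(grantee, set()).update(perms)

    def check(self, token: str, path: str, perm: str) -> bool:
        """Deny by default: no session, unknown file, unknown permission or no entry all give False."""
        user = self._user(token)
        acl = self.files.get(path)
        if user is None or acl is None or perm not in PERMISSIONS:
            return False
        return perm in acl.entries.get(user, set())


if __name__ == "__main__":
    store = FileStore()
    store.start_session("alice", "tok-a")
    store.start_session("bob", "tok-b")
    store.create("tok-a", "/reports/q1.txt")
    store.grant("tok-a", "/reports/q1.txt", "bob", {"read"})
    print(store.check("tok-b", "/reports/q1.txt", "read"))    # True
    print(store.check("tok-b", "/reports/q1.txt", "write"))   # False
```

The deny-by-default shape of check() is the point: a missing ACL entry, an ended session or a misspelt permission name all fall through to False rather than to an accidental grant.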
Security Policy - audit
Define the types of events to be audited on all systems. Normally, the following events are audited:
Logins (successful and failed)
Logouts
Failed access to files or system objects
Remote access (successful and failed)
Privileged actions (those performed by administrators, both successes and failures)
System events (such as shutdowns and reboots)
The security policy should specify:
how long the audit records should be kept and how they should be stored
how they should be reviewed and examined, including how often
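Added worked example (not from the slides): a review pass over audit records that covers the slide's three concerns, the event categories to audit, how the records are reviewed, and how long they are kept. The record format ("timestamp EVENT key=value ...") and the nine log lines are constructed for the example; the review separates successes from failures, flags record types the policy does not list, picks out repeated failed logins from one source, and finds records older than the retention period.

```python
"""Audit record review against a security policy's audit list (added example, not slide code)."""
from collections import Counter
from datetime import datetime, timedelta

# Event categories the audit slide says are normally audited.
POLICY_EVENTS = {"LOGIN", "LOGOUT", "FILE_ACCESS", "REMOTE_ACCESS", "PRIVILEGED", "SYSTEM"}

# Constructed sample records in the format '<ISO timestamp> <EVENT> key=value ...'.
SAMPLE_LOG = """\
2024-05-01T08:00:00Z LOGIN user=alice result=success src=10.0.0.5
2024-05-01T08:01:10Z LOGIN user=bob result=failure src=203.0.113.7
2024-05-01T08:01:25Z LOGIN user=bob result=failure src=203.0.113.7
2024-05-01T08:30:00Z DEBUG user=alice result=success
2024-05-01T09:15:00Z FILE_ACCESS user=alice object=/etc/shadow result=failure
2024-05-01T10:00:00Z PRIVILEGED user=root action=useradd result=success
2024-05-01T18:00:00Z LOGOUT user=alice result=success
2024-05-02T02:00:00Z SYSTEM action=reboot result=success
2023-11-01T12:00:00Z REMOTE_ACCESS user=carol result=success src=198.51.100.9
"""


def _parse_ts(value: str) -> datetime:
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def parse_record(line: str) -> dict:
    ts, event, *fields = line.split()
    record = {"ts": _parse_ts(ts), "event": event}
    for item in fields:
        key, _, value = item.partition("=")
        record[key] = value
    return record


def parse_log(text: str) -> list:
    return [parse_record(line) for line in text.splitlines() if line.strip()]


def summarize(records: list) -> Counter:
    """Counts per 'EVENT/result', so successes and failures are reviewed separately."""
    return Counter(f"{r['event']}/{r.get('result', 'n/a')}" for r in records
                   if r["event"] in POLICY_EVENTS)


def unlisted_events(records: list) -> set:
    """Record types present in the log but absent from the policy's audit list."""
    return {r["event"] for r in records} - POLICY_EVENTS


def repeated_login_failures(records: list, threshold: int) -> dict:
    """Sources with at least `threshold` failed logins: the first thing a reviewer looks at."""
    failures = Counter(r.get("src", "?") for r in records
                       if r["event"] == "LOGIN" and r.get("result") == "failure")
    return {src: n for src, n in failures.items() if n >= threshold}


def past_retention(records: list, today_iso: str, retention_days: int) -> list:
    """Records older than the retention period the policy sets."""
    cutoff = _parse_ts(today_iso) - timedelta(days=retention_days)
    return [r for r in records if r["ts"] < cutoff]


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print(summarize(recs))
    print("unlisted:", unlisted_events(recs))
    print("repeated failures:", repeated_login_failures(recs, 2))
    print("past retention:", len(past_retention(recs, "2024-05-15T00:00:00Z", 180)))
```

Keeping the parsed timestamp on every record is what makes the retention rule mechanical: the same function that decides what to review also decides what may be purged.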
Security Policy - network
Should specify the rules for network connectivity
Example: Usage of a VPN to access the university's library database
For permanent network connections:
A firewall should be used to protect the internal network
The policy should define a basic network access control policy to be implemented on the firewall
Example: All network connections within the university's campus have to go through the proxy server
Security Policy - antivirus
Should specify details about security programs (antivirus software):
installed at locations like file servers and e-mail servers
requirement for security programs to examine specific file types and to check files when they are opened or on a scheduled basis
require updates of signatures for security programs on a periodic basis
Security Policy – data security
Should define acceptable encryption algorithms for sensitive data
for use within the organization to protect sensitive information
should also specify the required procedures for key management
Internet Usage Policy
The Internet use policy defines the appropriate uses of the Internet (business sites, e-mail, etc.)
can be included in the more general computer use policy or as a separate policy
may also define inappropriate uses (such as visiting non-business-related Web sites, downloading copyrighted software, trading music files, or sending chain letters)
Example: Internet traffic and usage within the University are monitored.
E-mail Policy
E-mail leaving an organization may contain sensitive information
policy should state under what conditions this is acceptable and refer to the information policy on how this information should be protected (encryption, etc.)
organization may place a disclaimer or signature at the bottom of outgoing electronic mail to indicate that proprietary information must be protected
Testing inbound file attachments for viruses
policy should point back to the organization's security policy for the appropriate anti-virus configuration issues
Example: Certain bank institutions in Malaysia only allow their staff to access the company's email account within the physical building location.
Backup Policy
Defines how system backups are to be performed
should identify how often backups actually occur -> usually full backups one day per week with incremental backups taken every other day
incremental backup only backs up files that have changed since the last backup -> runs faster and takes a smaller amount of space
should also point to the information policy to determine how long the files must be kept before the tape can be reused
store media used for backups in a secure location
Incident Response Procedures
Defines who has the authority, and the objectives of the organization when handling an incident
before an incident is declared, a procedure for investigation should be undertaken to determine if the incident actually occurred
specify an escalation procedure as more information about the event is determined, usually activation of an incident response team
attempt to control the information about the incident that is released, so that it will not affect customers and should reflect positively on the organization
the response an organization makes to an incident is directly related to the objectives of the IRP
Design of Security Architecture
Defense in depth
Implementation of security in layers
Requires that the organization establish sufficient security controls and safeguards so that an intruder faces multiple layers of controls