Usable Security: Module 3 to 5


86 Terms

1
New cards

Risk Management

the process of identifying, assessing, and reducing risks facing an organization

2
New cards

Risk Identification

the enumeration and documentation of risks to an organization’s information assets

3
New cards

Risk Control

the application of controls that reduce the risks to an organization’s assets to an acceptable level

4
New cards

Know Yourself

identify, examine, and understand the information and systems currently in place

5
New cards

Know Your Enemy

identify, examine, and understand the threats facing the organization

6
New cards

Risk Appetite

It defines the quantity and nature of risk that organizations are willing to accept as trade-offs between perfect security and unlimited accessibility.

7
New cards

Residual Risk

the risk that has not been completely removed, shifted, or planned for

8
New cards

Iterative Process

Begins with the identification and inventory of assets, including all elements of an organization’s system (people, procedures, data and information, software, hardware, networking)

9
New cards

People

position name/number/ID; supervisor; security clearance level; special skills

10
New cards

Procedures

description; intended purpose; relation to software/hardware/networking elements; storage location for reference; storage location for the update

11
New cards

Data

classification; owner/creator/manager; data structure size; data structure used; online/offline; location; backup procedures employed

12
New cards

Asset Attribute

to be considered are name, IP address, MAC address, element type, serial number, manufacturer name, model/part number, software version, physical or logical location, and controlling entity.

13
New cards

Asset Inventory

  • Unless information assets are identified and inventoried, they cannot be effectively protected.

  • The inventory process involves formalizing the identification process in some form of organizational tool.

  • Automated tools can sometimes identify the system elements that make up hardware, software, and network components.

14
New cards

Asset Categorization

  • People comprise employees and nonemployees.

  • Procedures either do not expose knowledge useful to a potential attacker or are sensitive and could allow an adversary to gain an advantage.

  • Data components account for the management of information in transmission, processing, and storage.

  • Software components are applications, operating systems, or security components.

  • Hardware: either the usual system devices and peripherals or part of information security control systems

15
New cards

Classifying, Valuing, and Prioritizing Information Assets

  • Many organizations have data classification schemes (e.g., confidential, internal, public data).

  • Classification of components must be specific enough to enable the determination of priority levels.

  • Categories must be comprehensive and mutually exclusive.

16
New cards

Data Classification and Management

  • A variety of classification schemes are used by corporate and military organizations.

  • Information owners are responsible for classifying their information assets.

  • Information classifications must be reviewed periodically.

  • Classifications include confidential, internal, and external.

  • Security clearances

17
New cards

Specifying Asset Vulnerabilities

  • Specific avenues that threat agents can exploit to attack an information asset are called vulnerabilities.

  • Examine how each threat could be perpetrated and list the organization’s assets and vulnerabilities.

  • The process works best when people with diverse backgrounds within an organization work iteratively in a series of brainstorming sessions.

  • At the end of the risk identification process, a prioritized list of assets with their vulnerabilities is achieved.

18
New cards

Risk Assessment

  • Risk assessment evaluates the relative risk for each vulnerability.

  • It assigns a risk rating or score to each information asset.

  • Planning and organizing risk assessment

19
New cards

Determine the Loss Frequency

  • Describes an assessment of the likelihood of an attack combined with expected probability of success

  • Use external references for values that have been reviewed/adjusted for your circumstances.

  • Assign a numeric value to likelihood, typically annual value.

20
New cards

Assessing Risk Acceptability

  • For each threat and its associated vulnerabilities that have residual risk, create a ranking of relative risk levels.

  • Residual risk is the left-over risk after the organization has done everything feasible to protect its assets.

  • If the risk appetite is less than the residual risk, the organization must look for additional strategies to further reduce the risk.

21
New cards

Documenting the Results of Risk Assessment

  • The final summarized document is the ranked vulnerability risk worksheet.

  • Worksheet describes asset, asset relative value, vulnerability, loss frequency, and loss magnitude.

  • Ranked vulnerability risk worksheet is the initial working document for the next step in the risk management process: assessing and controlling risk.

22
New cards

The FAIR Approach to Risk Assessment

  • Identify scenario components

  • Evaluate loss event frequency

  • Evaluate probable loss magnitude

  • Derive and articulate risk

23
New cards

Risk Control

  • Involves selection of control strategies, justification of strategies to upper management, and implementation/monitoring/ongoing assessment of adopted controls

  • Once the ranked vulnerability risk worksheet is complete, the organization must choose one of five strategies to control each risk:

    – Defense

    – Transfer

    – Mitigation

    – Acceptance

    – Termination

24
New cards

Defense

  • Attempts to prevent exploitation of the vulnerability

  • Preferred approach

  • Accomplished through countering threats, removing asset vulnerabilities, limiting asset access, and adding protective safeguards

  • Three common methods of risk avoidance:

    – Application of policy

    – Education and training

    – Applying technology

25
New cards

Transfer

  • Attempts to shift risk to other assets, processes, or organizations

  • If the organization lacks this expertise, it should hire individuals or firms that provide security management and administration expertise.

  • The organization may then transfer the risk associated with management of complex systems to another organization experienced in dealing with those risks.

26
New cards

Mitigate

  • Attempts to reduce impact of attack rather than reduce success of attack itself

27
New cards

Incident Response (IR) Plan

defines the actions to take while the incident is in progress

28
New cards

Disaster Recovery

the most common mitigation procedure; preparations for the recovery process

29
New cards

Business Continuity

encompasses the continuation of business activities if a catastrophic event occurs

30
New cards

Acceptance

– Doing nothing to protect a vulnerability and accepting the outcome of its exploitation

– Valid only when the particular function, service, information, or asset does not justify the cost of protection

31
New cards

Termination

– Directs the organization to avoid business activities that introduce uncontrollable risks

– May seek an alternate mechanism to meet the customer needs

32
New cards

Selecting a Risk Control Strategy

  • Level of threat and value of asset should play a major role in the selection of strategy.

  • Rules of thumb on strategy selection can be applied:

    – When a vulnerability exists

    – When a vulnerability can be exploited

    – When the attacker’s cost is less than the potential gain

    – When the potential loss is substantial

33
New cards

Justifying Controls

  • Before implementing one of the control strategies for a specific vulnerability, the organization must explore all consequences of vulnerability to information assets.

  • There are several ways to determine the advantages and disadvantages of a specific control.

  • Items that affect the cost of control or safeguard include the cost of development or acquisition, training fees, implementation cost, service costs, and cost of maintenance.

  • Asset valuation involves estimating real/perceived costs associated with design, development, installation, maintenance, protection, recovery, and defense against loss/litigation.

  • Process result is the estimate of potential loss per risk.

34
New cards

The Cost Benefit Analysis (CBA)

Determines if an alternative being evaluated is worth the cost incurred to control the vulnerability. It is most easily calculated using the ALE from earlier assessments, before implementation of the proposed control.

35
New cards

ALE (Prior)

Is the annualized loss expectancy of risk before implementation of control.

36
New cards

ALE (Post)

Is the estimated ALE based on control being in place for a period of time.

37
New cards

ACS

Is the annualized cost of the safeguard.

38
New cards

CBA Formula

CBA = ALE(prior) – ALE(post) – ACS

39
New cards

Implementation, Monitoring, and Assessment of Risk Controls

  • The selection of the control strategy is not the end of a process.

  • The strategy and accompanying controls must be implemented and monitored on an ongoing basis to determine effectiveness and accurately calculate the estimated residual risk.

  • Process continues as long as the organization continues to function.

40
New cards

Quantitative vs. Qualitative Risk Control Practices

  • Performing the previous steps using actual values or estimates is known as quantitative assessment.

  • It is possible to complete the steps using an evaluation process based on characteristics measured with non-numerical scales, called qualitative assessment.

  • Utilizing scales rather than specific estimates relieves the organization from the difficulty of determining exact values.

41
New cards

Benchmarking

the process of seeking out and studying practices in other organizations that one’s own organization desires to duplicate

42
New cards

Metric-based measures

based on numerical standards

43
New cards

Process-based measures

more strategic and less focused on numbers

44
New cards

Standard of Due Care

when adopting levels of security for a legal defense, the organization shows it has done what any prudent organization would do in similar circumstances.

45
New cards

Baselining

– Performance value or metric used to compare changes in the object being measured.

– In information security, baselining is the comparison of past security activities and events against an organization’s future performance.

– Useful during baselining to have a guide to the overall process

46
New cards

Organizational

Assesses how well the proposed IS alternatives will contribute to an organization’s efficiency, effectiveness, and overall operation

47
New cards

Operational

Assesses user and management acceptance and support, and the overall requirements of the organization’s stakeholders

48
New cards

Technical

Assesses if the organization has or can acquire the technology necessary to implement and support proposed control

49
New cards

Political

Defines what can/cannot occur based on the consensus and relationships among communities of interest

50
New cards

Recommended Risk Control Practices

  • Convince budget authorities to spend up to the value of assets to protect from the identified threats.

  • Chosen controls may be a balanced mixture that provides the greatest value to as many asset-threat pairs as possible.

  • Organizations may instead look to implement controls that don’t involve such complex, inexact, and dynamic calculations.

51
New cards

Access Control

method by which systems determine whether and how to admit a user into a trusted area of the organization

52
New cards

Mandatory Access Control

use data classification schemes

53
New cards

Discretionary Access Control

allow users to control and possibly provide access to information/resources at their disposal

54
New cards

Identification

mechanism whereby unverified entities seeking access to a resource (supplicants) provide a label by which they are known to the system

55
New cards

Authentication

the process of validating a supplicant’s purported identity

56
New cards

Password

a private word or a combination of characters that only the user should know

57
New cards

Passphrase

a series of characters, typically longer than a password, from which a virtual password is derived

58
New cards

Dumb Card

ID or ATM card with magnetic stripe

59
New cards

Smart Card

contains a computer chip that can verify and validate information

60
New cards

Authentication

the matching of an authenticated entity to a list of information assets and corresponding access levels

61
New cards

Accountability (Auditability)

ensures that all actions on a system—authorized or unauthorized—can be attributed to an authenticated identity

62
New cards

Biometrics

Approach based on the use of measurable human characteristics/traits to authenticate identity

63
New cards

Trusted Computing Base (TCB)

Part of the TCSEC Rainbow Series. Used to enforce the security policy (rules of system configuration)

64
New cards

ITSEC

an international set of criteria for evaluating computer systems

65
New cards

The Common Criteria

Considered successor to both TCSEC and ITSEC

66
New cards

Bell-LaPadula Confidentiality Model

Model of an automated system able to manipulate its state or status over time

67
New cards

Biba Integrity

Based on “no write up, no read down” principle

68
New cards

Graham-Denning Access Control Model

Composed of set of objects, set of subjects, and set of rights

69
New cards

Harrison-Ruzzo-Ullman Model

Defines method to allow changes to access rights and addition/removal of subjects/objects

70
New cards

Brewer-Nash Model

Designed to prevent conflict of interest between two parties

71
New cards

Firewall

Prevents specific types of information from moving between an untrusted network (the Internet) and a trusted network (the organization’s internal network)

72
New cards

Packet Filtering Firewalls

examine the header information of data packets.

73
New cards

Static Filtering

requires that filtering rules be developed and installed within the firewall

74
New cards

Dynamic Filtering

allows firewall to react to emergent event and update or create rules to deal with event

75
New cards

Stateful Inspection

allows firewall to react to emergent event and update or create rules to deal with event

76
New cards

Application Layer Firewall

Frequently installed on a dedicated computer; also known as a proxy server

77
New cards

MAC Layer Firewalls

Designed to operate at media access control sublayer of network’s data link layer

78
New cards

Hybrid Firewalls

Combine elements of other types of firewalls, that is, elements of packet filtering and proxy services, or of packet filtering and circuit gateways

79
New cards

Firewall Architectures

Firewall devices can be configured in several network connection architectures

80
New cards

Packet Filtering Routers

Most organizations with an Internet connection have a router at the boundary between internal networks and the external service provider.

81
New cards

Bastion Hosts

Commonly referred to as a sacrificial host, as it stands as the sole defender on the network perimeter

82
New cards

Screened Host Firewalls

Combines a packet-filtering router with a separate, dedicated firewall such as an application proxy server

83
New cards

Screened Subnet Firewall

Is the dominant architecture used today
