INFORMATION SECURITY – ARCHITECTURE & RISK MANAGEMENT
Transcript
INFORMATION SECURITY – ARCHITECTURE & RISK MANAGEMENT
Adeyemi Dina & Shittu O. Shittu

HIGHLIGHTS
• What is information security and why does it matter
• It’s all about business risks
• Security architecture for the business world
• Risk management in security architecture
• Safety and security? – quiz for the end
• Questions

HIGHLIGHTS (section recap)
• What is information security and why does it matter
• It’s all about business risks
• Security architecture for the business world
• Risk management in security architecture
• A word for the motivated

INFORMATION SECURITY - HIGH-LEVEL CONCEPTS
• Information security (IS) is designed to protect the confidentiality, integrity and availability of computer system data from those with malicious intentions.
• Information security – the practice of protecting information from unauthorized access, use, disclosure, disruption, modification, perusal, inspection, recording or destruction. It is a general term used regardless of the form the data may take (e.g. electronic, physical). – Wikipedia
• Information security is the collection of technologies, standards, policies and management practices that are applied to information to keep it secure. – Open University
• Information security is the set of business processes that protects information assets regardless of how the information is formatted or whether it is being processed, is in transit or is being stored.

WHY DOES IT MATTER? - ANY OF THESE LOOK FAMILIAR?

RECENT SECURITY ISSUES
Period | Threats / Attacks | Vulnerabilities | Impact
Jan – Mar 2014 | Yahoo! email hack | Not disclosed | 273 million reportedly hacked; specific number of affected accounts not disclosed
Jan – Mar 2014 | DDoS attack on Bitcoin | Code integrity | No specific breach published; NTP DDoS vulnerability uncovered
Jan – Mar 2014 | DDoS attack on UK Ministry of Justice | Not disclosed | No breach
Jan – Mar 2014 | Sophisticated attack on Neiman Marcus retail infrastructure | Missed detections (or insufficient data exfiltration detection capability) | Credit card information of 350,000 individuals stolen
Apr – Jun 2014 | – | Heartbleed vulnerability published | –
Apr – Jun 2014 | Chinese individuals hacked into US companies | Not disclosed | Not published
Apr – Jun 2014 | Public utility control system hacked in the US | Brute-forced employees’ login passwords | Not disclosed
Apr – Jun 2014 | Evernote subjected to DDoS attack | Not disclosed | Service disruption to 100 million Evernote users
Apr – Jun 2014 | P.F. Chang’s restaurants cardholder data infrastructure compromised | Not disclosed | Credit and debit card information from 33 restaurants stolen and reportedly sold online
Apr – Jun 2014 | Organisers of Brazil 2014 World Cup DDoS’ed | Not disclosed | Disruption to numerous brad
Jul – Sep 2014 | – | Bash / ShellShock vulnerability released, affecting millions of devices worldwide | –
Jul – Sep 2014 | Sony Pictures hack | Not fully disclosed | Disruption of movie production, movie revenue and employee/talent relations
Oct – Dec 2014 | – | OpenSSL vulnerability released, affecting millions of software and hardware devices | –
Oct – Dec 2014 | Sony PlayStation and Microsoft Xbox attacked for days over the Christmas holiday | Not disclosed | Microsoft and Sony unable to serve millions of customers worldwide

TO THE BUSINESS; WHAT IS RISK?
• The effect of uncertainty on objectives (ISO 31000)
• Effect is a positive or negative deviation from what is expected
• Uncertainty exists whenever the knowledge or understanding of an event, consequence or likelihood is inadequate or incomplete
[Diagram: Information Asset – Threat – Vulnerability]

POSITIVE PERSPECTIVE
(Same definition of risk as above, read from the upside.)
[Diagram: Information Asset – Opportunity – Strength]

SECURITY ARCHITECTURE - HIGH-LEVEL CONCEPTS
• Security architecture – artifacts that describe how the security controls/countermeasures/safeguards are positioned and how they relate to the overall systems architecture for the purpose of maintaining the system's quality attributes of confidentiality, integrity and availability. – Wikipedia
• The design artifacts that describe how the security controls (= security countermeasures) are positioned, and how they relate to the overall IT architecture. These controls serve the purpose of maintaining the system’s quality attributes, among them confidentiality, integrity, availability, accountability and assurance. – opensecurityarchitecture.org
• Security architecture is a unified security design that addresses the necessities and potential risks involved in a certain scenario or environment. It also specifies when and where to apply security controls. The design process is generally reproducible.
– Techopedia
• Enterprise information security architecture (EISA) is the practice of applying a comprehensive and rigorous method for describing a current and/or future structure and behaviour for an organization's security processes, information security systems, personnel and organizational subunits, so that they align with the organization's core goals and strategic direction. – Wikipedia

IT IS ABOUT …
• Positioning
• Distinction and authenticity
• … and the things we care about

NIRVANA ARCHITECTURE – “NO ARCHITECTS NEEDED”
Business security aspiration vs. the common business security problem: security architecture bridges the gap.

THE MIND OF A SECURITY ARCHITECT
Principles:
• Risk-based and policy-driven
• Secure by design
• Policy-based access to services
• Defense-in-depth
• Ease of use / low friction
• Data access control
• Service minimisation
• Segregation of trust domains
• Secure down to the weakest link
• Protection against insider and outsider attacks
• Trust levels
• Limit what your system says
• Least privilege
• Audit logging and monitoring
• Separation of duties

AN ARCHITECTURE DEVELOPMENT METHODOLOGY
Focus on secure business technology outcomes, not just security tools. The cycle:
1. Characterise the system by defining data, classification, criticality, components and interfaces.
2. Identify threats, vulnerabilities and the pairs that result in risk to the system and data. Identify high-priority risks for management and control. Leverage threat modelling techniques.
3. Select appropriate controls to treat high-priority risks.
4. Determine architecture and design principles and patterns – leverage available security building blocks in the proposed security architecture foundations/model.
5. Assess design and implementation of controls and security architecture for residual risks (design review / vuln scan / pen test).
6. Present the implemented solution to the risk owner for acceptance of residual risks. Gain authorisation for production / go-live.
7. Ensure continuous security monitoring through integration with security logging and monitoring and contract management.

SYSTEM CHARACTERISATION
• Understand the business process, application system and components
• What type/classification of data is involved
• What are the system boundaries
• What are the interfaces to/from the system and within the components of the system
• Who has the risk decision on the criticality of the system
• Who has the risk decision on the impact of security risk on data loss, unauthorised disclosure and unauthorised modification
• What is the business impact of any of these security concerns?
• What are the known weaknesses, bugs and technical security vulnerabilities (if it is an existing system)
• Current business risk posture of the system

RISK ASSESSMENT – ONE PART OF RISK MANAGEMENT
• Estimate potential damage to the system in the event of a threat materialising – business impact assessment
• Identify threats and estimate the likelihood of them materialising – threat modelling
• Identify vulnerabilities, weaknesses and issues with the system (or potential ones) and the likelihood of them being exploited – issues identification / security assessment
• Use threat-vulnerability pairing to determine the most likely risk events that could materialise – risk scoring
• Prioritise the risks according to their levels – risk prioritisation
• Quantify risks and review with stakeholders – risk quantification / cost budgeting

SELECTION OF CONTROLS PLUS ARCHITECTURE & DESIGN
• Follow organisation-defined security guidelines and policies (access control, password management, regulatory compliance, business values etc.)
• Select controls from a defined controls catalogue, or from industry standards such as NIST 800-53 and ISO 27001/2
• Leverage security architecture building blocks (from best-practice frameworks such as SABSA)
• Reuse existing security services rather than build new ones (reuse before buy before build)
• Be creative (using the “mind of a security architect”)

IMPLEMENTATION ASSESSMENT, AUTHORISATION AND CONTINUOUS MONITORING
• Implementation assessment: design reviews, build/code reviews, source code analysis, vulnerability assessment, security testing (application / penetration testing) plus remediations to acceptable risk levels.
• Authorisation: risk acceptance criteria, e.g. accept vulnerabilities with a Common Vulnerability Scoring System (CVSS) score of less than 4.0 to maintain PCI DSS compliance; address all DoS vulnerabilities on critical systems that require high availability; approval to go live with the system.
• Continuous monitoring: feeds of security events and logs to security information and event management (SIEM) tools, horizon scanning of threat intelligence and monitoring of exploits against the accepted risk posture, which may require revision of the system characterisation.
… and the cycle begins … again

WHEN IS SECURITY ARCHITECTURE COMPLETE?
• When security architects & security risk specialists (and other architects) are no longer needed
• Start looking for another job
Bridging the gap

RISK MANAGEMENT - HIGH-LEVEL CONCEPTS
• Risk management – the process of identifying the criticality of an asset, identifying risk, and identifying the controls that are applicable, bearing in mind the criticality of the asset, the probability of occurrence, the impact and the cost of applying controls. Risk is assessed as both a probability of occurrence and a magnitude of effect, or the product of the two. The strategy is to accept, avoid, reduce or transfer risk.
• Security risk management – a process for identifying, prioritizing and managing information security risk to an acceptable level within an organization
• Risk management is a comprehensive process that requires organizations to: (i) frame risk (i.e., establish the context for risk-based decisions); (ii) assess risk; (iii) respond to risk once determined; and (iv) monitor risk on an ongoing basis using effective organizational communications and a feedback loop for continuous improvement in the risk-related activities of organizations. – NIST (800-39)
• Risk management is an activity directed towards assessment, mitigation, and monitoring of risks to an organization. Information security risk management is a major subset of the enterprise risk management process, which includes both the assessment of information security risks to the institution as well as the determination of appropriate management actions and established priorities for managing and implementing controls to protect against those risks. – Confluence

RISK MANAGEMENT – AN OVERVIEW

ESSENTIAL RISK MANAGEMENT – RISK PRIORITISATION
Start risk prioritization → Conduct summary-level risk prioritization → Summary-level risk prioritization → Review with stakeholders → Conduct detailed-level risk prioritization → Detailed-level risk prioritization → End of risk prioritization

CONDUCTING SUMMARY-LEVEL RISK PRIORITIZATION
Probability levels:
• High. Likely – one or more impacts expected within one year
• Medium. Probable – impact expected within two to three years
• Low. Not probable – impact not expected to occur within three years
The summary-level prioritization includes the following:
1. Determine impact level
2. Estimate summary-level probability
3. Complete the summary-level risk list
4. Review with stakeholders

IMPLEMENTING CONTROLS
Risk management cycle: 1. Assessing risk → 2. Conducting decision support → 3. Implementing controls → 4. Measuring program effectiveness
Implementing controls:
• Seek a holistic approach
• Organize by defense-in-depth

A GENERIC ASSET RISK ASSESSMENT APPROACH
Phase 1 – Identification & classification: identify data assets; identify business processes; identify IT applications
Phase 2 – Business impact assessment: perform business impact assessment (of data assets, applications)
Phase 3 – Risk assessment: information risk assessment; IT application risk assessment; record risks (using bow ties)
Phase 4 – Remediation: define remediation activities

IT SECURITY ARCHITECTURE RELATIONAL ENTITY
[Diagram]

SAFETY VS SECURITY?
• Safety enfolds, it’s internal; safety is a feeling
• Security surrounds and could be external
• i.e. an overarching umbrella protecting our safety
• Security as a safeguard
• Perception is reality
• 100% security is Nirvana

QUESTIONS
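Worked example, added here and not part of the slides: a small Python model of the summary-level risk prioritization and the risk acceptance criteria described in the deck. It uses the slides' probability bands (High within one year, Medium within two to three years, Low beyond three years), risk as the product of impact and probability, and the acceptance rule that CVSS below 4.0 may be accepted except for DoS findings on critical high-availability systems. The ordinal weights, assets, timings and scores are constructed assumptions.

```python
from dataclasses import dataclass

LEVEL = {"High": 3, "Medium": 2, "Low": 1}  # ordinal weights for the three levels (assumed scale)

@dataclass
class RiskEvent:
    """One threat-vulnerability pair recorded against an asset."""
    asset: str
    threat: str
    vulnerability: str
    impact: str                # business impact level: High / Medium / Low
    years_to_impact: float     # estimated time until the threat materialises
    cvss: float                # CVSS base score of the underlying vulnerability
    is_dos: bool = False       # finding is a denial-of-service weakness
    critical_ha: bool = False  # asset is a critical system requiring high availability

def probability_band(years_to_impact: float) -> str:
    """Summary-level probability: High = impact expected within one year,
    Medium = within two to three years, Low = not expected within three years."""
    if years_to_impact <= 1:
        return "High"
    return "Medium" if years_to_impact <= 3 else "Low"

def risk_score(event: RiskEvent) -> int:
    """Risk as the product of magnitude of effect and probability of occurrence."""
    return LEVEL[event.impact] * LEVEL[probability_band(event.years_to_impact)]

def acceptable(event: RiskEvent) -> bool:
    """Acceptance criteria: CVSS below 4.0 may be accepted, except that DoS findings
    on critical high-availability systems must always be addressed."""
    if event.is_dos and event.critical_ha:
        return False
    return event.cvss < 4.0

def summary_risk_list(events: list) -> list:
    """Complete the summary-level risk list, highest-priority risk first."""
    rows = [{"asset": e.asset, "pair": f"{e.threat} / {e.vulnerability}",
             "probability": probability_band(e.years_to_impact),
             "score": risk_score(e), "accepted": acceptable(e)} for e in events]
    return sorted(rows, key=lambda r: r["score"], reverse=True)

# Constructed sample register; assets, timings and scores are illustrative only.
SAMPLE = [
    RiskEvent("Customer DB", "External attacker", "Unpatched web front end", "High", 0.5, 7.5),
    RiskEvent("Public website", "Botnet", "No request rate limiting", "Medium", 1.0, 3.7,
              is_dos=True, critical_ha=True),
    RiskEvent("Payment gateway", "Card fraud", "Weak TLS configuration", "Medium", 2.5, 6.5),
    RiskEvent("Intranet wiki", "Insider", "Verbose error pages", "Low", 5.0, 3.1),
]
```

Calling summary_risk_list(SAMPLE) returns the register ordered 9, 6, 4, 1; note that the website DoS finding is not accepted even though its CVSS is below 4.0.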