Copyright © 2004 - The OWASP Foundation. Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License.
The OWASP Foundation
OWASP AppSec, June 2004, NYC
http://www.owasp.org
ISO 17799 Project Review
Stan Guzik, CISSP, MCP
Chief Technology Officer, Immediatech Corp.
ISO 17799 Project
OWASP AppSec 2004
What Will Be Covered?
- Background On The ISO 17799 Project
- What Is Information Security?
- Information Security Threats
- Developing Security Management Policies/Procedures
- What Is The ISO 17799?
- ISO 17799 OWASP Project Details
- Implementation Example
- Critical Success Factors
- OWASP Needs Your Feedback
- References
Background On The ISO 17799 Project
- OWASP Holistic Approach To Security
  – Top Ten
  – Guide
  – Testing
  – WebGoat
  – ISO 17799
- Challenges Of Today's Web Applications
  – Security - CIA
  – 24x7x365 uptime
  – Fast and easy to use
  – Integration with external systems
  – Fast SDLC due to market pressures
  – Bug free
  – Customers expect it at no/low cost
Background On The ISO 17799 Project
- Management Of Web Applications In Production
  – Traditional IT organizations are not familiar with web app security management
  – Auditors as head of IT (EDP)
  – Internet applications
  – 20 year old policies/procedures do not apply
- Benefits Of Applying ISO 17799
  – Increased security
  – Increased uptime
  – ROI – Fighting Fires
  – Keep your job
What Is Information Security?
- Information Is An Asset – Value
- Information Protection – Ensure business continuity, minimize damage, meet legal requirements
- Information Forms – Electronic, paper, spoken, etc.
- Information Preservation
  – Confidentiality – Information is not disclosed to unauthorized subjects
  – Integrity – Accuracy and completeness of information; modified only by authorized subjects
  – Availability – Authorized subjects are granted access to information when required (SLA)
- Information Security Controls – Policies, procedures, practices, organizational structure, and HW/SW
Information Security Threats
- Viruses
- Hackers
- Espionage
- Sabotage
- Vandalism
- Fire
- Flood
- Employee With A Big Mouth (HR Info)
Information Security Threats
- Today Organizations Are More Vulnerable
  – Interconnected public and private networks
  – System complexities in achieving access controls
  – Lack of security conscious developers – focus on functionality & performance
  – Shorter Time To Market
- Supplement Secure Applications With Appropriate Security Management Policies/Procedures
  – Secure applications running in an unsecured environment
  – Secure applications and a secured environment running with insecure operations
  – Etc.
Develop Security Management Policies/Procedures
- Legal, Regulatory, Contractual Requirements, Due Diligence
- Risk Assessment – Threats to Assets
  – Estimate the likelihood that a threat will occur and evaluate its impact on an asset
- Quantitative Risk Assessment
  – Annual Loss Expectancy (ALE) – Yearly cost of all instances of a specific realized threat against a specific asset:
    » ALE = ARO * SLE
  – Annual Rate of Occurrence (ARO) – Expected frequency that a specific threat or risk will occur (probability determination)
  – Single Loss Expectancy (SLE) – Cost associated with a single realized risk against a specific asset:
    » SLE = Asset Value * EF
  – Exposure Factor (EF) – Loss potential of a specific asset from a realized risk
  – Example – DoS against a Web Application (Input Validation)
    » Asset Value = $2,000,000
    » EF = 20%
    » SLE = $2,000,000 * 20% = $400,000
    » ARO = 10%
    » ALE = 10% * $400,000 = $40,000
Develop Security Management Policies/Procedures
- Qualitative Risk Assessment
  – Scenario/Judgment Based
  – Experience Based
- Risk Assessment Results
  – Determine the appropriate management actions
  – Set priorities for managing information security risk
  – Implement controls to protect against realized risk
Develop Security Management Policies/Procedures
- Select Appropriate Security Controls
  – Implement controls to ensure risks are reduced to an acceptable level.
  – Controls should be selected based on the cost of implementation in relation to the risk being reduced and the potential losses if a security breach occurs.
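As an added example (not from the deck or the OWASP ISO 17799 project), this Python script carries the slide's SLE/ALE arithmetic through for the DoS example and extends it with the cost-versus-risk-reduction comparison the control-selection slide calls for. The candidate controls, their annual costs and the residual ARO/EF they leave behind are constructed assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    """One specific threat against one specific asset, in the deck's terms."""
    name: str
    asset_value: float      # Asset Value in dollars
    exposure_factor: float  # EF: fraction of the asset lost per realized threat
    aro: float              # ARO: expected occurrences per year

    def sle(self) -> float:
        """Single Loss Expectancy: SLE = Asset Value * EF."""
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annual Loss Expectancy: ALE = ARO * SLE."""
        return self.aro * self.sle()


@dataclass(frozen=True)
class Control:
    """A candidate control: its annualized cost and the residual ARO/EF it leaves."""
    name: str
    annual_cost: float
    aro_after: float
    ef_after: float


def residual_risk(risk: Risk, control: Control) -> Risk:
    """The same asset and threat, re-evaluated with the control in place."""
    return Risk(risk.name, risk.asset_value, control.ef_after, control.aro_after)


def annual_benefit(risk: Risk, control: Control) -> float:
    """ALE reduction minus control cost; positive means the control pays for itself."""
    return risk.ale() - residual_risk(risk, control).ale() - control.annual_cost


def justified_controls(risk: Risk, candidates: list) -> list:
    """Controls whose yearly ALE reduction exceeds their cost, best value first."""
    worthwhile = [c for c in candidates if annual_benefit(risk, c) > 0]
    return sorted(worthwhile, key=lambda c: annual_benefit(risk, c), reverse=True)


# The deck's worked example: DoS against a web application (input validation)
DOS_RISK = Risk("DoS of web app", asset_value=2_000_000, exposure_factor=0.20, aro=0.10)
# Constructed candidate controls: costs and residual figures are assumptions, not from the deck
INPUT_VALIDATION = Control("Input validation review", annual_cost=15_000, aro_after=0.02, ef_after=0.20)
GOLD_PLATED = Control("Gold-plated DoS appliance", annual_cost=45_000, aro_after=0.0, ef_after=0.0)

if __name__ == "__main__":
    print(f"SLE = ${DOS_RISK.sle():,.0f}, ALE = ${DOS_RISK.ale():,.0f}")
    for c in (INPUT_VALIDATION, GOLD_PLATED):
        print(f"{c.name}: net annual benefit ${annual_benefit(DOS_RISK, c):,.0f}")
```

The appliance eliminates the risk entirely yet fails the deck's selection rule, because its annual cost exceeds the $40,000 ALE it removes.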
What Is The ISO 17799 Standard?
- ISO – International Organization for Standardization
- Complete Set Of Controls To Ensure Best Practices For Information Security
- The Major Standard – Internationally Recognized Information Security Standard
- Guidelines – Guiding principles providing a good starting point for implementing information security. They are either based on essential legislative requirements or considered to be common best practices for information security.
  – Legislative Controls
    » 12.1.4 – Data Protection and Privacy of Personal Information
    » 12.1.3 – Safeguarding of Organizational Records
    » 12.1.2 – Intellectual Property Rights
  – Best Practices
    » 3.1 – Information Security Policy Document
    » 4.1.3 – Allocation of Information Security Responsibilities
    » 6.2.1 – Information Security Education and Training
    » 6.3.1 – Reporting Security Incidents
    » 11.1 – Business Continuity Management
What Is The ISO 17799 Standard? 10 Sections
- Security Policy – To provide management direction & support for information security
- Organizational Security – To manage information security within the organization
- Asset Classification and Control – To maintain appropriate protection of organizational assets
- Personnel Security – To reduce the risk of human error, theft, fraud or misuse of facilities
- Physical & Environmental Security – To prevent unauthorized access, damage and interference to business premises and information
- Communications and Operations Management – To ensure the correct and secure operation of information processing facilities
- Access Control – To control access to information
- System Development and Maintenance – To ensure security is built into information systems
- Business Continuity Management – To counteract interruptions to business activities and to protect critical business processes from the effects of major failures or disasters
- Compliance – To avoid breaches of any criminal and civil law, statutory, regulatory or contractual
ISO 17799 OWASP Project Details
- Documentation Project
  – Toolbox Of Sample Templates Of ISO 17799 Policies & Procedures
- What Exists Today
  – ISO 17799 Is A Standard, Not A Tool
  – Not Many Publicly Available Templates
  – Commercial Licensed Templates Are Poor Quality
Implementation Example
- 8.1.2 Operational Change Control
  – Inadequate control may cause system or security failures
  – Formal management responsibilities and procedures should be in place
  – Operational programs subject to strict change control
- Current State Of Project
  – Many templates
  – To do: Pull all templates together into a consistent format and publish
Critical Success Factors
- Targeted Risk Assessment
- Implement Good Controls
- Use Already Proven Policies & Procedures
- Training & Awareness
- Get Some More Sleep At Night!!!
OWASP Needs Your Feedback!
- Send Us Your Templates
- Modifications To Existing Templates
- Can you get involved?
References
- ISO/IEC 17799:2000(E)
- CISSP: Certified Information Systems Security Professional Study Guide, Ed Tittel
- OWASP ISO 17799 Project