Security management: risks, controls and incidents

Security Management: Risks, controls and incidents PETER CRUICKSHANK SCHOOL OF COMPUTING EDINBURGH NAPIER UNIVERSITY

Uploaded by peter-cruickshank, posted 11-Feb-2017


Page 1: Security managment   risks, controls and incidents

Security Management: Risks, controls and incidents
PETER CRUICKSHANK, SCHOOL OF COMPUTING, EDINBURGH NAPIER UNIVERSITY

Page 2: What is security?
Mordac the Preventer of Information (© Dilbert.com, http://dilbert.com/search_results?terms=Mordac+The+Preventer)

Page 3: Background
Over a generation, internetworked systems, particularly the Internet, have gone from the specialized realm of government and academia to being a substantial part (the basis?) of our business and personal lives.
• Enterprises maintain web sites, email, e-commerce and collaboration tools that are all connected to the Internet.
• Online banking, bill paying and shopping have made online financial transactions common.
• Individuals have smartphones, tablets and a myriad of other devices that are always “online.”

Page 4: The context
• Computer systems
• Computer environment
• Business and application environment
• Socio-economic-legal environment

Page 5: In a graph (figure: © 2014, ISACA; 2016?)

Page 6: Information Security: Attributes
• Confidentiality: authorised access only; protecting privacy
• Integrity: data and system; protection from accidental or deliberate (malicious) modification
• Availability: …for legitimate users; DDoS attacks – prevention & recovery
• Authentication: who are you? – supports non-deniability
• Authorization: what can you do?
• Auditing: effective auditing and logging is the key to non-repudiation

Page 7: Aim of the lecture
SERIES OF 6 LECTURES AND TUTORIALS
COURSEWORK ASSIGNMENT
EXAM QUESTIONS
This lecture:
• Discusses issues around threats and their risk management
• Covers incident handling (a particular form of risk mitigation)
• Explains the relationship of risks to controls

Page 8: Risk management
HOW DO YOU PRIORITISE YOUR WORK?
HOW DO YOU KNOW WHAT’S IMPORTANT?

Page 9: The security balance
Security
• Complex passwords are secure
• Encryption protects assets
Access
• Complex passwords prevent access
• Encryption slows things down
Risk
• Technology is not enough
• Controls often conflict with usability and business objectives

Page 10: Risk is
...let’s start with Wikipedia:
• The potential that a chosen (in)action will lead to a loss [or a gain]
• Implies that a choice having an influence on the outcome exists (or existed)
• Potential losses themselves may also be called “risks”
• Almost any human endeavour carries some risk, but some are much more risky than others.

Page 11: Sources of risk
• Processes: events related to business operations
• People: employee errors or misdeeds; non-employees
• Systems: technology failure
• External events: outside factors threatening operations
Or in combination. Example: a fire destroying the IT system and causing disruption to the business: external event (fire), systems (unavailable), processes (disrupted).

Page 12: Risk management
• Risk identification & assessment
• Risk control
• Risk response

Page 13: Risk Control Strategies
• Avoidance
• Transference
• Mitigation
• Acceptance

Page 14: Risk
LET’S LOOK AT THE BASICS

Page 15: Risk is
The likelihood of the occurrence of a vulnerability
× Multiplied by the value of the information asset (or, the impact of the loss)

Page 16: Risk assessment
Likelihood
• Expressed as fraction or %age
• May be known (eg actuarial tables)
• May need judgement (document the process)
• Often reduced to High, Medium or Low

Page 17: Risk assessment
Value (impact of loss)
• Normally focuses on potential loss
• It’s most straightforward to gather
• Can be combined up the hierarchy
• eg loss of HR for a week may have high value to them, but the organisation will be able to carry on for a while… (So long as payroll is OK)

Page 18: Identify vulnerabilities
All threats × All assets → Vulnerabilities
Recorded in a TVA (threats, vulnerabilities & assets) worksheet

Page 19: Risk assessment: TVA worksheet extract

Asset                               Impact  Vulnerability                              Likelihood  Risk Rating
Customer service request via email  55      Disruption due to hardware failure         0.04        2.2
                                            Disruption due to software failure         0.3         16.5
Customer order received by SSL      100     Lost order due to server hardware failure  0.05        5
                                            Lost order due to ISP failure              0.1         10

Page 20: Risk according to OWASP [1]
Risk
• Likelihood
  • Threat agent: skill, motive, opportunity, capacity (resources, size)
  • Vulnerability: ease of discovery, ease of exploit, awareness, detection if exploited
• Impact
  • Technical: loss of C, I, A
  • OR Business: financial, reputational, compliance, privacy
[1] https://www.owasp.org/index.php/OWASP_Risk_Rating_Methodology
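As an added example (not from the lecture and not OWASP's own tooling), here is how the factor tree on this slide becomes a rating: each factor is scored 0-9, likelihood and impact are the averages of their factor groups, and the two levels are combined through OWASP's severity matrix. The thresholds and matrix follow the published methodology; the dictionary key names and the scores in SCENARIO are my own constructed values, and "loss of accountability" is OWASP's fourth technical factor, not named on the slide.

```python
# Factor groups as drawn on the slide: threat agent + vulnerability feed
# likelihood; technical OR business factors feed impact.
THREAT_AGENT = ("skill", "motive", "opportunity", "size")
VULNERABILITY = ("ease_of_discovery", "ease_of_exploit", "awareness",
                 "intrusion_detection")
TECHNICAL_IMPACT = ("loss_of_confidentiality", "loss_of_integrity",
                    "loss_of_availability", "loss_of_accountability")
BUSINESS_IMPACT = ("financial_damage", "reputation_damage",
                   "non_compliance", "privacy_violation")

# OWASP overall severity matrix, indexed by (impact level, likelihood level).
SEVERITY = {
    ("LOW", "LOW"): "NOTE",    ("LOW", "MEDIUM"): "LOW",       ("LOW", "HIGH"): "MEDIUM",
    ("MEDIUM", "LOW"): "LOW",  ("MEDIUM", "MEDIUM"): "MEDIUM", ("MEDIUM", "HIGH"): "HIGH",
    ("HIGH", "LOW"): "MEDIUM", ("HIGH", "MEDIUM"): "HIGH",     ("HIGH", "HIGH"): "CRITICAL",
}


def level(score: float) -> str:
    """OWASP buckets a 0-9 average: below 3 LOW, 3 to below 6 MEDIUM, 6-9 HIGH."""
    return "LOW" if score < 3 else "MEDIUM" if score < 6 else "HIGH"


def average(factors: dict, names: tuple) -> float:
    """Average the named factors, insisting each is present and scored 0..9."""
    for n in names:
        if n not in factors:
            raise KeyError(f"missing factor: {n}")
        if not 0 <= factors[n] <= 9:
            raise ValueError(f"{n} must be 0..9, got {factors[n]}")
    return sum(factors[n] for n in names) / len(names)


def rate(factors: dict) -> dict:
    """Return likelihood, impact and overall severity for one scenario."""
    likelihood = average(factors, THREAT_AGENT + VULNERABILITY)
    # The slide's "OR": use business impact once it has been assessed,
    # otherwise fall back to the technical impact.
    have_business = all(n in factors for n in BUSINESS_IMPACT)
    impact = average(factors, BUSINESS_IMPACT if have_business else TECHNICAL_IMPACT)
    return {"likelihood": likelihood, "impact": impact,
            "basis": "business" if have_business else "technical",
            "severity": SEVERITY[(level(impact), level(likelihood))]}


# Constructed factor scores for one hypothetical vulnerability (technical only).
SCENARIO = {
    "skill": 6, "motive": 4, "opportunity": 7, "size": 6,
    "ease_of_discovery": 7, "ease_of_exploit": 5, "awareness": 6,
    "intrusion_detection": 8,
    "loss_of_confidentiality": 7, "loss_of_integrity": 5,
    "loss_of_availability": 5, "loss_of_accountability": 7,
}
# The same scenario once the business has assessed what the loss would cost it.
SCENARIO_WITH_BUSINESS = dict(SCENARIO, financial_damage=3, reputation_damage=4,
                              non_compliance=2, privacy_violation=3)

if __name__ == "__main__":
    print(rate(SCENARIO))                # technical basis: CRITICAL
    print(rate(SCENARIO_WITH_BUSINESS))  # business basis: HIGH
```

Note how the same likelihood (6.125, HIGH) yields CRITICAL on technical impact but only HIGH once the business factors are known: that is why the methodology prefers the business view when it is available.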

Page 21: Risk management
Steps that enterprises should perform when implementing (information security) steps and measures:
• Choose a risk posture
• Analyse impact of threats: business impacts and other, non-financial impacts
• Identify and analyse risks
• Determine risk treatment
• Determine security strategy options based on risk profile

Page 22: (image: bolted and barricaded door behind empty K-mart, http://thegreatgildersleeve.tumblr.com/post/708013469/bolted-and-barricaded-door-behind-empty-k-mart)

Page 23: Risk Control
Risk appetite
• The goal is not risk elimination; it is risk minimisation
• What costs can you bear?
• What impact has risk control on your business?
• At what point are you prevented from doing anything?
• Leaving the organisation with residual risk
• Aim: reduce residual risk to match risk appetite

Page 24: Choose a risk posture
Minimalist
• Reduce actions and investment to a minimum
• Comparatively high level of residual risk.
Balanced
• Comprehensive security investment
• Moderate level of residual risk
Conservative
• Aim for a precautionary, comparatively high, investment
• Little or no tolerance for residual risk.
This is also known as ‘Risk Appetite’

Page 25: Threats (image: http://www.justsaypictures.com/verbal-threat.html)

Page 26: Threat actors: categorisation
Location
• Internal: staff; contractors (should they be internal?)
• External: business partner; regulator; competitor & their governments
Motivation: friendly … hostile
Capability & expertise: script kiddies … GCHQ, the NSA, the PLA

Page 27: Building risk scenario
Risk scenario
• Actor: internal; external
• Threat type: malicious; accidental / error; failure / nature; external requirement
• Event: disclosure; interruption; modification; theft; destruction; ineffective design/execution; new rules; inappropriate use
• Asset / resource: people & skills; organisation structures; process; facilities; IT infrastructure; information; application
• Time: duration; criticality; to detection; time lag to respond
Scenario-based approaches are sometimes preferred over ‘pure’ risk catalogues

Page 28: Analyse Business Impact
What could go wrong?
How would it affect the business?
• Discard if impact is negligible
Judge likelihoods
• Discard if unlikely
Plan for what’s left

Page 29: Analyse Business Impact (figure)

Page 30: Risk is (therefore)
The likelihood of the occurrence of a vulnerability
× Multiplied by the value of the information asset
− Minus the percentage of the risk mitigated by current controls
+ Plus the uncertainty of current knowledge of the vulnerability
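To make the slide 15 and slide 30 formulas concrete, here is an added worked example (not part of the original lecture) that rates the rows of the slide 19 TVA worksheet and then re-rates one of them after a proposed control. The TvaRow class, the 50% mitigation and 10% uncertainty figures are my own; it also assumes that both percentages are taken of the likelihood × value product, which the slide does not spell out.

```python
from dataclasses import dataclass


@dataclass
class TvaRow:
    """One row of a TVA worksheet: an asset, one of its vulnerabilities, and
    the figures used to rate the risk (impact on the worksheet's 0-100 scale,
    likelihood as a fraction between 0 and 1)."""
    asset: str
    impact: float
    vulnerability: str
    likelihood: float
    mitigated: float = 0.0    # fraction of the risk removed by current controls
    uncertainty: float = 0.0  # fraction added for uncertainty of our knowledge

    def base_risk(self) -> float:
        """Slide 15: likelihood multiplied by the value (impact) of the asset."""
        return round(self.likelihood * self.impact, 2)

    def residual_risk(self) -> float:
        """Slide 30: likelihood x value, minus the percentage mitigated by
        current controls, plus the uncertainty of current knowledge.
        Assumption: both percentages are taken of the base product."""
        base = self.likelihood * self.impact
        return round(base - base * self.mitigated + base * self.uncertainty, 2)


# Constructed from the worksheet extract on slide 19 (figures as shown there).
WORKSHEET = [
    TvaRow("Customer service request via email", 55,
           "Disruption due to hardware failure", 0.04),
    TvaRow("Customer service request via email", 55,
           "Disruption due to software failure", 0.3),
    TvaRow("Customer order received by SSL", 100,
           "Lost order due to server hardware failure", 0.05),
    TvaRow("Customer order received by SSL", 100,
           "Lost order due to ISP failure", 0.1),
]


def rank_worksheet(rows):
    """Rate every row and order by base risk, highest first: the prioritised
    list that the slide 8 question ('what's important?') asks for."""
    rated = [(r.asset, r.vulnerability, r.base_risk()) for r in rows]
    return sorted(rated, key=lambda t: t[2], reverse=True)


def with_control(row, mitigated, uncertainty):
    """Re-rate a row after a proposed control, leaving the original intact."""
    return TvaRow(row.asset, row.impact, row.vulnerability, row.likelihood,
                  mitigated, uncertainty)


if __name__ == "__main__":
    for asset, vuln, risk in rank_worksheet(WORKSHEET):
        print(f"{risk:5.1f}  {asset}: {vuln}")
    # A proposed control halves the software-failure risk; we are 10% unsure.
    top = with_control(WORKSHEET[1], mitigated=0.5, uncertainty=0.1)
    print("residual after control:", top.residual_risk())  # 9.9
```

With no controls recorded, residual_risk() equals base_risk(), which is why the worksheet's Risk Rating column matches the plain product.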

Page 31: Risk analysis cycle
Stages: asset identification & valuation; threat assessment; countermeasures; vulnerability assessment; risk assessment; control evaluation; residual risk; action plan; review
Source: ITGI IT Governance Implementation Guide, 2nd ed, 2007

Page 32: Risk management concepts
Risk management
• Risk identification & assessment: inventory; classification; threat identification
• Risk control: risk avoidance; reduce and mitigate (risk reduction, risk transfer, risk sharing); risk retention
• Risk response: incident handling; disaster recovery

Page 33: Back to controls

Page 34: Controls
Control activities are: actions, supported by policies and procedures that, when carried out properly and in a timely manner, manage or reduce risks.

Page 35: Controls
Preventive controls attempt to deter or prevent undesirable events from occurring. They are proactive controls that help to prevent a loss. Examples of preventive controls are separation of duties, proper authorisation, adequate documentation, and physical control over assets.
Detective controls, on the other hand, attempt to detect undesirable acts. They provide evidence that a loss has occurred but do not prevent a loss from occurring. Examples of detective controls are reviews, analyses, variance analyses, reconciliations, physical inventories, and audits.
These examples are from general business: can you think of the equivalent in information systems?

Page 36: Controls
Both types of controls are essential to an effective internal control system.
From a quality standpoint, preventive controls are essential because they are proactive and emphasize quality.
However, detective/corrective controls play a critical role, providing evidence that the preventive controls are functioning and preventing losses.

Page 37: Controls and audit: Key facts
• Controls are an expense
• Controls that aren’t consistently used are no good
• An audit is basically a check that the controls are
  • Well designed (and cost effective)
  • Have been operated consistently & correctly

Page 38: Controls: Take 10
A grid of control types (Prevent / Detect / Recover-mitigate) against control categories (People / Process / Technology / Physical).
Think of one IT-related control to go in each box

Page 39: Risk assessment
Effect of controls
• Current controls mitigate the threat
• Possible controls can be identified
• Different types of control, eg Access control: role-based, task-based
A grid of People / Process / Tech against Prevent / Detect / Recover-mitigate: this is one way of reviewing how you are controlling a risk in depth.

Page 40: Incident response

Page 41: Context: Resilience
In the traditional sense, ‘resilience’ means the ability of a material to revert to its original shape after it has been deformed.
In information security (and in business continuity), resilience describes the ability of an enterprise to recover and absorb external shocks or events and their internal impacts.
Incident handling is a type of risk mitigation

Page 42: Business impact analysis
Results of business impact analysis (BIA) and risk assessment:
• specific risks and scenarios, threats and vulnerabilities analysis, etc.
• clustered (aggregated) risk
• potential impacts and strategic options (with residual risk)
Key technologies: cloud, network interconnections, supervisory control and data acquisition (SCADA) and other industrial control systems. Focus is: what if they fail?

Page 43: Incident strategy: two aspects
Knowing what to do
• Incident reporting
• Policies, reporting lines, authorities, etc.
Testing it
• Participation in & integration with exercises (EU/national/industry wide)

Page 44: Not all events are incidents
Distinguish between events and incidents.
NIST defines an event as “any observable occurrence in a network or system.” This includes normal network operations, such as connections to servers, email transactions and database updates.
A computer security incident is “a violation or imminent threat of violation of computer security policies, acceptable use policies, or standard security practices.”

Page 45: Incident response
Despite an organisation’s best efforts, attackers are sometimes successful. When this happens, an incident occurs.
When incidents occur, it is essential to have a plan in place to handle them: the purpose of incident response.
Terminology: the people trained to deal with incidents are called incident handlers. They are part of an incident response team.

Page 46: Incident response phases
Preparation; Detection & analysis; Containment, eradication, recovery; Post incident activity
• Preparation to establish roles, responsibilities and plans for how an incident will be handled
• Detection and Analysis capabilities to identify incidents as early as possible and effectively assess the nature of the incident
• Investigation capability if identifying an adversary is required
• Mitigation and Recovery procedures to contain the incident, reduce losses and return operations to normal
• Post-incident Analysis to determine corrective actions to prevent similar incidents in the future

Page 47: Conclusion
Today, we have covered:
• The principles of risk management
• How risks and controls relate
• An outline of an incident handling plan

Page 48: Final thought: What is security?
If we make security trade-offs based on the feeling of security rather than the reality, we choose security that makes us feel more secure over security that actually makes us more secure. And that’s what governments, companies, family members, and everyone else provide. Of course, there are two ways to make people feel more secure.
The first is to make people actually more secure, and hope they notice.
The second is to make people feel more secure without making them actually more secure, and hope they don’t notice.
The key here is whether we notice. The feeling and reality of security tend to converge when we take notice, and diverge when we don’t. People notice when 1) there are enough positive and negative examples to draw a conclusion, and 2) there isn’t too much emotion clouding the issue.
The feeling and the reality of security, Schneier 2008

Page 49: …Watch for Security theatre, that is…

Page 50: Thank you
PETER CRUICKSHANK
Lecturer in Information Systems, School of Computing, Edinburgh Napier University
@spartakan | [email protected]

Page 51: Sources and references
A good general source on this material is Whitman & Mattord’s Management of Information Security (many editions).
Some of the material in this lecture is sourced from the following ISACA documents:
• Cybersecurity Student Book (2014)
• European Cybersecurity Implementation: Overview (2014)