A-1
Managing Risk in Information Systems
Lesson 9
Identifying and Analyzing Risk Mitigation Security Controls
© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
In-Place Controls
Installed in an operational system
Replace in-place controls that don’t meet goals
Three primary objectives of controls:
Prevent
Recover
Detect
In-place controls are installed in systems that are currently in operation.
It is important to continually evaluate any in-place controls to make sure they are still effective, and to remove or replace them as needed.
Controls have three primary objectives:
• Prevent loss
• Recover after loss
• Detect threats
Planned Controls
Those that have been approved but not yet installed
Identify planned controls before approving others
Vulnerabilities that planned controls mitigate still exist
Evaluate effectiveness of a planned control through research
Planned controls are those that have been approved but not yet installed; they must still be implemented in a timely manner.
It is important to identify any planned controls before approving others. Until a planned control is installed, the weakness it addresses still exists, and you don’t want to purchase another control to resolve the same weakness.
You can still evaluate the effectiveness of a planned control through research and decide whether it will mitigate the problem.
NIST SP 800-53 Control Families
Access Control (AC)
Audit and Accountability (AU)
Awareness and Training (AT)
Configuration Management (CM)
Contingency Planning (CP)
Identification and Authentication (IA)
Incident Response (IR)
Maintenance (MA)
Media Protection (MP)
Personnel Security (PS)
Access Control (AC)—helps an organization implement effective access control to ensure users have only the rights and permissions they need to perform their jobs; it includes principles such as least privilege and separation of duties.
Audit and Accountability (AU)—helps an organization implement an effective audit program, determine what to audit, and protect the audit logs.
Awareness and Training (AT)—is implemented to raise security awareness, help an organization identify needed training, and properly document the training.
Configuration Management (CM)—addresses both configuration management and change management. Configuration management includes configuring systems for least functionality as a primary method of hardening systems. Change control practices prevent unauthorized changes.
Contingency Planning (CP)—helps an organization recover from failures or disasters.
Identification and Authentication (IA)—identifies and authenticates users. Each user should be uniquely identified.
Incident Response (IR)—covers all aspects of security incidents, including training, testing, handling, monitoring, and reporting.
Maintenance (MA)—covers security aspects related to maintenance, such as maintenance tools, maintenance personnel, and timely maintenance.
Media Protection (MP)—includes removable digital media such as tapes, external hard drives, and USB flash drives. It also includes non-digital media such as paper and film.
Personnel Security (PS)—includes personnel screening, termination, and transfer.
NIST SP 800-53 Control Families (Cont.)
Physical and Environmental Protection (PE)
Planning (PL)
Program Management (PM)
Risk Assessment (RA)
Security Assessment and Authorization (CA)
System and Communications Protection (SC)
System and Information Integrity (SI)
System and Services Acquisition (SA)
Physical and Environmental Protection (PE)—provides controls related to physical security.
Planning (PL)—focuses on security plans for systems and covers Rules of Behavior (acceptable use policy).
Program Management (PM)—ensures compliance with FISMA. These controls complement other controls. They don’t replace them.
Risk Assessment (RA)—provides details on risk assessments and vulnerability scanning.
Certification, Accreditation, and Security Assessment (CA)—addresses steps to implement a security and assessment program and ensure only authorized systems are allowed on a network. It includes details on continuous monitoring and a plan of action and milestones.
System and Communications Protection (SC)—protects systems and communication channels, including denial of service protection, boundary protection, and transmission integrity and confidentiality controls.
System and Information Integrity (SI)—provides controls to maintain the integrity of systems and data, including flaw remediation to keep systems updated and malicious code protection to protect against malware.
System and Services Acquisition (SA)—controls the purchase of products and services as well as software usage and user installed software.
Functional Controls
Preventive controls attempt to prevent a risk from occurring. For example, many actions taken to harden a server are preventive, such as disabling unneeded services and removing unneeded protocols.
Detective controls attempt to detect when a vulnerability is being exploited. Audit logs and audit trails are examples of passive detective controls: when the logs are reviewed, the incident is discovered. An intrusion detection system (IDS) is an example of an active detective control, because an IDS can review logs in real time.
Corrective controls attempt to reverse the effects of a problem. File recovery and data correction are examples of corrective controls. For example, reliable backups allow you to restore data if it becomes corrupt. Many corrective controls are also considered recovery controls.
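As an added example (not part of the course material), here is the passive detective control from the paragraph above in code: a review pass over a constructed authentication audit trail, in an assumed log format, that flags sources with a burst of failed logins. The events have already happened when the review runs; the control surfaces them after the fact.

```go
package main

import (
	"sort"
	"strings"
	"time"
)

// sampleAuthLog is a constructed audit trail in an assumed format (not one from
// the slides): "<RFC3339 time> <FAIL|OK> user=<name> src=<ip>", in time order.
var sampleAuthLog = []string{
	"2015-03-02T10:15:01Z FAIL user=alice src=203.0.113.7",
	"2015-03-02T10:15:09Z FAIL user=admin src=203.0.113.7",
	"2015-03-02T10:15:20Z FAIL user=root src=203.0.113.7",
	"2015-03-02T10:30:00Z FAIL user=carol src=198.51.100.2",
	"2015-03-02T11:30:00Z FAIL user=carol src=198.51.100.2",
	"2015-03-02T11:31:00Z OK user=carol src=198.51.100.2",
}

// failedLoginSources returns every source with at least threshold failed logins
// inside any span of length window; malformed lines are skipped, not fatal.
func failedLoginSources(lines []string, window time.Duration, threshold int) []string {
	failures := map[string][]time.Time{} // source -> timestamps of FAIL events
	for _, line := range lines {
		f := strings.Fields(line)
		if len(f) < 4 || f[1] != "FAIL" {
			continue
		}
		if ts, err := time.Parse(time.RFC3339, f[0]); err == nil {
			src := strings.TrimPrefix(f[3], "src=")
			failures[src] = append(failures[src], ts)
		}
	}
	var flagged []string
	for src, times := range failures {
		for i := range times { // slide a window forward from each failure
			j := i
			for j < len(times) && times[j].Sub(times[i]) <= window {
				j++
			}
			if j-i >= threshold {
				flagged = append(flagged, src)
				break
			}
		}
	}
	sort.Strings(flagged) // deterministic order for the review report
	return flagged
}
```

With the sample above, `failedLoginSources(sampleAuthLog, 5*time.Minute, 3)` returns only 203.0.113.7; the two failures from 198.51.100.2 are an hour apart and stay below the threshold.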
Controls Based on Function Being Performed
Preventive: Hardening, Patching
Detective: Audit trails, IDS
Corrective: Backups, File recovery
Procedural Control Examples
Policies & Procedures provide guidelines and rules for an organization. A policy provides overall direction without details. A procedure provides the detailed steps needed to implement a policy. Policies have widespread application and provide authority. Procedures are narrower in scope and more task-oriented than policies. They identify specific steps needed to implement a policy. Any policy could have multiple procedures. Examples of policies and procedures:
• Acceptable use policy identifies what a user can and cannot do on a system. AUP procedures may require users to read and acknowledge understanding of the AUP.
• Vulnerability scanning policy provides authority to perform regular scans. Vulnerability scanning procedures would specify how scans are documented and reported.
• Removable media policy might restrict the use of USB Flash drives. Removable media enforcement procedures enforce the restriction of removable media.
Security Plans are common to most organizations. They include Business Continuity Plans, Disaster Recovery Plans, Backup Plans, Incident Response Plans.
Insurance and Bonding. When damage is low and impact is high, insurance is used to transfer risk. Bonding is a type of insurance that covers losses from theft, fraud, or dishonesty.
Background and Financial Checks. Background checks identify any criminal behavior on the part of a prospective employee; financial checks look at credit ratings.
Policies and procedures
Security plans
Insurance and bonding
Background and financial checks
Procedural Control Examples (Cont.)
Data Loss Prevention Programs help a company prevent data loss. Data loss can mean a loss of confidentiality, when users view data they shouldn’t see, or a loss due to corruption, when files become corrupted. Data loss prevention starts by identifying the data that is important to the organization.
Awareness Training ensures employees are aware of an organization’s security standards and know how to implement security controls. Awareness programs are generic and apply to all personnel. Training is provided for different audiences and specific groups.
Rules of Behavior let users know what they can and cannot do. Users agree to these rules before being granted access to a system. Rules of behavior typically cover:
• Privacy: users have no expectation of privacy
• Restricted activities: certain kinds of activities are not allowed
• E-mail usage: identifies e-mail restrictions
• Protection of credentials: user names and passwords must be protected
• Consequences: penalties for noncompliance, such as a reprimand or suspension of privileges
Software Testing starts with a policy mandating software testing of new systems and system changes.
Data loss prevention program
Awareness training
Rules of behavior
Software testing
Technical Control Examples
Technical controls are software tools that automate protection.
A logon identifier or user account uniquely identifies the user. Every time the user logs in, this account is used. A logon identifier is needed for access control. Audit logs use logon identifiers.
Session Timeouts ensure that an unauthorized user cannot gain access to a session without providing credentials.
System Logs and Audit Trails log different types of events. Logs need to be reviewed. System logging tracks events on the operating system. Security logging focuses on security events. Do not log all events.
Data Range and Reasonableness Checks ensure valid data is received. Data range checks ensure data is within a certain range. Reasonableness checks ensure that the entered data is reasonable.
Firewalls and Routers are used as technical controls in a network. They control traffic by allowing some traffic and blocking other traffic. Firewalls use rules to identify allowed traffic. Routers use access control lists (ACLs) to identify allowed traffic and provide basic filtering. Router ACLs evaluate a single packet at a time, while firewalls evaluate all of the traffic between the networks they connect.
Encryption changes plaintext data into ciphertext. Data can be encrypted at rest (when stored on media) or in transit (when transferred). Encryption is classified as either symmetric (one key) or asymmetric (public and private keys).
Public Key Infrastructure provides support for certificates, including:
• Certification authority: issues and manages certificates
• Certificates: provide identification and aid in encryption
• Public and private keys
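The distinction drawn above between a router ACL, which judges one packet at a time, and a firewall, which judges the conversation, can be made concrete. This added example (not from the course material; the packet fields, rule format and addresses are constructed) models both: the stateless list has to admit any inbound packet carrying source port 443 so that HTTPS replies can return, while the stateful filter admits an inbound packet only if it reverses a flow it has already seen.

```go
package main

import "fmt"

// packet carries the fields a filter needs: direction plus addresses and ports.
type packet struct {
	inbound          bool
	srcIP, dstIP     string
	srcPort, dstPort int
}

// aclRule is one stateless access-list entry; a zero port matches any port.
type aclRule struct {
	inbound          bool
	srcPort, dstPort int
	permit           bool
}

// aclAllows judges each packet alone (first match wins, implicit deny), as a router ACL does.
func aclAllows(rules []aclRule, p packet) bool {
	for _, r := range rules {
		if r.inbound == p.inbound &&
			(r.srcPort == 0 || r.srcPort == p.srcPort) &&
			(r.dstPort == 0 || r.dstPort == p.dstPort) {
			return r.permit
		}
	}
	return false
}

// statefulFirewall remembers outbound flows and admits inbound packets only as replies to them.
type statefulFirewall struct{ flows map[string]bool }

const flowFmt = "%s:%d->%s:%d" // src:port->dst:port

func (fw *statefulFirewall) allows(p packet) bool {
	if !p.inbound { // internal hosts may initiate; remember the flow
		fw.flows[fmt.Sprintf(flowFmt, p.srcIP, p.srcPort, p.dstIP, p.dstPort)] = true
		return true
	}
	return fw.flows[fmt.Sprintf(flowFmt, p.dstIP, p.dstPort, p.srcIP, p.srcPort)] // must reverse a known flow
}

// Constructed sample (documentation ranges): an HTTPS request, its reply, and an unrelated inbound packet from source port 443.
var (
	httpsACL    = []aclRule{{false, 0, 443, true}, {true, 443, 0, true}}
	request     = packet{false, "10.0.0.5", "198.51.100.9", 51000, 443}
	reply       = packet{true, "198.51.100.9", "10.0.0.5", 443, 51000}
	unsolicited = packet{true, "203.0.113.7", "10.0.0.5", 443, 22}
)
```

Run against the constructed sample, both filters pass the genuine reply; only the stateful firewall rejects the unrelated inbound packet, which is why stateful inspection is the stronger control.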
Login identifier
Session timeout
System logs and audit trails
Data range and reasonableness checks
Firewalls and routers
Encryption
Public key infrastructure (PKI)
Using Digital Signatures
Digital Signatures are a method used to authenticate documents. A hash is a number created by running the document through a hashing algorithm; the hash is then encrypted with the sender’s private key, and the result is the signature. A digital signature is not possible without a PKI. It provides Authentication of the Sender (the matching public key decrypts the hash and verifies it came from the sender’s private key), Nonrepudiation (guarantees it was sent from the sender), and Integrity (only the public key can decrypt the hash).
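As an added example (not from the course material), the two steps just described, hash the document and sign the hash with the sender’s private key, followed by verification with the public key, using Go’s standard library with a key pair generated on the spot in place of a PKI-issued one:

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// signDocument performs the two steps from the slide: hash the document with
// SHA-256, then encrypt (sign) the hash with the sender's private key.
func signDocument(priv *rsa.PrivateKey, doc []byte) ([]byte, error) {
	digest := sha256.Sum256(doc)
	return rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
}

// verifyDocument recomputes the hash of the received document and checks the
// signature with the sender's public key; true only if the matching private
// key signed exactly this content.
func verifyDocument(pub *rsa.PublicKey, doc, sig []byte) bool {
	digest := sha256.Sum256(doc)
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) == nil
}

func main() {
	// Constructed key pair standing in for a PKI-issued key. In practice the
	// public key is distributed in a certificate from a certification authority.
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	doc := []byte("Approve change request CR-0042 (constructed sample document)")
	sig, err := signDocument(priv, doc)
	if err != nil {
		panic(err)
	}
	pub := &priv.PublicKey
	fmt.Println("authentic document verifies:   ", verifyDocument(pub, doc, sig))
	// Integrity: a single changed character produces a different hash, so the
	// original signature no longer matches.
	tampered := []byte("Approve change request CR-0043 (constructed sample document)")
	fmt.Println("tampered document verifies:    ", verifyDocument(pub, tampered, sig))
	// Authentication: a signature made with someone else's private key is
	// rejected by the sender's public key.
	other, _ := rsa.GenerateKey(rand.Reader, 2048)
	otherSig, _ := signDocument(other, doc)
	fmt.Println("other key's signature verifies:", verifyDocument(pub, doc, otherSig))
}
```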
Physical Control Examples
Physical Controls protect the physical environment. They include:
Locked doors, guards, access logs, and closed-circuit television
Fire detection and suppression
Water detection
Temperature and humidity detection
Electrical grounding and circuit breakers
Locked doors, guards, CCTV
Fire detection and suppression
Water detection
Temperature and humidity detection
Electrical grounding and circuit breakers
Best Practices for Risk Mitigation Security Controls
Ensure the control is effective
Review controls in all areas
Review NIST SP 800-53 families
Redo a risk assessment if a control is changed
Summary
Identify procedural controls
Identify technical controls
Identify physical controls
Compare functional controls
Controls Perform Different Roles
Procedural
Technical
Physical