ISYS 0575-01 Information Security Management

profileEva Chan
InformationSecurityConcepts.pdf

Information Security Concepts

ISYS 0575

Objectives ● Review the CIA Triad ● Learn about risk, particularly security risk ● Understand the component parts that make up risk ● Learn about the interplay between the different components of risk ● Discuss the various risk treatment options ● Learn about basic controls ● Understand the different types of attacks

The Security Triad

Confidentiality Integrity

Availability

Security Concepts and Relationships

stakeholders

controls

vulnerabilities

assetsthreats

threat agents risk

value wish to minimize

impose

to reduce

that may be reduced by

that may possess

leading to

that increase to

wish to abuse and/or may damage

may be aware of

give rise to

that exploit

Source: ISO/IEC 27032:2012

Terms and Definitions Risk — The combination of probability of an event and impact. P x I = R

Threat — Anything that is capable of acting against an asset and causing harm.

Asset — Something of either tangible or intangible value that is worth protecting.

Vulnerability — A weakness that exposes the asset to adverse impact.

Inherent risk — The risk level without taking into account management actions to protect against the risk.

Residual Risk — The risk remaining after accounting for management risk response.

Security Concepts and Relationships

stakeholders

controls

vulnerabilities

assetsthreats

threat agents risk

value wish to minimize

impose

to reduce

that may be reduced by

that may possess

leading to

that increase to

wish to abuse and/or may damage

may be aware of

give rise to

that exploit

Source: ISO/IEC 27032:2012

Risk Frameworks COBIT 5 for Risk

ISO 27005:2011 Information Security Risk Management

NIST 800-30 Guide for Conducting Risk Assessments

NIST 800-39 Managing Information Security Risk

Risk Identification (Risk Scenarios) The development of risk scenarios from imagination or based on previous occurrences

Top-down is based on business goals

Bottom-up is based on specific events that are security related

Likelihood and Impact Likelihood = Probability

Absence of a known vulnerability doesn’t = 0 likelihood

A vulnerability doesn’t mean there is a threat

A vulnerability with no control and no management acceptance indicates a weakness in the overall program

How do we quantify likelihood and impact?

Approaches to Risk Subjective or objective?

Risk tolerance

Size and scope of the environment in question

How much data do you have available?

Risk versus issue

Approaches to Managing Security Risk Ad hoc — implement controls with no particular criteria.

Compliance-based — Implement the controls regardless of need.

Risk-based — design the controls based on identified risk.

Risk Treatment Avoidance means management decides not to engage in the activity that creates the risk.

Acceptance means management acknowledges the risk, but proceeds with the activity without taking any action.

Mitigation involves management implementing controls to reduce the risk.

Transference means that management lets another party take the risk.

Security Concepts and Relationships

stakeholders

controls

vulnerabilities

assetsthreats

threat agents risk

value wish to minimize

impose

to reduce

that may be reduced by

that may possess

leading to

that increase to

wish to abuse and/or may damage

may be aware of

give rise to

that exploit

Source: ISO/IEC 27032:2012

Threat Agents European Union Agency for Network and Information Security (ENISA) conducts ongoing evaluation of the threat landscape.

Common Agents:

● Corporations ● Criminals ● Terrorists ● Nation States ● Insiders ● Hactivists ● Script Kiddies

ENISA Threat Landscape

Security Concepts and Relationships

stakeholders

controls

vulnerabilities

assetsthreats

threat agents risk

value wish to minimize

impose

to reduce

that may be reduced by

that may possess

leading to

that increase to

wish to abuse and/or may damage

may be aware of

give rise to

that exploit

Source: ISO/IEC 27032:2012

Security Controls Types of controls

Preventative, Detective, Responsive

Administrative, Technical, Physical

Security Policy Policy hierarchy

Policy

Standards

Procedures

Guidelines

Attack Attributes Risk is potential activity, an attack is the occurence of a threat.

The asset is the attackers target.

Path to target is the attack vector.

Ingress is the focus of most attack analysis.

Egress or data exfiltration is the objective of some attackers.

An exploit is used to take advantage of a vulnerability.

General Attack Process

Recon

Weaponize

Deliver

Exploit

Control

Execute

AssetAgent

Maintain

Proactive Detection and Mitigation Containment and Incident Response

“Kill Chain”

Nonadversarial Threat Event Mishandling of critical information

Incorrect privilege

Fire, flood, hurricane, earthquake

Disk errors or other equipment failure

Malware Worm - Confiker - 9 Million PCs

Virus - I Love You

Trojan Horse - Zeus

Ransomeware - WannaCry

Root Kit - Sony BMG

Social Engineering Impersonation

Phishing (and spear phishing)

Other Attacks Advanced Persistent Threat (APT)

Web attacks

Brute force attacks

DoS Attacks