ISYS 0575-01 Information Security Management
Information Security Concepts
ISYS 0575
Objectives ● Review the CIA Triad ● Learn about risk, particularly security risk ● Understand the component parts that make up risk ● Learn about the interplay between the different components of risk ● Discuss the various risk treatment options ● Learn about basic controls ● Understand the different types of attacks
The Security Triad
Confidentiality Integrity
Availability
Security Concepts and Relationships
stakeholders
controls
vulnerabilities
assetsthreats
threat agents risk
value wish to minimize
impose
to reduce
that may be reduced by
that may possess
leading to
that increase to
wish to abuse and/or may damage
may be aware of
give rise to
that exploit
Source: ISO/IEC 27032:2012
Terms and Definitions Risk — The combination of probability of an event and impact. P x I = R
Threat — Anything that is capable of acting against an asset and causing harm.
Asset — Something of either tangible or intangible value that is worth protecting.
Vulnerability — A weakness that exposes the asset to adverse impact.
Inherent risk — The risk level without taking into account management actions to protect against the risk.
Residual Risk — The risk remaining after accounting for management risk response.
Security Concepts and Relationships
stakeholders
controls
vulnerabilities
assetsthreats
threat agents risk
value wish to minimize
impose
to reduce
that may be reduced by
that may possess
leading to
that increase to
wish to abuse and/or may damage
may be aware of
give rise to
that exploit
Source: ISO/IEC 27032:2012
Risk Frameworks COBIT 5 for Risk
ISO 27005:2011 Information Security Risk Management
NIST 800-30 Guide for Conducting Risk Assessments
NIST 800-39 Managing Information Security Risk
Risk Identification (Risk Scenarios) The development of risk scenarios from imagination or based on previous occurrences
Top-down is based on business goals
Bottom-up is based on specific events that are security related
Likelihood and Impact Likelihood = Probability
Absence of a known vulnerability doesn’t = 0 likelihood
A vulnerability doesn’t mean there is a threat
A vulnerability with no control and no management acceptance indicates a weakness in the overall program
How do we quantify likelihood and impact?
Approaches to Risk Subjective or objective?
Risk tolerance
Size and scope of the environment in question
How much data do you have available?
Risk versus issue
Approaches to Managing Security Risk Ad hoc — implement controls with no particular criteria.
Compliance-based — Implement the controls regardless of need.
Risk-based — design the controls based on identified risk.
Risk Treatment Avoidance means management decides not to engage in the activity that creates the risk.
Acceptance means management acknowledges the risk, but proceeds with the activity without taking any action.
Mitigation involves management implementing controls to reduce the risk.
Transference means that management lets another party take the risk.
Security Concepts and Relationships
stakeholders
controls
vulnerabilities
assetsthreats
threat agents risk
value wish to minimize
impose
to reduce
that may be reduced by
that may possess
leading to
that increase to
wish to abuse and/or may damage
may be aware of
give rise to
that exploit
Source: ISO/IEC 27032:2012
Threat Agents European Union Agency for Network and Information Security (ENISA) conducts ongoing evaluation of the threat landscape.
Common Agents:
● Corporations ● Criminals ● Terrorists ● Nation States ● Insiders ● Hactivists ● Script Kiddies
ENISA Threat Landscape
Security Concepts and Relationships
stakeholders
controls
vulnerabilities
assetsthreats
threat agents risk
value wish to minimize
impose
to reduce
that may be reduced by
that may possess
leading to
that increase to
wish to abuse and/or may damage
may be aware of
give rise to
that exploit
Source: ISO/IEC 27032:2012
Security Controls Types of controls
Preventative, Detective, Responsive
Administrative, Technical, Physical
Security Policy Policy hierarchy
Policy
Standards
Procedures
Guidelines
Attack Attributes Risk is potential activity, an attack is the occurence of a threat.
The asset is the attackers target.
Path to target is the attack vector.
Ingress is the focus of most attack analysis.
Egress or data exfiltration is the objective of some attackers.
An exploit is used to take advantage of a vulnerability.
General Attack Process
Recon
Weaponize
Deliver
Exploit
Control
Execute
AssetAgent
Maintain
Proactive Detection and Mitigation Containment and Incident Response
“Kill Chain”
Nonadversarial Threat Event Mishandling of critical information
Incorrect privilege
Fire, flood, hurricane, earthquake
Disk errors or other equipment failure
Malware Worm - Confiker - 9 Million PCs
Virus - I Love You
Trojan Horse - Zeus
Ransomeware - WannaCry
Root Kit - Sony BMG
Social Engineering Impersonation
Phishing (and spear phishing)
Other Attacks Advanced Persistent Threat (APT)
Web attacks
Brute force attacks
DoS Attacks