Defense In Depth Using NIST 800-30


This is a presentation I delivered to Western Connecticut State University's Information Assurance class on September 30, 2010.

  1. A Simple Strategy to Combat Many Security Issues
     Kevin M. Moker, CISSP-ISSMP, CISM, ACP
     Manager, Information Security Risk Management Services
  2. Topics covered:
     - What is Risk Management
     - What is Defense In Depth
     - Questions & Answer Session
  3. What is Risk?
     - Risk is the potential loss from a threat-source attacking a vulnerability.
     - Example: Joe Cracker (threat-source) knows that an online banking company has not patched (vulnerability) their backend databases. Joe Cracker exploits (loss) the system and steals money.
  4. Target Audience
     - Senior Management
     - Middle Management
     - Technology Management
  5. Risk Integration into the SDLC
     - Risk Assessment: identifying risk
     - Risk Mitigation: figuring out how to control the risk
     - Controls Evaluation: control recommendations – what should be used to control the risk
  6. Systems Development Life-Cycle (SDLC)
     Normal phases of the SDLC:
     - Initiation
     - Build or Acquire
     - Implementation
     - Operation and Maintenance
     - Disposal or End-of-Life
  7. Phase 1 – Initiation
     - Phase Characteristics: The need for an IT system is expressed and the purpose and scope of the IT system is documented.
     - Support from Risk Management Activities: Identified risks are used to support the development of the system requirements, including security requirements, and a security concept of operations (strategy).
  8. Phase 2 – Build or Acquire
     - Phase Characteristics: The IT system is designed, purchased, programmed, developed, or otherwise constructed.
     - Support from Risk Management Activities: The risks identified during this phase can be used to support the security analyses of the IT system that may lead to architecture and design tradeoffs during system development.
  9. Phase 3 – Implementation
     - Phase Characteristics: The system security features should be configured, enabled, tested, and verified.
     - Support from Risk Management Activities: The risk management process supports the assessment of the system implementation against its requirements and within its modeled operational environment. Decisions regarding risks identified must be made prior to system operation.
  10. Phase 4 – Operation & Maintenance
      - Phase Characteristics: The system performs its functions. Typically the system is being modified on an ongoing basis through the addition of hardware and software and by changes to organizational processes, policies, and procedures.
      - Support from Risk Management Activities: Risk management activities are performed for periodic system reauthorization or whenever major changes are made to an IT system in its operational, production environment (e.g., new system interfaces).
  11. Phase 5 – Disposal or End-of-Life
      - Phase Characteristics: This phase may involve the disposition of information, hardware, and software. Activities may include moving, archiving, discarding, or destroying information and sanitizing the hardware and software.
      - Support from Risk Management Activities: Risk management activities are performed for system components that will be disposed of or replaced to ensure that the hardware and software are properly disposed of, that residual data is appropriately handled, and that system migration is conducted in a secure and systematic manner.
  12. Risk is a function of the likelihood of a given threat-source’s exercising a particular potential vulnerability, and the resulting impact of that adverse event on the organization.
  13. The nine risk assessment steps:
      - Step 1: System Characterization
      - Step 2: Threat Identification
      - Step 3: Vulnerability Identification
      - Step 4: Control Analysis
      - Step 5: Likelihood Determination
      - Step 6: Impact Analysis
      - Step 7: Risk Determination
      - Step 8: Control Recommendation
      - Step 9: Results Documentation
  14. System Characterization
      - Inputs
        - What type of hardware will be used?
        - What software will be used?
        - What other software will this software “talk” to or interface with?
        - What type of data/information will be housed in the software?
        - Who will use this software/hardware?
        - What’s the mission of this software/hardware?
      - Outputs
        - Scope: what the software will include and not include
        - Function: what business process the software will support
        - Data Criticality: the importance of the information
        - Data Sensitivity: the sensitivity of the information
  15. Threat Identification
      - Inputs
        - Is there a history of system attacks?
        - Is there an incident database to leverage?
        - Is there any data from media sources or government sources?
        - Are there known threat areas from known popular software sources? (e.g., Microsoft)
      - Outputs
        - General threat statements. E.g., Windows 7 has 120 known threats. Media sources indicate that 4 of the known threats have zero-day exploits. Furthermore, internal incident management databases have revealed a malicious code outbreak.
  16. Vulnerability Identification
      - Inputs
        - Are there any vulnerabilities discovered from past risk assessments?
        - Are there any audit reports that reveal potential vulnerabilities?
        - What are the security requirements for the proposed software? (e.g., access control, encryption)
        - Did the security test results reveal any potential vulnerabilities?
      - Outputs
        - List of potential vulnerabilities (e.g., weak access control system, 56 bit DES encryption used)
  17. Control Analysis
      - Inputs
        - What are the current controls for the software compared to the internal policy controls?
        - What are the planned controls for those controls not adequately documented in current policy?
      - Outputs
        - List of current controls
        - List of planned controls
  18. Likelihood Determination
      - Inputs
        - What would be the motivation for a malicious person to attack this software?
        - What is the capacity of the malicious actor? E.g., time, money, support
        - How easy is it to exploit the vulnerability? E.g., ease of exploiting the vulnerability
      - Outputs
        - Likelihood rating: High Risk, Moderate Risk, Low Risk
  19. Impact Analysis
      - Inputs
        - Is there a business continuity plan that discusses the mission impact analysis?
        - Is there an asset criticality documented in the business continuity plan?
        - What is the data criticality?
        - What is the data sensitivity?
      - Outputs
        - Impact rating: High Impact, Moderate Impact, Low Impact
  20. Risk Determination
      - Inputs
        - What is the likelihood of the threat exploitation?
        - If the threat did exploit the vulnerability, what would be the impact?
        - Are the current controls adequate (tested by audit or self-assessment)?
      - Outputs
        - List of risks and associated risk levels
  21. Control Recommendations
      - Recommended controls, e.g., encryption, strong password controls
  22. Results Documentation
      - Risk Assessment Report
  23. Let’s look at a practical approach of how to implement this “stuff”.
  24. Let’s explore the defense-in-depth strategy to understand where risk should be addressed.
  25. Information Security/Assurance is a tricky game. It is by no means perfect and you can NEVER reduce risk to zero. This Defense-In-Depth strategy will help an organization reduce risk to an acceptable level if management is committed to the strategy.
  26. Crucial for any Information Security Program; necessary in most of today’s markets. Being compliant does not mean secure; being secure does not mean compliant.
  27. Information Security Policies; Staff Responsibility Definitions (RACI); Security Standards and Guidelines; Security Training; Awareness Communications; Policy Enforcement; Security Monitoring Tools (Physical & Logical)
  28. Vendor Management; Penetration Testing; Vulnerability Scanning; Access Control Management
  29. Data Center Hardening; Physical Access Control Management; Critical Building Hardening (non-data center); Internal Physical Security Officers; Hostile Environment Prevention Program; External Media Protection Program; Paper-based Protection Program
  30. Network Intrusion Prevention Program; Virtual Networks; Physical Compartmentalizing; Penetration Testing; Access Control Management
  31. Patch Management Program; Access Control Management; Internal Scanning Program; Encryption
  32. Code Review Program; Information Security Readiness Review; Penetration Testing Program; Vulnerability Testing Program
  33. Data Classification; User Access; Encryption
  34. This is not a perfect process. Information Security mixes science and art. Risk management and defense in depth are part science and part art. The goal is to try to reduce the impacts and likelihood of certain threats. Things WILL happen, but this program will make the best effort to minimize threats and impacts.
  35. What did you get from this presentation? Do you think that this information is useful? Do you think you could apply this to your life and not just systems?
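As an added example (not part of the presentation), here is how Steps 5 through 7 combine into a risk determination and feed the Step 9 report, using the likelihood and impact weights and the risk-scale thresholds of the risk-level matrix in NIST SP 800-30 (2002), Table 3-7. The sample findings, their ratings and the suggested controls are constructed from the slides' own examples, and the report layout is an assumed shape for the Risk Assessment Report.

```python
from dataclasses import dataclass

# Weights from NIST SP 800-30 (2002) Table 3-7; likelihood is scaled by 10 (1.0/0.5/0.1 -> 10/5/1)
# so the product stays exact. The slides' "Moderate" is the rating NIST labels "Medium".
LIKELIHOOD_X10 = {"High": 10, "Moderate": 5, "Low": 1}
IMPACT = {"High": 100, "Moderate": 50, "Low": 10}

@dataclass
class Finding:
    """One assessment row: outputs of Steps 2, 3, 5, 6 and 8 for a single vulnerability."""
    vulnerability: str
    threat_source: str
    likelihood: str   # Step 5 rating: High / Moderate / Low
    impact: str       # Step 6 rating: High / Moderate / Low
    control: str      # Step 8 recommended control (constructed suggestion)

def risk_score(likelihood: str, impact: str) -> float:
    """Likelihood weight x impact weight on the 1..100 scale of Table 3-7."""
    return LIKELIHOOD_X10[likelihood] * IMPACT[impact] / 10

def risk_level(score: float) -> str:
    """Step 7: >50 is High, >10 is Moderate, 1..10 is Low (Table 3-7 risk scale)."""
    if score > 50:
        return "High"
    if score > 10:
        return "Moderate"
    return "Low"

def determine_risk(findings: list[Finding]) -> list[dict]:
    """Step 7 output: each risk with its score and level, highest risk first."""
    rows = []
    for f in findings:
        score = risk_score(f.likelihood, f.impact)
        rows.append({"vulnerability": f.vulnerability, "threat_source": f.threat_source,
                     "score": score, "level": risk_level(score), "control": f.control})
    return sorted(rows, key=lambda r: r["score"], reverse=True)

def results_report(findings: list[Finding]) -> str:
    """Step 9: the risk assessment report as a plain-text table (assumed layout)."""
    lines = [f"{'Vulnerability':<28} {'Score':>5} {'Level':<8} Recommended control"]
    for r in determine_risk(findings):
        lines.append(f"{r['vulnerability']:<28} {r['score']:>5.0f} {r['level']:<8} {r['control']}")
    return "\n".join(lines)

# Constructed sample findings, built from the examples the slides themselves use.
SAMPLE = [
    Finding("56 bit DES encryption used", "Joe Cracker (external attacker)", "High", "High", "Replace DES with current encryption"),
    Finding("Weak access control system", "Malicious insider", "Moderate", "Moderate", "Strong password controls"),
    Finding("Unpatched backend database", "Malicious code outbreak", "Low", "High", "Patch management program"),
]
```

Note the boundary case in the third finding: a Low likelihood against a High impact scores exactly 10, which the Table 3-7 scale still places in the Low band, so the comparison must be strict.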