Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

System Security Threats and Risks)


Published on

This document is a guide for the detailed development, selection implementation of information system and program level procedures to indicate the execution, effectiveness, and impact of security controls along with and other security associated activities.

Published in: Technology
  • Be the first to comment

  • Be the first to like this

System Security Threats and Risks)

  1. 1. INFORMATION ASSURANCE METRICS System Security Threats And Risks Cleveland China Brian Palmer Ervin Kelly April 20, 2010 IFSM 485 Seth J. Hudak Page 1 of 36 4/20/2010 China/Kelly/Palmer
  2. 2. INFORMATION ASSURANCE METRICS Table of Contents 1. Introduction 1.1 System Security Threats and Risk Scope and objective This document is a guide for the detailed development, selection implementation of information system and program level procedures to indicate the execution, effectiveness, and impact of security controls along with and other security associated activities. Mell, Kent, & Nusbaum (2005) acknowledged certain guiding principles on how an organization, through the use of procedures, identifies the capability of security controls, policies, and procedures currently existing in an organization. It provides tools to help management choose where to devote additional information security resources, recognize and assess nonproductive security controls, and prioritize security controls for constant monitoring. This publication is proposed to assist organizations in understanding the threats posed by malware and alleviate the risks related to malware incidents. This manuscript will provides additionally background information on the major categories of malware, practical real world assistance on preventing malware incidents and responding to malware incidents in an effective, efficient manner (Mell, Kent, & Nusbaum, 2005). Page 2 of 36 4/20/2010 China/Kelly/Palmer
  3. 3. INFORMATION ASSURANCE METRICS 2. Definition of Information Assurance Protecting data and the platforms that accommodate it is becoming one of the most important technical jobs in many major corporations. Information assurance (IA) is the technical discipline of data protection. Keeping information and its warehousing safe are a part of general information security, which includes forecasting future dangers and preparing offensively for any possible risks that are detected. The most important factor of information assurance is keeping privileged and proprietary information out of the hands of the public. The second priority of information assurance is keeping information platforms safe from intrusions that could potentially dismantle warehousing, endangering or causing the loss of vital information. Information assurance involves protection against anyone attempting to harm the information itself as well as information storage systems, viruses, and other coded programs created by hackers to wipe out data and the storage facilities for data. Securing information must be in accordance with government standards and also “smart” and progressive enough to keep up with the changing demands coupled with handling the frequently growing viruses and malware that destroy data that is not appropriately protected. Information assurance also involves the reconstituting of data and its housing after it has been compromised. This means refurbishing, rehousing, and re-securing data as well as reestablishing the list of those with authorized access and assigning new login names and pass codes for all authorized parties (Encyclopedia of Management, 2009). 2.1.1 System Assurance Page 3 of 36 4/20/2010 China/Kelly/Palmer
  4. 4. INFORMATION ASSURANCE METRICS As stated by Liles & Kamali (2006), “Systems assurance is the practice of hardening operating systems from identified threats, analyzing and auditing hardware and devices for identified threats, and remediating the devices and computing platforms within the enterprise (Maconachy, 2001). For instance, proper configuration and defensive strategies employed for protecting a network and specifically a router would be considered systems assurance.” (Liles & Kamali, 2006, p. 3). System assurance includes making sure each user’s accounts are active and appropriately used with permissions inside of the enterprise. Table 1 Systems Assurance Courses Systems Assurance Courses Fundamentals of Information Assurance: This course covers security mechanisms, fundamental aspects, operational issues, policy, attacks, security domains, forensics, information states, security services, threat analysis, vulnerabilities, and other topics. Systems Assurance: This course covers the implementation of systems assurance with computing systems. Topics include confidentiality, integrity, authentication, non-repudiation, intrusion detection, physical security, and encryption. Extensive laboratory exercises are assigned. Assured Systems Design and Implementation: This course covers the design and implementation of assured systems in an enterprise environment. Topics include hardening of operating systems, choice of platforms, design criteria within the assured systems domain. Extensive laboratory exercises are assigned. Computer Forensics: This course covers the techniques used in the forensic analysis of computerized systems for gathering evidence to detail how a system has been exploited or used. Extensive laboratory exercises are assigned. (Liles & Kamali, 2006, p. 385) 2.1.2 Software Assurance Page 4 of 36 4/20/2010 China/Kelly/Palmer
  5. 5. INFORMATION ASSURANCE METRICS After further observation, Liles & Kamali (2006) identified that software assurance is an assortment of secondary disciplines combined into practice. “Software assurance is the practice of requirements gathering, secure coding, testing, auditing, and implementation of software in the enterprise protecting against known vulnerabilities. Software assurance involves the preparation of source codes such that recognized vulnerabilities are excluded from the product. Additionally software assurance concerns preparing strong source codes so that unidentified vulnerabilities generate protected failure conditions (Software, 1992). Preparation includes auditing commercial off the shelf software (COTS), or free open source software (F/OSS) being implemented within the enterprise, or third party prepared and/or contracted source codes. Software assurance includes normally related computer science topics such as Software Engineering (SE), Software Quality Assurance (SQA), Highly Assured Computing (HAC), Capability Maturity Model (CMM), and other development lifecycle issues. Software assurance elements include field crossing topics such as end of life cycle, maintenance, retirement, reusability, and inheritance variation strategies. Software assurance definitively includes practice oriented computing concepts including secure coding, threat modeling, vulnerability analysis, execution, auditing, and defensive incorporation of software within the enterprise” (Liles & Kamali, 2006, p. 3). Table 2 Software Assurance Courses Software Assurance Courses Programming Fundamentals: This course covers fundamental data structures, fundamental programming constructs, objectoriented programming, algorithms and problem-solving, event-driven programming, recursion, and other topics. Advanced Programming: This course covers advanced topics in programming languages, GUI development, threaded applications, components, testing and debugging methods and advanced topics in event-driven and object oriented programming techniques. Extensive laboratory exercises are assigned. Page 5 of 36 4/20/2010 China/Kelly/Palmer
  6. 6. INFORMATION ASSURANCE METRICS Software Assurance: This course covers defensive programming techniques, bounds analysis, error handling, advanced testing techniques, detailed code auditing, and software specification in a trusted assured environment. Extensive laboratory exercises are assigned. (Liles & Kamali, 2006, p. 386) 2.1.3 Operations Assurance Operations assurance advocates the components of physical security and operational characteristics found in an organized information technology organization (Software,1999). The scope of operational assurance involves concepts of physical security, data center design, and legal and procedural reporting. Items of extreme concern to the enterprise would be found here, which includes disaster recovery and planning. Business continuity and risk analysis are threads of knowledge that run through the area of operations assurance. Within operations assurance one would find for example the implications of the Health Insurance Portability and accountability Act (HIPPA), Digital Millennium Copyright Act (DMCA), or the concepts of physical security. Ironically, items frequently ignored as part of information assurance would be the concept of backup and recovery testing procedures, insurance, and other litigation aspects of operations. Defining, categorizing, and applying financial loss expectation documents to management of an enterprise are a valuable skill in operations assurance (Liles & Kamali, 2006). Table 3 Operations Assurance Courses Operations Assurance Courses Ethical and Legal Issues of IT: This course covers professional communications, social context of computing, teamwork concepts and issues, intellectual properties, legal issues in computing, organization context, professional and ethical issues, responsibilities, privacy and civil liberties, and other topics. Disaster recovery and planning: This course covers risk management and business continuity. Topics include disaster recovery strategies, mitigation strategies, risk analysis, and development of contingency plans for unexpected outages and component failures. Extensive laboratory exercises are assigned. Page 6 of 36 4/20/2010 China/Kelly/Palmer
  7. 7. INFORMATION ASSURANCE METRICS Information Assurance Risk Assessment: This course covers industry and government requirements and guidelines for information assurance and auditing of computing systems. Topics include risk assessment and implementation of standardized requirements and guidelines. (Liles & Kamali, 2006, p. 386) 2.2 FIVE PILLARS OF INFORMATION ASSURANCE According to the Central Security Service, successful information assurance can be broken down into five pillars; the five pillars are availability, integrity, authentication, confidentiality, and nonrepudiation. The five pillars formulate specific information assurance policy that ensures the maximum level of success for commercial entities that relate it to their day to day business operations. “The five pillars are used by the United States government for their information assurance; the five pillars receive different amounts of use depending on the type of threat in play. The same is true for any company that uses the five pillars for the protection of information. Additionally, each company has different needs for security; each company’s needs are based on industry, size, reputation, Internet presence, and other factors. Those most widely used of the five pillars involve the education of personnel, the use of encryption, the implementation of the most up-to-date information technologies, and the use of some form of alarm system with the ability to warn personnel of an intrusion” (Encyclopedia of Management, 2009, p. 383-385). 2.3 ROLES AND RESPONSIBILITIES Roles and responsibilities for developing and implementing information security measures must be adhered to for organizational success. Information security is one of the Page 7 of 36 4/20/2010 China/Kelly/Palmer
  8. 8. INFORMATION ASSURANCE METRICS primary duties of every affiliate belonging to the organization, it is important that all members be aware of their roles and responsibilities across the entire operation (Chew et al., 2008). 2.3.1 Agency Head The Agency Head has various responsibilities related to information security measures. The Agency Head ensures that information security measures are used in support of agency’s strategic and operation planning process to secure the organization’s mission. Additionally, the Agency Head is responsible for making sure information security measures are incorporated into annual reports on the effectiveness of agency information security program by the Chief Information Officer (CIO). The Agency Head supports information security measure development and implementation, and communicates official support to the agency. They also ensure that information security measurement activities have adequate financial and human resources for success; actively promote information security measurement as an essential facilitator of information security performance improvement throughout the agency; and approve policies to officially institute measures collection (Chew et al., 2008). 2.3.2 Chief Information Officer The Chief Information Officer (CIO) is responsible for using information security measures to assist in monitoring compliance with applicable information security requirements. The CIO uses information security measures in annual reports on effectiveness of the agency information security program to the agency head. The CIO is committed to the responsibilities of assessing information security procedures that support policies routinely. Some other areas of concern for the CIO will be: 1 Properly marketing the value for using information security measures to monitor the overall health of the information security program and to conform to related regulations Page 8 of 36 4/20/2010 China/Kelly/Palmer
  9. 9. INFORMATION ASSURANCE METRICS 2 Making certain that information security programs are established and put into practice 3 Assign sufficient monetary and human resources to the information security measurement program 4 Review resource allocation, and evaluate the information security program position and operational risks to agency information systems 5 Give information security training to staff alone with other duties (Chew et al., 2008). 2.3.3 Program Manager/Information System Owner As stated by Chew et al. (2008) “Program managers, as well as information system owners, are responsible for ensuring that proper security controls are in place to address the confidentiality, integrity, and availability of information and information systems. The program manager/information system owner has the following responsibilities related to information security measurement: 1 Participating in information security measurement program development and implementation by providing feedback on the feasibility of data collection and identifying data sources and repositories; 2 Educating staff on the development, collection, analysis, and reporting of information security measures and how it will affect information security policy, requirements, resource allocation, and budget decisions; Page 9 of 36 4/20/2010 China/Kelly/Palmer
  10. 10. INFORMATION ASSURANCE METRICS 3 Ensuring that measurement data is collected consistently and accurately and is provided to designated staff who are analyzing and reporting the data; 4 Directing full participation and cooperation of staff, when required; 5 Reviewing information security measures data regularly and using it for policy, resource allocation, and budget decisions; and 6 Supporting implementation of corrective actions, identified through measuring information security performance” (Chew et al., 2008, p. 8). 2.3.4 Information System Security Officer Acknowledging the significant duties, Chew et al. (2008) recognized “The Information System Security Officer (ISSO) has the following responsibilities related to information security measurement: 1 Participating in information security measurement program development and implementation by providing feedback on feasibility of data collection and identifying data sources and repositories; 2 Collecting data or providing measurement data to designated staff that are collecting, analyzing, and reporting the data” (Chew et al., 2008, p. 8). 2.3.5 Other Related Roles Information security measurement may require inputs from a variety of organizational personnel components or stakeholders, including incident response, information technology Page 10 of 36 4/20/2010 China/Kelly/Palmer
  11. 11. INFORMATION ASSURANCE METRICS operations, privacy, enterprise architecture, human resources, physical security, and others (Chew et al., 2008). 3. Identify Malware Categories Many organizations face threats everyday with or without warnings from the security controls set in place. The task of preventing potential attacks is getting difficult as attackers continue to find ways to bypass an organization’s security. There are different types of malware that an organization could face when protecting its information assets. However, this section of the document will focus on worms, rootkits, botnets, and denial of service/distributed denial of service (DoS/DDoS). 3.1.1 Worms “Worms are self-replicating programs that are completely self-contained, allowing it not to require a host program to infect an information system. Unlike viruses, worms also are selfpropagating, thus creating fully functional copies and executing themselves without user intervention. This has made worms increasingly popular with attackers, because a worm has the potential to infect many more systems in a short period of time than a virus can. Worms take advantage of known vulnerabilities and configuration weaknesses, such as unsecured Windows shares. Although some worms are intended mainly to waste system and network resources, many worms damage systems by installing backdoors, perform distributed denial of service (DDoS) attacks against other hosts, or perform other malicious acts. The two primary categories of worms are network service worms and mass mailing worms” (Mell, Kent, & Nusbaum, 2005, p. 17-18). Page 11 of 36 4/20/2010 China/Kelly/Palmer
  12. 12. INFORMATION ASSURANCE METRICS “Network service worms spread by exploiting vulnerability in a network service associated with an operating system (OS) or an application. Once a worm infects a system, it typically uses that system to scan for other systems running the targeted service and then attempts to infect those systems as well. Because they act completely without human intervention, network service worms can typically propagate more quickly than other forms of malware. The rapid spread of worms and the intensive scanning they often perform to identify new targets often overwhelm networks and security systems (e.g., network intrusion detection sensors), as well as infected systems” (Mell, Kent, & Nusbaum, 2005, p. 18). “Mass mailing worms are similar to e-mail-borne viruses, however mass mailing worms are self-contained instead of infecting an existing file as e-mail-borne viruses do. Once a mass mailing worm has infected a system, it typically searches the system for e-mail addresses and then sends copies of itself to those addresses, using either the system’s e-mail client or a selfcontained mailer built into the worm itself. A mass mailing worm typically sends a single copy of itself to multiple recipients at once. Besides overwhelming e-mail servers and networks with massive volumes of e-mails, mass mailing worms often cause serious performance issues for infected systems” (Mell, Kent, & Nusbaum, 2005, p. 18). 3.1.2 Rootkits According to the United States Computer Emergency Readiness Team (US-CERT), a rootkit “is a piece of software that can be installed and hidden on your computer without your knowledge. Attackers may be able to access information, monitor your actions, modify programs, or perform other functions on your computer without being detected” (McDowell, 2008, p. 1). If a rootkit has been installed, an organization may not be aware that their information system(s) has been compromised, and traditional anti-virus software may not be able Page 12 of 36 4/20/2010 China/Kelly/Palmer
  13. 13. INFORMATION ASSURANCE METRICS to detect the malicious programs. Attackers are also creating more sophisticated programs that update themselves so that they are even harder to detect (McDowell, 2008). 3.1.3 Botnets Botnets are computers that are able to be controlled by one, or many, outside sources. “An attacker usually gains control by infecting the computers with a virus or other malicious code that gives the attacker access”(McDowell, 2008, p. 1). An organization’s information systems may be part of a botnet even though it appears to be operating normally. Botnets are often used to conduct a range of activities, from distributing spam and viruses to conducting denial-of-service attacks (McDowell, 2008). 3.1.4 DoS/DDoS A distributed denial-of-service attack (DDos) occurs when an attacker uses many computers to flood a network and/or attack another computer. He or she could then force your computer to send huge amounts of data to a website or send spam to particular email addresses. The attack is "distributed" because the attacker is using multiple computers to launch the denialof-service attack. However, the following symptoms could indicate a DDoS attack: 1 unusually slow network performance (opening files or accessing websites) 2 unavailability of a particular website 3 inability to access any website 4 dramatic increase in the amount of spam you receive in your account (McDowell, 2009). Page 13 of 36 4/20/2010 China/Kelly/Palmer
  14. 14. INFORMATION ASSURANCE METRICS When a DDoS attack is launced against an organization, business operations can cease from a few hours to a few days depending on how bad the attack is. The DDos can flood the network causing all network services to become unavailable. For example, organizations whom are in the e-commerce market can lose consumers because their website is not available. As a result, the organization loses out on revenue generated by everyday consumers. The risk of bad publicity can also occur if the organization does not resolve the issue quickly. 3.2 Potential Impacts from Vulnerabilities Organizations tend to focus more on outside threats than inside threats. In reality, the insider threat should be equally taken into consideration as well because there may be a risk of malicious employees attempting to perform suspicious activities on the network. There has been a realization that “the insider and outsider threats are merging as outsiders are more and more easily penetrating the security perimeters and becoming “insiders” (Gilligan, 2009, p. 5). Specific controls such as network segmentation, control of administrative rights, enforcement of need to know, data leakage protection, and effective incident response all directly address the key ways that insider threats can be mitigated. The controls implemented to limit unauthorized access within the organization work effectively to mitigate both insider and outsider threats. It is important to note that these controls are meant to deal with multiple types of attacks, including but not limited to malicious internal employees and contractors, independent individual external actors, organized crime groups, terrorists, and nation state actors, as well a combination of these different threats (Gilligan, 2009). As Gilligan (2009) states, “these controls are not limited to blocking only the initial compromise of systems, but also address detecting already‐ compromised machines, and preventing or disrupting attacker’s actions” (Gilligan, 2009, p. 6). The defenses identified through these controls deal with decreasing the initial attack surface Page 14 of 36 4/20/2010 China/Kelly/Palmer
  15. 15. INFORMATION ASSURANCE METRICS through improving architectures and hardening security, identifying already‐compromised machines to address long‐term threats inside an organization’s network, controlling users’ privileges on systems, and disrupting attackers’ command‐and‐control of implanted malicious code (Gilligan, 2009). The Figure below illustrates the scope of different kinds of attacker activities that these controls are designed to help thwart. (Gilligan, 2009, p. 6) The rings represent the actions attackers may take against target information systems. These actions include initially compromising an information system by exploiting one or more vulnerabilities (i.e., “Getting In”). Attackers can then maintain long‐term access on a system, often by creating accounts, subverting existing accounts, or altering the software on the computer to include backdoors and rootkits (i.e., “Staying In”). Attackers with access to information systems can also cause damage, which could include stealing, altering, or destroying information; impairing the system’s functionality to jeopardize its business effectiveness or mission; or using it as a jump‐off point for compromise of other systems in the environment (i.e. Page 15 of 36 4/20/2010 China/Kelly/Palmer
  16. 16. INFORMATION ASSURANCE METRICS “Acting”). Where these rings overlap, illustrates attackers having more ability to compromise sensitive information or cause damage. Outside of each set of rings in the figure, various defensive strategies are presented to help limit the abilities of attackers (Gilligan, 2009). 3.3 Threats associated with Information Security This section of the paper identifies the goals and major threats that are associated with information security. Jesan (2006) acknowledged that, “information is one of the very important assets in almost all organizations” (Jesan, 2006, p. 1). Information security is just as valuable and noteworthy as is information. The main goals of Information Security are to protect the confidentiality, integrity and availability of the information that its processes and handles within a network system. Once the networks infrastructure is connected to the internet, the information that is acquitted and processed, it becomes a potential target for cyber attacks (Jesan, 2006). Organizations and business have spent billions of dollar as a preventive measure to save the lost of value and sensitive information. Security threats and breaches remain high as a potential danger to a network infrastructure. Consequently, businesses and organizations make uses of various techniques and methods to prevent the saboteur or tampering against their networking system. Some organizations utilize a self-hacking-audit tool to eliminate any possible threats that may be of harm to their networking system. The following threats have been identified to eliminate any possible compromise or accidental lost of information that is considered dangerous to any networking system, they are: 3.3.1 Hacking Hacking is considered be nothing more than a people gaining access to a computer system without the knowledge of its owner. Once an individual gain access to a target computer Page 16 of 36 4/20/2010 China/Kelly/Palmer
  17. 17. INFORMATION ASSURANCE METRICS system, sensitive and private information can be compromise and used to destroy or damage an individual identity. Hackers target eCommerence, banks and others websites that contains valuable information on an individual. Although, some hackers utilize their talent for fun, others focus on finding ways to penetrate a network by exposing their vulnerability and weakness within the infrastructure. Hackers used a variety of malicious code and viruses to find loop holes and unsecured terminals to achieve their objective (Jesan, 2006). 3.3.2 Viruses and Worms Viruses and Worms are computer programs which are released inside a computer with the sole intend to destroy or damage the equipment. Although both program are used for the same propose, their function are totally different. Both programs have the ability to replicate itself, but when they are activated on a computer network, the virus need a carrier to travel on the network to work correctly, whereas the worm has the ability to travel throughout the network without any assistance. As per Trendmicro, a total of 400 new viruses are created each month and over 60,000 viruses have been identified which spread very quickly to destroy an organization computer infrastructural (Jesan, 2006). 3.3.3 Trojan Horse Trojan Horse is a very dangerous program if manage by the wrong person. This program is a function that is used by system administrators’ to control work-station remotely. There are two components to the system administrator’s job: One program runs the clients function and the other runs as a server. This is one unique tool in which a hacker used to gain control of a network system. If a hacker gain control of this type of activity, they have the ability to monitor all transmitting data that are transmitted over a corporation network (Jesan, 2006). 3.3.4 Spoofing Page 17 of 36 4/20/2010 China/Kelly/Palmer
  18. 18. INFORMATION ASSURANCE METRICS Spoofing is the ability to deceive other computer users about the sources information being provided is actually coming form a legitimate user. Spoofing has been divided into three type spoofing technique used to prevent this type of action from happen. The following three spoofing type is: 1. IP Spoofing is the ability to changes the source-address of an IP packet, so that it identifies the sources address as a legitimate address, and not an address of a hacker. The function of an IP spoofing is to authenticate the original message to prevent a disruption within the network (Jesan, 2006). 2. DNS Spoofing utilizes a different technique of directing users to a different website for the purpose of collecting personal information. DNS spoofing control the main domain, where names and IP addresses are created. This process is very dangerous, because it gives a hacker access to the entire domain database, which creates a living nightmare for customers that has sensitive information stored (Jesan, 2006). 3. ARP(Address Resolution Protocol) Spoofing maintain the table of MAC address of the entire computer install on an organization network. All information that comes to the ARP is directly delivered to the computer based on the mapping available on the ARP’s table. This process updates all information that is transmitted to the ARP’s table, whereby hackers can update and steal IP address (Jesan, 2006). 3.3.5 Sniffing Sniffing is the procedure used to confirm that all packets of a message pass safely through the network. This technique was first used to fix network problems. Hackers Page 18 of 36 4/20/2010 China/Kelly/Palmer
  19. 19. INFORMATION ASSURANCE METRICS utilize this method to scan login IDs and passwords transmitted over the wire. Any data obtained during this process become valuable to the hacker during their attacks on the network system. To avoid sniffing attack, it is suggested that all the data transmitted over the network be encrypted for safety reason (Jesan, 2006). 3.4 Information Security Challenges The securities surrounding protecting sensitive information within an organization are careful measure as a big challenge for a security officer. Chew et al. (2008) identified certain security measures that are very beneficial to an organization. Chew recognized that gathering information successfully depends on the construction of the security plan within the unit. An existence program maturity when the organization follows all policies and procedures that have been implemented in the organization. As policies become more detailed, it is imperative that the policies become more standardized and implemented at all level of the organization. The challenges that information security faces depends on the goals and objectives that are set forth by upper-management within the organization. Each goal and objective must be fully understood and enforced at all level to be effective. Standard policies and procedures must be well documented, posted and addressed throughout the entire agency. During the implementation phase of the informational security awareness program, each challenge must be fully addressed with a resolvable solution before moving to the next phase. To overcome any challenges of an information security goal, management must establish an effective tracking system mechanism to document and quantify various aspects of the information security performance. In order for this program to be effective, each phase of the program must show mature progress and the measurement of each phase must be evaluated as an improved Page 19 of 36 4/20/2010 China/Kelly/Palmer
  20. 20. INFORMATION ASSURANCE METRICS performance. The following illustration shows a progression of an information security program (Chew et al., 2008). (Chew, et al., 2008, p. 12) 3.5 Risk Managing As security controls are implemented for an information system, concern risk and vulnerability becomes a major factor involving management at all level. Ross et al., (2007) recommended the significant elements used to manage an organization’s information security program are to provide the organization with an effective framework for selecting the appropriate security controls for an information system. Network enterprise are encourage to follow security controls such as Executive Orders, policies, regulations, directives, standards and applicable laws must be adhered to and strictly enforced. To be effective, one can apply the Page 20 of 36 4/20/2010 China/Kelly/Palmer
  21. 21. INFORMATION ASSURANCE METRICS context of the system development life cycle and the Federal Enterprise Architecture to both legacy and new information system. Listed below is a listed of the components and related activities that are associated in managing any potential risk within an organization, also known as the NIST Risk Management Framework (Ross et al., 2007). 1 “Categorize – the information systems and the information resident within that system based on FIPS 199 impact analysis. 2 Select – an initial set of security controls for the information system based on the FIPS 199 security categorization and the minimum security requirements defined in FIPS 200. 3 Supplement – the initial set of tailored security controls based on an assessment of risk and local conditions including organization-specific security requirement, specific threat information, cost-benefit analyses, or special circumstances. 4 Document – the agreed-upon set of security controls in the system security plan including the organization’s rationale for any refinements or adjustments to the initial set of controls. 5 Implement – the security controls in the information system. For legacy systems, some or all of the security controls selected may already be in place. 6 Assess – the security controls using appropriate methods and procedures to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system. Page 21 of 36 4/20/2010 China/Kelly/Palmer
  22. 22. INFORMATION ASSURANCE METRICS 7 Authorize – information system operation based upon a determination of the risk to organizational operations, organizational assets, or to individuals resulting from the operation of the information system and the decision that this risk is acceptable. 8 Monitor and assess selected security controls in the information system on a continuous basis including documenting changes to the system, conducting security impact analyses of the associated changes, and reporting the security status of the system to appropriate organizational officials on a regular basis” (Ross et al., 2007, p. 24-23). 3.6 Security Metrics The groundwork of powerful senior level executive support is necessary for the success of the security program and others such as for the performance of a security metrics program. The support launches a focal point on security inside the highest levels of the organization. Without a steady platform the success of the security metrics program can collapse when difficulties created by politics and budget limitations. 3.6.1 Definition Based on thoughts of George Jelen, SMART is an acronym that represents specific, measurable, attainable, repeatable, and time-dependent. George Jelen is an associate of the International Systems Security Engineering Association (ISSEA). SMART can be used to define an excellent metrics. Valuable metrics specify to the extent in which security goals, such as data confidentiality, are being achieved, and they reinforce procedures taken to better an organization’s overall security plan. Making a distinction between metrics meaningful mainly to individuals with direct duty for security management separately from those that converse directly Page 22 of 36 4/20/2010 China/Kelly/Palmer
  23. 23. INFORMATION ASSURANCE METRICS to senior management interests and matters is important to maturity of an effective security metrics program (Payne, 2006). 3.6.2 Build To make possible comprehension and acceptance at every stages of a new security metrics plan, it is sensible to position the plan in course of action enhancement frameworks that are already known to the organization. For instance, the Dupont Corporation program foundation is based on “Six Sigma Breakthrough Strategy”, an advertised management method that shed spotlight on defect elimination. There are numerous other corporations that attach their metrics program to corporate security standards compliance. No matter what the core framework is; seven essential approaches for establishing a security metrics plan can be used as a guide. 1. Define the metrics program goal(s) and objectives 2. Decide which metrics to generate 3. Develop strategies for generating the metrics 4. Establish benchmarks and targets 5. Determine how the metrics will be reported 6. Create an action plan and act on it, and 7. Establish a formal program review/refinement cycle (Payne, 2006) Page 23 of 36 4/20/2010 China/Kelly/Palmer
  24. 24. INFORMATION ASSURANCE METRICS 3.6.3 Value An extensively accepted management belief is that an action cannot be controlled if it cannot be measured. Security settles under this rubric. Metrics can be a valuable utensil for security executives to distinguish the success of different mechanisms of their security programs, the security of a precise system, product or process, and the skill of staff or departments inside an organization to tackle security concerns for which they are accountable. Metrics could also assist with discovering the level of risk in not taking a given action, and in that way give supervision in putting into place corrective procedures. Also, metrics might be used to elevate the level of security responsiveness inside the organization. Lastly, security administrators can better respond to difficult questions from their senior managers and others like; are we better protected today than we were previous, how do we measure up to others in this regard, or are we safe enough, all due to understanding achieved through metrics (Payne, 2006). 3.6.4 7-Step Methodology Step 1: Define the metrics program goal(s) and objectives Since creating and sustaining a security metrics plan could require substantial effort and reroute assets away from other safety measures actions, therefore distinct and decided target(s) with intentions of the program is important to be settled upon up front. A lone objective that evidently states the end toward which all measurement and metrics assembling efforts should be intended for is a good approach, even though there is no solid and quick rule about this. For instance, a target avowal might be: “Afford metrics that plainly and purely express how professionally and successfully Page 24 of 36 4/20/2010 China/Kelly/Palmer
  25. 25. INFORMATION ASSURANCE METRICS our company is harmonizing security risks and protective measures, so that investments in our security program can be properly sized and targeted to meet our overall security goals” (Payne, 2006, p. 3-4). Step 2: Decide which metrics to generate To give an idea of this step, a “Six Sigma” approach would focus on security processes for which defects could be detected and managed, and Step 2 duty of crafting a metrics plan would be to point out those specific safety procedures. A conformity-based advance would evaluate how closely recognized security values are being adhered to. Either a top-down or a bottom-up approach for deciding which metrics might be wanted would provide support if any preexisting framework was missing. The top-down tactic begins with the goals of the security program, and followed by backward duty identifying detailed metrics that would assist to determine if those goals are being achieved, and to finish measurements needed to produce those metrics. (Payne, 2006, p. 4) The bottom-up approach initially captures describing which security processes, products, services, and so on are in place that can be or already are measured, then bearing in mind which Page 25 of 36 4/20/2010 China/Kelly/Palmer
  26. 26. INFORMATION ASSURANCE METRICS significant metrics could be resulting from those measurements. It concludes reviewing how sound those metrics link to the overall security program goals (Payne, 2006). (Payne, 2006, p. 5) Step 3: Develop Strategies for Generating the Metrics Strategies for gathering required information and deriving the metrics must be crafted after what is to be measured is well comprehended. These strategies must identify several goals which are: the source of the information, the rate of recurrence of information collection, and the person accountable for raw information correctness, information collection into measurements, and creation of the metric (Payne, 2006). Step 4: Establish benchmarks and targets During this stage suitable targets would be acknowledged and enhancement targets positioned. This course of action offers new thoughts for supervising an activity, but also can provide relative information required to create metrics more significant. Benchmarks assist with instituting attainable targets for enforcing enhancements in existing practices. Benchmarking is ultimately the practice of contrasting one’s personal duty and obligations against teammates inside the business or noted “best practice” organizations outside the business. A security Page 26 of 36 4/20/2010 China/Kelly/Palmer
  27. 27. INFORMATION ASSURANCE METRICS administrator must seek advice from industry-specific information resources for probable benchmarks and best practices (Payne, 2006). Step 5: Determine how the metrics will be reported Security metrics efforts have to be successfully communicated in order to get positive results. Only distribute metrics to personnel it pertains to such as the security manager and staff. Other metrics may be utilized for corrective measures within an organization. The context, format, frequency, distribution method, and responsibility for reporting metrics must be clear up front, so the end product can be pictured by those involved in establishing the metrics and the individuals using the metrics for decision-making (Payne, 2006). Step 6: Create an action plan and act on it The action plan must enclose all tasks to be accomplished to begin the security metrics program, to include projected end dates and assignments. Action items should be derived from the objectives. So all involved understands and stay focused on the importance of an action plan you must document the connection of actions to the objectives. The plan must have a testing process. Deficiencies may show some metrics to be impractical and need reconsideration of what is to be measured and how (Payne, 2006). Step 7: Establish a formal program review/refinement cycle Finally, the whole security metrics program should formal and habitual be checked, this must be instilled into the overall process. During the assessment process questions like; is there motive to distrust the accurateness of any of the metrics? Are the metrics helpful in deciding new strategy for the overall security program? How much energy will it take to produce the metrics? These questions and others will be imperative to answer. A new look into security metrics Page 27 of 36 4/20/2010 China/Kelly/Palmer
  28. 28. INFORMATION ASSURANCE METRICS standards and finest practices inside and outside the business must also be carried out to aid in identifying new improvements and opportunities to tweak the program (Payne, 2006). 3.7 Metrics Program Implementation The metrics program implementation practice works a metrics program that is iterative by character and guarantees that suitable features of Information Technology (IT) security are considered for a particular moment in time. Implementation of Information Technology security metrics involves using Information Technology security metrics for monitoring IT security control performance and using the outcomes of the observing to start performance enhancement activities. The iterative process entails six segments, which, when completely carried out, will guarantee uninterrupted use of Information Technology security metrics for security managed performance monitoring and enhancement. Illustrated below is a figure of the Information Technology security metrics program implementation process (Chew et al., 2008). (Chew et al., 2008, p. 35) 4.1 Malware Incident Preventive Malware incident prevention consists of a few key rudiments which are policy, awareness, vulnerability mitigation, and threat mitigation. Making certain that policies Page 28 of 36 4/20/2010 China/Kelly/Palmer
  29. 29. INFORMATION ASSURANCE METRICS concentrate on malware deterrence it supplies a foundation for putting into practice preventive controls. Human error that is the cause for unpleasant incident can be lessened by instituting and upholding common malware awareness programs for every user plus particular awareness training for the Information Technology personnel directly concerned with malware prevention related activities. A number of potential attack vectors can be eradicated by applying effort on defenselessness alleviations. By putting into service a mixture of threat mitigation methods and tools like antivirus software and firewalls, can stop threats from effectively attacking systems and networks. When setting up a method to malware prevention, organizations must be aware of the attack vectors that are almost certain to be executed at present and in the near future. They must also think about how much control they will have over their systems are in relation to manage/non-manage settings; this has important posture on the success of a variety of protective measures. Also, businesses should integrate established protective means into their malware prevention efforts. Conversely, businesses ought to be conscious to the fact that no matter how much time and energy they devote to malware incident prevention, incidents will still take place. That's why, organizations must encompass healthy malware incident treatment functions to limit the harm that malware can cause and restore data and services proficiently (Mell, Kent, & Nusbaum, 2005). 4.2 Malware Incident Response As defined in NIST SP 800-61, Computer Security Incident Handling Guide, the incident response process has four major phases: preparation, detection and analysis, containment/eradication/recovery, and post-incident activity (Mell, Kent, & Nusbaum, 2005). Page 29 of 36 4/20/2010 China/Kelly/Palmer
  30. 30. INFORMATION ASSURANCE METRICS (Mull, Kent, & Nusbaum, 2005, p. 4-1) The first stage of malware incident response entails carrying out introductory activities, for instance like creating particular malware incident managing procedures and training courses for incident response teams. The prep period also invests energy and time in policy usage, awareness activities, weakness mitigation, and safety tools to diminish the amount of malware incidents. Reoccurring risk will without doubt continue, and no tactic is fail-safe, regardless of measures. Detection of malware infections is thus necessary to alert the organization whenever incidents occur. Fast discovery is vital for malware incidents since they are more likely than other kind of incidents to distress countless users and systems in little time, and sooner discovery can assist in lessen the amount of contaminated systems. The business ought to act fittingly depending on the severity of the incident, and that’s for every incident to alleviate its impact by controlling it, wiping out infections, and eventually recovering from the incident. This can be very difficult during extensive contagion, especially when majority of an organization’s systems may be infected all at once. Following an incident, the organization should present a description that delivers the fine points for cause and cost of the incident along with the steps the organization must take to avoid unforeseen incidents and to get ready more effectively to attack incidents that do transpire. Even though the rudimentary incident conduct process is the alike for Page 30 of 36 4/20/2010 China/Kelly/Palmer
  31. 31. INFORMATION ASSURANCE METRICS any sort of malware incident, ubiquitous infections offer various challenges that the normal incident response process does not address (Mell, Kent, & Nusbaum, 2005). 4.3 The Future of Malware The future of malware starts with the preventive measures that are put in place by organizations and businesses to defend potential attacks against viruses, threats and malicious codes. Larks (2007) predicted that 40% of motivated cyber crime will target organizations network infrastructure for a financial gain. These figures point out the events surrounding the uses of malware as an encouraging factor to promote the financial gain for cyber criminals (Larks, 2007). Although the future of malware is unpredictable, organizations are recording all known existing threats to create a database as a baseline for future study. Due to the variation of the increase of IT solutions and security controls that are in place, criminals often exploited all possible ways of attacking a network infrastructure from multiple routes. As technology continues to press forward in the 21st century, electronic devices such as cell phones and PDA’s are potential target equipment used to help transmit worms, malicious codes and viruses to attack non-traditional platforms. To effectively control malware incidents and malware prevention, businesses and organizations must developed a short and long term preventive system to mitigate all activities that would increase the response of effectively stopping a malicious code from destroying a informational technology infrastructure. Page 31 of 36 4/20/2010 China/Kelly/Palmer
  32. 32. INFORMATION ASSURANCE METRICS 4.4 Acronyms Capability Maturity Model (CMM) Chief Information Officer (CIO) Commercial off the Shelf Software (COTS) Denial of Service/Distributed Denial of Service (DoS/DDoS) Digital Millennium Copyright Act (DMCA) Federal Information Processing Standards (FIPS) Free Open Source Software (F/OSS) Health Insurance Portability and accountability Act (HIPAA) Highly Assured Computer (HAC) Information Assurance (IA) International Systems Security Engineering Association (ISSEA) Information System Security Officer (ISSO) Information Technology (IT) National Institute of Standards and Technology (NIST) Operating System (OS) Software Engineering (SE) Software Quality Assurance (SQA) Specific Measurable Attainable Repeatable and Time-dependent (SMART) United States Computer Emergency Readiness Team (US-CERT) Page 32 of 36 4/20/2010 China/Kelly/Palmer
  33. 33. INFORMATION ASSURANCE METRICS 5. Conclusion As new threats and attacks are created daily, the implementation of a system security threats and risk analysis will assist an organization of safeguarding the authentication, confidentiality, integrity, availability, and non-repudiation of data relevant to an organization. Though every incident cannot be prevented, the mechanisms and tools involved will ensure business operations can continue during and/or after an incident occurs. The organization’s essential personnel such as the CIO, and ISSO will oversee this information security program is maintaining its overall performance for the organization. The information security challenges facing an organization can be minimal once the proper execution, effectiveness, and impact of security controls, and other security associated activities are achieved. As a result, the organization will be able to carry out the mission, goals, and objectives of its business operations. Page 33 of 36 4/20/2010 China/Kelly/Palmer
  34. 34. INFORMATION ASSURANCE METRICS REFERENCES Bryant, A. (2007). Developing a Framework for Evaluating Organization Information Assurance Metric Programs. Retrieved February 8, 2010, from c.pdf Chew, E., Swanson, M., Stine, K., Bartol, N., Brown, A., & Robinson, W. (2008). Performance Measurement Guide for Information Security, National Institute of Standards and Technology, Retrieved February 24, 2010, from Choo, K. R. (2007). Trends & issues in crime and criminal justice no. 333: Zombies and Botnets. Australian Institute of Criminology, Retrieved February 18, 2010, from Encyclopedia of Management. 6th ed. Detroit: Gale, Retrieved February 17, 2010, from 2.1&u=umuc&it=&r&p=GVRL&sw=w Gilligan, J. (2009). Twenty Most Important Controls and Metrics for Effective Cyber Defense and Continuous FISMA Compliance. Retrieved February 26, 2010, from Jesan, J. (2006). Information Security. Ubiquity, (v) 2. Retrieved February 23, 2010, from &dl=ACM&CFID=77541277&CFTOKEN=20025986 Page 34 of 36 4/20/2010 China/Kelly/Palmer
  35. 35. INFORMATION ASSURANCE METRICS (Con’t) REFERENCES Larks, T. (2007). THE FUTURE OF SECURITY. MicroScope,37. Retrieved March 17, 2010, from ABI/INFORM Trade & Industry. (Document ID: 1386198221). Liles, S. & Kamali, R., (2006) An Information and Security Curriculum Implementation, (v) 3. Retrieved March 13, 2010 from McDowell, M. (2008). Understanding Hidden Threats: Rootkits and Botnets. United States Computer Emergency Readiness Team. Retrieved February 16, 2010, from McDowell, M. (2009). Understanding Denial-of-Service Attacks. United States Computer Emergency Readiness Team. Retrieved February 17, 2010, from Mell, P., Kent, K., & Nusbaum (2005). Guide to Malware Incident Prevention and Handling. National Institute of Standards and Technology. Retrieved February 27, 2010, from Payne, S. C. (2006). A guide to security metrics. SANA Security Essentials GSEC Practical Assignment Version 1.2e. Retrieved February 10, 2010, from Peng T., Leckie, C., & Ramamohanarao, K. (2007). Survey of network-based mechanisms Countering the DoS and DDoS problems. ACM Computing Surveys, 39(1), 1-42. doi: 10.1145/1216370.1216373 Page 35 of 36 4/20/2010 China/Kelly/Palmer
  36. 36. INFORMATION ASSURANCE METRICS (Con’t) REFERENCES Rees, J., & Allen, J. (2008). The state of risk assessment practices in information security: An exploratory investigation. Journal of Organizational Computing and Electronic Commerce, 18, 255-277. doi:10.1080/10919390802421242 Ross, R., Katzke, S., Johnson, A., Swanson, M., Stoneburner, G., & Rogers, G.(2008). Recommended Security Control for Federal Information Systems, National Institute of Standards and Technology, Retrieved February 25, 2010, from Page 36 of 36 4/20/2010 China/Kelly/Palmer