This presentation analyses, in depth, the security weaknesses present in HGA and suggests controls to protect against critical threats with a complete budgetary analysis.
Please play in Slideshow mode for complete and proper viewing of the presentation.
Security Risk Analysis of Hypothetical Government Agency (HGA)
1. SECURITY RISK ANALYSIS FOR HGA
by HARIPRIYA VENKATACHALAPATHY
10/09/2018
for SECURITY RISK MANAGEMENT AND ASSESSMENT- IA5200
2. BUSINESS NEED FOR SECURITY RISK ANALYSIS
Management
• Risk management plan
• Life cycle integration
Operational
• Physical and environmental security
• Contingency planning
• Information security
• Training and awareness
• Incident response
Technical
• Authentication
• Access control
• Audit trail
Management
• Risk management plan
• Life cycle integration
Operational
• Physical and environmental security
• Contingency planning
• Information security
• Training and awareness
• Incident response
Technical
• Authentication
• Access control
• Audit trail
Important in a good security plan
Controls in green- Implemented
Controls in red- Missing
• Information security plan
• Disaster response and recovery plan
4. ASSETS, THREATS & VULNERABILITIES
Assets
• Financial Resources
• System Components
• Personnel Information
• Contract Documents
• Business Documents
• Draft Regulations
• Internal Correspondence
Threats
• Payroll Fraud
• Payroll Errors
• Interruption of Operations
• Information Disclosure
• Network-related
• Others: Accidental Loss and Destruction, Misuse, Theft, Natural Disaster
Vulnerabilities
• Payroll Fraud: Falsifying Payroll Data, Unauthorized Access, Bogus Applications
• Payroll Error Vulnerabilities
• Interruption to Operations: Contingency Planning (COG, Department Specific), Virus Prevention, Accidental Corruption and Data Loss
• Information Disclosure
• Network-related
5. MOT COVERAGE
[Bar chart: Comparison of MOT Controls. X-axis: MOT Controls (M1-M5, O1-O9, T1-T3). Y-axis: Implementation Count (0-25). Series: Current Controls; CISO Proposed Controls; Controls in VPN Server and DMZ; All Controls.]
7. RANKING OF VULNERABILITY RISKS
Risk Due to Vulnerabilities- Common Controls
Network-related- $25,575,000
Unauthorized Access- $24,750,000
Virus Prevention- $24,750,000
Accidental Corruption and Data Loss- $21,450,000
Risk Due to Vulnerabilities- Mixed Strategy
Virus Prevention- $1,471,381
Network-related- $1,430,483
Accidental Corruption and Data Loss- $1,414,500
Unauthorized Access- $1,005,926
8. PROPOSED BUDGET
Total Budget- Approx. $4,000,000
Administrative- $50,000
OTPs & Digital Signatures- $75,000
SETA- $1,000,000
MOU- $500,000
PC Protection- $50,000
Life Cycle Planning- $25,000
Incident Response- $1,000,000
Audit Trail- $750,000
VPN and DMZ- $13,500
Overall Operational Costs- $500,000
Share of total budget: SETA- 25%; Incident Response- ; Audit Trail- 19%
9. RECOMMENDATIONS
Secure against external systems:
Clear definition of boundaries.
Rigid access control.
Encryption of data:
All states.
Audit trail.
Secure data disposal.
Integration for strong program:
Standards for current and future use.
10. SUMMARY
More focus on information security and disaster recovery specific plans.
MOT controls coverage increases.
Drop of 95% in residual security risk with mixed strategy.
Proposed budget is 4% of expected risk benefit.
Recommended controls related to data integrity, lifecycle management and audit trail mechanism.
Editor's Notes
A solid risk management plan needs to cover the major security controls in the management, operational and technical aspects which map to plans for information security and disaster response and recovery. HGA has sufficiently or moderately implemented a risk management plan, covered physical and environmental security, contingency planning, security for the information stored and provided training and awareness. It has also implemented authentication and access control mechanisms with room for more improvement. However, HGA does not have any mechanisms in place to audit security incidents and follow up with an incident response team. It also has not integrated security into its overall life cycle management plan. These shortcomings need to be covered for HGA to have a good risk management plan.
Image Source: An Introduction to Computer Security: The NIST Handbook, Barbara Guttman and Edward A. Roback
Network topology of HGA:
Mix of components owned and operated by HGA and other organizations.
System architecture:
PCs for all/most personnel.
Connected to LAN.
LAN server.
Printer pool.
Router to connect to internet for communication with outside agencies.
Modem pool enabled to allow only e-mailing.
Special console restricted ONLY to admins.
WAN to connect to other agencies- owned and operated by a third-party telecommunications company under government contract.
Mainframes- a federal agency controls them and acts as service provider to HGA under an MOU.
Assets:
Financial Resources
System Components
PCs
Printers
VPN Server
LAN Server
Console
Router
Dedicated Server
Personnel Information
Contract Documents
Draft Regulations
Internal Correspondence
Business Documents
Memos and Reports
Reputation of Agency
Employee Confidence
Critical Assets: Financial Resources, Personnel Information, Business Documents, Contract Documents- based on their monetary values.
Threats:
Payroll Fraud
Payroll Errors
Interruption of Operations
Disclosure or Brokerage of Information
Network-Related Attacks
Other Threats
Accidental Loss
Accidental Destruction
Loss of Information Due to Virus
Misuse of System Resources
Theft
Unauthorized Access to Telecommunication Resources
Natural Disaster
Biggest Threats: Payroll Fraud, Payroll Error, Interruption of Operations, Network-related.
Vulnerabilities:
T1:V1: Vulnerabilities Related to Payroll Fraud
V1.1: Falsified Time Sheets
V1.2: Unauthorized Access
V1.3: Bogus Time and Attendance Applications
V1.4: Unauthorized Modifications of Time and Attendance Sheets
T2:V2: Vulnerabilities Related to Payroll Errors
T3:V3: Vulnerabilities Related to Continuity of Operations
V3.1: COG Contingency Planning
V3.2: Division Contingency Planning
V3.3: Virus Prevention
V3.4: Accidental Corruption and Loss of Data
T4:V4: Vulnerabilities Related to Disclosure or Brokerage of information
T5:V5: Vulnerabilities Related to Network-Related Attacks
Biggest Vulnerabilities: Unauthorized Access, Virus Prevention, Accidental Corruption and Loss of Data, Network-related.
17 families of MOT controls are considered across 3 different scenarios:
Scenario 1: Current controls implemented by HGA: No controls are implemented for life cycle management, data integrity, incident response and audit trails.
Scenario 2: New controls proposed by the CISO: Brings about implementation of almost the same number of controls as in scenario 1; no new control families are covered.
Scenario 3: Controls implemented by bringing in a VPN server and setting up a DMZ: New controls are implemented for incident response in a preliminary manner by having IDS capabilities in the DMZ firewall; Audit trail mechanism also set up at a basic level.
Summary:
The number of times each control is implemented effectively doubles from scenario 1 to a scenario where all controls are implemented together. Still, there is no implementation of security controls for life cycle management and data integrity.
Graph shows variations in residual security risk and the trendline across varying methods of security control implementation.
Residual security risk drops from $96m to about half the amount at $49m just by implementing new controls proposed by the CISO. It further halves when all the missing MOT controls are also included for implementation. The security risk prevention and response strategies don’t vary by much in the reduction they bring. However, when they’re combined to eliminate all critical vulnerabilities and harden all the critical assets of the HGA the residual risk is only $5m which is only 5% of the original residual risk.
With just the current controls in place at HGA, the risk from network and network-related vulnerabilities is highest and virus prevention ranks lowest amongst all critical vulnerabilities. After including the controls proposed by the CISO, covering the missing MOT controls, implementing the VPN server and DMZ, encrypting communication in HGA, implementing automatic virus scanning and detection, adding redundant servers and encrypting data in all states, the ranking of the vulnerabilities changes. The risk due to each of them drops from approximately $23m to $1.2m each, and vulnerabilities related to virus prevention rank the highest, closely followed by network-related vulnerabilities and accidental losses.
Total budget to cover new CISO controls, implement the missing MOT controls, replace modem pool using VPN and zoning the HGA’s network to account for a DMZ is approximately $4m. Security training and awareness, incident response planning and implementing audit trail mechanisms take up 70% of the total budget clearly showing how important these controls are to the HGA and that their implementation is essential for a holistic risk management plan.
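The summary figures (a roughly 95% drop in residual risk, a budget of about 4% of the risk benefit) follow from the per-vulnerability values on the ranking slide and the $4m budget total. The script below, an added example that is not part of the presentation, reproduces that arithmetic: it ranks the critical vulnerabilities in each scenario, totals the residual risk, and computes the reduction and the budget-to-benefit ratio. The function names are assumptions; the dollar figures are the ones listed on the slides.

```python
"""Residual-risk comparison across control scenarios.

Added example, not part of the original presentation. The per-vulnerability
risk figures are those shown on the "Ranking of vulnerability risks" slide
and the budget is the "approx. $4,000,000" total from the budget slide; the
helper functions are assumptions written to show the arithmetic behind the
"95% drop" and "4% of expected risk benefit" summary figures.
"""
from typing import Dict, List, Tuple

# Residual risk per critical vulnerability with only the common controls in place.
COMMON_CONTROLS: Dict[str, int] = {
    "Network-related": 25_575_000,
    "Unauthorized Access": 24_750_000,
    "Virus Prevention": 24_750_000,
    "Accidental Corruption and Data Loss": 21_450_000,
}

# The same vulnerabilities after the mixed prevention-and-response strategy.
MIXED_STRATEGY: Dict[str, int] = {
    "Virus Prevention": 1_471_381,
    "Network-related": 1_430_483,
    "Accidental Corruption and Data Loss": 1_414_500,
    "Unauthorized Access": 1_005_926,
}

PROPOSED_BUDGET = 4_000_000  # "Total Budget- Approx. $4,000,000"


def total_residual_risk(risks: Dict[str, int]) -> int:
    """Sum the per-vulnerability residual risk for one scenario."""
    return sum(risks.values())


def rank_vulnerabilities(risks: Dict[str, int]) -> List[Tuple[str, int]]:
    """Order vulnerabilities from highest to lowest residual risk.

    sorted() is stable, so vulnerabilities with equal risk keep the order in
    which they were listed (Unauthorized Access before Virus Prevention in the
    common-controls scenario, where both sit at $24.75m).
    """
    return sorted(risks.items(), key=lambda item: item[1], reverse=True)


def risk_reduction(before: Dict[str, int], after: Dict[str, int]) -> float:
    """Fraction of residual risk removed by moving from `before` to `after`."""
    baseline, remaining = total_residual_risk(before), total_residual_risk(after)
    if baseline == 0:
        raise ValueError("baseline residual risk is zero; nothing to reduce")
    return (baseline - remaining) / baseline


def budget_share_of_benefit(budget: int, before: Dict[str, int], after: Dict[str, int]) -> float:
    """Control cost as a fraction of the risk it removes (the 'risk benefit')."""
    benefit = total_residual_risk(before) - total_residual_risk(after)
    if benefit <= 0:
        raise ValueError("controls do not reduce residual risk; no benefit to compare against")
    return budget / benefit


def scenario_report(name: str, risks: Dict[str, int]) -> List[str]:
    """Human-readable ranking for one scenario, highest risk first."""
    lines = [f"{name}: total residual risk ${total_residual_risk(risks):,}"]
    for position, (vuln, value) in enumerate(rank_vulnerabilities(risks), start=1):
        lines.append(f"  {position}. {vuln}- ${value:,}")
    return lines


if __name__ == "__main__":
    for line in scenario_report("Common controls", COMMON_CONTROLS):
        print(line)
    for line in scenario_report("Mixed strategy", MIXED_STRATEGY):
        print(line)
    drop = risk_reduction(COMMON_CONTROLS, MIXED_STRATEGY)
    share = budget_share_of_benefit(PROPOSED_BUDGET, COMMON_CONTROLS, MIXED_STRATEGY)
    print(f"Residual risk reduction: {drop:.1%}")
    print(f"Budget as share of risk benefit: {share:.1%}")
```

Running it totals the common-controls scenario at $96,525,000 and the mixed strategy at $5,322,290, which is where the slide's "$96m" and "$5m" come from; the reduction works out to about 94.5% and the budget to about 4.4% of the benefit, matching the rounded summary figures.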
Breakdown of costs to implement VPN and DMZ:
VPN Server- $500
Dedicated Server to Implement DMZ- $3,000
Overall Implementation Cost Within HGA- $10,000
--------------------------------------------------------
Total Cost- $13,500
Securing against external systems:
The HGA needs to focus more on securing its systems from external systems; there needs to be a clear definition of what is considered external and internal systems with clear physical and logical security measures to be developed and deployed to tackle attacks across both the domains.
Encrypt data across all possible states:
Data and information in the HGA must be encrypted and protected while in transit from sender to receiver and stored with appropriate encryption and/or hashing while at rest.
Audit mechanisms implementation:
The HGA must implement audit mechanisms to set up proper audit trails following an attack; it should also ensure that real-time indicators be set up for flagging of critical threats so that the incident response team can attend to it right away with minimal to no delay.
Data disposal must be done according to policy:
COG must be responsible for recommending security measures and policies to be enforced during data disposal; these measures should be followed strictly to ensure that all sensitive data is destroyed or disposed of appropriately.
Integration of management and technical teams for strengthening the risk management program:
The HGA should work cohesively amongst its managers, supervisors and technical leads to ensure that its risk analysis and management program is effective, current and robust enough to protect the organization while also considering the time, effort and budgetary trade-offs.
Integrate all mechanisms implemented for current, standardized and future use:
The HGA must look beyond implementing security controls only as and when threats are discovered, and ensure that its security measures cover any possible attack or threat, whether now or in the near or far future.
All security measures must be implemented with the aim of being easy enough to be integrated into the system seamlessly; the integration should not further propagate any new vulnerabilities or reduce the operational effectiveness of the system by, say, bringing it down during the update or following it.
All security controls must be standardized, follow specific predetermined terminology and not deviate from it, so that all employees and users of the HGA systems can adhere to and understand them without needing to request support or help.