CISSP
SP
São Paulo Study Group - 2006
http://br.groups.yahoo.com/group/cisspbr-sp
Security Management Practices
Anchises M. G. de Paula
CISSP Training
São Paulo Study Group
February 2006
Main topics
• Purpose (CIA)
• Risk Analysis & Assessment
• Information Classification
• Policies, procedures, standards, etc.
• Awareness
• Social Engineering
Purpose
• Purpose of Information Security Management
– Confidentiality
– Integrity
– Availability
Purpose
• Confidentiality
– Unauthorized people, resources and processes cannot access the information
– Crucial aspects:
• user identification, authentication and authorization
– Threats:
• Hackers
• Masqueraders
• Unauthorized user activity
• Unprotected downloaded files
• Networks
• Trojan horses
• Social engineering
Purpose
• Integrity
– Protection from intentional or accidental unauthorized changes
– Ensure that information and processes are maintained in the state that users expect
– 3 basic principles are used to establish integrity controls:
• Need-to-know access (least privilege)
• Separation of duties
• Rotation of duties
Purpose
• Availability
– Assurance that computer systems are accessible by authorized users whenever needed
– Two facets:
• Denial-of-service
• Loss of data processing capabilities
Risk Analysis
• Risk Analysis is a method of identifying risks and assessing the possible damage that could be caused in order to justify security safeguards.
• Risk management addresses 3 fundamental questions:
– What can be done? (risk mitigation)
– How much will it cost?
– Is it cost-effective?
Risk Analysis
• Quantitative risk analysis:
– Assign independently objective numeric values
• Estimate the value of the assets to be protected
• Identify each threat and the corresponding risk
• Estimate the loss potential of each risk
• Estimate the possible frequency of each threat
– Recognize and recommend remedial measures
– “fact-based”
Risk Analysis
• Qualitative risk analysis:
– Walk through different scenarios and rank threats or the sensitivity of assets.
– Techniques include judgement, intuition and experience.
• Some methods are Delphi, brainstorming, storyboarding, focus groups, surveys, questionnaires, one-on-one meetings and interviews.
– “perception-based”
Risk Analysis
• Qualitative - Pros
– Calculations are simple and readily understood and executed
– Not necessary to determine quantitative threat frequency & impact data
– Not necessary to estimate the cost of recommended risk mitigation measures & calculate cost/benefit
– A general indication of significant areas of risk that should be addressed is provided
• Qualitative - Cons
– Risk assessment & results are essentially subjective in both process & metrics. Use of independently objective metrics is eschewed.
– No effort is made to develop an objective monetary basis for the value of targeted information assets
– No basis is provided for cost/benefit analysis of risk mitigation measures. Only a subjective indication of a problem
– It is not possible to track risk management performance objectively when all measures are subjective
Risk Analysis
• Quantitative - Pros
– Assessment & results are based substantially on independently objective processes & metrics. Thus, meaningful statistical analysis is supported
– The value of information (availability, confidentiality & integrity), as expressed in monetary terms with supporting rationale, is better understood. Thus, the basis for expected loss is better understood.
– A credible basis for cost/benefit assessment of risk mitigation measures is provided. Thus, information security budget decision-making is supported
• Quantitative - Cons
– Calculations are complex. If they are not understood or effectively explained, management may mistrust the results of black-box testing
– A substantial amount of information about the target information & its IT environment must be gathered
– There is not yet a standard, independently developed & maintained threat population & frequency knowledge base. Thus, users must rely on the credibility of the vendors who develop & support the automated tools or who perform the research.
Risk Analysis
• Elements of risk metrics:
– Asset value
– Threat frequency
– Threat exposure factor
– Safeguard effectiveness
– Safeguard Cost
– Uncertainty
Risk Analysis
• Exposure Factor
– Magnitude of loss or impact on the value of the asset
– Percent (0 to 100%)
• Annualized Rate of Occurrence (ARO)
– The frequency with which a threat is expected to occur
– 50 times in a given year -> ARO = 50.0
• Single Loss Expectancy or Exposure (SLE)
– Monetary loss (impact) for a threatened event
– SLE = Asset value x Exposure Factor
Risk Analysis
• Annualized Loss Expectancy (ALE)
– Establishes the basis for meaningful cost/benefit analysis of risk reduction measures
– ALE = SLE x ARO
– Ex:
• Threat that is expected to occur about once in 10 years (ARO = 1/10)
• Impact for the threat: $1,000,000 (SLE)
• ALE = $100,000
Risk Analysis
• Information Risk Management
– Establish an Information Risk Management Policy
– Establish and fund an IRM team
– Establish IRM methodology & tools
– Identify and measure risk
– Project sizing
Risk Analysis
• Remedies
– Risk Reduction - implementation of controls to alter the risk position
– Risk Transference - get insurance, transfer the cost of a loss to insurance
– Risk Acceptance - accept the risk, absorb the loss
Risk Analysis
• Example 1 (Official Guide, p. 21)
– Take a look at the risk of fire.
– Assume that the asset value is $1M, the exposure factor is 50% and the annualized rate of occurrence is 1/10 (once in 10 years).
– SLE = $1M x 0.5 = $500,000
– ALE = SLE x 1/10 = $50K
http://urru.org
Risk Analysis
• Example 2 (Harris, Shon; “Security School”)
– If the ALE for a specific asset is $78,000, and after implementation of the control the new ALE is $20,000 and the annual cost of the control is $60,000, what is the value of the control to the company?
– Should the control be implemented?
Risk Analysis
• Example 2 (answer)
Safeguard benefit:
$78,000 - $20,000 = $58,000
Value of the countermeasure to the company:
$58,000 - $60,000 = -$2,000
– A countermeasure should mitigate the identified risk and be cost-effective!
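The SLE/ALE arithmetic from the slides above (SLE = AV x EF, ALE = SLE x ARO) and the safeguard cost/benefit test of Example 2, carried through as a small risk calculator that also answers the deck's third question ("Is it cost-effective?") for several candidate controls at once. This is an added example for the study notes, not code from the slides, the Official Guide or Shon Harris's material; the Threat and Safeguard class names are my own, and the "constructed alternative" control and its figures are made-up assumptions used only to show a control that does pass the test.

```python
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Threat:
    """One threat against one asset, in the deck's quantitative risk terms."""
    name: str
    asset_value: float       # AV, in currency units
    exposure_factor: float   # EF, fraction of AV lost per event (0.0 .. 1.0)
    aro: float               # Annualized Rate of Occurrence (events per year)

    def sle(self) -> float:
        """Single Loss Expectancy: SLE = AV x EF. EF outside 0..100% is a data error."""
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError("exposure factor must be between 0% and 100%")
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annualized Loss Expectancy: ALE = SLE x ARO."""
        if self.aro < 0:
            raise ValueError("ARO cannot be negative")
        return self.sle() * self.aro


@dataclass(frozen=True)
class Safeguard:
    """A candidate control: what it costs per year and the residual ALE it leaves."""
    name: str
    annual_cost: float
    residual_ale: float


def safeguard_value(ale_before: float, safeguard: Safeguard) -> float:
    """Annual value to the company = (ALE before - ALE after) - annual cost of the control."""
    benefit = ale_before - safeguard.residual_ale
    return benefit - safeguard.annual_cost


def is_cost_effective(ale_before: float, safeguard: Safeguard) -> bool:
    """A control is worth implementing only when its value to the company is positive."""
    return safeguard_value(ale_before, safeguard) > 0


def rank_safeguards(ale_before: float, candidates: List[Safeguard]) -> List[Safeguard]:
    """Cost-effective candidates, best value first; zero- or negative-value ones are dropped."""
    scored = [(safeguard_value(ale_before, s), s) for s in candidates]
    return [s for value, s in sorted(scored, key=lambda pair: pair[0], reverse=True) if value > 0]


# Example 1 from the slides: fire, AV = $1M, EF = 50%, ARO = 1/10.
FIRE = Threat("fire", asset_value=1_000_000, exposure_factor=0.5, aro=0.1)

# Example 2 from the slides: ALE before = $78,000, ALE after = $20,000, cost = $60,000.
EXAMPLE2_ALE_BEFORE = 78_000
EXAMPLE2_CONTROL = Safeguard("control from Example 2", annual_cost=60_000, residual_ale=20_000)

# Constructed alternative (not from the slides): a cheaper control that leaves more residual risk.
ALT_CONTROL = Safeguard("constructed alternative", annual_cost=30_000, residual_ale=25_000)


def main() -> None:
    print(f"{FIRE.name}: SLE = ${FIRE.sle():,.0f}, ALE = ${FIRE.ale():,.0f}")
    for control in (EXAMPLE2_CONTROL, ALT_CONTROL):
        value = safeguard_value(EXAMPLE2_ALE_BEFORE, control)
        verdict = "implement" if is_cost_effective(EXAMPLE2_ALE_BEFORE, control) else "reject"
        print(f"{control.name}: value = ${value:,.0f} -> {verdict}")


if __name__ == "__main__":
    main()
```

Run as a script it reproduces the two slide answers (SLE $500,000 and ALE $50,000 for the fire; -$2,000 for the Example 2 control, so "reject") and shows the constructed alternative at +$23,000. The ranking function is what you would use when several controls compete for the same budget line: it orders by net value, not by how much ALE each removes.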
Information Classification
• The primary purpose of data classification is to indicate the level of confidentiality, integrity and availability that is required for each type of information.
• Tools:
– Policy
– Risk Analysis
– Establish classifications
– Establish mechanisms (minimum controls)
Information Classification
• Classifications (example):
Commercial      Military
Confidential    Top Secret
Private         Secret
Sensitive       Confidential
Public          Sensitive but unclassified
                Public
Information Classification
• Roles & responsibilities
– Information owner
– Information custodian
– Application owner
– User manager
– Security administrator
– Security analyst
– Change control analyst
– Data analyst
– Solution provider
– End user
Pages 40-44, Official Guide
Data Classification
• Layers of Responsibility:
– Information Owner: Senior management, ultimately responsible for the protection and use of data. Determines the data classification.
– Information Custodian: Responsible for the maintenance and protection of data. Usually the IT department. Makes backups, performs restores, etc.
– End User: Any individual who routinely uses the data for work-related purposes. Also considered a “consumer” of the data. Must follow operating procedures and take due care to protect it.
Security Policy
• Policies, standards, baselines and procedures are key elements in ensuring that personnel understand how to handle specific job tasks.
• Objectives:
– State and clarify goals
– Define duties, responsibilities and authority
– Formalize duties
• Separation of duties
• Rotation of assignments
– Establish standards
– Provide information (communicate management directions)
– Educate users
Separation of Duties
• The principle of separation of duties is that an organization should carefully separate duties, so that people involved with checking for inappropriate use are not also capable of making such inappropriate use. No person should be responsible for completing a task involving sensitive, valuable or critical information from beginning to end. Likewise, a single person must not be responsible for approving their own work.
• Some examples of things that should be separated are:
– development / production
– security / audit
– accounts payable / accounts receivable
– encryption key management / changing of keys
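The separation-of-duties principle above, turned into the kind of check a security administrator runs over role assignments and change approvals: it flags any user holding both halves of one of the slide's conflicting pairs, and any change request approved by the person who requested it. This is an added example, not code from the slides or the Official Guide; the role labels (development, production, security, audit, accounts_payable, accounts_receivable, key_management, key_change), the user names and the change-request records are constructed for the demonstration and do not come from any real system.

```python
from itertools import combinations
from typing import Dict, List, Tuple

# Conflicting duty pairs taken from the slide's list. The role labels are assumed names,
# not those of any real directory or ticketing system.
CONFLICTING_DUTIES = {
    frozenset({"development", "production"}),
    frozenset({"security", "audit"}),
    frozenset({"accounts_payable", "accounts_receivable"}),
    frozenset({"key_management", "key_change"}),
}


def sod_violations(assignments: Dict[str, List[str]]) -> Dict[str, List[Tuple[str, str]]]:
    """Map each user holding both halves of a conflicting pair to the pairs they hold.

    Roles are de-duplicated and sorted so each conflicting pair is reported once,
    in a stable order, regardless of how the assignment list was written.
    """
    violations: Dict[str, List[Tuple[str, str]]] = {}
    for user, roles in assignments.items():
        conflicts = [
            (a, b)
            for a, b in combinations(sorted(set(roles)), 2)
            if frozenset({a, b}) in CONFLICTING_DUTIES
        ]
        if conflicts:
            violations[user] = conflicts
    return violations


def self_approvals(requests: List[Dict[str, str]]) -> List[str]:
    """IDs of change requests approved by the same person who requested them."""
    return [r["id"] for r in requests if r["requested_by"] == r["approved_by"]]


# Constructed sample data (not from the slides).
SAMPLE_ASSIGNMENTS = {
    "alice": ["development", "production"],         # conflict: development + production
    "bob": ["audit"],                                # fine
    "carol": ["security", "audit", "development"],   # conflict: security + audit
    "dave": ["key_management"],                      # fine
}

SAMPLE_REQUESTS = [
    {"id": "CHG-0001", "requested_by": "alice", "approved_by": "bob"},     # fine
    {"id": "CHG-0002", "requested_by": "carol", "approved_by": "carol"},   # self-approval
]


def main() -> None:
    for user, pairs in sod_violations(SAMPLE_ASSIGNMENTS).items():
        print(f"{user}: holds conflicting duties {pairs}")
    for change_id in self_approvals(SAMPLE_REQUESTS):
        print(f"{change_id}: requester approved their own work")


if __name__ == "__main__":
    main()
```

The conflict matrix is a set of unordered pairs, so adding a new separation (say, a new pair from a policy update) is a one-line change and the check itself never needs editing. In practice the assignments dictionary would be fed from an export of the directory or ticketing system; the check is the same.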
Security Policy
• Security Policy: General statement produced by senior management.
• Standards: Specify a product or mechanism selected for universal use. Usually mandatory activities, actions, rules or regulations.
• Baseline: Mandatory descriptions of how to implement security packages (for each platform).
• Procedures: Detailed step-by-step actions to achieve the tasks necessary for compliance with standards.
• Guidelines: More general statements to provide direction in policy grey areas (controls not covered by procedures). Not mandatory – discretionary recommendations.
Security Policy
• Example:
– Security Policy: “Information Custodians are responsible to provide a safe and secure processing environment (...)”.
– Standard: “Custodians of information processing systems must use XXXX anti-viral software to ensure the system is free from destructive software elements (...)”.
– Procedure: “All users utilizing XXXX anti-viral software will have anti-viral signature files updated weekly”.
– Guideline: “All employees having access to computer systems should attend a training session on the virus threat to understand the risks and damage of a virus infection”.
Pages 51-53, Official Guide
Security Awareness Training
• Benefits of Awareness
– Measurable reduction in unauthorized access attempts
– Increased effectiveness of controls
– Helps to avoid fraud and abuse
• Periodic awareness sessions for new employees and refresher sessions for the others
Social engineering
• Process of attempting to change people's behavior in a predictable manner
– Successful (or not) attempts to influence a person (or persons) into either revealing information or acting in a manner that would result in unauthorized access to / unauthorized use of / unauthorized disclosure of an information system, a network or data.
Social engineering
• Social engineering attacks:
– Intelligence gathering
– Target Selection
– The attack:
• Ego (or vanity) attack
• Sympathy attacks
• Intimidation attacks
• Protection:
– Physical security
– Logical security
– Administrative security
• Awareness and education
Sources
• Official (ISC)2 Guide to the CISSP Exam
• Ben Rothke, presentation “Security Management Practices” (www.securitydocs.com)
• Derek Prueitt, document “CISSP_KEEP” (www.securitydocs.com)
• JWG, CISSP Study Notes from CISSP Prep Guide (www.securitydocs.com)
• Harris, Shon, Security School (http://searchsecurity.techtarget.com/content/0,290959,sid14_gci1010719,00.html)
• Photos from “The Hitchhiker's Guide to the Galaxy”: Yahoo! Movies
• Poster photos: http://www.securityawareness.com
Thank you
Don't panic.
Non-commercial Share Alike (by-nc-sa)
This work is licensed under the Creative Commons Attribution-NonCommercial-ShareAlike 2.5 License. To view a copy of this license, visit http://creativecommons.org/licenses/by-nc-sa/2.5/ or send a letter to Creative Commons, 543 Howard Street, 5th Floor, San Francisco, California, 94105, USA.

More Related Content

Similar to Praticas de gestão de segurança

Marketing Analytics in a Week
Marketing Analytics in a WeekMarketing Analytics in a Week
Marketing Analytics in a Week
Act-On Software
 
IT Risk Management & Leadership 30 March - 02 April 2014 Dubai UAE
IT Risk Management & Leadership 30 March - 02 April 2014 Dubai UAEIT Risk Management & Leadership 30 March - 02 April 2014 Dubai UAE
IT Risk Management & Leadership 30 March - 02 April 2014 Dubai UAE
360 BSI
 
PMI-RMP Exam Prep Presentation
PMI-RMP Exam Prep PresentationPMI-RMP Exam Prep Presentation
PMI-RMP Exam Prep Presentation
scottdreynolds
 

Similar to Praticas de gestão de segurança (20)

Process Improvment Project Submission
Process Improvment Project SubmissionProcess Improvment Project Submission
Process Improvment Project Submission
 
Risk Based Thinking ISO 9001 Presentation.pdf
Risk Based Thinking ISO 9001 Presentation.pdfRisk Based Thinking ISO 9001 Presentation.pdf
Risk Based Thinking ISO 9001 Presentation.pdf
 
Security risk management
Security risk managementSecurity risk management
Security risk management
 
Machine Learning and Analytics Breakout Session
Machine Learning and Analytics Breakout SessionMachine Learning and Analytics Breakout Session
Machine Learning and Analytics Breakout Session
 
Implementing Risk Based Thinking in HLS OF ISO 9001:2015 - Praneet Surti
Implementing Risk Based Thinking in HLS OF ISO 9001:2015 - Praneet SurtiImplementing Risk Based Thinking in HLS OF ISO 9001:2015 - Praneet Surti
Implementing Risk Based Thinking in HLS OF ISO 9001:2015 - Praneet Surti
 
How to assess and manage cyber risk
How to assess and manage cyber riskHow to assess and manage cyber risk
How to assess and manage cyber risk
 
Marketing Analytics in a Week
Marketing Analytics in a WeekMarketing Analytics in a Week
Marketing Analytics in a Week
 
Operation Mangement Suppl.-SPC training-ppt
Operation Mangement Suppl.-SPC training-pptOperation Mangement Suppl.-SPC training-ppt
Operation Mangement Suppl.-SPC training-ppt
 
MAPPING_ISO27001_TO_COBIT4.1
MAPPING_ISO27001_TO_COBIT4.1MAPPING_ISO27001_TO_COBIT4.1
MAPPING_ISO27001_TO_COBIT4.1
 
Spc training
Spc trainingSpc training
Spc training
 
Machine Learning and Analytics Breakout Session
Machine Learning and Analytics Breakout SessionMachine Learning and Analytics Breakout Session
Machine Learning and Analytics Breakout Session
 
Risk assessment techniques a critical success factor
Risk assessment techniques a critical success factorRisk assessment techniques a critical success factor
Risk assessment techniques a critical success factor
 
Resume' Dan rosenfield Resume May, 2016 (v.2)
Resume' Dan rosenfield Resume May, 2016 (v.2)Resume' Dan rosenfield Resume May, 2016 (v.2)
Resume' Dan rosenfield Resume May, 2016 (v.2)
 
Raleigh issa chapter april meeting - managing a security & privacy governan...
Raleigh issa chapter   april meeting - managing a security & privacy governan...Raleigh issa chapter   april meeting - managing a security & privacy governan...
Raleigh issa chapter april meeting - managing a security & privacy governan...
 
IT Risk Management & Leadership 30 March - 02 April 2014 Dubai UAE
IT Risk Management & Leadership 30 March - 02 April 2014 Dubai UAEIT Risk Management & Leadership 30 March - 02 April 2014 Dubai UAE
IT Risk Management & Leadership 30 March - 02 April 2014 Dubai UAE
 
The Security Practitioner of the Future
The Security Practitioner of the FutureThe Security Practitioner of the Future
The Security Practitioner of the Future
 
International Institute for Analytics at The Chief Analytics Officer Forum, E...
International Institute for Analytics at The Chief Analytics Officer Forum, E...International Institute for Analytics at The Chief Analytics Officer Forum, E...
International Institute for Analytics at The Chief Analytics Officer Forum, E...
 
Lesson 2
Lesson 2Lesson 2
Lesson 2
 
Li Rmp Prep
Li Rmp PrepLi Rmp Prep
Li Rmp Prep
 
PMI-RMP Exam Prep Presentation
PMI-RMP Exam Prep PresentationPMI-RMP Exam Prep Presentation
PMI-RMP Exam Prep Presentation
 

More from Anchises Moraes

Hunting bugs - C0r0n4con
Hunting bugs - C0r0n4conHunting bugs - C0r0n4con
Hunting bugs - C0r0n4con
Anchises Moraes
 

More from Anchises Moraes (20)

Post pandemics threat scenario
Post pandemics threat scenarioPost pandemics threat scenario
Post pandemics threat scenario
 
Como se proteger na internet
Como se proteger na internetComo se proteger na internet
Como se proteger na internet
 
Fatos, mitos e palpites do cenário de segurança pós-pandemia
Fatos, mitos e palpites do cenário de segurança pós-pandemiaFatos, mitos e palpites do cenário de segurança pós-pandemia
Fatos, mitos e palpites do cenário de segurança pós-pandemia
 
A Case Study of the Capital One Data Breach
A Case Study of the Capital One Data BreachA Case Study of the Capital One Data Breach
A Case Study of the Capital One Data Breach
 
Vamos caçar bugs!?
Vamos caçar bugs!?Vamos caçar bugs!?
Vamos caçar bugs!?
 
Ciber crime e desafios de segurança durante uma pandemia e home office
Ciber crime e desafios de segurança durante uma pandemia e home officeCiber crime e desafios de segurança durante uma pandemia e home office
Ciber crime e desafios de segurança durante uma pandemia e home office
 
Cyber Cultura em tempos de Coronavírus
Cyber Cultura em tempos de CoronavírusCyber Cultura em tempos de Coronavírus
Cyber Cultura em tempos de Coronavírus
 
Hunting bugs - C0r0n4con
Hunting bugs - C0r0n4conHunting bugs - C0r0n4con
Hunting bugs - C0r0n4con
 
Fintechs e os desafios de segurança
Fintechs e os desafios de segurançaFintechs e os desafios de segurança
Fintechs e os desafios de segurança
 
5 passos para a Lei Geral de Proteção de Dados (LGPD) - CryptoRave 2019
5 passos para a Lei Geral de Proteção de Dados (LGPD) - CryptoRave 20195 passos para a Lei Geral de Proteção de Dados (LGPD) - CryptoRave 2019
5 passos para a Lei Geral de Proteção de Dados (LGPD) - CryptoRave 2019
 
Segurança além do Pentest
Segurança além do PentestSegurança além do Pentest
Segurança além do Pentest
 
Só o Pentest não resolve!
Só o Pentest não resolve!Só o Pentest não resolve!
Só o Pentest não resolve!
 
Carreira em Segurança da Informação
Carreira em Segurança da InformaçãoCarreira em Segurança da Informação
Carreira em Segurança da Informação
 
IoT Fofoqueiro
IoT FofoqueiroIoT Fofoqueiro
IoT Fofoqueiro
 
Carta de oposição ao Sindpd 2018
Carta de oposição ao Sindpd 2018Carta de oposição ao Sindpd 2018
Carta de oposição ao Sindpd 2018
 
Segurança na Internet
Segurança na InternetSegurança na Internet
Segurança na Internet
 
Como se tornar um Jedi na área de Segurança
Como se tornar um Jedi na área de SegurançaComo se tornar um Jedi na área de Segurança
Como se tornar um Jedi na área de Segurança
 
Deep Web e Ciber Crime
Deep Web e Ciber CrimeDeep Web e Ciber Crime
Deep Web e Ciber Crime
 
É possível existir segurança para IoT?
É possível existir segurança para IoT?É possível existir segurança para IoT?
É possível existir segurança para IoT?
 
Hacker Passport Brazil
Hacker Passport BrazilHacker Passport Brazil
Hacker Passport Brazil
 

Recently uploaded

Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
Joaquim Jorge
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
?#DUbAI#??##{{(☎️+971_581248768%)**%*]'#abortion pills for sale in dubai@
 

Recently uploaded (20)

Advantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessAdvantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your Business
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
🐬 The future of MySQL is Postgres 🐘
🐬  The future of MySQL is Postgres   🐘🐬  The future of MySQL is Postgres   🐘
🐬 The future of MySQL is Postgres 🐘
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 

Praticas de gestão de segurança

  • 1. CISSP SP Grupo de estudos de São Paulo - 2006 http://br.groups.yahoo.com/group/cisspbr-sp Práticas de gestão de segurança Anchises M. G. de Paula Formação CISSP Grupo de Estudos de São Paulo Fevereiro de 2006
  • 2. CISSP SP Grupo de estudos de São Paulo - 2006 http://br.groups.yahoo.com/group/cisspbr-sp Principais tópicos • Purpouse (CIA) • Risk Analysys & Assessement • Information Classification • Policies, procedures, standards, etc • Awareness • Social Engineering
  • 3. CISSP SP Grupo de estudos de São Paulo - 2006 http://br.groups.yahoo.com/group/cisspbr-sp Principais tópicos • Purpouse (CIA) • Risk Analysys & Assessement • Information Classification • Policies, procedures, standards, etc • Awareness • Social Engineering
  • 4. CISSP SP Grupo de estudos de São Paulo - 2006 http://br.groups.yahoo.com/group/cisspbr-sp Purpose • Purpouse of Information Security Management – Confidentiality – Integrity – Availability
  • 5. CISSP SP Grupo de estudos de São Paulo - 2006 http://br.groups.yahoo.com/group/cisspbr-sp Purpose • Confidentiality – Unauthorized people, resources and processes cannot access the information – Crucial aspects: • user identification, authentication and authorization – Threats: • Hackers • Masqueraders • Unauthorized user activity • Unprotected downloaded files • Networks • Trojan horses • Social engineering
  • 6. CISSP SP Grupo de estudos de São Paulo - 2006 http://br.groups.yahoo.com/group/cisspbr-sp Purpose • Integrity – Protection from intentional or accidental unauthorized changes – Ensure that information and process are maintained in the stat that users expect – 3 basic principles are used to establish integrity controls: • Need-to-know access (least privilege) • Separation of duties • Rotation of Duties
  • 7. CISSP SP Grupo de estudos de São Paulo - 2006 http://br.groups.yahoo.com/group/cisspbr-sp Purpose • Availability – Assurance that computer systems are acessible by authorized users whenever needed – Two facets: • Denial-of-service • Loss of data processing capabilities
  • 8. CISSP SP Grupo de estudos de São Paulo - 2006 http://br.groups.yahoo.com/group/cisspbr-sp Principais tópicos • Purpouse (CIA) • Risk Analysys & Assessement • Information Classification • Policies, procedures, standards, etc • Awareness • Social Engineering
  • 9. CISSP SP Grupo de estudos de São Paulo - 2006 http://br.groups.yahoo.com/group/cisspbr-sp Risk Analysis • Risk Analysis is a method of identifying risks and assessing the possible damage that could be caused in order to justify security safeguards. • Risk management addresses 3 fundamental questions: – What can be done? (risk mitigation) – How much will it cost? – Is it cost-effective?
  • 10. CISSP SP Grupo de estudos de São Paulo - 2006 http://br.groups.yahoo.com/group/cisspbr-sp Risk Analysis • Quantitative risk analysis: – Assign indenpendently objective numeric numbers • Estimate value of assets to be protected. • Identify each threat and corresponding risk • Estimate loss potential of each risk • Estimate possible frequency of threat – Recognize and recommend remedial measures – “fact-based”
Risk Analysis
• Qualitative risk analysis:
– Walk through different scenarios and rank threats or the sensitivity of assets.
– Techniques include judgement, intuition and experience.
• Some methods are Delphi, brainstorming, storyboarding, focus groups, surveys, questionnaires, one-on-one meetings and interviews.
– "perception-based"
Risk Analysis
• Qualitative - Pros
– Calculations are simple and readily understood and executed
– Not necessary to determine quantitative threat frequency & impact data
– Not necessary to estimate the cost of recommended risk mitigation measures & calculate cost/benefit
– A general indication of the significant areas of risk that should be addressed is provided
• Qualitative - Cons
– Risk assessment & results are essentially subjective in both process & metrics. Use of independently objective metrics is eschewed.
– No effort is made to develop an objective monetary basis for the value of targeted information assets
– No basis is provided for cost/benefit analysis of risk mitigation measures. Only a subjective indication of a problem is given
– It is not possible to track risk management performance objectively when all measures are subjective
Risk Analysis
• Quantitative - Pros
– Assessment & results are based substantially on independently objective processes & metrics. Thus, meaningful statistical analysis is supported
– The value of information (availability, confidentiality & integrity), as expressed in monetary terms with supporting rationale, is better understood. Thus, the basis for expected loss is better understood.
– A credible basis for cost/benefit assessment of risk mitigation measures is provided. Thus, information security budget decision-making is supported
• Quantitative - Cons
– Calculations are complex. If they are not understood or effectively explained, management may mistrust the results of black-box testing
– A substantial amount of information about the target information & its IT environment must be gathered
– There is not yet a standard, independently developed & maintained threat population & frequency knowledge base. Thus, users must rely on the credibility of the vendors who develop & support the automated tools, or perform the research themselves.
Risk Analysis
• Elements of risk metrics:
– Asset value
– Threat frequency
– Threat exposure factor
– Safeguard effectiveness
– Safeguard cost
– Uncertainty
Risk Analysis
• Exposure Factor
– Magnitude of loss or impact on the value of the asset
– Percent (0 to 100%)
• Annualized Rate of Occurrence (ARO)
– The frequency with which a threat is expected to occur
– 50 times in a given year -> ARO = 50.0
• Single Loss Expectancy or Exposure (SLE)
– Monetary loss (impact) for a threatened event
– SLE = Asset value X Exposure Factor
Risk Analysis
• Annualized Loss Expectancy (ALE)
– Establishes the basis for meaningful cost/benefit analysis of risk reduction measures
– ALE = SLE X ARO
– Ex:
• Threat that is expected to occur about once in 10 years (ARO = 1/10)
• Impact for the threat: $ 1.000.000 (SLE)
• ALE = $ 100.000,00
Risk Analysis
• Information Risk Management
– Establish an Information Risk Management Policy
– Establish and fund an IRM team
– Establish IRM methodology & tools
– Identify and measure risk
– Project sizing
Risk Analysis
• Remedies
– Risk Reduction - implementation of controls to alter the risk position
– Risk Transference - get insurance, transfer the cost of a loss to the insurer
– Risk Acceptance - accept the risk, absorb the loss
Risk Analysis
• Example 1 (Official Guide, pg 21)
– Take a look at the risk of fire.
– Assume that the asset value is 1 M$, the exposure factor is 50% and the annualized rate of occurrence is 1/10 (once in 10 years).
– SLE = 1 M$ x 0,5 = $ 500,000
– ALE = SLE x 1/10 = $ 50K
http://urru.org
Risk Analysis
• Example 2 (Harris, Shon; "Security School")
– If the ALE for a specific asset is $78,000, and after implementation of the control the new ALE is $20,000 and the annual cost of the control is $60,000, what is the value of the control to the company?
– Should the control be implemented?
Risk Analysis
• Example 2
– If the ALE for a specific asset is $78,000, and after implementation of the control the new ALE is $20,000 and the annual cost of the control is $60,000, what is the value of the control to the company?
– Should the control be implemented?
Safeguard benefit: $78,000 - $20,000 = $58,000
Value of the countermeasure to the company: $58,000 - $60,000 = -$2,000
– A countermeasure should mitigate the identified risk and be cost-effective!
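The SLE/ALE formulas and the safeguard cost/benefit rule from the risk analysis slides above, carried through in Python as an added example that is not part of the original deck. The Threat and Safeguard records, the function names and the sample asset names are constructions of this example; the numbers reproduce the deck's two worked examples (the fire scenario and the $78,000 / $20,000 / $60,000 control), and the ranking helper generalizes the same arithmetic to a list of threats.

```python
"""Quantitative risk analysis helpers: SLE, ALE and safeguard cost/benefit.

Added example for the risk-analysis slides; the class and function names are
assumptions of this example, not from the deck. Monetary results are rounded
to cents so the floating-point arithmetic matches the slides' figures exactly.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Threat:
    """One threat against one asset, with the three inputs the slides use."""
    name: str
    asset_value: float      # value of the asset at risk, in currency units
    exposure_factor: float  # fraction of the asset value lost per event (0.0 to 1.0)
    aro: float              # annualized rate of occurrence, e.g. 1/10 = once in 10 years

    def __post_init__(self):
        # Reject inputs that would make the later multiplications meaningless.
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError("exposure factor must be between 0 and 1 (0% to 100%)")
        if self.asset_value < 0 or self.aro < 0:
            raise ValueError("asset value and ARO cannot be negative")


@dataclass(frozen=True)
class Safeguard:
    """A candidate control: its yearly cost and the ALE left once it is in place."""
    name: str
    annual_cost: float
    residual_ale: float


def single_loss_expectancy(asset_value, exposure_factor):
    """SLE = asset value x exposure factor: the loss from one occurrence of the threat."""
    return round(asset_value * exposure_factor, 2)


def annualized_loss_expectancy(sle, aro):
    """ALE = SLE x ARO: the expected loss per year from this threat."""
    return round(sle * aro, 2)


def threat_ale(threat):
    """ALE for a Threat record, chaining the two formulas above."""
    sle = single_loss_expectancy(threat.asset_value, threat.exposure_factor)
    return annualized_loss_expectancy(sle, threat.aro)


def safeguard_value(ale_before, ale_after, annual_cost):
    """Value of a control = (ALE before - ALE after) - annual cost of the control.
    A negative result means the control costs more per year than the loss it prevents."""
    return round((ale_before - ale_after) - annual_cost, 2)


def evaluate_safeguard(ale_before, safeguard):
    """Return the cost/benefit figures for one safeguard against a known ALE."""
    benefit = round(ale_before - safeguard.residual_ale, 2)
    value = safeguard_value(ale_before, safeguard.residual_ale, safeguard.annual_cost)
    return {
        "safeguard": safeguard.name,
        "ale_before": ale_before,
        "ale_after": safeguard.residual_ale,
        "annual_benefit": benefit,
        "annual_cost": safeguard.annual_cost,
        "value": value,
        # The slides' rule: the control must be cost-effective, i.e. worth more than it costs.
        "cost_effective": value > 0,
    }


def rank_threats(threats):
    """Order threats by ALE, highest first, so the largest expected losses are addressed first."""
    return sorted(threats, key=threat_ale, reverse=True)


if __name__ == "__main__":
    # Constructed sample inputs reproducing the deck's worked examples.
    fire = Threat("fire in data centre", asset_value=1_000_000, exposure_factor=0.5, aro=1 / 10)
    sle = single_loss_expectancy(fire.asset_value, fire.exposure_factor)
    print(f"{fire.name}: SLE={sle:,.0f} ALE={threat_ale(fire):,.0f}")
    control = Safeguard("hypothetical control", annual_cost=60_000, residual_ale=20_000)
    for key, val in evaluate_safeguard(78_000, control).items():
        print(f"  {key}: {val}")
```

Running the module prints the fire scenario (SLE 500,000 and ALE 50,000) and then the second example's figures, ending with cost_effective: False because the $60,000 control buys only $58,000 of reduced expected loss. The ARO is passed as a yearly rate, so "once in 10 years" is 1/10 and "50 times a year" is 50.0, exactly as the slides express it.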
Information Classification
• The primary purpose of data classification is to indicate the level of confidentiality, integrity and availability that is required for each type of information.
• Tools:
– Policy
– Risk Analysis
– Establish classifications
– Establish mechanisms (minimum controls)
Information Classification
• Classifications (example):
Commercial                  Military
Confidential                Top Secret
Private                     Secret
Sensitive                   Confidential
Public                      Sensitive but unclassified
                            Public
Information Classification
• Roles & responsibilities
– Information owner
– Information custodian
– Application owner
– User manager
– Security administrator
– Security analyst
– Change control analyst
– Data analyst
– Solution provider
– End user
Pages 40-44, Official Guide
Data Classification
• Layers of Responsibility:
– Information Owner: Senior management, ultimately responsible for the protection and use of the data. Determines the data classification.
– Information Custodian: Responsible for the maintenance and protection of the data. Usually the IT department. Makes backups, performs restores, etc.
– End User: Any individual who routinely uses the data for work-related purposes. Also considered a "consumer" of the data. Must follow operating procedures and take due care to protect the data.
Security Policy
• Policies, standards, baselines and procedures are key elements in ensuring that personnel understand how to handle specific job tasks.
• Objectives:
– State and clarify goals
– Define duties, responsibilities and authority
– Formalize duties
• Separation of duties
• Rotation of assignments
– Establish standards
– Provide information (communicate management directions)
– Educate users
Separation of Duties
• The principle of separation of duties is that an organization should carefully separate duties, so that the people involved in checking for inappropriate use are not also capable of making such inappropriate use. No person should be responsible for completing a task involving sensitive, valuable or critical information from beginning to end. Likewise, a single person must not be responsible for approving their own work.
• Some examples of things that should be separated are:
– development / production
– security / audit
– accounts payable / accounts receivable
– encryption key management / changing of keys
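The two rules on this slide, that nobody approves their own work and that the four duty pairs listed must not sit with one person, encoded as a check a ticketing or deployment workflow could run before accepting an approval. This is an added example and not part of the original deck: the User record, the function names and the sample users are constructed for the illustration; only the conflicting duty pairs come from the slide.

```python
"""Separation-of-duties checks: conflicting duty pairs and self-approval.

Added example for the separation-of-duties slide. The duty pairs below are the
slide's four examples; the User record, function names and sample users are
assumptions of this example.
"""
from dataclasses import dataclass

# Duties that must never be held by the same person (the slide's list).
# Each pair is a frozenset so that the order of the two duties does not matter.
CONFLICTING_DUTIES = {
    frozenset({"development", "production"}),
    frozenset({"security", "audit"}),
    frozenset({"accounts_payable", "accounts_receivable"}),
    frozenset({"key_management", "key_change"}),
}


@dataclass(frozen=True)
class User:
    """A directory entry: who the person is and which duties they hold."""
    name: str
    roles: frozenset


def role_conflicts(user):
    """Return the conflicting duty pairs one user holds, as sorted tuples for stable output."""
    held = [pair for pair in CONFLICTING_DUTIES if pair <= user.roles]
    return sorted(tuple(sorted(pair)) for pair in held)


def can_approve(requester, approver, required_role):
    """Decide whether `approver` may sign off work submitted by `requester`.

    The approval is refused when the approver is the requester (no self-approval),
    lacks the role the approval step requires, or personally holds a toxic
    combination of duties. Returns (allowed, reason) so the caller can log why.
    """
    if requester.name == approver.name:
        return False, "self-approval is not allowed"
    if required_role not in approver.roles:
        return False, f"approver lacks role {required_role!r}"
    conflicts = role_conflicts(approver)
    if conflicts:
        return False, f"approver holds conflicting duties {conflicts}"
    return True, "ok"


def audit_assignments(users):
    """Review a whole directory and report every user with a toxic duty combination."""
    return {u.name: role_conflicts(u) for u in users if role_conflicts(u)}


if __name__ == "__main__":
    # Constructed sample users.
    alice = User("alice", frozenset({"development"}))
    bob = User("bob", frozenset({"production"}))
    carol = User("carol", frozenset({"development", "production"}))
    print("alice approves own change:", can_approve(alice, alice, "production"))
    print("bob approves alice's change:", can_approve(alice, bob, "production"))
    print("carol approves alice's change:", can_approve(alice, carol, "production"))
    print("directory audit:", audit_assignments([alice, bob, carol]))
```

The audit function is the periodic control: run it over the current role assignments and the result is the list of people whose access already violates the separation the slide calls for, which is usually more useful than catching a single approval at the moment it happens.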
Security Policy
• Security Policy: General statement produced by senior management.
• Standards: Specify a product or mechanism selected for universal use. Usually mandatory activities, actions, rules or regulations.
• Baseline: Mandatory descriptions of how to implement security packages (for each platform).
• Procedures: Detailed step-by-step actions to achieve the tasks necessary for compliance with standards.
• Guidelines: More general statements to provide direction in policy grey areas (controls not covered by procedures). Not mandatory – discretionary recommendations.
Security Policy
• Example:
– Security Policy: "Information Custodians are responsible to provide a safe and secure processing environment (...)".
– Standard: "Custodians of information processing systems must use XXXX anti-viral software to ensure the system is free from destructive software elements (...)".
– Procedure: "All users utilizing XXXX anti-viral software will have anti-viral signature files updated weekly".
– Guideline: "All employees having access to computer systems should attend a training session on the virus threat to understand the risks and damage of a virus infection".
Pages 51-53, Official Guide
Security Awareness Training
• Benefits of Awareness
– Measurable reduction in unauthorized access attempts
– Increased effectiveness of controls
– Helps to avoid fraud and abuse
• Periodic awareness sessions for new employees and refresher sessions for others
Social engineering
• Process of attempting to change people's behavior in a predictable manner
– Successful (or not) attempts to influence a person (or persons) into either revealing information or acting in a manner that would result in unauthorized access to / unauthorized use of / unauthorized disclosure of an information system, a network or data.
Social engineering
• Social engineering attacks:
– Intelligence gathering
– Target selection
– The attack:
• Ego (or vanity) attacks
• Sympathy attacks
• Intimidation attacks
• Protection:
– Physical security
– Logical security
– Administrative security
• Awareness and education
Sources
• Official (ISC)2 Guide to the CISSP Exam
• Ben Rothke, presentation "Security Management Practices" (www.securitydocs.com)
• Derek Prueitt, document "CISSP_KEEP" (www.securitydocs.com)
• JWG, CISSP Study Notes from CISSP Prep Guide (www.securitydocs.com)
• Harris, Shon, Security School (http://searchsecurity.techtarget.com/content/0,290959,sid14_gci1010719,00.html)
• Photos from "The Hitchhiker's Guide To the Galaxy": Yahoo! Movies
• Poster photos: http://www.securityawareness.com
Thank you
Don't panic.
Non-commercial Share Alike (by-nc-sa)
This work is licensed under the Creative Commons Attribution-NonCommercial-ShareAlike 2.5 License. To view a copy of this license, visit http://creativecommons.org/licenses/by-nc-sa/2.5/ or send a letter to Creative Commons, 543 Howard Street, 5th Floor, San Francisco, California, 94105, USA.