
Security management: risks, controls and incidents


Slides for an overview lecture explaining how risk management and controls are the route to explaining why information security matters to business. Plus a bonus discussion of why incident handling is no longer optional.



  1. Security Management: Risks, controls and incidents
     Peter Cruickshank, School of Computing, Edinburgh Napier University
  2. What is security?
     Mordac the preventer of information (© Dilbert.com, http://dilbert.com/search_results?terms=Mordac+The+Preventer)
     Security management: risks, controls and incidents
  3. Background
     Over a generation, internetworked systems, particularly the Internet, have gone from the specialized realm of government and academia to being a substantial part (the basis?) of our business and personal lives. Enterprises maintain web sites, email, e-commerce and collaboration tools that are all connected to the Internet. Online banking, bill paying and shopping have made online financial transactions common. Individuals have smartphones, tablets and a myriad of other devices that are always “online.”
  4. The context
     Nested layers: computer systems, within the computer environment, within the business and application environment, within the socio-economic-legal environment
  5. In a graph
     (diagram, © 2014 ISACA; 2016?)
  6. Information Security: Attributes
     • Confidentiality: authorised access only; protecting privacy
     • Integrity: of data and of the system; protection from accidental or deliberate (malicious) modification
     • Availability: …for legitimate users; DDoS attacks – prevention & recovery
     • Authentication: who are you – supports non-deniability
     • Authorization: what can you do?
     • Auditing: effective auditing and logging is the key to non-repudiation
  7. Aim of the lecture
     Series of 6 lectures and tutorials; coursework assignment; exam questions
     This lecture:
     • Discusses issues around threats and their risk management
     • Covers incident handling (a particular form of risk mitigation)
     • Explains the relationship of risks to controls
  8. Risk management
     How do you prioritise your work? How do you know what’s important?
  9. The security balance
     • Security: complex passwords are secure; encryption protects assets
     • Access: complex passwords prevent access; encryption slows things down
     • Risk: technology is not enough; controls often conflict with usability and business objectives
  10. Risk is ... let’s start with Wikipedia:
     • The potential that a chosen (in)action will lead to a loss [or a gain]
     • Implies that a choice having an influence on the outcome exists (or existed)
     • Potential losses themselves may also be called “risks”
     • Almost any human endeavour carries some risk, but some are much more risky than others.
  11. Sources of risk
     • Processes: events related to business operations
     • People: employee errors or misdeeds; non-employees
     • Systems: technology failure
     • External events: outside factors threatening operations
     Example: a fire destroying the IT system and causing disruption to the business: external event (fire) → systems (unavailable) → processes (disrupted). Or in combination.
  12. Risk management
     Risk identification & assessment; risk control; risk response
  13. Risk Control Strategies
     Avoidance; transference; mitigation; acceptance
  14. Risk: let’s look at the basics
  15. Risk is
     • The likelihood of the occurrence of a vulnerability
     • × multiplied by the value of the information asset (or, the impact of the loss)
  16. Risk assessment: Likelihood
     • Expressed as fraction or %age
     • May be known (eg actuarial tables)
     • May need judgement (document the process)
     • Often reduced to High, Medium or Low
  17. Risk assessment: Value (impact of loss)
     • Normally focuses on potential loss
     • It’s most straightforward to gather
     • Can be combined up the hierarchy
     • eg loss of HR for a week may have high value to them, but the organisation will be able to carry on for a while… (so long as payroll is OK)
  18. Identify vulnerabilities
     All threats × all assets → vulnerabilities, recorded in a TVA (threats, vulnerabilities & assets) worksheet
  19. Risk assessment: TVA worksheet extract
     Asset                              | Impact | Vulnerability                             | Likelihood | Risk Rating
     Customer service request via email | 55     | Disruption due to hardware failure        | 0.04       | 2.2
                                        |        | Disruption due to software failure        | 0.3        | 16.5
     Customer order received by SSL     | 100    | Lost order due to server hardware failure | 0.05       | 5
                                        |        | Lost order due to ISP failure             | 0.1        | 10
  20. Risk according to OWASP¹
     Risk = Likelihood × Impact
     • Likelihood – Threat agent: skill, motive, opportunity, capacity (resources, size); Vulnerability: ease of discovery, ease of exploit, awareness, detection if exploited
     • Impact – Technical: loss of C, I, A; OR Business: financial, reputational, compliance, privacy
     ¹ https://www.owasp.org/index.php/OWASP_Risk_Rating_Methodology
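Slide 20 only names the factors; the OWASP Risk Rating Methodology linked from it rates each factor 0 to 9, averages the eight likelihood factors and the four impact factors separately, bands each average (0 to <3 LOW, 3 to <6 MEDIUM, 6 to 9 HIGH) and combines the two bands into an overall severity. The following is an added worked example of that arithmetic, not code from the lecture or from OWASP; the factor ratings are constructed, and where the slide's factor names differ from OWASP's (capacity/resources vs size, detection if exploited vs intrusion detection, and OWASP's fourth technical factor, accountability) the code uses OWASP's names.

```python
"""Added example: computing an OWASP-style risk rating from 0-9 factor scores."""

# Likelihood factors: threat agent (first four) and vulnerability (last four), per slide 20 / OWASP.
LIKELIHOOD_FACTORS = (
    "skill", "motive", "opportunity", "size",
    "ease_of_discovery", "ease_of_exploit", "awareness", "intrusion_detection",
)
# Impact factors: the slide's "loss of C, I, A" plus OWASP's accountability, or the business set.
TECHNICAL_IMPACT = ("confidentiality", "integrity", "availability", "accountability")
BUSINESS_IMPACT = ("financial", "reputational", "compliance", "privacy")


def level(score: float) -> str:
    """OWASP bands: 0 to <3 LOW, 3 to <6 MEDIUM, 6 to 9 HIGH."""
    if score < 3:
        return "LOW"
    if score < 6:
        return "MEDIUM"
    return "HIGH"


# Overall severity from the OWASP matrix, keyed by (likelihood level, impact level).
SEVERITY = {
    ("LOW", "LOW"): "Note",      ("MEDIUM", "LOW"): "Low",       ("HIGH", "LOW"): "Medium",
    ("LOW", "MEDIUM"): "Low",    ("MEDIUM", "MEDIUM"): "Medium", ("HIGH", "MEDIUM"): "High",
    ("LOW", "HIGH"): "Medium",   ("MEDIUM", "HIGH"): "High",     ("HIGH", "HIGH"): "Critical",
}


def average(factors: dict, names: tuple) -> float:
    """Mean of the named factors; refuses incomplete or out-of-range ratings rather than guessing."""
    missing = [n for n in names if n not in factors]
    if missing:
        raise ValueError(f"missing factors: {missing}")
    out_of_range = [n for n in names if not 0 <= factors[n] <= 9]
    if out_of_range:
        raise ValueError(f"factors must be rated 0-9: {out_of_range}")
    return sum(factors[n] for n in names) / len(names)


def rate(likelihood: dict, impact: dict, impact_kind: str = "technical") -> dict:
    """Full rating: averaged likelihood and impact, their bands, and the overall severity."""
    names = TECHNICAL_IMPACT if impact_kind == "technical" else BUSINESS_IMPACT
    lik = average(likelihood, LIKELIHOOD_FACTORS)
    imp = average(impact, names)
    return {
        "likelihood": lik, "likelihood_level": level(lik),
        "impact": imp, "impact_level": level(imp),
        "severity": SEVERITY[(level(lik), level(imp))],
    }


# Constructed ratings for a hypothetical web application flaw found in code review.
EXAMPLE_LIKELIHOOD = {
    "skill": 5, "motive": 2, "opportunity": 7, "size": 1,
    "ease_of_discovery": 3, "ease_of_exploit": 6, "awareness": 9, "intrusion_detection": 2,
}
EXAMPLE_TECHNICAL = {"confidentiality": 9, "integrity": 7, "availability": 5, "accountability": 8}
EXAMPLE_BUSINESS = {"financial": 1, "reputational": 2, "compliance": 1, "privacy": 5}

if __name__ == "__main__":
    for kind, impact in (("technical", EXAMPLE_TECHNICAL), ("business", EXAMPLE_BUSINESS)):
        r = rate(EXAMPLE_LIKELIHOOD, impact, kind)
        print(f"{kind:9} likelihood {r['likelihood']:.3f} ({r['likelihood_level']}) "
              f"impact {r['impact']:.2f} ({r['impact_level']}) -> {r['severity']}")
```

Running it shows why the slide offers the "OR": with the same likelihood, the technical impact rates the issue High while the business impact rates it Low. OWASP's advice is to prefer the business figures when the people who understand the business can supply them, which is exactly the "value to them vs value to the organisation" point made on slide 17.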
  21. Risk management
     Steps that enterprises should perform when implementing (information security) steps and measures:
     • Choose a risk posture
     • Analyse impact of threats: business impacts and other, non-financial impacts
     • Identify and analyse risks
     • Determine risk treatment
     • Determine security strategy options based on risk profile
  22. (image: bolted and barricaded door behind an empty K-Mart, http://thegreatgildersleeve.tumblr.com/post/708013469/bolted-and-barricaded-door-behind-empty-k-mart)
  23. Risk Control: Risk appetite
     • The goal is not risk elimination
     • It is risk minimisation
     • What costs can you bear?
     • What impact has risk control on your business?
     • At what point are you prevented from doing anything?
     • Leaving the organisation with residual risk
     Aim: reduce residual risk to match risk appetite
  24. Choose a risk posture (this is also known as ‘Risk Appetite’)
     • Minimalist: reduce actions and investment to a minimum; comparatively high level of residual risk.
     • Balanced: comprehensive security investment; moderate level of residual risk.
     • Conservative: aim for a precautionary, comparatively high, investment; little or no tolerance for residual risk.
  25. Threats
     (image: http://www.justsaypictures.com/verbal-threat.html)
  26. Threat actors: categorisation
     • Location – Internal: staff, contractors (should they be internal?); External: business partner, regulator, competitor & their governments
     • Motivation: friendly … hostile
     • Capability & expertise: script kiddies … GCHQ, the NSA, the PLA
  27. Building a risk scenario
     • Actor: internal; external
     • Threat type: malicious; accidental / error; failure / nature; external requirement
     • Event: disclosure; interruption; modification; theft; destruction; ineffective design/execution; new rules; inappropriate use
     • Asset / resource: people & skills; organisation structures; process; facilities; IT infrastructure; information; application
     • Time: duration; criticality; time to detection; time lag to respond
     Scenario-based approaches are sometimes preferred over ‘pure’ risk catalogues
  28. Analyse Business Impact
     • What could go wrong?
     • How would it affect the business? Discard if impact is negligible
     • Judge likelihoods: discard if unlikely
     • Plan for what’s left
  29. Analyse Business Impact (diagram)
  30. Risk is (therefore)
     • The likelihood of the occurrence of a vulnerability
     • × multiplied by the value of the information asset
     • − minus the percentage of the risk mitigated by current controls
     • + plus the uncertainty of current knowledge of the vulnerability
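The worksheet on slide 19 applies the slide-15 formula (likelihood × impact), and slide 30 extends it with a deduction for current controls and an allowance for uncertainty; slides 23 and 24 then ask whether what is left matches the risk appetite. The following is an added example, not code from the lecture, that carries those four rows through both formulas and ranks them against an appetite threshold. It assumes, following the Whitman & Mattord convention the reference slide points to, that the mitigation and uncertainty percentages are both taken of the base likelihood × impact figure; the mitigation, uncertainty and appetite values are constructed for the example.

```python
"""Added example: TVA worksheet risk ratings, residual risk and risk appetite."""
from dataclasses import dataclass


@dataclass
class TvaRow:
    """One line of a TVA worksheet (slide 19), extended with the two slide-30 terms."""
    asset: str
    impact: float              # value of the asset / impact of its loss (slide 17)
    vulnerability: str
    likelihood: float          # probability of the vulnerability being exercised (slide 16)
    mitigated: float = 0.0     # fraction of the risk removed by current controls (slide 30)
    uncertainty: float = 0.0   # allowance for gaps in our knowledge of the vulnerability (slide 30)


def base_risk(row: TvaRow) -> float:
    """Slide 15 and the worksheet's 'Risk Rating' column: likelihood x impact."""
    return round(row.likelihood * row.impact, 2)


def residual_risk(row: TvaRow) -> float:
    """Slide 30: likelihood x impact, minus the share mitigated by current controls,
    plus the uncertainty allowance. Assumption: both percentages are taken of the
    base likelihood x impact figure, so the result is base * (1 - mitigated + uncertainty)."""
    base = row.likelihood * row.impact
    return round(base - base * row.mitigated + base * row.uncertainty, 2)


# The four rows of the slide-19 extract; mitigation and uncertainty are constructed for this example.
WORKSHEET = [
    TvaRow("Customer service request via email", 55, "Disruption due to hardware failure", 0.04),
    TvaRow("Customer service request via email", 55, "Disruption due to software failure", 0.3,
           mitigated=0.5, uncertainty=0.2),
    TvaRow("Customer order received by SSL", 100, "Lost order due to server hardware failure", 0.05,
           mitigated=0.2, uncertainty=0.1),
    TvaRow("Customer order received by SSL", 100, "Lost order due to ISP failure", 0.1,
           mitigated=0.3, uncertainty=0.1),
]


def rank(rows):
    """Highest residual risk first: the order in which to spend control effort (slide 8)."""
    return sorted(rows, key=residual_risk, reverse=True)


def above_appetite(rows, appetite: float):
    """Rows whose residual risk still exceeds the chosen risk appetite (slides 23 and 24)."""
    return [r for r in rows if residual_risk(r) > appetite]


if __name__ == "__main__":
    APPETITE = 5.0  # constructed threshold standing in for a 'balanced' posture
    print(f"{'Vulnerability':42} {'Base':>6} {'Residual':>9}")
    for row in rank(WORKSHEET):
        flag = "  > appetite" if residual_risk(row) > APPETITE else ""
        print(f"{row.vulnerability:42} {base_risk(row):6.2f} {residual_risk(row):9.2f}{flag}")
```

The base column reproduces the worksheet (2.2, 16.5, 5, 10); the residual column is what the controls review on slide 39 should be revisiting, since a control that is not operated consistently (slide 37) contributes nothing to the `mitigated` term.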
  31. Risk analysis cycle
     Stages in the cycle: asset identification & valuation; threat assessment; countermeasures; vulnerability assessment; risk assessment; control evaluation; residual risk; action plan; review
     Source: ITGI IT Governance Implementation Guide, 2nd ed, 2007
  32. Risk management concepts
     • Risk identification & assessment: inventory; classification; threat identification
     • Risk control: risk avoidance; reduce and mitigate (risk reduction, risk transfer, risk sharing); risk retention
     • Risk response: incident handling; disaster recovery
  33. Back to controls
  34. Controls
     Control activities are: actions, supported by policies and procedures that, when carried out properly and in a timely manner, manage or reduce risks.
  35. Controls
     Prevent controls
     • Preventive controls attempt to deter or prevent undesirable events from occurring.
     • They are proactive controls that help to prevent a loss.
     • Examples of preventive controls are separation of duties, proper authorisation, adequate documentation, and physical control over assets.
     Detect controls
     • Detective controls, on the other hand, attempt to detect undesirable acts.
     • They provide evidence that a loss has occurred but do not prevent a loss from occurring.
     • Examples of detective controls are reviews, analyses, variance analyses, reconciliations, physical inventories, and audits.
     These examples are from general business: can you think of the equivalent in information systems?
  36. Controls
     • Both types of controls are essential to an effective internal control system
     • From a quality standpoint, preventive controls are essential because they are proactive and emphasize quality
     • However, detective/corrective controls play a critical role in providing evidence that the preventive controls are functioning and preventing losses
  37. Controls and audit: Key facts
     • Controls are an expense
     • Controls that aren’t consistently used are no good
     • An audit is basically a check that the controls are well designed (and cost effective) and have been operated consistently & correctly
  38. Controls: Take 10
     A grid of control type (prevent / detect / recover-mitigate) against domain (people / process / technology / physical). Think of one IT-related control to go in each box.
  39. Risk assessment: Effect of controls
     • Current controls mitigate the threat
     • Possible controls can be identified
     • Different types of control, eg access control: role-based, task-based
     The same grid (prevent / detect / recover-mitigate against people / process / tech), with a tick in each box where a control exists, is one way of reviewing how you are controlling a risk in depth
  40. Incident response
  41. Context: Resilience
     • In the traditional sense, ‘resilience’ means the ability of a material to revert to its original shape after it has been deformed.
     • In information security (and in business continuity), resilience describes the ability of an enterprise to recover from and absorb external shocks or events and their internal impacts.
     • Incident handling is a type of risk mitigation
  42. Business impact analysis
     • Results of business impact analysis (BIA) and risk assessment: specific risks and scenarios, threats and vulnerabilities analysis, etc.; clustered (aggregated) risk; potential impacts and strategic options (with residual risk)
     • Key technologies: cloud, network interconnections, supervisory control and data acquisition (SCADA) and other industrial control systems. The focus is: what if they fail?
  43. Incident strategy: two aspects
     • Knowing what to do: incident reporting; policies, reporting lines, authorities, etc.
     • Testing it: participation in & integration with exercises (EU / national / industry wide)
  44. Not all events are incidents
     • Distinguish between events and incidents.
     • NIST defines an event as “any observable occurrence in a network or system.” This includes normal network operations, such as connections to servers, email transactions and database updates.
     • A computer security incident is “a violation or imminent threat of violation of computer security policies, acceptable use policies, or standard security practices.”
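The event/incident distinction on slide 44 is what an incident handler's triage step actually implements: every log line is an event, and only the ones that violate a policy, or signal an imminent threat of a violation, are escalated. The following added example, not part of the lecture, runs that distinction over a handful of constructed log lines against a constructed policy (a payroll share that only an `hr-admin` account may read, and a failed-login threshold); the log format, the policy and the threshold are all assumptions made for the example.

```python
"""Added example: separating NIST 'events' from 'incidents' in a small log sample."""
import re
from collections import Counter

# Constructed log lines for the example; format is "<timestamp> <category> key=value ...".
SAMPLE_LOG = """\
2024-05-01T09:00:01 auth user=alice src=10.0.0.5 result=success
2024-05-01T09:00:07 db table=orders op=update rows=3 user=app
2024-05-01T09:01:10 auth user=root src=203.0.113.9 result=failure
2024-05-01T09:01:12 auth user=root src=203.0.113.9 result=failure
2024-05-01T09:01:15 auth user=root src=203.0.113.9 result=failure
2024-05-01T09:01:17 auth user=root src=203.0.113.9 result=failure
2024-05-01T09:01:20 auth user=root src=203.0.113.9 result=failure
2024-05-01T09:03:00 fileshare path=/finance/payroll/2024.xlsx user=bob result=success
2024-05-01T09:04:00 mail to=customer@example.com status=sent
""".splitlines()

KV = re.compile(r"(\w+)=(\S+)")


def parse(line: str) -> dict:
    """Split a line into timestamp, category and its key=value fields."""
    ts, category, rest = line.split(" ", 2)
    rec = {"ts": ts, "category": category}
    rec.update(KV.findall(rest))
    return rec


# Constructed policy: only HR administrators may open the payroll share, and five
# failed logins from one source are treated as an imminent threat of a violation.
PAYROLL_READERS = {"hr-admin"}
FAILED_LOGIN_THRESHOLD = 5


def triage(lines) -> dict:
    """Every line is an event (NIST: any observable occurrence). Only lines that
    violate the acceptable-use policy, or that reach the failed-login threshold,
    are recorded as incidents; normal logins, database updates and mail stay events."""
    incidents = []
    failures = Counter()
    for line in lines:
        rec = parse(line)
        if (rec["category"] == "fileshare"
                and rec.get("path", "").startswith("/finance/payroll/")
                and rec.get("user") not in PAYROLL_READERS):
            incidents.append(("acceptable-use violation", line))
        elif rec["category"] == "auth" and rec.get("result") == "failure":
            failures[rec["src"]] += 1
            if failures[rec["src"]] == FAILED_LOGIN_THRESHOLD:
                incidents.append(("imminent threat",
                                  f"{FAILED_LOGIN_THRESHOLD} failed logins from {rec['src']}"))
    return {"events": len(lines), "incidents": incidents}


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    print(f"{result['events']} events, {len(result['incidents'])} incidents")
    for kind, detail in result["incidents"]:
        print(f"  {kind}: {detail}")
```

Nine events go in and two incidents come out: the repeated root failures become an incident only when the threshold is reached (the "imminent threat" half of the NIST definition), and Bob's read of the payroll share is an incident because the policy says so, not because anything failed. That second case is the detective control of slide 35 in miniature: it produces evidence that a loss may have occurred without having prevented it, which is why the preparation phase on slide 46 has to decide in advance who is told and what they are authorised to do.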
  45. Incident response
     • Despite an organisation’s best efforts, attackers are sometimes successful. When this happens, an incident occurs.
     • When incidents occur, it is essential to have a plan in place to handle them: that is the purpose of incident response.
     • Terminology: the people trained to deal with incidents are called incident handlers; they are part of an incident response team.
  46. Incident response phases
     Preparation → Detection & analysis → Containment, eradication, recovery → Post-incident activity
     • Preparation to establish roles, responsibilities and plans for how an incident will be handled
     • Detection and analysis capabilities to identify incidents as early as possible and effectively assess the nature of the incident
     • Investigation capability if identifying an adversary is required
     • Mitigation and recovery procedures to contain the incident, reduce losses and return operations to normal
     • Post-incident analysis to determine corrective actions to prevent similar incidents in the future
  47. Conclusion
     Today, we have covered:
     • The principles of risk management
     • How risks and controls relate
     • An outline of an incident handling plan
  48. Final thought: What is security?
     “If we make security trade-offs based on the feeling of security rather than the reality, we choose security that makes us feel more secure over security that actually makes us more secure. And that’s what governments, companies, family members, and everyone else provide. Of course, there are two ways to make people feel more secure. The first is to make people actually more secure, and hope they notice. The second is to make people feel more secure without making them actually more secure, and hope they don’t notice. The key here is whether we notice. The feeling and reality of security tend to converge when we take notice, and diverge when we don’t. People notice when 1) there are enough positive and negative examples to draw a conclusion, and 2) there isn’t too much emotion clouding the issue.”
     Schneier 2008, ‘The feeling and the reality of security’
  49. …Watch for security theatre, that is…
  50. Thank you
     Peter Cruickshank, Lecturer in Information Systems, School of Computing, Edinburgh Napier University
     @spartakan | p.cruickshank@napier.ac.uk
  51. Sources and references
     A good general source on this material is Whitman & Mattord’s Management of Information Security (many editions).
     Some of the material in this lecture is sourced from the following ISACA documents:
     • Cybersecurity Student Book (2014)
     • European Cybersecurity Implementation: Overview (2014)
