The CIA triad
Confidentiality:Protection of organizational data from unauthorize disclosure
Integrity: Assurance that data have not been altered (i.e., that data hasn’t lost its accuracy or validity)
Availability: Protection against disruption, destruction and disasters (also referred to as business continuity)
Security Threats Types:
– Threats to business continuity: Disruption, destruction and disaster
* Loss or reduction in network service caused by viruses, hardware/software malfunctioning, natural or manmade disasters, etc.
* Can lead to destruction of data
– Threats to confidentiality: unauthorized access (i.e., intrusion by hackers [from outside the organization] or rogue employees [from inside the organization])
Controls are mechanisms that reduce/eliminate security threats and categorized as:
– Preventive controls stop a threat from occurring (Ex: passwords)
– Detective controls reveal unwanted events (Ex: auditing software)
– Corrective controls rectify an unwanted event (Ex: restoring an IS after a fire)
**“Security in layers” **means all three types of control should be combined in order to 1) prevent unwanted events from happing, 2) detect them when they couldn’t be prevented and 3) recover from them when the “damage is done”
- Controls must be periodically reviewed by external auditors to ensure that:
– They are operating effectively
– They are updated/replaced when needed
Risk Assessment
- Key process in developing a secure network by analyzing and prioritizing security risks to IT assets
Three common risk assessment frameworks (or methods):
– Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE)
– Control Objectives for Information and Related Technology (COBIT)
– Risk Management Guide for Information Technology Systems (NIST guide)
Risk Assessment steps
- Develop risk measurement criteria
- Inventory IT assets
- Identify threats
- Document existing controls
- Identify improvements
Develop Risk Measurement Criteria
Context: Security must first focus on IT assets with highest risk score
– A definition: Risk = Exposure to danger
– Risk Score = Priority (or likelihood) score X Impact score (“all relative”, see Slide #10)
To calculate Impact score, business managers assess how risk impacts the organization:
– They consider 4 key impact areas (see table below)
– They prioritize each impact area: 3 levels (see table below)
– They operationalize (i.e., measure the effect of) each impact level by area
Step 2: Inventory IT assets
* IT managers and Business managers must:
– Identify all organization’s IT assets (Fig. 11-2: Type of assets)
– Document and rank the importance of each asset for the organization:
* Note:Mission-criticalapplicationsanddataarethemostimportant
* Ranking must be based on answer to questions such as “what happens if
this IT asset’s C or I or A were compromised?
Illustration: Fig. 11-3 summarizes for each IT asset: – Its description and owner(s)
– Its importance (High, Medium, Low)
– Applicable security requirements (CIA)
Step 3: Identify Threats
- Threat: Any potential event that can do harm, interrupt an IS (or other components on the network) or cause a monetary loss to the organization
- IT manager must:
– Identify the threats (Can use threats and likelihood summarized in Fig. 11-4)
– Create for EACH IT asset a threat scenario that describes how that asset can be compromised by a one specific threat (therefore, it is common to have more than one threat scenario for each IT asset)
– Each threat scenario must include (1) the name of IT asset, (2) its importance, (3) the threat, (4) its likehood of occurrence, (5) the potential consequences of threat and a Risk Score used to quantify the impact and likelihood of occurrence and (6) content related to applied controls generated in Step 4 (see below and next slides)
- Illustration: See next slide or Fig. 11-5 and 11-6
– Part in white background illustrates Step 1, 2 and 3 of the risk assessment – Part in grey background illustrates Step 4 of the risk assessment
Step 4: Document existing controls
- For each threat scenario, IT manager must:
– Determine the risk control strategy: 4 options - Risk acceptance: Take no actions for risks that have low impacts
- Risk mitigation: Use of control to remove or reduce impact of threat
- Risk sharing: Transfer all or part of impact (through insurance or outsourcing)
- Risk deferring: Take no action while collecting more information about threat and risk (for non-imminent risks)
– Identify controls needed when risk control strategy is risk mitigation or risk sharing
– Document applied controls and assess their overall adequacy. Assessment can use High/Medium/Low or a letter grade, etc. - High adequacy: Control is expected to be highly effective in addressing related risk
- Medium adequacy: Some improvements are possible
- Low adequacy: Improvements are needed
- Illustration: See previous slide or Fig. 11-5 and 11-6
– Part in grey background illustrates Step 4 of the risk assessment
Step 5: Identify improvements
- This step is performed by external auditors (see 11-2 p. 297)
- They evaluate adequacy of (1) the controls and (2) degree of
risk associated with each threat - They establish priorities for their review of threat scenarios:
– First focus is on threat scenarios with highest risk scores to make sure (1) the related control adequacy is at least medium and (2) the existing controls are effective and (3) eventually recommend additional controls
– Second focus is on threat scenarios where mitigation controls have low adequacy to make sure these are all low–risk scores, otherwise new controls must be considered
Key controls for business continuity
- Antiviruses
- Traffic anomaly detector and traffic anomaly analyzer protect against Denial of Service (DoS or DDoS) attacks that prevent normal access to servers
- Physical security (i.e., using locked doors, security cables, camera, etc.) and training provide theft protection
- Protection against device failure(all devices fail eventually)
– Solution for failing component: Redundancy in the network (e.g., BBN), use of fault-tolerant servers (i.e., servers with redundant components), RAID storage technology, cluster/server farms, backup servers, etc.
– Solution for power interruption: Uninterruptible power supplies (UPS) allowing IS to operate while battery lasts and shut down properly - Protection against disaster (against hurricane, flood, fire, arson etc.)
– Solution 1: Disaster avoidance i.e., storing critical data in multiple locations
and avoiding locations prone to flood (basements) or natural disasters
– Solution 2: Disaster Recovery Plan (DRP) i.e., clear plan that (1) identifies responses to different types of disasters, (2) provides recovery of data, applications and network and (3) specifies the backup and recovery controls. DRPs can be outsourced to disaster recovery firms
Key Controls for intrusion Protection
- Security policy
- Perimeter security and firewalls
- Server and client protection
- Encryption
- User authentication
- Preventing social engineering
- Intrusion Protection Systems (IPS): Software/Hardware package designed to detect an intrusion and take action to stop it
- Intrusion recovery: – When an intrusion is detected, the first step is to identify how intruder gained
unauthorized access and prevent others from breaking in the same way
Best practice recommendations
- Good security starts with:
– A clear DRP
– A solid security policy
– User training - Commonly used security controls are antivirus software, firewalls, backups, encryption (applied to data transmission and data storage), IPS and two-factor authentication
- Future trends:
– Strong centralized desktop management: thin clients (1) not permitting changes in settings and download of external software and (2) allowing centralized install of up- to-date security patches
– Continuous content filtering using firewalls and IPS
– More encryption
