ISSeG Integrated Site Security for Grids WP2 - Methodology


1 ISSeG Integrated Site Security for Grids WP2 - Methodology
Methodology for Site Security Assessment
JSPG Meeting, 27 June 2007
Lionel Cons, CERN
© Members of the ISSeG Collaboration, 27 June 2007

2 Proposed Methodology
(inputs on the left came initially from ISO-17799:2005)

3 Step 1 – Find The Assets
Asset = Anything that has value to the organization [ISO :2004]
Five identified asset categories:
- Organizational (intellectual property rights, public image…)
- Human
- Information / data (administrative, personal, physics…)
- Service (network, authentication, , office…)
- Hardware
These are currently merged with “security requirements”

4 Baseline Assets
Preliminary list of asset types likely to be present everywhere:
- Locally managed PC
- Network
- Backup
- Office servers
- Application servers
- Centralized authentication

5 Specific Assets
Preliminary list of asset types that may be site specific:
- Expensive and/or dangerous equipment
- Provide services across Internet
- Local service
- Exchange confidential data
- Stores confidential information
- High-availability services
- Internal resources available to visitors
- External users
- Centralized backup service

6 Step 2 – Find The Threats
Threat = Potential cause of an incident that may result in harm to a system or organization [ISO :2004 section 2.25]
- A generic list of threats has been compiled
- Around 50 threats identified
- Need to set the relevance of each threat for the given site
- Linked to the role profiles (user / admin / developer / manager) and the asset types

7 Examples of Threats
(Relevance (1) is the site-specific relevance of each threat; only the value for T1 survives on the slide)

Threat Id | Threat description                                                      | Relevance (1)
T1        | Faulty access rights management                                         | 3
T2        | Password compromising                                                   |
T3        | Intrusion by scanning techniques                                        |
T4        | Intrusion (unauthorized network access)                                 |
T5        | Data interception techniques (sniffing/man in the middle attacks,...)   |
T6        | Fraudulent connection (theft of credentials)                            |
T7        | Exploiting software vulnerabilities                                     |
T8        | Fraudulent use of systems (misappropriation…)                           |
T9        | Repudiation (system usage)                                              |
T10       | Repudiation (sending/receiving of data)                                 |
T11       | Saturation of resources (accidental)                                    |
T12       | Saturation of resources (intentional - denial of service)               |
T13       | Software alteration (time bomb, worm, trojan, virus…)                   |
T14       | Theft of mobile equipment or media                                      |
T15       | Propagation of false or misleading information                          |
T16       | Use of insecure/unauthorized software                                   |
T17       | Hardware failure (computer, storage device, network equipment…)         |
T18       | Hardware malfunction                                                    |
T19       | Software malfunction                                                    |
T20       | Network failure (cabling, network device…)                              |

8 Step 3 – Find The Risks
Risk = Combination of the probability of an event and its consequence [based on the ISO standards]
- We focus on threats
- Threats are linked to asset types
  - Need to know the relative importance of the asset types
- Threats are linked to controls (aka mitigation techniques)
  - Need to know how well the controls are applied
- We could look at “best practices” too

9 Examples of Controls (based on ISO 17799)

10 Examples of Controls (based on ISO 17799)

11 Examples of Controls (based on OCTAVE)
1. Security Awareness and Training (Step 3a)
Statement: To what extent is this statement reflected in your organization?
(answers: Very Much / Somewhat / Not At All / Don’t Know)
- Staff members understand their security roles and responsibilities. This is documented and verified.
- There is adequate in-house expertise for all supported services, mechanisms, and technologies (e.g., logging, monitoring, or encryption), including their secure operation. This is documented and verified.
- Security awareness, training, and periodic reminders are provided for all personnel. Staff understanding is documented and conformance is periodically verified.
- Staff members follow good security practice, such as:
  - securing information for which they are responsible
  - not divulging sensitive information to others (resistance to social engineering)
  - having adequate ability to use information technology hardware and software
  - using good password practices
  - understanding and following security policies and regulations
  - recognizing and reporting incidents

12 Step 4 – Find The Countermeasures
- Step 3 gives a prioritized list of threats
  - From threats, we can link to recommendations and best practices
- Step 3 also gives the list of controls that can be improved and have a high impact on the overall security
  - From controls, we can also link to recommendations and best practices
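The following is an added worked example, not part of the ISSeG slides or the project's own tooling, showing how Steps 1 to 4 can be chained: asset types carry a relative importance, threats carry a site relevance and are linked to asset types and controls, and the result is the prioritized threat list and the list of controls whose improvement has the most impact. All importance, relevance and control-application values, the control names and the threat-to-asset/control links are constructed assumptions for illustration.

```python
# Constructed sample data in the shape of the ISSeG steps above: asset types from
# the "Baseline Assets" slide with an assumed importance (1-5), threats from the
# "Examples of Threats" slide with an assumed site relevance (0-3), and assumed
# controls with the fraction to which each is applied at the site (0.0-1.0).
ASSET_IMPORTANCE = {"Centralized authentication": 5, "Network": 4,
                    "Office servers": 3, "Locally managed PC": 2}
CONTROL_APPLIED = {"access rights review": 0.5, "password policy": 0.75,
                   "patch management": 0.3, "antivirus": 1.0}
# threat id -> (description, relevance, linked asset types, linked controls)
THREATS = {
    "T1": ("Faulty access rights management", 3,
           ["Centralized authentication", "Office servers"], ["access rights review"]),
    "T2": ("Password compromising", 2,
           ["Centralized authentication"], ["password policy"]),
    "T7": ("Exploiting software vulnerabilities", 3,
           ["Office servers", "Locally managed PC"], ["patch management", "antivirus"]),
    "T13": ("Software alteration (time bomb, worm, trojan, virus...)", 1,
            ["Locally managed PC"], ["antivirus"]),
    "T17": ("Hardware failure", 0, ["Network"], []),
}

def threat_risk(tid):
    """Step 3: risk = probability x consequence. Consequence is the importance
    of the most valuable asset type the threat touches; probability is the
    site relevance scaled by how poorly the linked controls are applied."""
    _desc, relevance, assets, controls = THREATS[tid]
    if relevance == 0:          # threat judged not relevant for this site
        return 0.0
    consequence = max(ASSET_IMPORTANCE[a] for a in assets)
    applied = sum(CONTROL_APPLIED[c] for c in controls) / len(controls) if controls else 0.0
    return relevance * consequence * (1.0 - applied)

def prioritized_threats():
    """Step 3 output: (threat id, risk) pairs ordered by risk, highest first."""
    return sorted(((tid, threat_risk(tid)) for tid in THREATS),
                  key=lambda t: (-t[1], t[0]))

def controls_to_improve():
    """Step 4 input: incompletely applied controls ranked by the total risk of
    the threats they are linked to, i.e. where improving them has most impact."""
    impact = {}
    for tid, (_d, _r, _a, controls) in THREATS.items():
        for ctl in controls:
            if CONTROL_APPLIED[ctl] < 1.0:
                impact[ctl] = impact.get(ctl, 0.0) + threat_risk(tid)
    return sorted(impact.items(), key=lambda c: (-c[1], c[0]))
```

With the constructed values, T1 (faulty access rights on the authentication service) tops the list and the access rights review is the control whose improvement removes the most risk; a fully applied control such as the antivirus never appears in the improvement list.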

