Download presentation
Presentation is loading. Please wait.
Published byJeremy Oliver Modified over 9 years ago
1
© 2003 by Carnegie Mellon University page 1 Information Security Risk Evaluation for Colleges and Universities Carol Woody Senior Technical Staff Software Engineering Institute Carnegie Mellon University
2
© 2003 by Carnegie Mellon University page 2 Copyright Statement Copyright Carol Woody 2003. This work is the intellectual property of the author. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to republish requires written permission from the author.
3
© 2003 by Carnegie Mellon University page 3 Objectives Internet Context Security Risk Management Information Security Risk Evaluation using the OCTAVE® Approach
4
© 2003 by Carnegie Mellon University page 4 Internet Context
5
© 2003 by Carnegie Mellon University page 5 The Old ’Net
6
© 2003 by Carnegie Mellon University page 6 The New ’Net Source: http://cm.bell- labs.com/who/ches/map/gallery/index.html
7
© 2003 by Carnegie Mellon University page 7 Unwarranted Trust Address spoofing Viruses & worms Denial of service attacks Packet sniffing Password cracking
8
© 2003 by Carnegie Mellon University page 8 All Sites are Potentially Vulnerable Design Vulnerabilities Implementation Vulnerabilities Configuration Vulnerabilities Resource Vulnerabilities User Vulnerabilities Business Process Vulnerabilities
9
© 2003 by Carnegie Mellon University page 9 Growth in Number of Vulnerabilities Reported to the CERT/CC
10
© 2003 by Carnegie Mellon University page 10 Attack Impact v Intruder Knowledge Source: www.cert.org
11
© 2003 by Carnegie Mellon University page 11 Statistics from IT Security CSI & FBI 2003 Computer Crime and Security Survey 78% of 530 respondents detected Internet security breaches 30% detected internal security breaches
12
© 2003 by Carnegie Mellon University page 12 Statistics from IT Security Likely sources of attack Independent hackers Disgruntled employees (current & former) Competitors Foreign governments & corporations
13
© 2003 by Carnegie Mellon University page 13 Protection Responses Implement effective security practices Fire walls Intrusion detection Encryption and authentication Software upgrades and patching Self-hacking
14
© 2003 by Carnegie Mellon University page 14 Protection is Incomplete Security management requires a plan to recognize, resist, and recover Hackers are running programs on the Internet at all times looking for security holes (technical vulnerabilities). People using the Internet are unaware of the risks (organizational vulnerabilities)
15
© 2003 by Carnegie Mellon University page 15 Selecting Security Practices - 1 What do you need to protect? What will protection failure mean? What vulnerabilities exist in your environment? How much protection can you afford?
16
© 2003 by Carnegie Mellon University page 16 Selecting Security Practices - 2 Technical Vulnerability Management Focus is primarily on technology Led by external experts Driven by software vendor information Accurate for a very limited timeframe
17
© 2003 by Carnegie Mellon University page 17 Selecting Security Practices - 3 Security Risk Management Led by the organization Defines and prioritizes the risks based on organizational goals Includes security issues in the planning, policy and procedures of the organization Considers a wider range of risks
18
© 2003 by Carnegie Mellon University page 18 Security Risk Management
19
© 2003 by Carnegie Mellon University page 19 Risk Management Each organization must “own” its risk. Each organization has a unique set of information security risks. Information security risks can affect an organization’s ability to meet its mission.
20
© 2003 by Carnegie Mellon University page 20 Organizational Gap
21
© 2003 by Carnegie Mellon University page 21 Multiple Perspectives of Security Internal and external participants Information technology (IT) staff Employees Managers Contractors Service providers Partners and collaborators
22
© 2003 by Carnegie Mellon University page 22 Risk Management Regulations Regulations may mandate security risk management: Health Insurance Portability and Accountability Act (HIPAA) for health care organizations Gramm-Leach-Bliley Act for financial organizations
23
© 2003 by Carnegie Mellon University page 23 Risk Aware Culture Information security risks cannot be addressed if they aren’t communicated to and understood by the organization’s decision makers. Everyone must be able to identify and respond to security risks.
24
© 2003 by Carnegie Mellon University page 24 Risk - 1 The possibility of suffering harm or loss Risk consists of an event consequence uncertainty
25
© 2003 by Carnegie Mellon University page 25 Risk - 2 Event Consequence Uncertainty
26
© 2003 by Carnegie Mellon University page 26 Risk - 3 Threat Actor Asset Organizational vulnerabilities Technology vulnerabilities Impact on organization Event Consequence Uncertainty
27
© 2003 by Carnegie Mellon University page 27 Effective Risk Management Effective information security risk management requires: a systematic process experience and expertise information (e.g., risks, lessons learned) a risk-aware culture
28
© 2003 by Carnegie Mellon University page 28 Information Security Risk Management Framework
29
© 2003 by Carnegie Mellon University page 29 The OCTAVE ® Approach Operationally Critical Threat, Asset, and Vulnerability Evaluation SM ® OCTAVE is registered with the U.S. Patent and Trademark Office by Carnegie Mellon University SM Operationally Critical Threat, Asset, and Vulnerability Evaluation is a service mark of Carnegie Mellon University.
30
© 2003 by Carnegie Mellon University page 30 Establish a Shared Risk Language
31
© 2003 by Carnegie Mellon University page 31 OCTAVE Approach Use OCTAVE to identify, analyze, and plan security risk management.
32
© 2003 by Carnegie Mellon University page 32 OCTAVE Phases OCTAVE is structured into the following three phases: Phase 1: Build Asset-Based Threat Profiles Phase 2: Identify Infrastructure Vulnerabilities Phase 3: Develop Security Strategy and Plans
33
© 2003 by Carnegie Mellon University page 33
34
© 2003 by Carnegie Mellon University page 34 OCTAVE Analysis Team An interdisciplinary team – consisting of -teaching and administrative staff -information technology staff
35
© 2003 by Carnegie Mellon University page 35 Catalog of Security Practices Security Practice Survey OCTAVE Catalog of Practices Protection Strategy Mitigation Plan
36
© 2003 by Carnegie Mellon University page 36 Catalog Structure
37
© 2003 by Carnegie Mellon University page 37 Strategic Practice Areas
38
© 2003 by Carnegie Mellon University page 38 System and Network Management System Administration Tools Monitoring and Auditing IT Security Authentication and Authorization Vulnerability Management Encryption Security Architecture and Design Incident Management General Staff Practices Physical Security Plans and Procedures Physical Access Control Monitoring and Auditing Physical Security Operational Practice Areas
39
© 2003 by Carnegie Mellon University page 39 Outputs of the OCTAVE Approach Defines organizational direction Plans designed to reduce risk Near-term action items Protection Strategy Mitigation Plan Action List
40
© 2003 by Carnegie Mellon University page 40 OCTAVE Method Focused on large-scale (300 or more employees) or complex organizations A systematic, context-sensitive method for use across the organization, involving multiple organizational levels and IT Uses open-ended “essay” worksheets for information collection Requires moderate level of security expertise
41
© 2003 by Carnegie Mellon University page 41 OCTAVE-S Focused on small (less than 100 employees) or simple organizations Requires analysis team to have a full, or nearly full, understanding of the organization and what is important Uses “fill-in-the-blank” worksheets in a structured process Requires less security expertise
42
© 2003 by Carnegie Mellon University page 42 Key Selection Question - 1 Does the analysis team (i.e., 3-5 people) have sufficient insight into the organization to characterize the information security risks affecting the organization?
43
© 2003 by Carnegie Mellon University page 43 Key Selection Question - 2 Does the organization have the capability (security expertise) to conduct the Phase 2 vulnerability evaluation?
44
© 2003 by Carnegie Mellon University page 44
45
© 2003 by Carnegie Mellon University page 45 OCTAVE Information Visit http://www.cert.org/octave Introduction to the OCTAVE® Approach OCTAVE® Method Implementation Guide OCTAVE®-S (preliminary version)
46
© 2003 by Carnegie Mellon University page 46 Additional Options OCTAVE® Transition Partners: licensed to train and assist organizations in using the OCTAVE Approach Book: Managing Information Security Risks: The OCTAVE SM Approach Public Training at the SEI http://www.sei.cmu.edu/products/courses/
47
© 2003 by Carnegie Mellon University page 47 Questions?
Similar presentations
© 2024 SlidePlayer.com. Inc.
All rights reserved.