Date posted: 20-Dec-2015
Need of Enterprise-Wide Information Assurance Planning
COEN 250, Fall 2007, T. Schwarz, S.J.
First Perspective: Reactive / Intruder Based
Long-term attack trends:
  The amount of time for new attacks to emerge is declining:
    Melissa (1999) took days to spread
    Love Letter (2000), Code Red (2001), Nimda (2001): hours
    Slammer (2003), Blaster (2003): minutes
First Perspective: Reactive / Intruder Based
  [Chart: CERT cataloged vulnerabilities per year, 1995 to 2006 (vertical axis 0 to 9000)]
First Perspective: Reactive / Intruder Based
Long-term attack trends:
  Increase in the number of detected vulnerabilities
  Increased sophistication of attackers
First Perspective: Reactive / Intruder Based
Reactive Security:
  Patch systems after a vulnerability arises
  Only feasible if
    attacks are rare,
    ample warning is given, and
    patches can be installed simply
Second Perspective: Holistic Security
Security is hard to measure:
  Absence of incidents can be the result of
    good security, or
    inability to see incidents
  No accepted metrics for characterizing security
Second Perspective: Holistic Security
Security is expensive:
  Added costs
  Diminished performance
  Inconvenience
Benefits of security are cost avoidance
  Question: Was Y2K just hype, or did the effort pay off?
Second Perspective: Holistic Security
Security incidents are not the main cause of system unavailability (“Who Needs Hackers?”, NY Times, 9/12/07)
  Complex systems break, causing spectacular failures:
    Customs computer failure at LAX, August 2007
    Skype restart login deluge on MS patch day, August 16, 2007
  IDC 2001 Downtime Analysis:
    Malicious events: 3%
    Environmental issues: 19%
    Operator and application errors: 78%
Second Perspective: Holistic Security
Organizations need
  a framework, model, yardstick, roadmap … to
    place and measure themselves (current state)
    compare with others (future state) to decide their desired security state or condition
    choose improvement approaches and a path to reach their desired state
  a coherent, organized community of practitioners and artifacts to help guide their work
Second Perspective: Holistic Security
Current / pending legislation affecting organizational infrastructure management and protection of information:
  Family Educational Rights Privacy Amendment
  Federal Information Security Management Act (FISMA)
  Health Insurance Portability and Accountability Act
  Gramm-Leach-Bliley Act (financial institutions)
  Sarbanes-Oxley (publicly traded institutions)
  Child Online Privacy Protection Act
  Basel II Capital Accord (financial institutions)
  California’s Database Security Breach Notification Act
Second Perspective: Holistic Security
Vulnerability Management:
  Reactive
  Tool driven
  Focused on technology
  Localized decision making, unconnected to business drivers
  Vulnerabilities change daily
Risk Management:
  A link to business drivers
  Focus on critical assets and threats to assets
  Risk identification and prioritization based on threats to assets, vulnerabilities, and impacts
Enterprise Security Management:
  Select, execute, and improve activities to reliably achieve and sustain a desired security state
  Focused on root causes, NOT on symptoms
  Encompasses all organizational practices relevant to security
  [Diagram: Vulnerability Management, Risk Management, and Enterprise Security Management (ESM) plotted along a Time / Complexity axis, each step closer to the Desired State of Security]
Second Perspective: Holistic Security
OCTAVE: Operationally Critical Threat, Asset, and Vulnerability Evaluation (www.cert.org/octave)
  focuses on organizational risks and strategy
Federal Agencies
Information Security Governance
Federal information security practices are governed by laws, regulations, and directives:
  U.S. Congress
  Office of Management and Budget (OMB)
  Standards and implementation guidelines through the National Institute of Standards and Technology (NIST)
  Government Accountability Office (GAO)
Information Security Governance
Federal agency governance requirements:
  Government Performance and Results Act (GPRA), 1993
  Paperwork Reduction Act (PRA) of 1995
  Federal Financial Management Improvement Act (FFMIA) of 1996
  Federal Managers Financial Integrity Act (FMFIA) of 1982
  Clinger-Cohen Act of 1996
    Disciplined capital planning and investment control to acquire, use, maintain, and dispose of IT resources
    Establishes the role of the Chief Information Officer (CIO)
  E-Government Act of 2002
  Federal Information Security Management Act (FISMA)
  OMB Circular A-130, Management of Federal Information Resources, Appendix III, Security of Federal Automated Information Resources
  Homeland Security Presidential Directive 12 (HSPD-12)
Information Security Governance
Key Legislative, Regulatory, and Oversight Roles
Information Security Governance Components
Agencies need to integrate INFOSEC with overall agency structure and activities:
  Strategic planning
  Organization design and development
  Establishment of roles and responsibilities
  Integration with enterprise architecture
  Documentation of security objectives in policies and guidance
Information Security Governance Components
INFOSEC Strategic Planning
  GPRA (Government Performance and Results Act) requires federal agencies to
    prepare a strategic plan for program activities
    prepare an annual performance plan covering each program activity set forth in the budget of such agency
  An INFOSEC strategy should be integrated and provide
    a clear and comprehensive mission, vision, goals, and objectives, and how they relate to the agency mission;
    a high-level plan for achieving information security goals and objectives, with short- and mid-term objectives and performance targets specific to each goal and objective, used throughout the life of the plan to manage progress toward successfully fulfilling the identified objectives; and
    performance measures to continuously monitor accomplishment of identified goals and objectives and their progress toward stated targets.
Information Security Governance Structures
  Centralized
  Decentralized
Security Activities within the Systems Design Life Cycle
Initiation Phase:
  Needs determination
  Security categorization (NIST SP 800-60, FIPS 199)
  Initial description of basic security needs of the system
  Threat environment determination
Security Activities within the Systems Design Life Cycle
Development / Acquisition Phase:
  In-depth study of need
  Develop / incorporate security requirements into specifications
  Analyze functional requirements, including security functional requirements
  Conduct formal risk assessment
Security Activities within the Systems Design Life Cycle
Development / Acquisition Phase (continued):
  Determine costs of information security over the life cycle of the system
  Security planning:
    Document agreed-upon security controls
    Develop system security plan
    Develop necessary documentation
    Develop awareness and training requirements
  Security control development
  Security tests and evaluation
Security Activities within the Systems Design Life Cycle
Implementation Phase:
  Security test and evaluation:
    Develop test data
    Test unit, subsystem, and entire system
    Ensure system undergoes technical evaluation
  Inspection and acceptance
  System integration / installation
  Security certification
Security Activities within the Systems Design Life Cycle
System Implementation (continued):
  Security accreditation:
    Authorization granted by a senior organization official
    Based on verified effectiveness of security controls
Security Activities within the Systems Design Life Cycle
Operations / Maintenance Phase:
  Configuration management and control:
    Adequate consideration of potential security impacts due to changes to the system or environment
    Develop configuration management plan:
      Establish baselines
      Identify configuration
      Describe configuration control process
      Identify schedule for configuration audits
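The "establish baselines" and "configuration audits" steps above, shown as a small worked example added here (not code from the course or from NIST): a baseline records a SHA-256 digest for every file under a configuration root, and a later audit reports which files were added, removed, or modified since the baseline was taken. The file names and contents in demo() are constructed sample data.

```python
import hashlib
import json
import tempfile
from pathlib import Path


def file_digest(path: Path) -> str:
    """SHA-256 of a file's contents, read in 64 KiB chunks."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root) -> dict:
    """Configuration identification: digest of every regular file under root,
    keyed by POSIX-style relative path so the baseline is portable."""
    root_path = Path(root)
    return {p.relative_to(root_path).as_posix(): file_digest(p)
            for p in sorted(root_path.rglob("*")) if p.is_file()}


def audit(root, baseline: dict) -> dict:
    """Configuration audit: compare the live tree with the recorded baseline
    and report drift as added, removed and modified files."""
    current = build_baseline(root)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(f for f in current
                           if f in baseline and current[f] != baseline[f]),
    }


def demo() -> dict:
    """Constructed sample: baseline a tiny config tree, save it outside the
    tree, apply unrecorded changes (which a CM plan would route through a
    change request), then re-audit against the saved baseline."""
    root = Path(tempfile.mkdtemp())
    (root / "etc").mkdir()
    (root / "etc" / "sshd_config").write_text("PermitRootLogin no\n")
    (root / "etc" / "motd").write_text("Authorized use only\n")
    baseline_file = Path(tempfile.mkdtemp()) / "baseline.json"
    baseline_file.write_text(json.dumps(build_baseline(root), indent=2))
    (root / "etc" / "sshd_config").write_text("PermitRootLogin yes\n")  # modified
    (root / "etc" / "motd").unlink()                                    # removed
    (root / "etc" / "rc.local").write_text("/opt/agent/start\n")        # added
    return audit(root, json.loads(baseline_file.read_text()))
```

In practice the baseline file is stored and signed outside the audited system, and the audit runs on the schedule the configuration management plan sets.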
Security Activities within the Systems Design Life Cycle
Continuous Monitoring:
  Monitor security controls
  Perform security audits or other assessments:
    automated tools
    internal control audits
    security checklists
    penetration testing
  Monitor system and/or users:
    review system logs
    review change management
    monitor external sources
    perform periodic reaccreditation
Security Activities within the Systems Design Life Cycle
Disposal Phase:
  Information preservation:
    Determine whether to archive, discard, or destroy information, based on legal requirements / federal records requirements
    Beware of obsolete technology
    Ensure long-term storage of cryptographic keys for encrypted data
  Media sanitization
  Hardware and software disposal