Security Risks Analysis
Security Risks Analysis
MGMT755

Dr. Arafat Awajan, 2006

Introduction


11/17/2006 Dr. Arafat Awajan 3

Introduction

Information technology is critical to business and society: most organizations recognize the critical role that information technology (IT) plays in supporting their business objectives. But today's highly connected IT infrastructures exist in an environment that is increasingly hostile—attacks are being mounted with increasing frequency and are demanding ever shorter reaction times.


Introduction

• IT is the vehicle used to store, manipulate, and transport information. What happens if the vehicle breaks down, even for a little while?
• Computer security is evolving into information security.
• Information security is more general.


Introduction

Information security is the responsibility of every member of an organization, but managers play a critical role

Managing information security
Problem: Organizations are unable to react to new security threats before their business is impacted.

Security Risks Analysis and management


Introduction

Information security involves three distinct communities of interest

• Information security managers and professionals
• Information technology managers and professionals
• Non-technical business managers and professionals


Communities of Interest

Information Security community: protect information assets from threats

IT community: support business objectives by supplying appropriate information technology

Business community: articulates and communicates policy; allocates resources to the other groups


What Is Security?

“The quality or state of being secure—to be free from danger”

Security is achieved using several strategies usually undertaken simultaneously


Security and Control: Examples

• Physical security: workplace and physical assets
• Personal security: people
• Operations security: operations without interruption or compromise
• Communications security: media and content
• Network security: devices, content, connections


Security and Control: Control Objectives

Prevention – Detection – Recovery
Anticipation, Corrective

Types of controls:
• Physical controls
• Technical controls
• Administrative controls


InfoSec Components


Information Main Features

The C.I.A. triangle is made up of:
• Confidentiality
• Integrity
• Availability

CIA represents the critical features of information. Over time the list of characteristics has expanded, but these three remain central.


NSTISSC Security Model (4011)


Key Concepts: Confidentiality

Confidentiality: only those with sufficient privileges may access certain information

To protect confidentiality:
• Information classification
• Secure document storage
• General security policies
• Education and training


Key Concepts: Confidentiality

Some threats:
• Hackers
• Masqueraders
• Unauthorized users
• Unprotected download of files
• LANs
• Trojan horses


Key Concepts: Integrity

Integrity is the quality or state of being whole, complete, and uncorrupted.

Threats:
• Corruption
• Destruction

Other issues:
• Origin integrity
• Data integrity


Key Concepts: Availability

Availability: making information accessible to users without interference or obstruction and in the required format. It means availability to authorized users (a person or another computer system).

Survivability: ensuring availability in the presence of attacks


Key Concepts: Privacy

Privacy: information is to be used only for purposes known to the data owner. This does not focus on freedom from observation, but rather on the information being used only in ways known to the owner.


Key Concepts: Identification

Identification: information systems possess the characteristic of identification when they are able to recognize individual users. Identification and authentication are essential to establishing the level of access or authorization that an individual is granted.


Key Concepts: Authentication & Authorization

Authentication: authentication occurs when a control provides proof that a user possesses the identity that he or she claims.

Authorization: authorization provides assurance that the user has been specifically and explicitly authorized by the proper authority to access the contents of an information asset.


Key Concepts: Accountability; Assurance

Accountability: the characteristic of accountability exists when a control provides assurance that every activity undertaken can be attributed to a named person or automated process.

Assurance: assurance that all security objectives are met.


What Is Management?

A process of achieving objectives using a given set of resources. To manage the information security process:
• First, understand core principles of management
• Second, understand IT
• Third, understand security


What Is Management?

A manager is “someone who works with and through other people by coordinating their work activities in order to accomplish organizational goals”.


Managerial Roles

• Informational role: collecting, processing, and using information to achieve the objective
• Interpersonal role: interacting with superiors, subordinates, outside stakeholders, and others
• Decisional role: selecting from alternative approaches and resolving conflicts, dilemmas, or challenges


Characteristics of Management

Principles of management:
• Planning
• Organizing
• Leading: staffing, directing
• Controlling


The Planning–Controlling Link


Planning & Organization

• Planning: process that develops, creates, and implements strategies for the accomplishment of objectives. Three levels of planning:
  – Strategic
  – Tactical
  – Operational

• Organization: structuring of resources to support the accomplishment of objectives


Leadership

Encourages the implementation of the planning and organizing functions; this includes supervising employee:
• behavior
• performance
• attendance
• attitude

Leadership generally addresses the direction and motivation of the human resource


Control

Control:
• Monitoring progress toward completion
• Making necessary adjustments to achieve the desired objectives

The controlling function determines what must be monitored, and uses specific control tools to gather and evaluate information.


Control Tools

Four categories:
• Information: information flows / communications
• Financial: guide the use of monetary resources
• Operational: Gantt charts, process flow
• Behavioral: human resources


The Control Process


Solving Problems

Step 1: Recognize and define the problem
Step 2: Gather facts and make assumptions
Step 3: Develop possible solutions (brainstorming)
Step 4: Analyze and compare the possible solutions (feasibility analysis)
Step 5: Select, implement, and evaluate a solution


Feasibility Analyses

• Economic feasibility assesses the costs and benefits of a solution
• Technological feasibility assesses an organization’s ability to acquire and manage a solution
• Behavioral feasibility assesses whether members of the organization will support a solution
• Operational feasibility assesses whether an organization can integrate a solution


Principles Of Information Security Management

The extended characteristics of information security are:

• Planning
• Policy
• Programs
• Protection
• People
• Project Management


InfoSec Planning

Planning as part of InfoSec management is an extension of the basic planning model of management

The InfoSec planning model includes the activities necessary to support the design, creation, and implementation of information security strategies as they exist within the IT planning environment


InfoSec Planning Types

Several types of InfoSec plans exist:
• Incident response
• Business continuity
• Disaster recovery
• Policy
• Personnel
• Technology rollout
• Risk management
• Security program, including education, training and awareness


Policy

Policy: a set of organizational guidelines that dictates certain behavior within the organization. In InfoSec, there are three general categories of policy:
• General program policy (Enterprise Security Policy)
• Issue-specific security policy (ISSP). Ex: email, Internet use
• System-specific policies (SSPs). Ex: access control lists (ACLs) for a device


Programs

Programs are operations managed as specific entities in the information security domain. Example: a security education, training and awareness (SETA) program is one such entity.

Other programs that may emerge include a physical security program, complete with fire, physical access, gates, guards, and so on


Protection

Risk management activities, including risk assessment and control

Protection mechanisms, technologies and tools. Each of these mechanisms represents some aspect of the management of specific controls in the overall security plan.


People

People are the most critical link in the information security program: the human firewall. It is imperative that managers continuously recognize the crucial role that people play; this includes information security personnel and the security of personnel, as well as aspects of the security education, training and awareness program.


Project Management

Project management discipline should be present throughout all elements of the information security program. It involves:
• Identifying and controlling the resources applied to the project
• Measuring progress and adjusting the process as progress is made toward the goal


Risk Management

Risk Management: RM is the process of identifying, assessing, and evaluating the levels of risk facing the organization, specifically the threats to the information stored and processed by the organization


Risk Management

To better understand the risk analysis phase of the security policy, you should know something about the kinds of threats facing organizations. A threat is an object, person, or other entity that represents a constant danger to an asset.


Key Terms

• Attack: deliberate act that exploits a vulnerability to achieve the compromise of a controlled system; accomplished by a threat agent that damages or steals an organization’s information or physical asset
• Exploit: technique or mechanism used to compromise a system
• Vulnerability: identified weakness of a controlled system in which necessary controls are not present or are no longer effective


Threats to Information Security


Some Common Attacks

• Malicious code
• Hoaxes
• Back doors
• Password crack
• Brute force
• Dictionary
• Denial-of-service (DoS) and distributed denial-of-service (DDoS)
• Spoofing
• Man-in-the-middle
• Spam
• Mail bombing
• Sniffer
• Social engineering
• Buffer overflow
• Timing


Risk Management

Use some method of prioritizing the risk posed by each category of threat and its related methods of attack. To manage risk, you must identify and assess the value of your information assets. Risk assessment assigns a comparative risk rating or score to each specific information asset.
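As an added worked example (not from the slides), the script below rates a constructed asset inventory and ranks the assets; the residual-risk formula (asset value × threat likelihood × the share of loss not already mitigated by existing controls) and all asset names and numbers are assumptions chosen for illustration.

```python
"""Comparative risk rating per information asset (added example, not from the
slides). Assumed formula: residual risk = value x likelihood x (1 - mitigated),
summed over an asset's threats. All names and numbers below are constructed."""
from dataclasses import dataclass, field

@dataclass
class Threat:
    category: str           # e.g. "malicious code", as in the slides' attack list
    likelihood: float       # 0.0 (never) .. 1.0 (certain within the period)
    mitigated: float = 0.0  # fraction of the loss that existing controls prevent

@dataclass
class Asset:
    name: str
    value: int              # relative importance, 1 (low) .. 100 (critical)
    threats: list = field(default_factory=list)


def residual_risk(asset: Asset, threat: Threat) -> float:
    """Assumed formula: asset value x likelihood x share of loss not mitigated."""
    if not (0.0 <= threat.likelihood <= 1.0 and 0.0 <= threat.mitigated <= 1.0):
        raise ValueError("likelihood and mitigated must lie in [0, 1]")
    return asset.value * threat.likelihood * (1.0 - threat.mitigated)


def rate_asset(asset: Asset) -> float:
    """Comparative rating: residual risk summed over every threat to the asset."""
    return sum(residual_risk(asset, t) for t in asset.threats)


def prioritize(assets: list) -> list:
    """(asset name, rating) pairs, highest rating first, rounded to one decimal."""
    return sorted(((a.name, round(rate_asset(a), 1)) for a in assets),
                  key=lambda pair: pair[1], reverse=True)


# Constructed sample inventory; threat categories come from the slides' list.
SAMPLE_ASSETS = [
    Asset("customer database", 100, [Threat("malicious code", 0.5, mitigated=0.8),
                                     Threat("password crack", 0.3, mitigated=0.5)]),
    Asset("public web server", 60, [Threat("denial-of-service", 0.7, mitigated=0.2),
                                    Threat("buffer overflow", 0.2, mitigated=0.9)]),
    Asset("internal wiki", 20, [Threat("social engineering", 0.4)]),
]

if __name__ == "__main__":
    # The most valuable asset is not the top risk once existing controls count.
    for name, rating in prioritize(SAMPLE_ASSETS):
        print(f"{rating:6.1f}  {name}")
```

With the sample numbers the web server outranks the more valuable customer database, because the database's controls already mitigate most of its exposure; that is the comparative ranking the slide describes.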


Conclusion

Often, organizations are unable to react to new security threats before their business is impacted. Managing the security of their infrastructures—and the business value that those infrastructures deliver—has become a primary concern for IT departments.


Conclusion

New legislation that stems from privacy concerns, financial obligations, and corporate governance is forcing organizations to manage their IT infrastructures more closely and effectively than in the past. Failure to proactively manage security may put executives and whole organizations at risk due to legal responsibilities.


Conclusion

The approach to managing risk varies for every organization. There is no right or wrong answer; there are many risk management models in use today. Each model has tradeoffs that balance accuracy, resources, time, complexity, and subjectivity. Security risk management will fail without executive support and commitment.


Conclusion

Risk management identifies vulnerabilities in an organization’s information systems and takes carefully reasoned steps to assure the confidentiality, integrity, and availability of all the components in the organization’s information system.
