TRANSCRIPT
Conceptual Modeling for Information Security Strategy
Austin Winkleman
Information Security Officer
Saint Louis University
St Louis, MO
EDUCAUSE
Midwest Conference
May 21, 2005
Copyright Austin F Winkleman, 2005. This work is the intellectual property of the author. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to republish requires written permission from the author.
Outline
• Background, Context
• Challenges and Questions
• Answers without Conceptual Model
• Answers with Conceptual Model
• The Three Models
• Q&A
The SLU Context
• 11,000 Students (3,500 Residential)
• Private
• Mission: Teaching, Research, Clinical
• Centralized IT organization
• One campus, one infrastructure (including clinical areas)
Information Security Context, 1/2003
• Only one policy: Appropriate Use
• No policy review/development structure; re-write of the AUP was a 6-year odyssey
• No existing security strategy
• New position: Information Security Officer (with no staff)
• New committee for developing information security policies
• New project for infrastructure technologies
Outline
• Background, Context
• Challenges and Questions
• Answers without Conceptual Model
• Answers with Conceptual Model
• The Three Models
• Q&A
Challenges…
• Regulations: HIPAA-Security, Gramm-Leach-Bliley, and more…?
• Communications
– With Executives
– Among Staff
• Questions of Priority
“We must have X, or we’ll suffer consequence Y!!!”
X = [policies, anti-virus, backups, incident response, …]
…And More Challenges
• Systemic issues, beyond duct tape
• Efficiency of effort
– Deadlines
– Minimize disruption (no false starts)
– Coordinated
• Vulnerabilities in operational environment
• Needed sustainable strategy for current and long-term
Outline
• Background, Context
• Challenges and Questions
• Answers without Conceptual Model
• Answers with Conceptual Model
• The Three Models
• Q&A
Answer: Purely Technical?
• Technology implementation as the complete solution to every problem
• Tends to focus by product:
– Firewall
– Intrusion detection
– Single sign-on
Purely Technical? (more)
“Here is our access strategy!”
[Network diagram: VAX systems, routers, a firewall, a mainframe, servers, a hub, and workstations]
Answer: Brute Force?
• Each requirement is a separate effort
– Regulation provision
– Solving each technical and organizational problem in isolation
• Direct reaction to incidents or risks
Brute Force? (more)
• Use of diagnostic model as prescription
– List of characteristics of successful completion used as a “to do list”
• Lists of “Key Strategies” or “Common Elements”
• Tends to appeal to
– Non-technical staff
Problems with Technical & Brute Force Approaches…
• Insufficient representation of relationships among strategy elements
– Difficult to group related items
– Difficult to identify efficiencies
• Non-Intuitive
– Does not enable Executive communication
– Does not enable Team communication
• Difficult to measure strategic alignment
Problems (more)
• Difficult to evaluate effectiveness
– May miss root causes
• Tends to isolate security function; not integrated into the organization
• Difficult to adapt over time
Outline
• Background, Context
• Challenges and Questions
• Answers without Conceptual Model
• Answers with Conceptual Model
• The Three Models
• Q&A
Using Conceptual Models
• Intermediate step between the problem and designing the solution
• Represent the significant concepts
– Various types and shapes
– “Make it as simple as possible, but no simpler”*
– Use “Best Fit” as the standard
• Provides a common language between technical and non-technical; accessible
• Organizational responsibility – not vendors’
*Albert Einstein
“Systems” Approach
• Collective noun for Policy
– Set of policies?
– System of policies
• Strategy vs. Tactics
– Strategy as a set of tactics?
– Strategy as a system of tactics
Outline
• Background, Context
• Challenges and Questions
• Answers without Conceptual Model
• Answers with Conceptual Model
• The Three Models
• Q&A
The Three Models
1. Strategy Framework
2. Threat Levels
3. Access
• Purpose
• Structure and Rules
• Uses
• Value
• Plans
Strategy Framework Model
• Purpose:
– One representation of all strategy components and their relationships
– Grouping of related components
– Started with policies; scaled up to strategy
Strategy Framework Structure
[Diagram: Oversight Level – Oversight of Information Handling: Planning, Information Security Policy Committee, Physical Provisions, Evaluation. Direct Handling Level – Access: Users, Data, Media]
Level 1: Oversight
[Diagram: Oversight of Information Handling – Planning, Information Security Policy Committee, Physical Provisions, Evaluation]
• Planning
• Policy Development
• Physical Provisions
• Evaluation
Level 2: Direct Handling
[Diagram: Access – Users, Data, Media]
• Access
– Users
– Data
– Media
• Level 2 inherits characteristics from Level 1
Each Component
• Represents a Strategy Component, addressing the aspects of:
– Policy
– Process
– People
– Mechanisms
Each Component May Have Sub-Components; Planning
• Strategic Planning
• Contingency Planning
– Business Continuity
– Technical Recovery
[Diagram: Planning – Strategic Planning; Contingency Planning – Business Continuity, Technical Recovery]
Evaluation Component
• Regulation Compliance
• Program Compliance
• Industry
• Risks
• Contracts
[Diagram: Evaluation – Compliance with Regulations, Compliance with Program, Industry Standards and Norms, Risks, Contracts]
Policy Development Component
• Policy Committee oversees two functions
– Change Review
– Vulnerability Oversight
[Diagram: Policy Committee – Change Review; Vulnerability Oversight – Prevention, Response]
Physical Provisions
• Facilities
• IT Assets (as a group)
• External World
[Diagram: Physical Provisions – Facilities, IT Assets, External World]
Users Component
• Internal
– Basic
– Power
– Administrator
• External
– Guest
– Anonymous
[Diagram: Users – Internal, External]
Data Component
• Classification
• Encryption
• Types
– Teaching/Learning
– Research
– Clinical
– Administrative
[Diagram: Data – Classification, Data Types, Encryption]
Uses of the Model
• Enabled view of (new) policies as a system
• Priorities in perspective
• Policy grouping and consolidation options
• Representation of combined policy requirements of HIPAA-Security, GLB, and our goals
• Shifted policy development focus from wording to strategy
• Integrated technologies and policy in each component, then processes and people
Value
• Answers the first question: “Where does it fit?”
Four Phases of Technology Assimilation
1. Initiation; Where does it fit?
2. Contagion; What can’t this solve?
3. Control; Where is all the money going?
4. Maturity; What is the appropriate, managed use?
(Gibson-Nolan 1974)
Value (more)
• Realized need for role of Data Steward
– Key to strategy for data component
– Responsible for knowing locations and uses of a category of data (Health, Student, Financial)
– Integrated; existing position in area
– Role in assessing risk, policy review and development, and operational handling of information
Value (more)
• Focus of each proposed policy for a specific purpose (e.g. Dial-in Policy and Password Policy: one policy, or two?)
• Separation of policy from procedure and standards
• For planning and development phases
• Discussion of level of generalization – avoid race to the details
Plans
• Develop documented strategy per component
• Develop “people” aspect more
• Proposed use as governance structure for administrative information
Strategy Framework Structure
[Diagram: Oversight Level – Oversight of Information Handling: Planning, Information Security Policy Committee, Physical Provisions, Evaluation. Direct Handling Level – Access: Users, Data, Media]
The Three Models
1. Strategy Framework
2. Threat Levels
3. Access
• Purpose
• Structure and Rules
• Uses
• Value
• Plans
Model of Threat Levels
• Purpose:
– To represent threats on a single scale
– To use a metric for communicating posture: current and planned
• Within strategy framework:
– Level 1 (Oversight)
– Component of Vulnerability Oversight
NIST 800-53* Threat Types
• Origin: local or remote
• Sophistication level: low or high
• Access: insider or outsider
• Resource level: minimal, moderate, or substantial
• Intent: malicious or not
• 48 combinations
• Simplify: Segment Automated vs. Human
*First Draft, October 2003
Automated Attack Threat
• Examples of malware (virus, worm, Trojan horse)
• Origin and access: external
• Sophistication: low (does not adapt)
• Resource level: low to moderate
• Malicious intent: usually low
• Automated defense system
• Entry point to more sophisticated attacks
• High probability, high damage
Human Attack Threat
• Sophistication level:
– Low:
• Noisy
• Brute force entry, “script kiddie”
– High:
• Quiet, “low and slow”
• Skilled hacker, with resources
• Social engineering among other techniques
Human Attack Threat (more)
• Origin and access: external or internal
• Resource level: low to high
• Malicious intent: all levels
• More deliberate target selection
• Various damage levels possible
• Combination of automated and organizational defense system
Threat Level Scale
• Use sophistication level of attacker as the primary scale
• Use defense maturity level as the secondary scale
Defense Maturity Levels
• Awareness of the problem
• Reactive mitigation
• Partial coverage
– High risk areas
– Available areas (“easy to reach”)
• Robust coverage
– Thorough and tested
– Automated where feasible
– Training
Threat Levels as Table

Defense Maturity   Automated   Human, Low Sophistication   Human, High Sophistication
No Awareness       1           (level 1 for all threat types)
Reactive           2           5                           8
Partial            3           6                           9
Robust             4           7                           10
The Scale
1. No Awareness
2. Automated, Low Defense (reactive)
3. Automated, Medium Defense (partial)
4. Automated, High Defense (robust)
5. Low Sophistication Human, Low
6. Low Sophistication Human, Medium
7. Low Sophistication Human, High
8. High Sophistication Human, Low
9. High Sophistication Human, Medium
10. High Sophistication Human, High
Uses
• Where are we now? What risks?
• Focus assessment and testing per level
• Map technologies to levels
– List of all technologies on the market
– For technologies in our environment, at what level are we using it?
– Technologies to acquire?
Mapping Technologies to Scale, Sample
(Scale 1 to 10, left to right; each technology's postures listed from lowest level to highest)
Anti-Virus: No awareness of need → React post-infection → High risk areas → Robust with updates
Honeypot: No awareness of need → Reliably detects Auto-Attack → Reliably detects Low Soph → Reliably detects High Soph
ESIM (IDS Correlation): No awareness of need → Some input → Partial system of sensors, set sensitivity low → Full system of sensors, set sensitivity high
Value
• Communication
– Internal coordination (see “first question”)
– Executive
• Simplified to the three general types
• Avoid “cut and dried” impression
• Assessment: current, future, gap
• Framework for comparison of relative benefit of technologies
Plans
• Agreement on target level and time frame; correlate with other strategy components
• Remove noise of lower levels, to increase sensitivity to higher level activities
• On-going
– Update with new technologies; evaluate
– Evaluate/confirm current level through testing
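The threat level scale, the simplification of the NIST 800-53 draft attributes into three threat types, and the technology-mapping sample, written out as a small Python model so that a level can be computed from its two axes and a current-versus-target gap reported per technology. This is an added example, not code from the talk: the rule that sorts the 48 attribute combinations into automated, human/low and human/high, and the level numbers assigned to each technology posture, are assumptions made for illustration.

```python
"""Threat Level scale as code: the 1-10 levels from the 'Threat Levels as
Table' slide, the NIST 800-53 draft attributes collapsed into three threat
types, and a current-vs-target gap check.  Added example, not from the talk;
the segmentation rule and the technology level numbers are assumptions."""
from collections import Counter
from itertools import product

# Primary scale: attacker sophistication; secondary scale: defense maturity.
THREAT_TYPES = ["automated", "human_low", "human_high"]
MATURITY = ["no_awareness", "reactive", "partial", "robust"]


def threat_level(threat_type, maturity):
    """Level 1-10 for one cell of the table.

    'No awareness' is a single level 1 whatever the threat type; the other
    nine cells fill column by column: automated 2-4, human/low 5-7,
    human/high 8-10.
    """
    if maturity == "no_awareness":
        return 1
    return 1 + 3 * THREAT_TYPES.index(threat_type) + MATURITY.index(maturity)


def describe_level(level):
    """Inverse of threat_level: (threat_type, maturity) for a level 1-10."""
    if not 1 <= level <= 10:
        raise ValueError("level must be 1..10")
    if level == 1:
        return ("any", "no_awareness")
    t, m = divmod(level - 2, 3)
    return (THREAT_TYPES[t], MATURITY[m + 1])


# The five attributes of the NIST 800-53 first draft: 2*2*2*3*2 = 48 combos.
NIST_ATTRIBUTES = {
    "origin": ["local", "remote"],
    "sophistication": ["low", "high"],
    "access": ["insider", "outsider"],
    "resource": ["minimal", "moderate", "substantial"],
    "intent": ["malicious", "not malicious"],
}


def nist_combinations():
    """All 48 attribute combinations as dicts."""
    return [dict(zip(NIST_ATTRIBUTES, values))
            for values in product(*NIST_ATTRIBUTES.values())]


def segment(combo):
    """Collapse one NIST combination into a threat type.

    Assumed rule, following the slide's profile of an automated attack
    (external origin and access, low sophistication, minimal-to-moderate
    resources): any other low-sophistication combination is human/low, and
    high sophistication is human/high.
    """
    if combo["sophistication"] == "high":
        return "human_high"
    if (combo["origin"] == "remote" and combo["access"] == "outsider"
            and combo["resource"] != "substantial"):
        return "automated"
    return "human_low"


def segment_counts():
    """How the 48 combinations fall into the three types under segment()."""
    return Counter(segment(c) for c in nist_combinations())


# Constructed sample of the 'Mapping Technologies to Scale' slide: for each
# technology, the level a given posture reaches.  Level numbers are assumed.
TECH_POSTURES = {
    "Anti-Virus": {"No awareness of need": 1, "React post-infection": 2,
                   "High risk areas": 3, "Robust with updates": 4},
    "Honeypot": {"No awareness of need": 1, "Reliably detects Auto-Attack": 4,
                 "Reliably detects Low Soph": 7, "Reliably detects High Soph": 10},
    "ESIM (IDS Correlation)": {"No awareness of need": 1, "Some input": 2,
                               "Partial system of sensors, set sensitivity low": 6,
                               "Full system of sensors, set sensitivity high": 10},
}


def gap_assessment(current_postures, target_level):
    """Current level per technology and how far each sits below the target."""
    report = {}
    for tech, posture in current_postures.items():
        level = TECH_POSTURES[tech][posture]
        report[tech] = {"current": level, "gap": max(0, target_level - level)}
    return report


if __name__ == "__main__":
    print(segment_counts())
    print(gap_assessment({"Anti-Virus": "Robust with updates",
                          "Honeypot": "Reliably detects Auto-Attack",
                          "ESIM (IDS Correlation)":
                              "Partial system of sensors, set sensitivity low"}, 7))
```

The two axes are kept as ordered lists so the same code produces the table (threat_level) and reads a level back into words for an executive summary (describe_level); gap_assessment is the "current, future, gap" assessment from the Value slide, with the agreed target level from the Plans slide as its input.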
The Three Models
1. Strategy Framework
2. Threat Levels
3. Access
• Purpose
• Structure and Rules
• Uses
• Value
• Plans
Access Model
• Representation of user locations, network access paths, resources, and defenses
• Within strategy framework: Access
• Network view
– Does not represent host-based access controls
– Each host has authentication controls
Structure and Rules
[Diagram: User Paths to Services]
User locations: Internet, ResNet, Dial-In, Partner Org, Wireless, Fac/Staff/Admin
Control 1: Packet Filter, Registration, Kerberos, LDAP
Control 2: Firewall (three instances)
Services, Level 1: Public Services (web, e-mail, WebCT)
Control 3: VPN (four instances)
Services, Level 2: Proprietary Services (ERP, LAN file/print, Dept-specific Server)
Control Point Per High-Protection Service
Controls 4: DW VPN and ACL Rules; Med Rec VPN and ACL Rules
Services, Level 3: Data Warehouse, Medical Records, Network Device Adm, Phone Switch
Uses
• IT-Internal coordination/communication
• Simple representation of all paths
• Identify gaps
• Guidance for configuration/design of technologies (firewall, VPN)
Value
• Understanding current state of network controls
• Focus on purpose of technology, rather than function
• Available for diagnostics
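The "User Paths to Services" structure, as an added Python check that flags a path reaching a service level without crossing every control layer the model requires for that level, or crossing the layers out of order; this is the "identify gaps" use of the access model. The code is not from the talk: the assignment of each control technology to a layer, and the constructed sample paths (two of them deliberately incomplete), are assumptions based only on the diagram's labels, not a description of the presenter's actual network.

```python
"""Access Model path check: does each user path cross every control layer
required for the service level it reaches, in order?  Added example, not from
the talk.  Control-to-layer assignments and the sample paths are assumptions
built from the slide's labels."""

# Service levels from the diagram: Level 1 public, Level 2 proprietary,
# Level 3 high-protection.
SERVICE_LEVEL = {
    "Public Services (web, e-mail, WebCT)": 1,
    "ERP": 2, "LAN file/print": 2, "Dept-specific Server": 2,
    "Data Warehouse": 3, "Medical Records": 3,
    "Network Device Adm": 3, "Phone Switch": 3,
}

# Control layers (assumed from the diagram's rows): Control 1 is per user
# location, Control 2 (firewall) sits in front of Level 1, Control 3 (VPN)
# in front of Level 2, and Control 4 (per-service VPN plus ACL rules) in
# front of each Level 3 service.
CONTROL_LAYER = {
    "Packet Filter": 1, "Registration": 1, "Kerberos": 1, "LDAP": 1,
    "Firewall": 2,
    "VPN": 3,
    "DW VPN": 4, "Med Rec VPN": 4, "ACL Rules": 4,
}

# Layers a path must traverse, in order, to reach a given service level.
LAYERS_FOR_LEVEL = {1: [1, 2], 2: [1, 2, 3], 3: [1, 2, 3, 4]}


def path_gaps(controls, service):
    """Return the control layers missing from `controls` for `service`.

    `controls` is the ordered list of control technologies the path crosses.
    An empty list means the path is complete under the model's rules.
    """
    required = LAYERS_FOR_LEVEL[SERVICE_LEVEL[service]]
    present = {CONTROL_LAYER[c] for c in controls}
    return [layer for layer in required if layer not in present]


def out_of_order(controls):
    """True if the path crosses a higher layer before a lower one (for
    example a VPN before the firewall), which the layered model does not allow."""
    layers = [CONTROL_LAYER[c] for c in controls]
    return any(a > b for a, b in zip(layers, layers[1:]))


# Constructed sample paths: (origin, controls crossed in order, service reached).
SAMPLE_PATHS = [
    ("Internet", ["Packet Filter", "Firewall"],
     "Public Services (web, e-mail, WebCT)"),
    ("ResNet", ["Registration", "Firewall", "VPN"], "LAN file/print"),
    ("Dial-In", ["Kerberos", "Firewall"], "Dept-specific Server"),  # no VPN
    ("Fac/Staff/Admin", ["LDAP", "Firewall", "VPN", "Med Rec VPN", "ACL Rules"],
     "Medical Records"),
    ("Partner Org", ["LDAP", "VPN", "Firewall"], "ERP"),  # VPN before firewall
]


def review_paths(paths=SAMPLE_PATHS):
    """Map each problematic path to its findings (missing layers, ordering)."""
    findings = {}
    for origin, controls, service in paths:
        gaps = path_gaps(controls, service)
        disordered = out_of_order(controls)
        if gaps or disordered:
            findings[f"{origin} -> {service}"] = {
                "missing_layers": gaps, "out_of_order": disordered}
    return findings


if __name__ == "__main__":
    for path, finding in review_paths().items():
        print(path, finding)
```

Because the check is purely a network view, it says nothing about the host-based authentication each service performs; it only tells the team which paths in the drawing bypass a control layer, which is the input a firewall or VPN configuration review needs.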
Outline
• Background, Context
• Challenges and Questions
• Answers without Conceptual Model
• Answers with Conceptual Model
• The Three Models
• Q&A
Conceptual Modeling for Information Security
Austin Winkleman
Information Security Officer
Saint Louis University, St Louis, MO