INFORMATION SECURITY –ARCHITECTURE & RISK MANAGEMENT
ADEYEMI DINA & SHITTU O. SHITTU
HIGHLIGHTS
• WHAT IS INFORMATION SECURITY AND WHY DOES IT MATTER
• IT’S ALL ABOUT BUSINESS RISKS
• SECURITY ARCHITECTURE FOR THE BUSINESS WORLD
• RISK MANAGEMENT IN SECURITY ARCHITECTURE
• SAFETY AND SECURITY? – QUIZ FOR THE END
• QUESTIONS
INFORMATION SECURITY - HIGH-LEVEL CONCEPTS
• INFORMATION SECURITY (IS) IS DESIGNED TO PROTECT THE CONFIDENTIALITY, INTEGRITY AND AVAILABILITY OF COMPUTER SYSTEM DATA FROM THOSE WITH MALICIOUS INTENTIONS
• INFORMATION SECURITY - THE PRACTICE OF PROTECTING INFORMATION FROM UNAUTHORIZED ACCESS, USE, DISCLOSURE, DISRUPTION, MODIFICATION, PERUSAL, INSPECTION, RECORDING OR DESTRUCTION. IT IS A GENERAL TERM USED REGARDLESS OF THE FORM THE DATA MAY TAKE (E.G. ELECTRONIC, PHYSICAL) - WIKIPEDIA
• INFORMATION SECURITY IS THE COLLECTION OF TECHNOLOGIES, STANDARDS, POLICIES AND MANAGEMENT PRACTICES THAT ARE APPLIED TO INFORMATION TO KEEP IT SECURE. – OPEN UNIVERSITY
• INFORMATION SECURITY IS THE SET OF BUSINESS PROCESSES THAT PROTECTS INFORMATION ASSETS REGARDLESS OF HOW THE INFORMATION IS FORMATTED OR WHETHER IT IS BEING PROCESSED, IS IN TRANSIT OR IS BEING STORED
WHY DOES IT MATTER?
- ANY OF THESE LOOK FAMILIAR?
RECENT SECURITY ISSUES
Period | Threats / Attacks | Vulnerabilities | Impact
Jan – Mar 2014 | Yahoo! email hack | Not disclosed | 273 million reportedly hacked, specific number of affected accounts not disclosed
Jan – Mar 2014 | DDoS attack on Bitcoin | Code integrity | No specific breach published; NTP DDoS vulnerability uncovered
Jan – Mar 2014 | DDoS attack on UK Ministry of Justice | Not disclosed | No breach
Jan – Mar 2014 | Sophisticated attack on Neiman Marcus retail infrastructure | Missed detections (or insufficient data exfiltration detection capability) | Credit card information of 350,000 individuals stolen
Apr – Jun 2014 | Heartbleed vulnerability published | – | –
Apr – Jun 2014 | Chinese individuals hacked into US companies | Not disclosed | Not published
Apr – Jun 2014 | Public utility control system hacked in the US | Brute-forced employees’ login passwords | Not disclosed
Apr – Jun 2014 | Evernote subjected to DDoS attack | Not disclosed | Service disruption to 100 million Evernote users
Apr – Jun 2014 | P.F. Chang’s restaurants cardholder data infrastructure compromised | Not disclosed | Credit and debit card information from 33 restaurants stolen and reportedly sold online
Apr – Jun 2014 | Organisers of Brazil 2014 World Cup DDoS’ed | Not disclosed | Disruption to numerous brad
Jul – Sep 2014 | Bash / ShellShock vulnerability released, affecting millions of devices worldwide | – | –
Oct – Dec 2014 | Sony Pictures hack | Not fully disclosed | Disruption of movie production, movie revenue and employee/talent relations
Oct – Dec 2014 | OpenSSL vulnerability released, affecting millions of software and hardware devices | – | –
Oct – Dec 2014 | Sony PlayStation and Microsoft Xbox attacked for days over the Christmas holiday | Not disclosed | Microsoft and Sony unable to serve millions of customers worldwide
TO THE BUSINESS; WHAT IS RISK?
[Diagram: an Information Asset exposed to a Threat through a Vulnerability]
• THE EFFECT OF UNCERTAINTY ON OBJECTIVES (ISO 31000)
• AN EFFECT IS A POSITIVE OR NEGATIVE DEVIATION FROM WHAT IS EXPECTED
• UNCERTAINTY EXISTS WHENEVER THE KNOWLEDGE OR UNDERSTANDING OF AN EVENT, ITS CONSEQUENCE OR ITS LIKELIHOOD IS INADEQUATE OR INCOMPLETE
POSITIVE PERSPECTIVE
[Diagram: the same Information Asset, with a Strength meeting an Opportunity: the positive deviation in the ISO 31000 definition above]
SECURITY ARCHITECTURE - HIGH-LEVEL CONCEPTS
• SECURITY ARCHITECTURE - ARTIFACTS THAT DESCRIBE HOW THE SECURITY CONTROLS/COUNTERMEASURES/SAFEGUARDS ARE POSITIONED AND HOW THEY RELATE TO THE OVERALL SYSTEMS ARCHITECTURE FOR THE PURPOSE OF MAINTAINING THE SYSTEM'S QUALITY ATTRIBUTES OF CONFIDENTIALITY, INTEGRITY AND AVAILABILITY. – WIKIPEDIA
• THE DESIGN ARTIFACTS THAT DESCRIBE HOW THE SECURITY CONTROLS (= SECURITY COUNTERMEASURES) ARE POSITIONED, AND HOW THEY RELATE TO THE OVERALL IT ARCHITECTURE. THESE CONTROLS SERVE THE PURPOSE TO MAINTAIN THE SYSTEM’S QUALITY ATTRIBUTES, AMONG THEM CONFIDENTIALITY, INTEGRITY, AVAILABILITY, ACCOUNTABILITY AND ASSURANCE. – OPENSECURITYARCHITECTURE.ORG
• SECURITY ARCHITECTURE IS A UNIFIED SECURITY DESIGN THAT ADDRESSES THE NECESSITIES AND POTENTIAL RISKS INVOLVED IN A CERTAIN SCENARIO OR ENVIRONMENT. IT ALSO SPECIFIES WHEN AND WHERE TO APPLY SECURITY CONTROLS. THE DESIGN PROCESS IS GENERALLY REPRODUCIBLE. – TECHOPEDIA
• ENTERPRISE INFORMATION SECURITY ARCHITECTURE (EISA) IS THE PRACTICE OF APPLYING A COMPREHENSIVE AND RIGOROUS METHOD FOR DESCRIBING A CURRENT AND/OR FUTURE STRUCTURE AND BEHAVIOUR FOR AN ORGANIZATION'S SECURITY PROCESSES, INFORMATION SECURITY SYSTEMS, PERSONNEL AND ORGANIZATIONAL SUB-UNITS, SO THAT THEY ALIGN WITH THE ORGANIZATION'S CORE GOALS AND STRATEGIC DIRECTION. - WIKIPEDIA
IT IS ABOUT …
• POSITIONING
• DISTINCTION AND AUTHENTICITY
• … AND THE THINGS WE CARE ABOUT
NIRVANA ARCHITECTURE – “NO ARCHITECTS NEEDED”
[Diagram: the common business security problem on one side, the business security aspiration on the other; Security Architecture bridges the gap]
THE MIND OF A SECURITY ARCHITECT
Principles
Risk-based and policy-driven
Policy-based access to services
Ease of use / low friction
Data access control
Service minimisation
Limit what your system says
Audit Logging and Monitoring
Principles (continued)
Secure by design
Defense-in-depth
Segregation of trust domains
Secure down to the weakest link
Protection against insider and outsider attacks
Trust levels
Least Privilege
Separation of duties
AN ARCHITECTURE DEVELOPMENT METHODOLOGY
1. Characterise the system by defining its data, classification, criticality, components and interfaces.
2. Identify threats, vulnerabilities and the threat-vulnerability pairs that result in risk to the system and its data. Identify the high-priority risks for management and control. Leverage threat modelling techniques.
3. Select appropriate controls to treat the high-priority risks. Determine architecture and design principles and patterns, leveraging the available security building blocks in the proposed security architecture foundations/model.
4. Assess the design and implementation of the controls and the security architecture for residual risks (design review / vulnerability scan / penetration test).
5. Present the implemented solution to the risk owner for acceptance of the residual risks. Gain authorisation for production / go-live.
6. Ensure continuous security monitoring through integration with security logging and monitoring, and with contract management.
… and the cycle begins again.
Focus on secure business technology outcomes, not just security tools.
SYSTEM CHARACTERISATION
• UNDERSTAND THE BUSINESS PROCESS, APPLICATION SYSTEM AND COMPONENTS
• WHAT TYPE/CLASSIFICATION OF DATA IS INVOLVED
• WHAT ARE THE SYSTEM BOUNDARIES
• WHAT ARE THE INTERFACES TO/FROM THE SYSTEM AND WITHIN THE
COMPONENTS OF THE SYSTEM
• WHO OWNS THE RISK DECISION ON THE CRITICALITY OF THE SYSTEM
• WHO OWNS THE RISK DECISION ON THE IMPACT OF A SECURITY RISK: DATA LOSS, UNAUTHORISED DISCLOSURE AND UNAUTHORISED MODIFICATION
• WHAT IS THE BUSINESS IMPACT OF ANY OF THESE SECURITY CONCERNS?
• WHAT ARE THE KNOWN WEAKNESSES, BUGS AND TECHNICAL SECURITY
VULNERABILITIES (IF IT IS AN EXISTING SYSTEM)
• CURRENT BUSINESS RISK POSTURE OF THE SYSTEM
RISK ASSESSMENT – ONE PART OF RISK MANAGEMENT
• ESTIMATE POTENTIAL DAMAGE TO THE SYSTEM IN THE EVENT OF
THREAT MATERIALISING – BUSINESS IMPACT ASSESSMENT
• IDENTIFY THREAT AND ESTIMATE LIKELIHOOD OF MATERIALISING
– THREAT MODELLING
• IDENTIFY VULNERABILITIES, WEAKNESSES AND ISSUES WITH
THE SYSTEM (OR POTENTIAL ONES) AND LIKELIHOOD OF THEM
BEING EXPLOITED – ISSUES IDENTIFICATION / SECURITY
ASSESSMENT
• USE THREAT-VULNERABILITY PAIRING TO DETERMINE MOST
LIKELY RISK EVENT THAT COULD MATERIALISE – RISK SCORING
• PRIORITISE THE RISK ACCORDING TO THEIR LEVELS – RISK
PRIORITISATION
• QUANTIFY RISKS AND REVIEW WITH STAKEHOLDERS – RISK
QUANTIFICATION / COST BUDGETING
SELECTION OF CONTROLS PLUS ARCHITECTURE & DESIGN
• FOLLOW ORGANISATION DEFINED SECURITY GUIDELINES AND
POLICIES (ACCESS CONTROL, PASSWORD MANAGEMENT,
REGULATORY COMPLIANCE, BUSINESS VALUES ETC)
• SELECT CONTROLS FROM A DEFINED CONTROLS CATALOGUE, OR FROM INDUSTRY STANDARDS SUCH AS NIST SP 800-53 AND ISO 27001/27002
• LEVERAGE SECURITY ARCHITECTURE BUILDING BLOCKS (FROM
BEST PRACTICE FRAMEWORKS SUCH AS SABSA)
• REUSE EXISTING SECURITY SERVICES, RATHER THAN BUILD NEW
ONES (REUSE BEFORE BUY BEFORE BUILD)
• BE CREATIVE (USING THE “MIND OF A SECURITY ARCHITECT”)
IMPLEMENTATION ASSESSMENT, AUTHORISATION AND CONTINUOUS MONITORING
Design reviews, build/code reviews, source code analysis, vulnerability
assessment, security testing (application / penetration testing) plus
remediations to acceptable risk levels
Risk acceptance criteria e.g. accepts vulnerabilities with Common
Vulnerability Scoring System (CVSS) of less than 4.0 to maintain PCI
DSS compliance; address all DoS vulnerabilities on critical systems that
require high-availability; approval to go live with the system
Feeds of security events and logs to security information and
event management (SIEM) tools, horizon scanning of threat
intelligence and monitoring of exploits against accepted risk
posture which may require revision of system characterisation.
… and the cycle begins again
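The go-live gate described above, as an added example that is not from the slides: the stated acceptance criteria (CVSS below 4.0 may be accepted to stay within the PCI DSS scan threshold; every DoS finding on a critical high-availability system must be addressed) applied to a set of constructed assessment findings. The system names, finding titles and scores are made up for illustration, and the rule that a risk owner may formally accept a non-DoS finding at or above the threshold is an assumption, not something the slide states.

```python
"""Go-live gate: apply risk acceptance criteria to assessment findings (added example).

Criteria taken from the slide: findings below CVSS 4.0 may be accepted; every
denial-of-service finding on a critical system that requires high availability
must be addressed before go-live. Assumed for this example: any other finding at
or above the threshold blocks go-live unless it was remediated or the risk owner
formally accepted the residual risk. All findings below are constructed samples.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

PCI_ACCEPT_BELOW = 4.0  # CVSS base score below which a finding may be accepted


@dataclass
class System:
    name: str
    critical: bool
    requires_high_availability: bool


@dataclass
class Finding:
    system: System
    title: str
    cvss: float
    impact: str                         # e.g. "dos", "rce", "xss", "info-disclosure"
    remediated: bool = False
    accepted_by: Optional[str] = None   # risk owner who formally accepted the residual risk


@dataclass
class GateDecision:
    go_live: bool
    blockers: List[str] = field(default_factory=list)
    accepted: List[str] = field(default_factory=list)


def evaluate(f: Finding) -> Tuple[str, str]:
    """Classify one finding as ('accept' | 'block', reason)."""
    if f.remediated:
        return "accept", "remediated"
    if f.impact == "dos" and f.system.critical and f.system.requires_high_availability:
        # Must be fixed regardless of CVSS score; risk-owner acceptance does not override it.
        return "block", "DoS on critical high-availability system must be addressed"
    if f.cvss < PCI_ACCEPT_BELOW:
        return "accept", f"CVSS {f.cvss} below {PCI_ACCEPT_BELOW} acceptance threshold"
    if f.accepted_by:
        return "accept", f"residual risk accepted by {f.accepted_by}"
    return "block", f"CVSS {f.cvss} >= {PCI_ACCEPT_BELOW}, neither remediated nor accepted"


def go_live_gate(findings: List[Finding]) -> GateDecision:
    """Return the authorisation decision plus the findings behind it."""
    decision = GateDecision(go_live=True)
    for f in findings:
        verdict, reason = evaluate(f)
        entry = f"{f.system.name}: {f.title} ({reason})"
        if verdict == "block":
            decision.blockers.append(entry)
            decision.go_live = False
        else:
            decision.accepted.append(entry)
    return decision


# Constructed sample systems and findings (assumptions, not real scan output).
PAYMENTS = System("payments-api", critical=True, requires_high_availability=True)
INTRANET = System("intranet-wiki", critical=False, requires_high_availability=False)

SAMPLE_FINDINGS = [
    Finding(PAYMENTS, "TLS server supports a weak cipher suite", 3.7, "info-disclosure"),
    Finding(PAYMENTS, "connection-exhaustion denial of service", 5.3, "dos"),
    Finding(PAYMENTS, "outdated web server with known RCE", 9.8, "rce", remediated=True),
    Finding(INTRANET, "reflected XSS in search", 6.1, "xss", accepted_by="intranet risk owner"),
    Finding(INTRANET, "verbose error page reveals stack traces", 5.3, "info-disclosure"),
]

if __name__ == "__main__":
    d = go_live_gate(SAMPLE_FINDINGS)
    print("GO-LIVE" if d.go_live else "BLOCKED")
    for b in d.blockers:
        print("  blocker:", b)
    for a in d.accepted:
        print("  accepted:", a)
```

The ordering of the checks is the point: remediation short-circuits everything, the DoS-on-critical-HA rule is evaluated before the CVSS threshold so a low-scored DoS finding on the payments system still blocks, and risk-owner acceptance is only consulted for findings that the hard criteria did not already decide.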
WHEN IS SECURITY ARCHITECTURE COMPLETE?
• WHEN SECURITY ARCHITECTS & SECURITY RISK SPECIALIST (AND OTHER ARCHITECTS) ARE NO
LONGER NEEDED
• START LOOKING FOR ANOTHER JOB
Bridging the gap
RISK MANAGEMENT - HIGH-LEVEL CONCEPTS
• RISK MANAGEMENT – IS THE PROCESS OF IDENTIFYING THE CRITICALITY OF AN ASSET, IDENTIFYING RISK, IDENTIFYING CONTROLS
THAT ARE APPLICABLE BEARING IN MIND THE CRITICALITY OF THE ASSET, PROBABILITY OF OCCURRENCE, IMPACT AND COST OF
APPLYING CONTROLS. RISK IS ASSESSED AS BOTH A PROBABILITY OF OCCURRENCE AND A MAGNITUDE OF EFFECT OR THE PRODUCT
OF THE TWO. STRATEGY IS TO ACCEPT , AVOID, REDUCE OR TRANSFER RISK.
• SECURITY RISK MANAGEMENT - A PROCESS FOR IDENTIFYING, PRIORITIZING AND MANAGING INFORMATION SECURITY RISK TO AN
ACCEPTABLE LEVEL WITHIN AN ORGANIZATION
• RISK MANAGEMENT IS A COMPREHENSIVE PROCESS THAT REQUIRES ORGANIZATIONS TO: (I) FRAME RISK (I.E., ESTABLISH THE
CONTEXT FOR RISK-BASED DECISIONS); (II) ASSESS RISK; (III) RESPOND TO RISK ONCE DETERMINED; AND (IV) MONITOR RISK ON AN
ONGOING BASIS USING EFFECTIVE ORGANIZATIONAL COMMUNICATIONS AND A FEEDBACK LOOP FOR CONTINUOUS IMPROVEMENT
IN THE RISK-RELATED ACTIVITIES OF ORGANIZATIONS. – NIST (800-39)
• RISK MANAGEMENT IS AN ACTIVITY DIRECTED TOWARDS ASSESSMENT, MITIGATION, AND MONITORING OF RISKS TO AN
ORGANIZATION. INFORMATION SECURITY RISK MANAGEMENT IS A MAJOR SUBSET OF THE ENTERPRISE RISK MANAGEMENT
PROCESS, WHICH INCLUDES BOTH THE ASSESSMENT OF INFORMATION SECURITY RISKS TO THE INSTITUTION AS WELL AS THE
DETERMINATION OF APPROPRIATE MANAGEMENT ACTIONS AND ESTABLISHED PRIORITIES FOR MANAGING AND IMPLEMENTING
CONTROLS TO PROTECT AGAINST THOSE RISKS. - CONFLUENCE
RISK MANAGEMENT – AN OVERVIEW
ESSENTIAL RISK MANAGEMENT – RISK PRIORITISATION
[Flow: Start risk prioritization → Conduct summary-level risk prioritization → Summary-level risk prioritization → Review with stakeholders → Conduct detailed-level risk prioritization → Detailed-level risk prioritization → End of risk prioritization]
CONDUCTING SUMMARY-LEVEL RISK PRIORITIZATION
• THE SUMMARY-LEVEL PRIORITIZATION INCLUDES THE FOLLOWING:
1. DETERMINE IMPACT LEVEL
2. ESTIMATE SUMMARY-LEVEL PROBABILITY
3. COMPLETE THE SUMMARY-LEVEL RISK LIST
4. REVIEW WITH STAKEHOLDERS
Summary-level probability scale:
High – Likely: one or more impacts expected within one year
Medium – Probable: impact expected within two to three years
Low – Not probable: impact not expected to occur within three years
[Matrix: impact level (High / Medium / Low) against summary-level probability (High / Medium / Low) gives the summary-level risk rating]
[Cycle diagram of the four risk management phases: 1 Assessing Risk → 2 Conducting Decision Support → 3 Implementing Controls → 4 Measuring Program Effectiveness → back to 1]
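The threat-vulnerability pairing, risk scoring and prioritisation steps from the Risk Assessment slide and the summary-level prioritisation above, worked through in one added example that is not from the slides. Only the three-level probability scale (likely / probable / not probable with its time horizons) is taken from the deck; the impact-by-probability rating matrix, the per-level annual rates of occurrence used for the rough quantification step, and the sample register entries are assumptions made for this example.

```python
"""Summary-level risk prioritisation over threat-vulnerability pairs (added example).

A risk event is an asset, a threat and the vulnerability that lets the threat
reach it. Impact is the business impact level if the event materialises;
probability uses the three-level summary scale from the slide (High = likely,
Medium = probable, Low = not probable). The rating matrix and the annual rates
used for rough quantification are assumptions for this example.
"""
from dataclasses import dataclass

LEVELS = ("Low", "Medium", "High")

# Summary-level probability scale (from the slide) plus an assumed annual rate
# of occurrence (ARO) per level for the quantification / cost-budgeting step.
PROBABILITY_SCALE = {
    "High":   ("Likely",       "one or more impacts expected within one year",    1.0),
    "Medium": ("Probable",     "impact expected within two to three years",       1 / 3),
    "Low":    ("Not probable", "impact not expected to occur within three years", 1 / 5),
}

# Assumed rating matrix: RISK_MATRIX[impact][probability] -> summary risk level.
RISK_MATRIX = {
    "High":   {"High": "High",   "Medium": "High",   "Low": "Medium"},
    "Medium": {"High": "High",   "Medium": "Medium", "Low": "Low"},
    "Low":    {"High": "Medium", "Medium": "Low",    "Low": "Low"},
}


@dataclass(frozen=True)
class Risk:
    asset: str
    threat: str
    vulnerability: str
    impact: str        # High / Medium / Low business impact if the threat materialises
    probability: str   # High / Medium / Low on the summary-level scale
    exposure: float    # assumed single-loss exposure (currency units) for quantification

    def __post_init__(self):
        for level in (self.impact, self.probability):
            if level not in LEVELS:
                raise ValueError(f"level must be one of {LEVELS}, got {level!r}")


def summary_risk(r: Risk) -> str:
    """Risk scoring: look the threat-vulnerability pair up in the rating matrix."""
    return RISK_MATRIX[r.impact][r.probability]


def annualised_loss(r: Risk) -> float:
    """Rough quantification: single-loss exposure x annual rate of occurrence."""
    return r.exposure * PROBABILITY_SCALE[r.probability][2]


def prioritise(risks):
    """Risk prioritisation: highest summary rating first, ties broken by annualised loss."""
    return sorted(risks, key=lambda r: (LEVELS.index(summary_risk(r)), annualised_loss(r)),
                  reverse=True)


def format_register(risks) -> str:
    """Render the summary-level risk list for review with stakeholders."""
    lines = []
    for rank, r in enumerate(prioritise(risks), 1):
        label, horizon, _ = PROBABILITY_SCALE[r.probability]
        lines.append(f"{rank}. [{summary_risk(r)}] {r.asset}: {r.threat} via {r.vulnerability} "
                     f"(impact {r.impact}; {label}, {horizon}; ALE ~{annualised_loss(r):,.0f})")
    return "\n".join(lines)


# Constructed sample register; assets, threats, levels and exposures are assumptions.
SAMPLE_RISKS = [
    Risk("Cardholder database", "external attacker exfiltrates card data",
         "no egress data-exfiltration detection", "High", "Medium", 2_000_000),
    Risk("Public web front end", "volumetric DDoS",
         "no upstream scrubbing or rate limiting", "Medium", "High", 150_000),
    Risk("Control system remote access", "credential brute force",
         "no lockout and weak employee passwords", "High", "High", 5_000_000),
    Risk("Internal wiki", "insider reads HR notes",
         "over-broad read permissions", "Low", "Medium", 10_000),
]

if __name__ == "__main__":
    print(format_register(SAMPLE_RISKS))
```

Three of the four sample entries rate High on the matrix, which is exactly the situation the deck's "review with stakeholders" and detailed-level prioritisation steps exist for: the qualitative rating alone does not order them, so the rough annualised-loss figure is used as the tie-breaker before the list goes to the risk owners.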
IMPLEMENTING CONTROLS
• Seek a holistic approach
• Organize by Defense-in-Depth
A GENERIC ASSET RISK ASSESSMENT APPROACH
PHASE 1 – Identification & Classification: Identify Data Assets; Identify Business Processes; Identify IT Applications
PHASE 2 – Business Impact Assessment: Perform Business Impact Assessment (of data assets, IT applications)
PHASE 3 – Risk Assessment: Information Risk Assessment; Application Risk Assessment; Record Risks (using bow ties)
PHASE 4 – Remediation: Define Remediation Activities
IT SECURITY ARCHITECTURE RELATIONAL ENTITY
SAFETY VS SECURITY?
• SAFETY ENFOLDS; IT IS INTERNAL. SAFETY IS A FEELING
• SECURITY SURROUNDS AND CAN BE EXTERNAL
• I.E. AN OVERARCHING UMBRELLA PROTECTING OUR SAFETY
• SECURITY AS A SAFEGUARD
• PERCEPTION IS REALITY
• 100% SECURITY IS NIRVANA
QUESTIONS