INFORMATION SECURITY – ARCHITECTURE & RISK MANAGEMENT ADEYEMI DINA & SHITTU O. SHITTU

Post on 30-May-2018


Page 1:

INFORMATION SECURITY – ARCHITECTURE & RISK MANAGEMENT

ADEYEMI DINA & SHITTU O. SHITTU

Page 2:

HIGHLIGHTS

• WHAT IS INFORMATION SECURITY AND WHY DOES IT MATTER

• IT’S ALL ABOUT BUSINESS RISKS

• SECURITY ARCHITECTURE FOR THE BUSINESS WORLD

• RISK MANAGEMENT IN SECURITY ARCHITECTURE

• SAFETY AND SECURITY? – QUIZ FOR THE END

• QUESTIONS

Page 3:

HIGHLIGHTS

• WHAT IS INFORMATION SECURITY AND WHY DOES IT MATTER

• IT’S ALL ABOUT BUSINESS RISKS

• SECURITY ARCHITECTURE FOR THE BUSINESS WORLD

• RISK MANAGEMENT IN SECURITY ARCHITECTURE

• A WORD FOR THE MOTIVATED

Page 4:

INFORMATION SECURITY - HIGH-LEVEL CONCEPTS

• INFORMATION SECURITY (IS) IS DESIGNED TO PROTECT THE CONFIDENTIALITY, INTEGRITY AND AVAILABILITY OF COMPUTER SYSTEM DATA FROM THOSE WITH MALICIOUS INTENTIONS

• INFORMATION SECURITY - THE PRACTICE OF PROTECTING INFORMATION FROM UNAUTHORIZED ACCESS, USE, DISCLOSURE, DISRUPTION, MODIFICATION, PERUSAL, INSPECTION, RECORDING OR DESTRUCTION. IT IS A GENERAL TERM USED REGARDLESS OF THE FORM THE DATA MAY TAKE (E.G. ELECTRONIC, PHYSICAL) - WIKIPEDIA

• INFORMATION SECURITY IS THE COLLECTION OF TECHNOLOGIES, STANDARDS, POLICIES AND MANAGEMENT PRACTICES THAT ARE APPLIED TO INFORMATION TO KEEP IT SECURE. – OPEN UNIVERSITY

• INFORMATION SECURITY IS THE SET OF BUSINESS PROCESSES THAT PROTECTS INFORMATION ASSETS REGARDLESS OF HOW THE INFORMATION IS FORMATTED OR WHETHER IT IS BEING PROCESSED, IS IN TRANSIT OR IS BEING STORED

Page 5:

WHY DOES IT MATTER?

- ANY OF THESE LOOK FAMILIAR?

Page 6:

RECENT SECURITY ISSUES

Period | Threats / Attacks | Vulnerabilities | Impact
Jan – Mar 2014 | Yahoo! email hack | Not disclosed | 273 million reportedly hacked, specific number of affected accounts not disclosed
Jan – Mar 2014 | DDoS attack on Bitcoin | Code integrity | No specific breach published; NTP DDoS vulnerability uncovered
Jan – Mar 2014 | DDoS attack on UK Ministry of Justice | Not disclosed | No breach
Jan – Mar 2014 | Sophisticated attack on Neiman Marcus retail infrastructure | Missed detections (or insufficient data exfiltration detection capability) | Credit card information of 350,000 individuals stolen
Apr – Jun 2014 | Heartbleed vulnerability published | |
Apr – Jun 2014 | Chinese individuals hacked into US companies | Not disclosed | Not published
Apr – Jun 2014 | Public utility control system hacked in the US | Brute-forced employees' login passwords | Not disclosed
Apr – Jun 2014 | Evernote subjected to DDoS attack | Not disclosed | Service disruption to 100 million Evernote users
Apr – Jun 2014 | P.F. Chang's restaurants cardholder data infrastructure compromised | Not disclosed | Credit and debit card information from 33 restaurants stolen and reportedly sold online
Apr – Jun 2014 | Organisers of Brazil 2014 World Cup DDoS'ed | Not disclosed | Disruption to numerous brad
July – Sep 2014 | Bash / ShellShock vulnerability released; affecting millions of devices worldwide | |
Oct – Dec 2014 | Sony Pictures hack | Not fully disclosed | Disruption of movie production, movie revenue and employee/talent relations
Oct – Dec 2014 | OpenSSL vulnerability released, affecting millions of software and hardware devices | |
Oct – Dec 2014 | Sony PlayStation and Microsoft Xbox attacked for days over the Christmas holiday | Not disclosed | Microsoft and Sony unable to serve millions of customers worldwide
Jan | | |

Page 7:

Page 8:

HIGHLIGHTS

• WHAT IS INFORMATION SECURITY AND WHY DOES IT MATTER

• IT’S ALL ABOUT BUSINESS RISKS

• SECURITY ARCHITECTURE FOR THE BUSINESS WORLD

• RISK MANAGEMENT IN SECURITY ARCHITECTURE

• A WORD FOR THE MOTIVATED

Page 9:

TO THE BUSINESS; WHAT IS RISK?

Diagram: Information Asset – Vulnerability – Threat

• THE EFFECT OF UNCERTAINTY ON OBJECTIVES (ISO 31000)

• EFFECT IS A POSITIVE OR NEGATIVE DEVIATION FROM WHAT IS EXPECTED

• UNCERTAINTY EXISTS WHENEVER THE KNOWLEDGE OR UNDERSTANDING OF AN EVENT, CONSEQUENCE OR LIKELIHOOD IS INADEQUATE OR INCOMPLETE

Page 10:

POSITIVE PERSPECTIVE

Diagram: Information Asset – Strength – Opportunity

• THE EFFECT OF UNCERTAINTY ON OBJECTIVES (ISO 31000)

• EFFECT IS A POSITIVE OR NEGATIVE DEVIATION FROM WHAT IS EXPECTED

• UNCERTAINTY EXISTS WHENEVER THE KNOWLEDGE OR UNDERSTANDING OF AN EVENT, CONSEQUENCE OR LIKELIHOOD IS INADEQUATE OR INCOMPLETE

Page 11:

HIGHLIGHTS

• WHAT IS INFORMATION SECURITY AND WHY DOES IT MATTER

• IT’S ALL ABOUT BUSINESS RISKS

• SECURITY ARCHITECTURE FOR THE BUSINESS WORLD

• RISK MANAGEMENT IN SECURITY ARCHITECTURE

• A WORD FOR THE MOTIVATED

Page 12:

SECURITY ARCHITECTURE - HIGH-LEVEL CONCEPTS

• SECURITY ARCHITECTURE - ARTIFACTS THAT DESCRIBE HOW THE SECURITY CONTROLS/COUNTERMEASURES/SAFEGUARDS ARE POSITIONED AND HOW THEY RELATE TO THE OVERALL SYSTEMS ARCHITECTURE FOR THE PURPOSE OF MAINTAINING THE SYSTEM'S QUALITY ATTRIBUTES OF CONFIDENTIALITY, INTEGRITY AND AVAILABILITY. – WIKIPEDIA

• THE DESIGN ARTIFACTS THAT DESCRIBE HOW THE SECURITY CONTROLS (= SECURITY COUNTERMEASURES) ARE POSITIONED, AND HOW THEY RELATE TO THE OVERALL IT ARCHITECTURE. THESE CONTROLS SERVE THE PURPOSE OF MAINTAINING THE SYSTEM'S QUALITY ATTRIBUTES, AMONG THEM CONFIDENTIALITY, INTEGRITY, AVAILABILITY, ACCOUNTABILITY AND ASSURANCE. – OPENSECURITYARCHITECTURE.ORG

• SECURITY ARCHITECTURE IS A UNIFIED SECURITY DESIGN THAT ADDRESSES THE NECESSITIES AND POTENTIAL RISKS INVOLVED IN A CERTAIN SCENARIO OR ENVIRONMENT. IT ALSO SPECIFIES WHEN AND WHERE TO APPLY SECURITY CONTROLS. THE DESIGN PROCESS IS GENERALLY REPRODUCIBLE. – TECHOPEDIA

• ENTERPRISE INFORMATION SECURITY ARCHITECTURE (EISA) IS THE PRACTICE OF APPLYING A COMPREHENSIVE AND RIGOROUS METHOD FOR DESCRIBING A CURRENT AND/OR FUTURE STRUCTURE AND BEHAVIOUR FOR AN ORGANIZATION'S SECURITY PROCESSES, INFORMATION SECURITY SYSTEMS, PERSONNEL AND ORGANIZATIONAL SUB-UNITS, SO THAT THEY ALIGN WITH THE ORGANIZATION'S CORE GOALS AND STRATEGIC DIRECTION. - WIKIPEDIA

Page 13:

IT IS ABOUT …

• POSITIONING

• DISTINCTION AND AUTHENTICITY

• … AND THE THINGS WE CARE ABOUT

Page 14:

NIRVANA ARCHITECTURE – "NO ARCHITECTS NEEDED"

Diagram: Common business security problem → Business security aspiration; Security Architecture bridges the gap

Page 15:

THE MIND OF A SECURITY ARCHITECT

Principles

• Risk-based and policy-driven

• Policy-based access to services

• Ease of use / low friction

• Data access control

• Service minimisation

• Limit what your system says

• Audit logging and monitoring

Principles (continued)

• Secure by design

• Defense-in-depth

• Segregation of trust domains

• Secure down to the weakest link

• Protection against insider and outsider attacks

• Trust levels

• Least privilege

• Separation of duties
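Several of the principles above (policy-based access to services, least privilege, separation of duties, audit logging and monitoring) can be shown working together in a single policy decision point. The following is an added illustration and is not code from the presentation; the role catalogue, the services and actions, the payments separation-of-duties rule and the in-memory history are all constructed for the example.

```python
"""Policy-based access decisions that apply several of the principles listed above:
deny by default, least privilege (roles grant only the actions they need),
separation of duties, and audit logging of every decision.
Added illustration, not code from the presentation; roles, actions and the
separation-of-duties rule are constructed for the example."""
import json
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

Grant = Tuple[str, str]  # (service, action)

# Constructed role catalogue: each role carries only the grants its job needs.
ROLE_GRANTS: Dict[str, Set[Grant]] = {
    "payments-clerk": {("payments", "create")},
    "payments-approver": {("payments", "approve")},
    "auditor": {("payments", "read"), ("audit-log", "read")},
}

# Constructed separation-of-duties rule: the action on the left may not be performed
# by a subject who already performed the action on the right against the same resource.
SOD_CONFLICTS: Dict[Grant, Grant] = {("payments", "approve"): ("payments", "create")}


@dataclass(frozen=True)
class Request:
    subject: str
    roles: Tuple[str, ...]
    service: str
    action: str
    resource: str


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


class PolicyDecisionPoint:
    def __init__(self) -> None:
        # resource -> (subject, service, action) tuples already permitted; a real
        # deployment would read this from the transaction record, not memory.
        self.history: Dict[str, Set[Tuple[str, str, str]]] = {}
        self.audit_log: List[str] = []  # JSON lines, one per decision

    def decide(self, req: Request) -> Decision:
        wanted: Grant = (req.service, req.action)
        # Least privilege / default deny: union of the grants of the roles the subject
        # holds; unknown roles contribute nothing, so anything unlisted is denied.
        grants: Set[Grant] = set()
        for role in req.roles:
            grants |= ROLE_GRANTS.get(role, set())
        if wanted not in grants:
            return self._record(req, Decision(False, "no role grants this action"))
        # Separation of duties: block if this subject already did the conflicting
        # action on the same resource, even though a role would otherwise permit it.
        conflict: Optional[Grant] = SOD_CONFLICTS.get(wanted)
        if conflict is not None:
            prior = self.history.get(req.resource, set())
            if (req.subject, conflict[0], conflict[1]) in prior:
                return self._record(
                    req, Decision(False, f"separation of duties: subject already performed {conflict[1]}")
                )
        self.history.setdefault(req.resource, set()).add((req.subject, req.service, req.action))
        return self._record(req, Decision(True, "granted by role"))

    def _record(self, req: Request, decision: Decision) -> Decision:
        # Audit logging: every allow and deny is written, with the reason.
        self.audit_log.append(json.dumps({
            "subject": req.subject, "roles": list(req.roles), "service": req.service,
            "action": req.action, "resource": req.resource,
            "allowed": decision.allowed, "reason": decision.reason,
        }))
        return decision


if __name__ == "__main__":
    pdp = PolicyDecisionPoint()
    print(pdp.decide(Request("alice", ("payments-clerk",), "payments", "create", "pay-1")))
    print(pdp.decide(Request("alice", ("payments-clerk", "payments-approver"), "payments", "approve", "pay-1")))
    print(pdp.decide(Request("bob", ("payments-approver",), "payments", "approve", "pay-1")))
    print("\n".join(pdp.audit_log))
```

The second request in the usage block is the case worth noting: alice holds a role that grants "approve", yet the decision is a deny because she created the same payment, which is exactly the situation a role check alone would let through.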

Page 16:

AN ARCHITECTURE DEVELOPMENT METHODOLOGY

1. Characterise the system by defining data, classification, criticality, components and interfaces.

2. Identify threats, vulnerabilities and the threat-vulnerability pairs that result in risk to the system and data. Identify high-priority risks for management and control. Leverage threat modelling techniques.

3. Select appropriate controls to treat high-priority risks. Determine architecture and design principles and patterns – leverage available security building blocks in the proposed security architecture foundations/model.

4. Assess the design and implementation of controls and security architecture for residual risks (design review / vulnerability scan / pen test).

5. Present the implemented solution to the risk owner for acceptance of residual risks. Gain authorisation for production / go-live.

6. Ensure continuous security monitoring through integration with security logging and monitoring and contract management.

Focus on secure business technology outcomes; not just security tools.

Page 17:

SYSTEM CHARACTERISATION

• UNDERSTAND THE BUSINESS PROCESS, APPLICATION SYSTEM AND COMPONENTS

• WHAT TYPE/CLASSIFICATION OF DATA IS INVOLVED

• WHAT ARE THE SYSTEM BOUNDARIES

• WHAT ARE THE INTERFACES TO/FROM THE SYSTEM AND WITHIN THE COMPONENTS OF THE SYSTEM

• WHO HAS THE RISK DECISION ON THE CRITICALITY OF THE SYSTEM

• WHO HAS THE RISK DECISION ON THE IMPACT OF SECURITY RISK ON DATA LOSS, UNAUTHORISED DISCLOSURE AND UNAUTHORISED MODIFICATION

• WHAT IS THE BUSINESS IMPACT OF ANY OF THESE SECURITY CONCERNS?

• WHAT ARE THE KNOWN WEAKNESSES, BUGS AND TECHNICAL SECURITY VULNERABILITIES (IF IT IS AN EXISTING SYSTEM)

• CURRENT BUSINESS RISK POSTURE OF THE SYSTEM

Page 18:

RISK ASSESSMENT – ONE PART OF RISK MANAGEMENT

• ESTIMATE POTENTIAL DAMAGE TO THE SYSTEM IN THE EVENT OF A THREAT MATERIALISING – BUSINESS IMPACT ASSESSMENT

• IDENTIFY THREATS AND ESTIMATE THE LIKELIHOOD OF THEM MATERIALISING – THREAT MODELLING

• IDENTIFY VULNERABILITIES, WEAKNESSES AND ISSUES WITH THE SYSTEM (OR POTENTIAL ONES) AND THE LIKELIHOOD OF THEM BEING EXPLOITED – ISSUES IDENTIFICATION / SECURITY ASSESSMENT

• USE THREAT-VULNERABILITY PAIRING TO DETERMINE THE MOST LIKELY RISK EVENTS THAT COULD MATERIALISE – RISK SCORING

• PRIORITISE THE RISKS ACCORDING TO THEIR LEVELS – RISK PRIORITISATION

• QUANTIFY RISKS AND REVIEW WITH STAKEHOLDERS – RISK QUANTIFICATION / COST BUDGETING

Page 19:

SELECTION OF CONTROLS PLUS ARCHITECTURE & DESIGN

• FOLLOW ORGANISATION-DEFINED SECURITY GUIDELINES AND POLICIES (ACCESS CONTROL, PASSWORD MANAGEMENT, REGULATORY COMPLIANCE, BUSINESS VALUES ETC.)

• SELECT CONTROLS FROM A DEFINED CONTROLS CATALOGUE, OR FROM INDUSTRY STANDARDS SUCH AS NIST 800-53 AND ISO 27001/2

• LEVERAGE SECURITY ARCHITECTURE BUILDING BLOCKS (FROM BEST-PRACTICE FRAMEWORKS SUCH AS SABSA)

• REUSE EXISTING SECURITY SERVICES, RATHER THAN BUILD NEW ONES (REUSE BEFORE BUY BEFORE BUILD)

• BE CREATIVE (USING THE "MIND OF A SECURITY ARCHITECT")

Page 20:

IMPLEMENTATION ASSESSMENT, AUTHORISATION AND CONTINUOUS MONITORING

Design reviews, build/code reviews, source code analysis, vulnerability assessment, security testing (application / penetration testing) plus remediations to acceptable risk levels.

Risk acceptance criteria, e.g. accept vulnerabilities with a Common Vulnerability Scoring System (CVSS) score of less than 4.0 to maintain PCI DSS compliance; address all DoS vulnerabilities on critical systems that require high availability; approval to go live with the system.

Feeds of security events and logs to security information and event management (SIEM) tools, horizon scanning of threat intelligence and monitoring of exploits against the accepted risk posture, which may require revision of the system characterisation.

… and the cycle begins … again
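The two example acceptance criteria on this slide interact in a way a gate has to get right: a denial-of-service finding on a critical, high-availability system must be fixed even when its CVSS score sits below the 4.0 acceptance line. The block below is an added illustration, not code from the presentation; the systems and findings are constructed, and using the CVSS Availability metric value "H" as the indicator of a DoS finding is an assumption made for the example.

```python
"""Risk-acceptance gate for the implementation assessment step (added illustration,
not code from the presentation). It encodes the two example acceptance criteria
from the slide: a finding may be accepted as residual risk when its CVSS base score
is below 4.0, and any denial-of-service finding on a critical, high-availability
system must be remediated before go-live. Systems, findings and the use of the CVSS
availability metric as the DoS indicator are constructed for the example."""
from dataclasses import dataclass
from typing import Dict, List, Optional

CVSS_ACCEPT_BELOW = 4.0  # findings scored below this may be accepted (slide's PCI DSS example)


@dataclass(frozen=True)
class System:
    name: str
    critical: bool
    high_availability: bool


@dataclass(frozen=True)
class Finding:
    ident: str
    system: System
    cvss: float
    availability_impact: str  # CVSS Availability metric value: "N", "L" or "H" (assumed DoS proxy)
    remediated: bool = False


def is_dos(finding: Finding) -> bool:
    """Treat a high availability impact as a denial-of-service finding (assumption)."""
    return finding.availability_impact == "H"


def blocking_reason(finding: Finding) -> Optional[str]:
    """Reason this finding blocks authorisation, or None if it can be accepted as residual risk."""
    if finding.remediated:
        return None
    sys_ = finding.system
    # Evaluated first: the DoS rule applies even when the CVSS score is below the threshold.
    if sys_.critical and sys_.high_availability and is_dos(finding):
        return f"{finding.ident}: DoS finding on critical high-availability system {sys_.name} must be fixed"
    if finding.cvss >= CVSS_ACCEPT_BELOW:
        return f"{finding.ident}: CVSS {finding.cvss} is not below the {CVSS_ACCEPT_BELOW} acceptance threshold"
    return None


def assess_for_go_live(findings: List[Finding]) -> Dict[str, object]:
    """Apply the acceptance criteria and return the go-live decision with its evidence."""
    blockers = [reason for f in findings if (reason := blocking_reason(f)) is not None]
    accepted = [f.ident for f in findings if not f.remediated and blocking_reason(f) is None]
    return {"authorised": not blockers, "blockers": blockers, "accepted_residual": accepted}


# Constructed sample input
PAYMENTS = System("payments-api", critical=True, high_availability=True)
INTRANET = System("intranet-cms", critical=False, high_availability=False)
SAMPLE_FINDINGS = [
    Finding("F-1", INTRANET, 3.1, "N"),                   # low score, non-critical: acceptable
    Finding("F-2", PAYMENTS, 3.7, "H"),                   # below 4.0 but DoS on critical HA: blocks
    Finding("F-3", PAYMENTS, 7.5, "N"),                   # above threshold: blocks
    Finding("F-4", PAYMENTS, 9.8, "H", remediated=True),  # already fixed: neither blocks nor accepted
]


def remediate(findings: List[Finding], idents: List[str]) -> List[Finding]:
    """Return a copy of the list with the named findings marked as remediated."""
    return [Finding(f.ident, f.system, f.cvss, f.availability_impact, True) if f.ident in idents else f
            for f in findings]


if __name__ == "__main__":
    print(assess_for_go_live(SAMPLE_FINDINGS))
    print(assess_for_go_live(remediate(SAMPLE_FINDINGS, ["F-2", "F-3"])))
```

The returned "accepted_residual" list is what the risk owner signs off in the authorisation step; the "blockers" list is the remediation backlog that must be empty before go-live.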

Page 21:

WHEN IS SECURITY ARCHITECTURE COMPLETE?

• WHEN SECURITY ARCHITECTS & SECURITY RISK SPECIALISTS (AND OTHER ARCHITECTS) ARE NO LONGER NEEDED

• START LOOKING FOR ANOTHER JOB

Bridging the gap

Page 22:

HIGHLIGHTS

• WHAT IS INFORMATION SECURITY AND WHY DOES IT MATTER

• IT’S ALL ABOUT BUSINESS RISKS

• SECURITY ARCHITECTURE FOR THE BUSINESS WORLD

• RISK MANAGEMENT IN SECURITY ARCHITECTURE

• A WORD FOR THE MOTIVATED

Page 23:

RISK MANAGEMENT - HIGH-LEVEL CONCEPTS

• RISK MANAGEMENT – IS THE PROCESS OF IDENTIFYING THE CRITICALITY OF AN ASSET, IDENTIFYING RISK, AND IDENTIFYING CONTROLS THAT ARE APPLICABLE, BEARING IN MIND THE CRITICALITY OF THE ASSET, PROBABILITY OF OCCURRENCE, IMPACT AND COST OF APPLYING CONTROLS. RISK IS ASSESSED AS BOTH A PROBABILITY OF OCCURRENCE AND A MAGNITUDE OF EFFECT, OR THE PRODUCT OF THE TWO. THE STRATEGY IS TO ACCEPT, AVOID, REDUCE OR TRANSFER RISK.

• SECURITY RISK MANAGEMENT - A PROCESS FOR IDENTIFYING, PRIORITIZING AND MANAGING INFORMATION SECURITY RISK TO AN ACCEPTABLE LEVEL WITHIN AN ORGANIZATION

• RISK MANAGEMENT IS A COMPREHENSIVE PROCESS THAT REQUIRES ORGANIZATIONS TO: (I) FRAME RISK (I.E., ESTABLISH THE CONTEXT FOR RISK-BASED DECISIONS); (II) ASSESS RISK; (III) RESPOND TO RISK ONCE DETERMINED; AND (IV) MONITOR RISK ON AN ONGOING BASIS USING EFFECTIVE ORGANIZATIONAL COMMUNICATIONS AND A FEEDBACK LOOP FOR CONTINUOUS IMPROVEMENT IN THE RISK-RELATED ACTIVITIES OF ORGANIZATIONS. – NIST (800-39)

• RISK MANAGEMENT IS AN ACTIVITY DIRECTED TOWARDS ASSESSMENT, MITIGATION, AND MONITORING OF RISKS TO AN ORGANIZATION. INFORMATION SECURITY RISK MANAGEMENT IS A MAJOR SUBSET OF THE ENTERPRISE RISK MANAGEMENT PROCESS, WHICH INCLUDES BOTH THE ASSESSMENT OF INFORMATION SECURITY RISKS TO THE INSTITUTION AS WELL AS THE DETERMINATION OF APPROPRIATE MANAGEMENT ACTIONS AND ESTABLISHED PRIORITIES FOR MANAGING AND IMPLEMENTING CONTROLS TO PROTECT AGAINST THOSE RISKS. - CONFLUENCE

Page 24:

RISK MANAGEMENT – AN OVERVIEW

Page 25:

ESSENTIAL RISK MANAGEMENT – RISK PRIORITISATION

Flow:

Start risk prioritization
→ Conduct summary-level risk prioritization (output: summary-level risk prioritization)
→ Review with stakeholders
→ Conduct detailed-level risk prioritization (output: detailed-level risk prioritization)
→ End of risk prioritization

Page 26:

CONDUCTING SUMMARY-LEVEL RISK PRIORITIZATION

• THE SUMMARY-LEVEL PRIORITIZATION INCLUDES THE FOLLOWING:

1. DETERMINE IMPACT LEVEL

2. ESTIMATE SUMMARY-LEVEL PROBABILITY

3. COMPLETE THE SUMMARY-LEVEL RISK LIST

4. REVIEW WITH STAKEHOLDERS

Summary-level probability scale:

High | Likely – one or more impacts expected within one year
Medium | Probable – impact expected within two to three years
Low | Not probable – impact not expected to occur within three years
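The risk-scoring steps on the earlier risk assessment slide (threat-vulnerability pairing, risk scoring, risk prioritisation) and the four summary-level steps above can be run end to end as a small script. The following is an added illustration, not code from the presentation: the assets, threats, vulnerabilities, the four-level impact scale, the numeric weights given to Likely / Probable / Not probable, and the banding of the resulting product into High / Medium / Low are all constructed for the example; only the time-horizon definitions of the three probability levels come from the slide.

```python
"""Summary-level risk prioritisation (added illustration, not code from the presentation),
covering the risk-scoring steps on the risk assessment slide and the four steps above:
threat-vulnerability pairs are formed per asset, each pair's expected time-to-impact is
mapped onto the deck's probability scale (Likely / Probable / Not probable), combined with
the asset's impact level, and the result is returned as a sorted summary-level risk list
for stakeholder review. Assets, threats, vulnerabilities, the four-level impact scale and
the numeric weights are constructed for the example."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List

IMPACT_LEVEL: Dict[str, int] = {"low": 1, "medium": 2, "high": 3, "critical": 4}  # assumed scale
PROBABILITY_WEIGHT: Dict[str, int] = {"Likely": 3, "Probable": 2, "Not probable": 1}  # assumed


def probability_band(expected_years: float) -> str:
    """Map an analyst's time-to-impact estimate onto the slide's probability definitions."""
    if expected_years <= 1:
        return "Likely"        # one or more impacts expected within one year
    if expected_years <= 3:
        return "Probable"      # impact expected within two to three years
    return "Not probable"      # impact not expected to occur within three years


def rating(score: int) -> str:
    """Assumed banding of the impact x probability product into a summary rating."""
    if score >= 8:
        return "High"
    if score >= 4:
        return "Medium"
    return "Low"


@dataclass(frozen=True)
class Threat:
    name: str
    expected_years: float  # estimated time until the threat materialises against this estate


@dataclass(frozen=True)
class Vulnerability:
    name: str
    asset: str
    exploitable_by: FrozenSet[str]  # names of threats that can exploit this weakness


@dataclass(frozen=True)
class Risk:
    asset: str
    threat: str
    vulnerability: str
    impact: str
    probability: str
    score: int
    rating: str


def summary_level_risks(asset_impact: Dict[str, str], threats: List[Threat],
                        vulns: List[Vulnerability]) -> List[Risk]:
    """Steps 1-3: determine impact, estimate probability, complete the ranked risk list."""
    threat_by_name = {t.name: t for t in threats}
    risks: List[Risk] = []
    for v in vulns:
        impact = asset_impact[v.asset]                      # step 1: impact level of the asset
        for threat_name in v.exploitable_by:                # threat-vulnerability pairing
            prob = probability_band(threat_by_name[threat_name].expected_years)  # step 2
            score = IMPACT_LEVEL[impact] * PROBABILITY_WEIGHT[prob]
            risks.append(Risk(v.asset, threat_name, v.name, impact, prob, score, rating(score)))
    # step 3: highest score first; ties broken deterministically so the list is stable for review
    risks.sort(key=lambda r: (-r.score, r.asset, r.threat, r.vulnerability))
    return risks


# Constructed sample input
ASSET_IMPACT = {"cardholder-db": "critical", "marketing-site": "low"}
THREATS = [Threat("phishing", 0.5), Threat("sql-injection", 1.0),
           Threat("insider-fraud", 2.5), Threat("physical-theft", 5.0)]
VULNS = [
    Vulnerability("weak admin passwords", "cardholder-db", frozenset({"phishing"})),
    Vulnerability("unparameterised queries", "cardholder-db", frozenset({"sql-injection"})),
    Vulnerability("no exfiltration monitoring", "cardholder-db", frozenset({"insider-fraud"})),
    Vulnerability("outdated CMS", "marketing-site", frozenset({"sql-injection"})),
    Vulnerability("unlocked server rack", "marketing-site", frozenset({"physical-theft"})),
]

if __name__ == "__main__":
    # step 4: this is the list taken to stakeholders for review
    for r in summary_level_risks(ASSET_IMPACT, THREATS, VULNS):
        print(f"{r.rating:6} {r.score:2}  {r.asset:15} {r.threat:15} via {r.vulnerability} ({r.probability})")
```

The same threat (sql-injection) lands in different places in the list depending on the asset it is paired with, which is the point of pairing threats with vulnerabilities per asset rather than ranking threats in isolation.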

Page 27:

IMPLEMENTING CONTROLS

Diagram: risk management cycle – 1 Assessing Risk → 2 Conducting Decision Support → 3 Implementing Controls → 4 Measuring Program Effectiveness

• SEEK A HOLISTIC APPROACH

• ORGANIZE BY DEFENSE-IN-DEPTH

Page 28:

A GENERIC ASSET RISK ASSESSMENT APPROACH

PHASE 1 – Identification & Classification: Identify Data Assets; Identify Business Processes; Identify IT Applications

PHASE 2 – Business Impact Assessment: Perform Business Impact Assessment (of data assets, IT applications)

PHASE 3 – Risk Assessment: Information Risk Assessment; Application Risk Assessment; Record Risks (using bow ties)

PHASE 4 – Remediation: Define Remediation Activities

Page 29:

IT SECURITY ARCHITECTURE RELATIONAL ENTITY

Page 30:

HIGHLIGHTS

• WHAT IS INFORMATION SECURITY AND WHY DOES IT MATTER

• IT’S ALL ABOUT BUSINESS RISKS

• SECURITY ARCHITECTURE FOR THE BUSINESS WORLD

• RISK MANAGEMENT IN SECURITY ARCHITECTURE

• SAFETY VS SECURITY

Page 31:

Page 32:

Page 33:

SAFETY VS SECURITY?

• SAFETY ENFOLDS, IT'S INTERNAL, SAFETY IS A FEELING

• SECURITY SURROUNDS AND COULD BE EXTERNAL

• I.E. AN OVERARCHING UMBRELLA PROTECTING OUR SAFETY

• SECURITY AS A SAFEGUARD

• PERCEPTION IS REALITY

• 100% SECURITY IS NIRVANA

Page 34:

QUESTIONS