IST 712: 8/23/10 1 IST 712 Information Security

Objectives: August 23, 2010

• Preview IST 712, Info Security

– Course focus, content, objectives, & conduct

– Administrative requirements and issues

• Briefly introduce the information security area

– Why is this an important topic?

– Who is affected and how?

– Why is it not just a technical concern but a broader management responsibility?

Objectives: August 23, 2010 (cont)

• Overview some key security concepts

– Relationship to organizational mission, objectives, goals

– Risk management principles

– Security management concepts

– Personnel or staffing security concerns

Administrative Notes

• Introductions

• Course focus: Managerial introduction to information security topics

– Technical issues without highly technical coverage

– IST 301/IST 701 or equivalent provide sufficient basis

• For MAcc students: ACCT 311 is a plus

– For any “techies”: What the course is NOT!

• Expectations…instructor and students

• Feedback & assistance

Course Content

• Conduct, methods, philosophy

• New text this semester…why and impact?

• Guest speakers

• Assignments

– Class meeting highlights

– Research “mini-project” (written/verbal)

– “Current events”

• Exams: Number, style, focus

Grading Expectations

• General philosophy

– Graduate focus

– So…meet standard = B

– Consistently exceed = A

– Will apply “modified” +/-

• Performance relative to group normally most significant

– Do not focus on absolute scores

– Letter grade for course only

• Appeals welcome…but don’t delay!

Grade Components

Component              Weight

Exam 1                 25%

Exam 2                 25%

Exam 3                 25%

Research project       10%

Meeting Highlights     7.5%

Class Participation    7.5%

Total                  100%

WHY SHOULD YOU CARE?

You are…or will be… managers, auditors …the business end.

This is “techie” stuff, right?

One Possible Motivation

But on a more positive note….

Computer Security Institute Survey

• Annual “Computer Crime & Security Survey”

– Previously conducted by CSI & San Francisco FBI squad

– 2009 survey is 14th in the series, but now CSI only

– Recent surveys in Class Meeting Details

• Based on responses from security professionals

• Demographics vary yearly to a slight degree, but…

– Survey represents a broad range of sectors, industries, & organization sizes

• “Global State of Information Security” by PWC also an excellent source

Selected Survey Demographics

Source: 2009 Computer Security Institute Computer Crime and Security Survey

[Charts: respondent demographics by revenues, employees, and sectors]

2009 CSI Survey

Summary of Key Findings

• Average loss due to reported security incident decreased (from ~$289K to ~$234K)

• Financial fraud still expensive for those experiencing it (~$450K), but #3 on the “most expensive” list

• Greater prevalence places others #1 & #2

– Wireless exploits (~$770K)

– Theft of PII/PHI through all means other than portable loss (~$710K)

• Actions taken after a security incident

– 22% notified individuals whose personal information was breached

– 17% provided new security services to customers/users

Source: Computer Security Institute, 2009 Computer Crime and Security Survey

2009 CSI Survey

Summary of Key Findings (continued)

• 25% of respondents felt that >60% of losses were due to non-malicious actions by insiders

• Most respondents rated their organization’s end-user security training as “inadequate”

– But most felt investments in other areas of security were adequate

• 71% do not outsource any security functions

• Use of security technologies increased

– Largest jumps in use of anti-spyware products and encryption of stored data

Source: Computer Security Institute, 2009 Computer Crime and Security Survey

2009 CSI Survey

Summary of Key Findings (concluded)

• “Technology wish list” topped by better tools for…

– Log management, security incident and event management

– Security information visualization, dashboards, etc.

• Most use financial metrics for security investments

– Reported use of ROI increased to 67.8%…a large jump

– Reported use of NPV and IRR as metrics declined

• 7.7% categorized their organizations as “health industry”, but…

• 57.1% stated a requirement to comply with HIPAA

– HIPAA cited more often than any other statute or regulation

• Most felt that regulatory compliance efforts had aided their security posture generally

Source: Computer Security Institute, 2009 Computer Crime and Security Survey

Types of Attacks/Misuse

Source: 2009 Computer Security Institute Computer Crime and Security Survey

Types of Attacks

Note the…

• Types of attacks

• Evolution of attack categories

• Number of respondents to this survey question

Source: 2009 Computer Security Institute Computer Crime and Security Survey

Average Dollar Losses Reported

Source: 2009 Computer Security Institute Computer Crime and Security Survey

Impact of “Insider” Actions

Source: 2009 Computer Security Institute Computer Crime and Security Survey

Response to Incidents

Source: 2008 Computer Security Institute Computer Crime and Security Survey

Reasons for Not Reporting

Source: 2008 Computer Security Institute Computer Crime and Security Survey

Security Assessment Methods

Source: Computer Security Institute, 2008 Computer Crime and Security Survey

Management Concerns

• Impact to business operations

– Can my business continue efficiently, effectively without IS?

• Can it continue at all?

– Can I recover from IS failures?

• Regulatory compliance

– Stated: Privacy Act, HIPAA, Gramm-Leach-Bliley, Sarbanes-Oxley, etc.

– Implied: Will lack of security result in legal liability?

• Unauthorized usage

– Can intruders or insiders cause fraud?

Management Concerns

• Inadvertent mistakes

– Will lack of controls preclude the detection of mistakes?

– What impact will mistakes have on business?

• Disclosure or loss of information assets…“data leakage”

– Can competitors gain access to proprietary information?

– Can someone destroy research products?

• Relationships

– Will customers trust me if I’m penetrated?

– Will I be embarrassed due to a defaced website?

– Will partners be reluctant to do business with me?

Where are we headed? The CISSP “Domains”

• Certified Information Systems Security Professional (CISSP) is a commonly sought credential

• Certification focuses on ten domains of knowledge

– Access controls

– Application security

– Business continuity & disaster recovery planning

– Cryptography

– Information security & risk management

– Legal, regulations, compliance, & investigations

– Operations security

– Physical & environmental security

– Security architecture & design

– Telecommunications & network security

Baseline Concepts

• Mission, objectives, goals

• Risk management

– Assessment

– Action options

• Security Management

– Controls

– “CIA”

– Defense in depth

– Single points of failure

– Fail open, closed, soft

– Privacy

Organizational Direction Source

[Diagram: Mission, Objectives, Goals, Vision, Process(es)]

Role of the Security Function

• Understand mission, objectives, goals, processes

– Perhaps influence their development to an extent

• Help attain goals and objectives by reducing risk

– Identify key assets and activities

– Develop and help implement/embed appropriate controls

– Inform and educate users

• Requires management support

– Security cannot be the task of the security staff alone

– Requires resource support and the “tone at the top”

Risk Management

• Understanding the acceptable level of risk associated with an activity…risk to the activity or risk caused by it

• Two basic activities

– Risk assessment: determining, through effective assessment, the actual risk that exists

– Risk treatment: if that risk is excessive, developing/implementing strategies to lessen it to an acceptable level

Qualitative Risk Assessment

• Identify scope of assets and activities

– Assets that may be at risk

– Activities that may be at risk or generate risk in their undertaking

• Identify for each

– Vulnerabilities

– Threats

– Threat probability

– Impact of occurrence

– Possible countermeasures

Quantitative Risk Assessment

• Extension of qualitative assessment

• Metrics are:

– Asset value

– Exposure factor (EF)

• Proportion of an asset likely to be lost to a threat, threat impact

– Single Loss Expectancy (SLE)

• SLE = Asset cost ($) x EF (%)

– Annualized Rate of Occurrence (ARO)

• Probability of loss in a year

– Annual Loss Expectancy (ALE)

• ALE = SLE x ARO … the probable cost or dollar impact

Countermeasures

• Goal – Reduce ALE, the probable annual cost

• Considerations…cost-benefit

– Cost of the countermeasure

– Effectiveness: Reduce the degree of impact (EF)

– Effectiveness: Reduce probability of occurrence (ARO)

• Geography can impact too

– Asset replacement value can vary with location

– Exposure factor can vary with location

– ARO can also vary with location
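The SLE/ALE arithmetic from the quantitative risk assessment slide and the countermeasure cost-benefit comparison above, carried through in code. This is an added example, not part of the lecture materials: the asset value, exposure factors, occurrence rates and countermeasure costs are constructed, and the net-benefit rule used to rank the options (ALE before, minus ALE after, minus the control's annual cost) is the usual way of operationalising "reduce ALE" under cost-benefit rather than a formula taken from the slides.

```python
"""Quantitative risk assessment: SLE, ARO, ALE and countermeasure cost-benefit.

Added worked example (not from the lecture slides). All dollar figures,
exposure factors and occurrence rates below are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class RiskScenario:
    """One asset exposed to one threat."""
    asset_value: float      # replacement value of the asset, in dollars
    exposure_factor: float  # EF: fraction (0..1) of the asset lost per occurrence
    aro: float              # ARO: expected number of occurrences per year

    def __post_init__(self):
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError("EF must be a proportion between 0 and 1")
        if self.asset_value < 0 or self.aro < 0:
            raise ValueError("asset value and ARO cannot be negative")

    def sle(self) -> float:
        """Single Loss Expectancy: SLE = asset value x EF."""
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annual Loss Expectancy: ALE = SLE x ARO."""
        return self.sle() * self.aro


@dataclass(frozen=True)
class Countermeasure:
    """A control described by its annual cost and the EF / ARO it leaves behind."""
    name: str
    annual_cost: float
    ef_after: float   # impact that remains once the control is in place
    aro_after: float  # probability that remains once the control is in place

    def treated(self, scenario: RiskScenario) -> RiskScenario:
        """The same asset with this control applied (asset value is unchanged)."""
        return RiskScenario(scenario.asset_value, self.ef_after, self.aro_after)

    def net_annual_benefit(self, scenario: RiskScenario) -> float:
        """ALE reduction minus what the control costs per year.

        Positive means the control saves more than it costs on a pure
        cost-benefit basis; negative means it is over-spending on this risk.
        """
        return scenario.ale() - self.treated(scenario).ale() - self.annual_cost


def rank_countermeasures(scenario, options):
    """Return (name, net annual benefit) pairs, best option first."""
    scored = [(cm.name, cm.net_annual_benefit(scenario)) for cm in options]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


# Constructed scenario: a file server worth $200K where a disruptive failure is
# expected to destroy a quarter of its value about once every two years.
FILE_SERVER = RiskScenario(asset_value=200_000, exposure_factor=0.25, aro=0.5)

# Constructed countermeasures: each lowers EF (impact), ARO (probability) or both.
OPTIONS = [
    Countermeasure("offsite backups", annual_cost=6_000, ef_after=0.05, aro_after=0.5),
    Countermeasure("server hardening", annual_cost=10_000, ef_after=0.25, aro_after=0.1),
    Countermeasure("full redundancy", annual_cost=30_000, ef_after=0.0, aro_after=0.0),
]

if __name__ == "__main__":
    print(f"SLE = ${FILE_SERVER.sle():,.0f}, ALE = ${FILE_SERVER.ale():,.0f}")
    for name, benefit in rank_countermeasures(FILE_SERVER, OPTIONS):
        verdict = "worth it" if benefit > 0 else "costs more than it saves"
        print(f"{name:18s} net annual benefit ${benefit:>9,.0f}  ({verdict})")
```

With the constructed figures the server's SLE is $50,000 and its ALE $25,000; backups win (net +$14,000/yr) because they cut EF, hardening is second (net +$10,000/yr) because it cuts ARO, and full redundancy eliminates the risk but costs more than the ALE it removes (net -$5,000/yr). The geography point on the slide maps directly onto the three `RiskScenario` fields: a second location is simply another scenario with its own asset value, EF and ARO.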

Assessment Methodologies

• Small, non-complex organizations may simply apply managerial intuition

• Some formal approaches can be helpful:

– OCTAVE (Operationally Critical Threat, Asset, and Vulnerability Evaluation)

• KU has used this one!

– FRAP (Facilitated Risk Analysis Process)

– Spanning Tree Analysis

– NIST 800-30 (Risk Management Guide for Information Technology Systems)

• Linked to Blackboard for this meeting

• Each aims to develop a comprehensive risk profile

Risk Treatments or Responses

• Risk acceptance

– Live with it

• Risk avoidance

– Prevent in some fashion

• Risk reduction

– Mitigating actions: Countermeasures, activity changes, etc.

• Risk transfer

– Move the risk to another…insurance

• Residual risk

– Risk that remains AFTER any treatments

• Secondary risk

– Risk CREATED by implementing a treatment or control

Fundamental Security Concepts

• Control types

• “CIA” Triad

• Defense in depth

• Single point of failure

• Fail open – Fail closed

• Privacy

Concepts: Security Controls

• Major control categories

– Detective

– Deterrent

– Preventive

– Corrective

– Administrative

– Compensating

• We’ll address these throughout the course in a variety of ways.

Concepts: “CIA”

• Confidentiality: No intentional or unintentional disclosure of information.

• Integrity: No unauthorized modifications to systems/data. Data is internally and externally consistent.

• Availability: Access to data/computing systems is reliable and timely.

Concepts: Defense in Depth

• Another “mainstay” we’ll address regularly

• Goals…

– Heterogeneity: Varied protections…mutually supportive

– “Entire protection”: Each defense (layer) protects fully against the targeted threat

• Intent is that…

– No single vulnerability can open the entire system to attack

– No single malfunction will render the system exploitable

– If one component or element of the system “fails open”, redundancies will protect its security

Concept: Component Failures

• Single point of failure

– Characteristic of a system where failure of a single component can cause a failure of the entire system

– Typically a system weakness or flaw

• Failure Modes

– “Fail Closed” (aka “Fail Safe”)

• Failure of the control blocks all access/activity

– “Fail Open”

• Failure of a control drops “filtering” and allows open access/activity

– “Fail Soft”

• Locks out some but not all activity. Prioritizes on critical actions.
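The three failure modes above, as an added example that is not part of the lecture slides: a small authorization gate in Python whose policy backend is simulated, so the same request can be replayed under fail-closed, fail-open and fail-soft behaviour while the backend is down. The user/action table, the `PolicyServiceDown` outage and the choice of `read` as the one "critical" action kept alive in fail-soft mode are assumptions made for the demonstration.

```python
"""Fail-closed, fail-open and fail-soft behaviour of an access control whose
backing policy service has failed.

Added example (not from the lecture slides). The policy service, its outage
and the user/action table are simulated so the script runs offline.
"""
from dataclasses import dataclass
from enum import Enum
import logging

log = logging.getLogger("access-gate")


class FailureMode(Enum):
    CLOSED = "fail closed"  # aka "fail safe": a failed control blocks everything
    OPEN = "fail open"      # a failed control drops its filtering and allows everything
    SOFT = "fail soft"      # a failed control keeps only a prioritised set of critical actions


class PolicyServiceDown(Exception):
    """Raised when the simulated policy backend cannot answer."""


# Constructed authorization table standing in for a real policy service.
_POLICY = {("alice", "read"), ("alice", "write"), ("bob", "read")}


def policy_lookup(user: str, action: str, healthy: bool = True) -> bool:
    """Simulated backend: returns the policy decision, or raises during an outage."""
    if not healthy:
        raise PolicyServiceDown("policy service unreachable")
    return (user, action) in _POLICY


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str  # why the gate decided as it did; this is what an audit trail needs


def authorize(user, action, mode, healthy=True, critical=frozenset({"read"})):
    """Gate one request. `critical` is the action set kept alive in fail-soft mode."""
    try:
        allowed = policy_lookup(user, action, healthy)
        return Decision(allowed, "policy decision")
    except PolicyServiceDown as err:
        # The control itself has failed; the configured failure mode now decides.
        log.warning("control failure (%s) for %s:%s, applying %s",
                    err, user, action, mode.value)
        if mode is FailureMode.CLOSED:
            return Decision(False, "control failed closed")
        if mode is FailureMode.OPEN:
            return Decision(True, "control failed open")
        # FailureMode.SOFT: lock out everything except the prioritised critical actions.
        if action in critical:
            return Decision(True, "control failed soft: critical action kept")
        return Decision(False, "control failed soft: non-critical action locked out")


def outage_matrix(requests, critical=frozenset({"read"})):
    """For each (user, action), what every failure mode would do during an outage."""
    return {
        (user, action): {
            mode.name: authorize(user, action, mode, healthy=False, critical=critical).allowed
            for mode in FailureMode
        }
        for user, action in requests
    }


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    sample = [("alice", "write"), ("bob", "read"), ("bob", "write")]
    for key, row in outage_matrix(sample).items():
        print(key, row)
```

Run during an outage, `("bob", "write")`, which the policy would normally deny, comes back allowed under fail-open and denied under the other two modes; that is exactly the gap the defense-in-depth slide has in mind when it says another layer must cover a component that "fails open". Recording the `reason` alongside the decision is what lets a later review distinguish an allow granted by policy from one granted only because the control was down.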

Concept: Privacy

• Freedom from unauthorized intrusion

– Related to, subset of Confidentiality in the CIA triad

• Focuses on use of and access to personally identifiable information (PII)

• Numerous types of PII exist

• Often protected by statute (or international convention/rule)

• In business, virtually always involves an ethical responsibility to protect, and often strong market incentives to do so

Security Management Topics

• Executive support & oversight

– The “tone at the top”

• Governance

• Policy

• Guidelines, standards, procedures

• Service Level Agreements (SLAs)

• Security in outsourcing

• Data governance, classification, protection

• Certification and accreditation

• Internal audit

Executive Support

• Upper management must drive development of policies and programs…by words and actions

• Top leaders provide:

– Impetus to invest time and effort

– Prioritization of organizational activities

– Decisions on risk treatment options to pursue

– Allocation of assets and resources

• Top management, and management at lower levels, should help develop a security-conscious culture in the organization

Security Governance

• Plain terms: How decisions are actually reached

• Steering committee?

• Processes for resource allocation and priority setting

• Requirements for status reporting

• Strategic decision making

• Concept: Central vs. federated governance

Policies & Requirements

• Policy stipulates what is to be done

– Specifies activities or actions that are required, forbidden, or constrained/limited in some fashion

– Typically defines WHAT should be accomplished (but not HOW)

• Requirements are specific characteristics demanded of a system or process

– Should be concrete, specific in definition

Guidelines, Standards, Procedures

• Guidelines add the HOW in fleshing out the WHAT provided in policies

– Can be suggestions on approach or binding direction, depending on organization’s preferences

• Standards provide direction on acceptable systems and processes

– Might include standards for technical architectures, example configurations, etc.

• Procedures

– Specify in detailed steps how a task should be performed, roles & responsibilities, and so forth

Consistency of Purpose

• A hierarchy should be evident

• Policy is “king”, the foundation

• Policy provides the basis for requirements

• Requirements, in turn, lead to development of guidelines and standards

• Procedures accomplish requirements while implementing guidelines and enforcing standards

– Processes, protocols, SOPs, etc. are synonymous

Other Important Issues

• Outsourcing

– Becoming more common

– Security of confidential information, control of business processes, accountability (both partners) are important considerations

– Can be even more complex if the outsourcing is offshore

• Service Level Agreements

– Security incident response

– Security related alerts and advisories

– Security investigation

– Policy & procedure review

Data Governance

• Is data governed? If so, how…by what processes?

• Is data “classified” in some fashion by importance, sensitivity, etc.?

– With what system, classification?

– Who decides?

– Standard markings?

– Access control?

– Handling procedures?

• Mailing, storing, emailing, transmitting, destroying, etc.

– Declassification process?

Certification & Accreditation

• Two-step process to formally evaluate a system

• Certification assesses a system against a given set of standards or specifications

• Accreditation formally approves the use of the system for a period of time (perhaps with conditions)

Internal Audit

• Security controls are one element

• Formal evaluation of security policies, controls, processes, etc. to determine effectiveness

– Specially trained internal staff

– Objectivity is paramount

– Formal methodologies

– In some cases, a statutory requirement (e.g., SOX)

Personnel/Staffing Considerations

• Hiring practices/procedures

– Qualification assessment

– Background verification

– Non-disclosure agreement?

– Intellectual property agreement?

– Employment agreements

– Formal job descriptions

• Termination (regardless of reason!)

– Revocation of logical/physical access rights

– Passwords, if any, known to terminated employee

– Recovery of assets

– Notification to third parties

– Other?

Closing Thoughts

Consider information security…

• As an art

– No set rules or magic playbook exist

– Complex interaction of people, technology, policies, situations

• As a science

– Large portions of threats and defenses are technology-based

– Technology can, if developed, help protect

• As a social science

– Behaviors of people…users, managers, attackers crucial

Security Is a Process, Not an Achievement or Event

Objectives: August 23, 2010

• Preview IST 712, Info Security

– Course focus, content, objectives, & conduct

– Administrative requirements and issues

• Briefly introduce the information security area

– Why is this an important topic?

– Who is affected and how?

– Why is it not just a technical concern but a broader management responsibility?

Objectives: August 23, 2010 (cont)

• Overview some key security concepts

– Relationship to organizational mission, objectives, goals

– Risk management principles

– Security management concepts

– Personnel or staffing security concerns

Upcoming: August 30, 2010

• Introduce elementary cryptography – Basic definitions & concepts

– Symmetric/asymmetric encryption approaches

– Public Key Infrastructure (PKI)

– Digital signatures

– Digital certificates

– Secure Socket Layer/Transport Layer Security (SSL/TLS)
