Managing Information Security Risks Across the Enterprise
Audrey Dorofee
Software Engineering Institute, Carnegie Mellon University, Pittsburgh, PA 15213
Sponsored by the U.S. Department of Defense
Operationally Critical Threat, Asset, and Vulnerability Evaluation, OCTAVE, and OCTAVE-S are service marks of Carnegie Mellon University. CERT Coordination Center is registered in the U.S. Patent and Trademark Office.
© 2002 by Carnegie Mellon University
NSS* Program Strategies
*Networked Systems Survivability
Survivable Enterprise Management
Our mission is to assist organizations in attaining and maintaining an acceptable level of information asset protection by:
• applying information security management practices and techniques
• identifying, initiating, and validating effective survivability practices and protection strategies
Requires acknowledging and establishing information survivability as a legitimate, on-going business process
Agenda
• Beyond Technology
• Vulnerability Evaluations
• Overview of OCTAVE
• Summary
Evaluation Practice in January 1999
Products and services varied widely. Evaluations
• tended to have a technological focus
• were often conducted without a site’s direct participation
• were often precipitated by an event (reactive)
Evaluation criteria were often inconsistent or undefined. Organizations typically did not follow through by implementing the results of the evaluation.
Need to Expand the Security Evaluation Focus
• Both organizational and I/T focused
• Proactive rather than reactive
• Based on organization’s unique risk factors
• Inclusive of security policy, practices, procedures
• Foundation for continuous security improvement
Organizational Gap
(Figure: organizational gap)
Information Security Risks
• Information security risk is another type of organizational risk that needs to be managed.
• Managing information security risks requires a partnership among
- all levels of staff
- business units and the IT department
- partners
- contractors
- service providers
- end users
You Own Your Risk
• Risk is unique to each organization.
• Risk is linked to business drivers.
• All levels of the organization need to be engaged.
• Internal expertise is required.
• External experts can be acquired as needed.
• Although you can insure for some things, your risks cannot be completely outsourced.
(Figure: internal expertise and external expertise)
Operationally Critical Threat, Asset, and Vulnerability Evaluation
Founding Philosophy
You cannot mitigate all risks. Your budget is not limitless. Neither are your other resources. You cannot prevent all determined, skilled incursions.
You need to determine the best use of your limited resources to ensure the survivability of your enterprise.
• enterprise view
• focus on critical few
OCTAVE Approach
(Figure: OCTAVE approach)
OCTAVE and Risk Management
(Figure: OCTAVE and risk management)
Important Aspects of OCTAVE - 1
Identifies information security risks that could prevent you from achieving your mission, i.e., ensuring business continuity.
Looks at information security enterprise-wide.
Creates a focused protection strategy
• information asset-driven threat and risk identification
• based on your organization’s
- unique operational security risks
- current security practices
- current organizational and technological weaknesses
Important Aspects of OCTAVE - 2
Enables you to effectively communicate critical information security issues.
Provides a foundation for future security improvements.
Positions your organization for compliance with data security requirements or regulations.
OCTAVE Approach
(Figure: OCTAVE approach)
OCTAVE Principles
(Figure: OCTAVE principles)
OCTAVE Process
Operationally Critical Threat, Asset, and Vulnerability Evaluation
(Figure: the OCTAVE process)
Conducting OCTAVE
• An interdisciplinary team, composed of:
- business or mission-related staff
- information technology staff
Scoping OCTAVE
Focus the risk evaluation to look at a cross section of the key areas of the enterprise.
Use the knowledge and expertise across a broad range of employees
- senior managers
- operational area managers
- staff
- information technology staff
Scale the evaluation up or down by changing the scope.
OCTAVE Method
Focused on large-scale organizations.
Is a systematic, context-sensitive method for evaluating risks
• series of workshops
• conducted by analysis team
Defined by
• method implementation guide (procedures, guidance, worksheets, information catalogs)
• method training
• Managing Information Security Risks (Addison-Wesley book)
OCTAVE-S
Currently in pilot testing, this method defines a more structured method for evaluating risks in small organizations.
• requires less security expertise, if any, in analysis team
• analysis team has a full, or nearly full, understanding of the organization and what is important
• uses “fill-in-the-blank” as opposed to “essay” style
Will be defined by
• detailed procedures for each process
• worksheets and templates for each process
• information catalogs
OCTAVE Process
Operationally Critical Threat, Asset, and Vulnerability Evaluation
(Figure: the OCTAVE process, Phase 1 highlighted)
Phase 1 Questions
• What are your organization’s critical information-related assets?
• What is important about each critical asset?
• Who or what threatens each critical asset?
• What is your organization currently doing to protect its critical assets?
• What weaknesses in policy and practice currently exist in your organization?
OCTAVE Catalog of Practices - 1
Strategic Practice Areas
• Security Awareness and Training
• Security Strategy
• Security Management
• Security Policies and Regulations
• Collaborative Security Management
• Contingency Planning/Disaster Recovery
OCTAVE Catalog of Practices - 2
Operational Practice Areas
• Physical Security
- Physical Security Plans and Procedures
- Physical Access Control
- Monitoring and Auditing Physical Security
• Information Technology Security
- System and Network Management
- System Administration Tools
- Monitoring and Auditing IT Security
- Authentication and Authorization
- Vulnerability Management
- Encryption
- Security Architecture and Design
• Staff Security
- Incident Management
- General Staff Practices
Critical Assets
The most important assets to the organization
• information
• systems
• services and applications
• people
There will be a large adverse impact to the organization if
• the asset is disclosed to unauthorized people.
• the asset is modified without authorization.
• the asset is lost or destroyed.
• access to the asset is interrupted.
Threat Profile
A threat profile contains a range of threat scenarios for a critical asset using the following sources of threats:
• human actors using network access
• human actors using physical access
• system problems
• other problems
The threat profile is visually represented using asset-based threat trees, one for each of the four sources of threats.
Threat Properties
• Asset
• Actor
• Motive (optional)
• Access (optional)
• Outcome
Human Actors - Network Access
(Figure: asset-based threat tree. Branches: asset → access (network) → actor (inside, outside) → motive (accidental, deliberate) → outcome (disclosure, modification, loss/destruction, interruption). Note: heavy red line indicates a perceived threat.)
Human Actors - Physical Access
(Figure: asset-based threat tree. Branches: asset → access (physical) → actor (inside, outside) → motive (accidental, deliberate) → outcome (disclosure, modification, loss/destruction, interruption).)
System Problems
(Figure: asset-based threat tree. Branches: asset → actor (software defects, malicious code, system crashes, LAN instability) → outcome (disclosure, modification, loss/destruction, interruption). No motive or access branch for this source.)
Other Problems
(Figure: asset-based threat tree. Branches: asset → actor (natural disasters, ISP unavailable, telecommunications problems or unavailability, power supply problems) → outcome (disclosure, modification, loss/destruction, interruption). No motive or access branch for this source.)
OCTAVE Process
Operationally Critical Threat, Asset, and Vulnerability Evaluation
(Figure: the OCTAVE process, Phase 2 highlighted)
Phase 2 Questions
• How do people access each critical asset?
• What infrastructure components are related to each critical asset?
• What are the key components of the computing infrastructure?
• What technological weaknesses expose your critical assets to threats?
• Which technological weaknesses need to be addressed immediately?
Vulnerability Evaluation Strategy
Phase 2 Strategy
• Conduct a vulnerability evaluation that is focused on where critical assets live
• Make a long-term recommendation to eventually build, or contract for, a vulnerability management capability
• Identify key components and review previous evaluation results or contract for a vulnerability evaluation of those components
Vulnerability Evaluations and Tools
Vulnerability evaluation tools identify
• known weaknesses in technology
• misconfigurations of ‘well known’ administrative functions, such as
- file permissions on certain files
- accounts with null passwords
• what an attacker can determine about your systems and networks
Vulnerability Tools and Practices
Operational Practice Areas (the areas that vulnerability tools inform)
• Physical Security
- Physical Security Plans and Procedures
- Physical Access Control
- Monitoring and Auditing Physical Security
• Information Technology Security
- System and Network Management
- Monitoring and Auditing IT Security
- Authentication and Authorization
- Encryption
- Vulnerability Management
- System Administration Tools
- Security Architecture and Design
• Staff Security
- Incident Management
- General Staff Practices
Threats Driven by Vulnerabilities - 1
(Figure: the human actors / network access threat tree again: asset → access (network) → actor (inside, outside) → motive (accidental, deliberate) → outcome (disclosure, modification, loss/destruction, interruption), showing which branches a technological vulnerability drives.)
Threats Driven by Vulnerabilities - 2
(Figure: the system problems threat tree again: asset → actor (software defects, malicious code, system crashes, LAN instability) → outcome (disclosure, modification, loss/destruction, interruption), showing which branches a technological vulnerability drives.)
OCTAVE Process
Operationally Critical Threat, Asset, and Vulnerability Evaluation
(Figure: the OCTAVE process, Phase 3 highlighted)
Phase 3 Questions
• What is the potential impact on your organization due to each threat? (What are your risks?)
• Which are the highest-priority risks to your organization?
• What policies and practices does your organization need to address?
• What can your organization do to recognize, resist, and recover from its highest-priority risks?
Impact on the Organization
When something negative occurs, it can have an impact on your company.
Impact is described using either qualitative or quantitative values for several areas of potential impact. Values for each area are defined by a set of evaluation criteria.
Once you define a good set of impact evaluation criteria, they tend to remain stable from one evaluation to the next.
Impact Criteria
A basic set of impact areas includes:
• reputation/customer confidence
• life/health of customers
• fines/legal penalties
• financial
• productivity
• other
Examples:
• To a hospital, a medium life/health impact is a patient death; a high impact is permanently disabling a patient
• $1 million is a low impact to some, a high to others
Risk
Risk comprises
• an event (a threat scenario)
• consequence (impact on the organization)
• uncertainty (whether the threat scenario will occur)
Risks are evaluated to help determine:
• relative priority
• which risks to actually mitigate
Impact evaluation is required in OCTAVE; qualitative probability is being tested in OCTAVE-S.
Evaluating Risks
(Figure: the human actors / network access threat tree (asset → access (network) → actor (inside, outside) → motive (accidental, deliberate) → outcome (disclosure, modification, loss/destruction, interruption)) with an impact value of High, Medium or Low attached to each perceived outcome, and the vulnerability assessment results feeding into the tree.)
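Added example (not code from the OCTAVE materials or from this deck): a Python sketch that ties the Threat Profile and Threat Properties slides to the Evaluating Risks slide. It enumerates every leaf of the four asset-based threat trees for one critical asset, then takes the threats the analysis team marked as perceived, assigns them impact values over the impact areas from the Impact Criteria slide, and ranks them. The asset, the perceived threats and their impact values are constructed; the three-level scale and the rule that a risk's level is its worst impact area are assumptions, not OCTAVE definitions.

```python
from collections import namedtuple
from itertools import product

OUTCOMES = ("disclosure", "modification", "loss/destruction", "interruption")
# One tree per source of threat. Human-actor trees branch on access -> actor -> motive;
# the system-problem and other-problem trees branch only on the problem (the "actor").
THREAT_TREES = {
    "human actors using network access": dict(
        access="network", actors=("inside", "outside"), motives=("accidental", "deliberate")),
    "human actors using physical access": dict(
        access="physical", actors=("inside", "outside"), motives=("accidental", "deliberate")),
    "system problems": dict(access=None, motives=(None,), actors=(
        "software defects", "malicious code", "system crashes", "LAN instability")),
    "other problems": dict(access=None, motives=(None,), actors=(
        "natural disasters", "ISP unavailable",
        "telecommunications problems or unavailability", "power supply problems")),
}
IMPACT_AREAS = ("reputation/customer confidence", "life/health of customers",
                "fines/legal penalties", "financial", "productivity", "other")
LEVELS = {"low": 1, "medium": 2, "high": 3}  # assumed three-level qualitative scale

# The five OCTAVE threat properties; access and motive are optional.
Threat = namedtuple("Threat", "asset source actor outcome access motive", defaults=(None, None))

def threat_profile(asset):
    """Every leaf of the four threat trees for one critical asset (16 per tree)."""
    return [Threat(asset, src, actor, outcome, tree["access"], motive)
            for src, tree in THREAT_TREES.items()
            for actor, motive, outcome in product(tree["actors"], tree["motives"], OUTCOMES)]

def evaluate_risks(perceived):
    """perceived: {Threat: {impact area: level}} for the threats marked on the trees.
    A risk's level is its worst impact area (assumption); returns highest priority first."""
    ranked = []
    for threat, areas in perceived.items():
        if set(areas) - set(IMPACT_AREAS):
            raise ValueError(f"unknown impact area in {threat}")
        ranked.append((max(areas.values(), key=LEVELS.__getitem__), threat))
    return sorted(ranked, key=lambda r: LEVELS[r[0]], reverse=True)

def example_ranking():
    """Constructed hospital example: three perceived threats to patient records."""
    asset = "patient records"
    perceived = {
        Threat(asset, "human actors using network access", "outside", "disclosure",
               "network", "deliberate"): {"fines/legal penalties": "high", "financial": "medium"},
        Threat(asset, "other problems", "power supply problems", "interruption"):
            {"productivity": "medium", "life/health of customers": "medium"},
        Threat(asset, "human actors using physical access", "inside", "modification",
               "physical", "accidental"): {"life/health of customers": "low"},
    }
    assert set(perceived) <= set(threat_profile(asset))  # each is a leaf of the trees
    return evaluate_risks(perceived)
```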
Outputs of OCTAVE
• Protection Strategy: defines organizational direction
• Mitigation Plan: plans designed to reduce risk
• Action List: near-term action items
Putting It All Together
(Figure: putting it all together)
From Assets to Mitigation Plans
Critical Asset → Risks → Mitigation Approach → Mitigation Plan
• Risk A: Accept
• Risk B: Mitigate
• Risk C: Mitigate
• Risk D: Defer
Mitigation Plan, practices to improve:
• Training and Security Architecture related tasks
• Monitoring IT Security related tasks
After OCTAVE
Steps required to implement the results of this evaluation and improve the organization’s security posture:
• getting management sponsorship for security improvement
• monitoring implementation of the results of the current evaluation
• expanding the current evaluation, if needed
• scheduling the next information security risk evaluation
Summary
Findings - 1
OCTAVE produces usable results at each phase.
• identifying critical assets can change the focus of many other activities and alter resource allocations
• surveys alone produce institutional learning
• vulnerability assessments become more useful
Other interesting results
• one IT department found effective justification for increased budgets
• one company used it to start long-term improvements in their third-party relations and contracting
Findings - 2
Workshops produce a strong side effect of team building and increased security awareness.
• IT staff realize what users are really doing
• users have a better appreciation for security measures
• managers have a better sense of what’s really going on in the organization
Some immediate actions that occurred
• reallocation of information across servers
• removal of private information from web sites
• immediate purchase of insurance
• building access restrictions
• review of arrangements with building managers
Keys for Success with the OCTAVE Approach
• Getting senior management sponsorship
• Selecting the right analysis team
• Setting the scope of the evaluation
• Selecting participants (for OCTAVE Method)
Some OCTAVE Users - 1
The Security Working Integrated Project Team (Security WIPT), Office of the Assistant Secretary of Defense/Health Affairs (OASD/HA), endorses OCTAVE as the preferred information security risk assessment to prepare for complying with the Administrative Simplification subsection of the Health Insurance Portability and Accountability Act of 1996.
• analysis teams have been trained in all international regions of the Department of Defense healthcare domain
• additional teams are scheduled to be trained in 2003
Some OCTAVE Users - 2
• FirstGov (now the Office of Citizen Services and Communication)
• Small companies in Western Pennsylvania
• County government
• A variety of national and international companies and consulting organizations are now using all or part of OCTAVE
Questions?
OCTAVE Approach
(Figure: OCTAVE approach)
For Additional Information
OCTAVE
• Internet: [email protected]
• WWW: http://www.cert.org/octave
Software Engineering Institute
• Telephone: 412 / 268-5800
• Fax: 412 / 268-5758
• Internet: [email protected]
• U.S. mail: Customer Relations, Software Engineering Institute, Carnegie Mellon University, Pittsburgh, PA 15213-3890