17-MOD 6 Conducting Security Audits & MOD 7 Information Security Audit Prepar...
Defense In Depth Using NIST 800-30
1. A Simple Strategy to Combat Many Security Issues
Kevin M. Moker, CISSP-ISSMP, CISM, ACP
Manager, Information Security Risk Management Services
2. What is Risk Management
What is Defense In Depth
Questions & Answer Session
3. What is Risk?
Risk is the potential loss from a threat-source
attacking a vulnerability.
Example:
Joe Cracker (threat-source) knows that an online
banking company has not patched (vulnerability) their
backend databases. Joe Cracker exploits (loss) the
system and steals money.
5. Risk Integration into the SDLC
Risk Assessment
Identifying risk
Risk Mitigation
Figuring out how to control the risk
Controls Evaluation
Control recommendations – what should be
used to control the risk
6. Systems Development Life-Cycle (SDLC)
Normal phases of SDLC
Initiation
Build or Acquire
Implementation
Operation and Maintenance
Disposal or End-of-Life
7. Phase 1 – Initiation
Phase Characteristics
The need for an IT system is expressed and the
purpose and scope of the IT system is
documented
Support from Risk Management Activities
Identified risks are used to support the
development of the system requirements,
including security requirements, and a security
concept of operations (strategy)
8. Phase 2 – Build or Acquire
Phase Characteristics
The IT system is designed, purchased,
programmed, developed, or otherwise
constructed
Support from Risk Management Activities
The risks identified during this phase can be used
to support the security analyses of the IT system
that may lead to architecture and design tradeoffs
during system development
9. Phase 3 – Implementation
Phase Characteristics
The system security features should be
configured, enabled, tested, and verified
Support from Risk Management Activities
The risk management process supports the assessment of
the system implementation against its requirements and
within its modeled operational environment. Decisions
regarding risks identified must be made prior to system
operation
10. Phase 4 – Operation & Maintenance
Phase Characteristics
The system performs its functions. Typically the system is
being modified on an ongoing basis through the addition of
hardware and software and by changes to organizational
processes, policies, and procedures
Support from Risk Management Activities
Risk management activities are performed for periodic
system reauthorization or whenever major changes are
made to an IT system in its operational, production
environment (e.g., new system interfaces)
11. Phase 5 – Disposal or End-of-Life
Phase Characteristics
This phase may involve the disposition of information,
hardware, and software. Activities may include moving,
archiving, discarding, or destroying information and
sanitizing the hardware and software
Support from Risk Management Activities
Risk management activities are performed for system
components that will be disposed of or replaced to ensure that
the hardware and software are properly disposed of, that
residual data is appropriately handled, and that system
migration is conducted in a secure and systematic manner
12. Risk is a function of the likelihood of a
given threat-source’s exercising a
particular potential vulnerability, and the
resulting impact of that adverse event on
the organization
14. System Characterization
Inputs
What type of hardware will be used?
What software will be used?
What other software will this software “talk” to or interface with?
What type of data/information will be housed in the software?
Who will use this software/hardware?
What’s the mission of this software/hardware?
Outputs
Scope: What the software will include and not include
Function: What business process the software will support
Data Criticality: The importance of the information
Data Sensitivity: The sensitivity of the information
15. Threat Identification
Inputs
Is there a history of system attacks?
Is there an incident database to leverage?
Is there any data from media sources or government sources?
Are there known threat areas for widely used software sources (e.g.,
Microsoft)?
Outputs
General threat statements
E.g., Windows 7 has 120 known threats. Media sources indicate that 4 of the known threats
have zero-day exploits. Furthermore, internal incident management databases have
revealed a malicious code outbreak.
16. Vulnerability Identification
Inputs
Are there any vulnerabilities discovered from past risk assessments?
Are there any audit reports that reveal potential vulnerabilities?
What are the security requirements for the proposed software? (e.g.,
access control, encryption)
Did the security test results reveal any potential vulnerabilities?
Outputs
List of Potential Vulnerabilities (e.g., weak access control system, 56-bit DES
encryption used)
17. Control Analysis
Inputs
What are the current controls for the software compared to the internal
policy controls?
What are the planned controls for those controls not adequately
documented in current policy?
Outputs
List of current controls
List of planned controls
18. Likelihood Determination
Inputs
What would be the motivation for a malicious person to attack this
software?
What is the capacity of the malicious actor? E.g., time, money, support
How easy is it to exploit the vulnerability?
Outputs
Likelihood rating
High Risk
Moderate Risk
Low Risk
19. Impact Analysis
Inputs
Is there a business continuity plan that discusses the mission impact
analysis?
Is there an asset criticality documented in the business continuity plan?
What is the data criticality?
What is the data sensitivity?
Outputs
Impact Rating
High Impact
Moderate Impact
Low Impact
20. Risk Determination
Inputs
What is the likelihood of the threat exploitation?
If the threat did exploit the vulnerability, what would be the impact?
Are the current controls adequate (tested by audit or self-assessment)?
Outputs
List of risks and associated risk levels
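The steps on the preceding slides (system characterization, threat and vulnerability identification, control analysis, likelihood determination, impact analysis, risk determination) can be tied together in a small script. The following Python example is added here and is not part of the original presentation; the likelihood values (1.0 / 0.5 / 0.1), impact values (100 / 50 / 10) and risk-level bands are the ones used in the NIST SP 800-30 risk-level matrix, with "Moderate" standing in for NIST's "Medium" to match the slides. The rule that derives an impact rating from data criticality and data sensitivity, and the sample risk items, are constructed assumptions for illustration.

```python
"""NIST SP 800-30 style risk determination: combine a likelihood rating and an
impact rating into a risk level for each threat-source / vulnerability pair.
Scale values follow the NIST SP 800-30 risk-level matrix; the sample records
and the impact-derivation rule are constructed for this example."""
from dataclasses import dataclass, asdict

# NIST SP 800-30 likelihood scale: High = 1.0, Medium (Moderate here) = 0.5, Low = 0.1
LIKELIHOOD = {"High": 1.0, "Moderate": 0.5, "Low": 0.1}
# NIST SP 800-30 impact scale: High = 100, Medium (Moderate here) = 50, Low = 10
IMPACT = {"High": 100, "Moderate": 50, "Low": 10}
_ORDER = ["Low", "Moderate", "High"]


@dataclass
class RiskItem:
    threat_source: str        # output of threat identification
    vulnerability: str        # output of vulnerability identification
    current_controls: str     # output of control analysis
    likelihood: str           # High / Moderate / Low, from likelihood determination
    data_criticality: str     # from system characterization
    data_sensitivity: str     # from system characterization


def impact_rating(criticality: str, sensitivity: str) -> str:
    """Assumed rule (not from NIST): take the higher of the data-criticality
    and data-sensitivity ratings, since losing either availability or
    confidentiality of the data drives the mission impact."""
    return max(criticality, sensitivity, key=_ORDER.index)


def risk_score(likelihood: str, impact: str) -> float:
    """Risk = likelihood value x impact value, as in the 800-30 matrix."""
    return LIKELIHOOD[likelihood] * IMPACT[impact]


def risk_level(score: float) -> str:
    """NIST SP 800-30 risk scale: >50 to 100 High, >10 to 50 Moderate, 1 to 10 Low."""
    if score > 50:
        return "High"
    if score > 10:
        return "Moderate"
    return "Low"


def determine_risks(items: list[RiskItem]) -> list[dict]:
    """Produce the 'list of risks and associated risk levels', highest first."""
    results = []
    for item in items:
        impact = impact_rating(item.data_criticality, item.data_sensitivity)
        score = risk_score(item.likelihood, impact)
        record = asdict(item)
        record.update(impact=impact, risk_score=score, risk_level=risk_level(score))
        results.append(record)
    return sorted(results, key=lambda r: r["risk_score"], reverse=True)


# Constructed sample input; the first item mirrors the slide's Joe Cracker scenario.
SAMPLE_ITEMS = [
    RiskItem("Joe Cracker (external attacker)", "Unpatched backend database",
             "None documented", "High", "High", "High"),
    RiskItem("Malicious code outbreak", "56-bit DES encryption used",
             "Signature-based antivirus", "Moderate", "Moderate", "High"),
    RiskItem("Disgruntled insider", "Weak access control system",
             "Quarterly access reviews (audited)", "Low", "Low", "Moderate"),
]

if __name__ == "__main__":
    for r in determine_risks(SAMPLE_ITEMS):
        print(f'{r["risk_level"]:8} {r["risk_score"]:5.1f}  '
              f'{r["threat_source"]} -> {r["vulnerability"]}')
```

Run as a script it prints the risk list ordered from High to Low, which is the input the control-recommendation step needs; to apply it to a real assessment, replace SAMPLE_ITEMS with the items gathered in the earlier steps and keep the likelihood ratings as analyst judgements that already account for the current controls.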
23. Let’s look at a practical approach of how to
implement this “stuff”
24. Let’s explore the defense-in-depth strategy
to understand where risk should be
addressed.
26. Information Security/Assurance is a tricky
game. It is by no means perfect and you
can NEVER reduce risk to zero. This
Defense-In-Depth strategy will help an
organization reduce risk to an acceptable
level if management is committed to the
strategy.
27. Crucial for any Information Security
Program
Necessary in most of today’s markets
Being compliant does not mean
secure
Being secure does not mean
compliant
28. Information Security Policies
Staff Responsibility Definitions (RACI)
Security Standards and Guidelines
Security Training
Awareness Communications
Policy Enforcement
Security Monitoring Tools (Physical &
Logical)
30. Data Center Hardening
Physical Access Control Management
Critical Building Hardening (non-data
center)
Internal Physical Security Officers
Hostile Environment Prevention
Program
External Media Protection Program
Paper-based Protection Program
35. This is not a perfect process. Information
Security mixes science and art. Risk
management and defense in depth are part
science and part art. The goal is to try to
reduce the impacts and likelihood of certain
threats. Things WILL happen, but this
program will make the best effort to minimize
threats and impacts.
36. What did you get from this presentation?
Do you think that this information is
useful?
Do you think you could apply this to your
life and not just systems?