Wednesday, February 19, 2014

Week 8. Risk Associated with the four vulnerabilities.

The Mesusa Corporation has three information assets to evaluate for risk management as listed below. Create a ranked list of risk associated with the four vulnerabilities. You can begin with the columns from the Ranked Vulnerability Risk worksheet (Asset, Impact, Vulnerability, Likelihood), determine the risk rating, and then include percentage of current control and the uncertainty rate to come up with a final risk -rating estimate. Use the formula as described in this chapter.

Switch L47 connects a network to the Internet. It has two vulnerabilities; (1) susceptibility to hardware failure, with the likelihood of 0.2, and (2) susceptibility to an SNMP buffer overflow attack, with a likelihood of 0.1. This switch has an impact rating of 90 and has no current controls in place. There is a 75% certainty of the assumptions and data.
Server WebSrv6 hosts a company Web site and performs e-commerce transactions. It has Web server software that is vulnerable to attack via invalid Unicode values. The likelihood of such and attack is estimated at 0.2. The server has been assigned an impact value of 100, and a control has been implemented that reduces the impact of vulnerability by 75%. There is an 80% certainty of the assumptions and data.
Operators use the MGMT45 control console to monitor operations in the server room. It has no passwords and is susceptible to unlogged misuse by the operators. Estimates show the likelihood of misuse is 0.1. There are no controls in place on this asset, which has an impact rating of 5. There is a 90% certainty of the assumptions and data.
 
 
Likelihood
Likelihood is the overall rating—a numerical value on a defined scale (.1 – 1.0)—of the probability that a specific vulnerability will be exploited. 
Using the information documented during the risk identification process, you can assign weighted scores based on the value of each information asset, i.e. 1-100, low-med-high,
Assessing Potential Loss
To be effective, the values must be assigned by asking:
·         Which threats present a danger to this organization’s assets in the given environment?
·         Which threats represent the most danger to the organization’s information?
·         How much would it cost to recover from a successful attack?
·         Which threats would require the greatest expenditure to prevent?
·         Which of the aforementioned questions is the most important to the protection of information from threats within this organization?

Percentage of Risk Mitigated by Current Controls
If a vulnerability is fully managed by an existing control, it can be set aside.
If it is partially controlled, estimate what percentage of the vulnerability has been controlled.

Uncertainty
It is not possible to know everything about every vulnerability.
The degree to which a current control can reduce risk is also subject to estimation error. A factor that accounts for uncertainty must always be added to the equations; it consists of an estimate made by the manager using good judgment and experience.

Risk Determination
For the purpose of relative risk assessment, = (risk equals likelihood of vulnerability occurrence) x (value (or impact)) – (percentage risk already controlled) + (an element of uncertainty). 
 
Ranked Vulnerability Risk worksheet.
Asset
 
Asset Impact
 
Vulnerability
 
Vulnerability

Likelihood
 
Risk-Rating

Factor
 
Switch

L47
 
90
 
Susceptibility to Hardware failure
(90x0.2)-0%+25%

(90x0.2)-((90x0.2)x0.0)+(90x0.2)x0.25)
 
0.2
 
22.5
 
90
 
Susceptibility to an SNMP buffer overflow attack

(90x0.1)-0%+25%

(90x0.1)-((90x0.1)x0.0)+(90x0.1)x0.25)
 
0.1
 
11.25
 
Server

WebSrv6
 
100
 
Web site and performs e-commerce transactions. Web server software that is vulnerable to attack via invalid Unicode-values. 

  (100x0.2)-75%+20%

(100x0.2)-((100x0.2)x0.75)+((100x0.2)x0.2)
 
0.1
 
4.5
 
Operators MGMT45
 
5
 
Control console to monitor operations in the server room.

It has no passwords and is susceptible to unlogged misuse by the operators.
(5x0.1)-0%+10%

(5x0.1)-((5x0.1)x0)+((5x0.1)x0.1)
 
0.1 
0.45

From your results, determine in what order the three assets be evaluated for additional controls. Include your worksheet and interpretation of the results.
------------------------------------------------------------------------------------------------------
I have two opinion for this case.
Opinion 1: The system is in control and give maintenance for the impact risk, but other devices such as the Switch L47 is not in control and the MGMT45 will increase that risk.
If vulnerability is fully managed by an existing control, it can be set aside.
If it is partially controlled, estimate what percentage of the vulnerability has been controlled.
The risk identification process should designate, what function the reports serve, who is responsible for preparing them, and who reviews them.
Below is the table of the worksheets that should have been prepared by an information asset risk management team to this point.
Opinion2: The Switch 47 has the highest risk, but other side of WebSrv6 has impact value is 100 and require the no-stop operation.
I would evaluate the WebSrv6 for the additional controls first, depend on the company situation, but the company Web site is hosted by this server and performs valuable e-commerce transactions which can be compromised if the Server is not protected. If an attack on this Server occurs much of the company’s private data could be compromised which could harm the organization in many way. Protecting the server could also keep the organization safe from other threats and attacks. 
Deliverable
 
Purpose
 
Information asset classification worksheet
 
 
1. WebSrv6  for E-commerce BIZ case
1.The Switch L47 has a high risk at the Hardware and Mid(high)-Software
 
 
2. Switch L47
2. WebSrv6 : risk rate is low, but the impact value is 100 which requires a non-stop operation.
 
 
3. Operations MGMT45 controls the console to monitor the operation

Low risk-rating factor, but the user has to use the password to login into the system.
 
Assembles information about information assets and their impact on or value to the organization.
 
1.    They need the system & software controls by the schedule of maintenance.

* Check the system device & replace it with a high quality component or system.
 
2.    They have to use the backup server through the cloud system or use the cluster operation server system for backup.
 
3.    They have to setup the policy for the monitoring system operator. 
Weighted criteria analysis worksheet
 
Assigns a ranked value or impact weight to each information asset
 
Ranked vulnerability risk worksheet
 
Assigns a risk-rating ranked value to each uncontrolled asset-vulnerability pair
 
 
Reference.
Michael E. Whitman & Herbert J. Mattord, “Management of information security” 3e (2010), Boston, Course Technology, CengageLearning.
Posted by at 1 comment:

Week 11 Information Security Positions.

Week 11. Information Security Positions.

When hiring information security professionals at all levels, organizations frequently look for individuals able to:
·         Understand how organizations are structured and operated
·         Recognize that information security is a management task that cannot be handled with technology alone
·         Work well with people in general, including users, and communicate effectively using both strong written and verbal communication skills
·         Acknowledge the role of policy in guiding security efforts
·         Understand the essential role of information security education and training, which helps make users part of the solution, rather than part of the problem
·         Perceive the threats facing an organization, understand how these threats can become transformed into attacks, and safeguard the organization from information security attacks
·         Understand how technical controls (including firewalls, IDSs, and antivirus software) can be applied to solve specific information security problems.
·         Demonstrate familiarity with the mainstream information technologies, including Disk Operation System (DOS) and/or the Windows command-line, Windows XP/Vista/2003 and 2008 Server, Linus, and UNIX
·         Understand IT and InfoSec terminology and concepts.

Information Security Community:

·      InfoSec department manager
·      Access control system administrator
·      Internal InfoSec consultant
·      InfoSec engineer
·      InfoSec documentation specialist
·      InfoSys contingency planner
·      Local InfoSec coordinator
IT Community:

·         Chief information officer
·         InfoSys analyst/business analyst
·         Systems programmer
·         Business applications programmer
·         Computer operations manager
·         Computer operator
·         InfoSys quality assurance analyst
·         Help desk associate
·         Archives manager/records manager
·         Telecommunications manager
·         Systems administrator/network administrator
·         Web site administrator/commerce site administrator
·         Database administrator
·         Data administration manager

General Business Community:
·         Physical security department manager
·         Physical asset protection specialist
·         Building and facilities guard
·         Office maintenance worker
·         Internal audit department manager
·         EDP auditor
·         Internal intellectual property attorney
·         Human resources department manager
·         Human resources consultant
·         Receptionist
·         Outsourcing contract administrator
·         In-house trainer
·         Insurance and risk management department manager
·         Insurance and risk management analyst
·         Business contingency planner
·         Public relations manager
·         Chief financial officer
·         Purchasing agent
·         Chief executive officer


Reference.

Whitman, M. & Mattord, H. (2010).  “Management of Information Security.”
Boston, MA, Course Technology, Cengage Learning. 
Posted by at No comments:

Wednesday, February 12, 2014

Week10  Firewalls.

We need information about why we have to install the firewall for our system.
The below text book information given to us a lot of idea for the subject.

Selecting the Right Firewall.
When evaluating a firewall for you networks, ask the following questions:
·         What type of firewall technology offers the right balance between protection and cost for the needs of the organization?
·         What features are included in the base price?
What features are available at extra cost?
Are all cost factors known?
·         How easy is it to set up and configure the firewall?
How accessible are the staff technicians who can competently configure the firewall?
·         Can the candidate firewall adapt to the growing network in the target organizations?

Managing Firewalls.
The constraints of their programming and rule sets in the following ways:
·         Firewalls are not creative and cannot make sense of human actions outside the range of their programmed responses.
·         Firewalls deal strictly with defined patterns of measured observation. These patterns are known to possible attackers and can be used to their benefit in an attack.
·         Firewalls are computers themselves and are thus prone to programming errors, flaws in rule sets, and inherent vulnerabilities.
·         Firewalls are designed to function within limits of hardware capacity and thus can only respond to patterns of events that happen in an expected and reasonably simultaneous sequence.
·         Firewalls are designed, implemented, configured and operated by people and are subject to the expected series of mistakes from human error.

There are also a number of management challenges to administering firewalls:
1.    Training. Most managers think of a firewall as just another device, more or less similar to the computers already humming in the rack.
2.    Uniqueness. You have mastered your firewall and now every new configuration requirement is just a matter of a few clicks in the Telnet windows; however, each brand of firewall is different, and the new e-commerce project just brought you a new firewall running on a different OS.
3.    Responsibility. Since you are the firewall guy, suddenly everyone assumes that anything to do with computer security is your responsibility.
4.    Administration. Being a firewall administrator for a medium or large organization should be a full-time job by itself; however, that’s hardly ever the case.
  

Reference.

Whitman, M. & Mattord, H. (2010).  “Management of Information Security.”
Boston, MA, Course Technology, Cengage Learning. 
Posted by at No comments:

Monday, February 3, 2014

Week9 Post for Information Security Management.

What I found the good book for reference that is the below review message.
I’m interesting the subject and description that make focus on me.

From the Inside Flap

The 2008 credit crisis, terrorism, Katrina, computer hackers, and air travel disasters all have something in common-the methods used to assess and manage these risks are fundamentally flawed. If risks cannot be properly evaluated, risk management itself becomes the biggest risk. The Failure of Risk Management shows you how to identify and fix these hidden problems in risk management.
Ineffective risk management methods, often touted as "best practices," are passed from company to company like a bad virus with a long incubation period: there are no early indicators of ill effects until it's too late and catastrophe strikes. Exploring why risk management fails—the failure to measure and validate methods as a whole or in part; the use of components known not to work; and not using components that are known to work—The Failure of Risk Management shows you how to measure the performance of risk management in a meaningful way, identify where risk management is broken, and fix it.
Respected expert and bestselling author Douglas Hubbard-creator of the critically praised Applied Information Economics (AIE)—uses real-world examples to reveal the serious problems in our current approaches to risk analysis. Hubbard skillfully illustrates how to use a calibrated risk analyses approach, and the many benefits that go along with it, along with checklists and practice examples to get you started.
One of the first resources to apply risk management across all industries, The Failure of Risk Management provides you with the tools you need to hit the ground running with radically better risk management solutions.
Here, you'll discover:
·         The diversity of approaches to assess and mitigate risks
·         Why many influential methods-both qualitative and quantitative don't work
·         Why we shouldn't always trust assessments based on "experience" alone
·         The fallacies that stop you from adopting better risk management methods
·         How those who develop models of risks justify (in error) excluding the biggest risks
·         Adding empirical science to risk management

Reference.
The Failure of Risk Management: Why it’s Broken and how to fix it.
https://www.societyinforisk.org/reading-list
Posted by at No comments:

Thursday, January 30, 2014

Week 8 Risk Assessment for identification and TVA (Threats-Vulnerabilities-Assets) Work Sheet.

Week 8. Risk Assessment.


Risk identification begins with the process of self-examination. At this stage, managers identify the organizations's information assets, classify and categorize them into useful groups, and prioritize them by their overall importance.
This can be a daunting task, but it must be done to identify weaknesses and the threats they present.
The below list are Risk identification process. 


-         Plan and Organize Process
-         Create system component categories
-         Develop Inventory of Assets-Identify Threats
-         Specify Vulnerable Assets
-         Assign Value or Impact Rating to Assets
-         Assess Likelihood for Vulnerabilities
-         Calculate Relative Risk Factor for Assets
-         Preliminary Review of Possible Controls
-         Document Findings.

1


If someone need audit for the security risk assessment, they have to check the below list and make sure all items list has the asset items ID, impact ratio value, vulnerability, and risk rate for the mitigation. 
That information has to include people, procedures, data, software, hardware and networking elements for classifying and categorizing assets to the organization’s risk management program.
The classification worksheet is useful to refer to the information collected to help assess a value for an asset.
Also, she needs the weighted factor analysis worksheet for the list the assets in order of importance.
Another source of worksheet is TVA (Threats-Vulnerabilities-Assets) that preparation for the addition of vulnerability and control information during risk assessment.







Reference.
Risk Assessment, http://www.ready.gov/risk-assessment

http://csrc.nist.gov/publications/nistpubs/800-30/sp800-30.pdf


Posted by at No comments:

Saturday, January 25, 2014

Week 7 Security Architecture Models

Week 7 Blog.
Security Architecture Models.
 Security architecture models illustrate information security implementations and can help organizations to quickly make improvements through adaptation.
Some models are implemented into computer hardware and software, some are implemented as policies and practices, and some are implemented in both.
some models focus on the confidentiality of information, while others focus on the integrity of the information as it is being processed.
Bell-LaPadula Confidentiality Model.
BLP confidentiality model is a state machine model that helps ensure the confidentiality of an information system by means of MACs, data classification, and security clearances. A system that serves as a reference monitor compares the level of classification of the data with the clearance of the entity requesting access; it allows access only if the clearance is equal to or higher than the classification.
Biba integrity Model.
The Biba integrity model is similar to BLP. It is based on the premise that higher levels of integrity are more worthy of trust than lower ones. The intent is to provide access controls to ensure that objects or subjects cannot have less integrity as a result of read/write operations.
Clark-Wilson Integrity Model.
The Clark-Wilson integrity model, which is built upon principles of change control rather than integrity levels, was designed for the commercial environment. The change control principles upon which it operates are: No changes by unauthorized subjects, No unauthorized changes by authorized subject, and the maintenance of internal and external consistency.
Graham-Denning Access Control Model.
The Graham-Denning access control model has three parts: a set of objects, a set of subjects, and a set of rights. The subjects are composed of two things: a process and a domain. The domain is the set of constraints controlling how subjects may access objects. The set of rights governs how subjects may manipulate the passive objects.

Harrison-Ruzzo-Ullman Model.
The Harrison-Ruzzo-Ullman (HRU) model defines a method to allow changes to access rights and the addition and removal of subjects and objects, a process that the Bell-LaPadula model does not.

Brewer-Nash Model (Chinese Wall)
The Brewer-Nash model-commonly known as Chinese Wall-is designed to prevent a conflict of interest between two parties. Imagines that a low firm represents two individuals who are involved in a car accidents. One sues the others, and the firm has to represent both. To prevent a conflict of interest, the individual attorneys should not be able to access the private information of these two litigants.

Reference.


Michael E. Whitman & Herbert J. Mattord, “Management of information security” 3e (2010), Boston, Course Technology, CengageLearning.


Posted by at No comments:
Subscribe to: Posts (Atom)