Information security risk assessments, Lecture #3, Security in Organizations 2011 (PowerPoint presentation)



SLIDE 1

Information security risk assessments

Lecture #3

Security in Organizations 2011 Eric Verheul

SLIDE 2

Literature

Main literature for this lecture:
1. The ISO 27005 standard
2. The NIST Special Publication 800-30: ‘Risk Management Guide for Information Technology Systems’ (see the SIO website).

Variants on ISO 2700*

SLIDE 3

Outline

  • Recap on ISO 27001
  • ISO 27001 requirements on the risk assessments and treatment (RAT) process
  • The RAT process from ISO 27005
  • The RAT process from NEN 7512 and NIST SP 800-30
  • Risk assessments attention points and software tools
  • Recap
  • Case on electronic banking
SLIDE 4: Outline (as on slide 3)
SLIDE 5

Recap

Recap on information security

  • ISO 27001 describes a ‘security management system’, a methodology to select and maintain security controls (from ISO 27002) based on risk assessments. This system is called an Information Security Management System (ISMS).
  • Fundamental to ISO 27001 is that it considers IS as a continual improvement process and not as a product.
  • The ISMS scope is an important decision.
  • This process is known as the PDCA cycle; risk assessment is the engine in this cycle.
  • ISO 27001 leaves room for various implementations; getting a more secure organization instead of a ‘paper tiger’ is an attention point.
  • An organization’s ISO 27001 implementation can be formally certified.
  • We have seen an implementation based on the ‘combined approach’, based on assets clustered in information systems.

SLIDE 6

Recap

[Figure: the combined approach. Information systems: Billing, Document management, ERP, CRM, Email, Treasury, Telephone, …; steps: Conducting Business Impact Analysis (BIA), CIA code, Apply baselines (Baseline security), Conducting Risk Assessment and Treatment (RAT); classes: Critical information systems, Non-critical information systems.]

SLIDE 7: Outline (as on slide 3)
SLIDE 8

Alternative definition of IS

ISO 27001 requirements on the RAT process

  • Adequately protecting the confidentiality, integrity and availability of information against possible threat manifestations.

[Figure: Risk Assessment. Threats #1…#n combined with Vulnerabilities #1…#n give risk paths (scenarios / potential incidents).]


SLIDE 11

Example: Customer Helpdesk

SLIDE 12

Relevant ISO 27001 clauses

Clause 4.2.1 c): Define the risk assessment approach of the organization.
1) Identify a risk assessment methodology that is suited to the ISMS, and the identified business information security, legal and regulatory requirements.
2) Develop criteria for accepting risks and identify the acceptable levels of risk. (Note: aka ‘risk appetite’.)
The risk assessment methodology selected shall ensure that risk assessments produce comparable and reproducible results.
→ There should be a documented methodology, and the risk appetite should be determined.

SLIDE 13

Relevant ISO 27001 clauses

Clause 4.2.1 d): Identify the risks.
1) Identify the assets within the scope of the ISMS, and the owners of these assets.
2) Identify the threats to those assets.
3) Identify the vulnerabilities that might be exploited by the threats.
4) Identify the impacts that losses of confidentiality, integrity and availability may have on the assets.
→ The methodology should involve assets, threats, vulnerabilities and impacts.

SLIDE 14

Relevant ISO 27001 clauses

Clause 4.2.1 e): Analyse and evaluate the risks.
1) Assess the business impacts upon the organization that might result from security failures.
2) Assess the realistic likelihood of security failures occurring in the light of prevailing threats and vulnerabilities, the impacts associated with these assets, and the controls currently implemented.
3) Estimate the levels of risks.
4) Determine whether the risks are acceptable or require treatment using the criteria for accepting risks established in 4.2.1 c).
→ Prioritize risks and determine which need treatment.

SLIDE 15

Example: Risk Assessment (without baselines)

[Figure: 2×2 risk matrix, impact (Low/High) against probability (Low/High): high impact and high probability = High Risk; high impact and low probability = Medium Risk; low impact and high probability = Medium Risk; low impact and low probability = Low Risk. Risks plotted on the matrix:]
  • Fire destroys telephones and computers
  • Insufficient staffing causes long waits for customers
  • Entry errors cause problems for customers (who then complain)
  • Employee commits fraud
SLIDE 16

Example: Risk Assessment (with baselines)

[Figure: the same 2×2 impact/probability risk matrix (High / Medium / Medium / Low Risk). Risks plotted, now phrased as threat plus vulnerability given the baselines:]
  • Fire destroys telephones and computers, and we have too little insurance covering that
  • As we have insufficient staff, this causes long waits for customers
  • Entry errors cause problems for customers (who then complain)
  • We have insufficient access controls on the helpdesk system, enabling employees to commit fraud

SLIDE 17

Relevant ISO 27001 clauses

Clause 4.2.1 f): Identify and evaluate options for the treatment of risks.
  • Options: applying controls, accepting risks, avoiding risks, transferring risks to other parties.
Clause 4.2.1 g): Select control objectives and controls for the treatment of risks.
Clause 4.2.1 h): Obtain management approval of the proposed residual risks.
→ Either accept, avoid or transfer risks, or select controls.

SLIDE 18

Example: Risk Response

[Figure: the 2×2 impact/probability risk matrix with a response per cell: High Risk → Control; Medium Risk → Transfer or Control; Low Risk → Accept. Responses for the helpdesk risks:]
  • Customer has a long wait: hire enough people; freebies for long waits
  • Fraud: ignore
  • Entry errors: input validation
  • Fire destroys telephones and computers: insure phones + computers

SLIDE 19: Outline (as on slide 3)
SLIDE 20

Main steps

The RAT process from ISO 27005

  • 1. Context establishment
  • 2. Risk assessment
  • 3. Risk estimation/evaluation
  • 4. Risk treatment
  • 5. Risk acceptance
  • 6. Documentation/communication
  • 7. Risk monitoring

Source: ISO 27005

SLIDE 21

Main steps

  • 1. Context establishment
     • Determine legal requirements
     • Determine scope and boundaries, e.g.:
        • Business process lifecycle
        • Information system lifecycle
     • Determine dependencies with other ‘systems’.

SLIDE 22

Allocating responsibilities

[Figure: allocating responsibilities. Helpdesk (Manager #1, Business Process #1, Information System #1); Invoicing dep. (Manager #2, Business Process #2, Information System #2); Department #3 (Manager #3, Business Process #2, Information System #3). The information systems are interconnected (Network, Internet); the RA scope covers one of them, info flows between the systems, and the scope imposes requirements on the others.]

SLIDE 23

Main steps

  • 1. Context establishment
  • 2. Risk assessment
     • Identify assets (= familiarize with the system)
     • Identify threats
     • Relate actual security incidents
     • Identify vulnerabilities
     • Relate existing controls (baselines in our setting)
     • Determine consequences (potential incidents)

Threats may be of natural or human origin.

SLIDE 24

‘Natural’ threat examples

Source: BSI IT-Grundschutz-Catalogues

SLIDE 25

‘Human’ threat examples (not exhaustive)

Source: NIST SP 800-30

SLIDE 26

Vulnerability examples

Source: ISO 27005


SLIDE 28

Vulnerability examples

Alternatively, one can directly relate vulnerabilities to the 11 ISO 27002 chapters.

Ch. | ISO 27002 chapter | Example vulnerabilities
5 | Security Policy | No policy on privacy
6 | Organization of Information Security | Lack of responsibilities / roles
7 | Asset Management | No register of laptops; no guidelines for USB sticks
8 | Human Resources Security | No background checks
9 | Physical and Environmental Security | Computer room under a leaking roof; computer room next to a chemical plant
10 | Communications and Operations Management | No documented procedures for backup
11 | Access Control | Accounts of ex-employees still active
12 | Information Systems Acquisition, Development and Maintenance | No possibility to enforce password length; no logging
13 | Information Security Incident Management | No contacts for reporting incidents
14 | Business Continuity Management | Telephone switch not in BCM plan
15 | Compliance | Not complying with contracts

SLIDE 29

Main steps

  • 1. Context establishment
  • 2. Risk assessment
  • 3. Risk estimation/evaluation
     • Prioritize risks (potential incidents)
     • Determine the ‘real’ risks
     • Estimation could be qualitative or quantitative (e.g. based on historic data).
     • In practice one uses qualitative estimations.

SLIDE 30

Estimation of risk paths

[Figure: risk paths plotted on the impact/probability matrix; orange = risk appetite border.]

SLIDE 31

Main steps

  • 1. Context establishment
  • 2. Risk assessment
  • 3. Risk estimation/evaluation
  • 4. Risk treatment
     • Risks can be treated with controls
     • Risks can be accepted
     • Risks can be avoided
     • Risks can be transferred

Typically combinations are used in practice, e.g., first accept a risk but gradually implement controls mitigating it.

SLIDE 32

Entrance of ISO 27001

Source: ISO 27005

SLIDE 33

Main steps

  • 1. Context establishment
  • 2. Risk assessment
  • 3. Risk estimation/evaluation
  • 4. Risk treatment
  • 5. Risk acceptance
     • After risk treatment a risk re-evaluation should be performed.
     • Risk acceptance criteria should be formalized.
     • Risk treatment (residual risks) must be accepted by management.
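The helpdesk example of slides 15 to 18 and ISO 27005 steps 3 to 5 above (estimate and evaluate risk paths against the risk appetite, treat, re-evaluate and accept the residual risk) carried through in code. This is an added illustration, not material from the lecture or from ISO 27005; the impact/probability estimate per risk path, the appetite border (only ‘Low’ risks are acceptable as-is) and the effect of each treatment are constructed assumptions, since the slides give the risk paths and responses but not the cell positions.

```python
"""Risk assessment and treatment (RAT) of the helpdesk example.
Added example, not from the lecture slides: it walks ISO 27005 steps 3 to 5
(evaluate risk paths against a risk appetite border, treat, re-evaluate the
residual risk before acceptance). Estimates and treatment effects are constructed.
"""
from dataclasses import dataclass, replace

# Risk matrix from the slides: (impact, probability) -> risk level.
MATRIX = {("High", "High"): "High", ("High", "Low"): "Medium",
          ("Low", "High"): "Medium", ("Low", "Low"): "Low"}
ACCEPTABLE = {"Low"}  # constructed risk appetite border
TREATMENTS = {"control", "accept", "avoid", "transfer"}  # ISO 27001 4.2.1 f)


@dataclass(frozen=True)
class RiskPath:
    """A threat exploiting a vulnerability gives a scenario (potential incident)."""
    threat: str
    vulnerability: str
    scenario: str
    impact: str
    probability: str
    treatment: str = ""
    measure: str = ""  # the control or transfer applied, if any

    def level(self) -> str:
        return MATRIX[(self.impact, self.probability)]

    def acceptable(self) -> bool:
        return self.level() in ACCEPTABLE


def needs_treatment(paths):
    """Step 3 (evaluate): scenarios above the risk appetite border."""
    return [p.scenario for p in paths if not p.acceptable()]


def treat(path, option, measure="", impact=None, probability=None):
    """Step 4 (treat): record the option and re-estimate the risk path."""
    if option not in TREATMENTS:
        raise ValueError(f"unknown treatment option: {option}")
    if option in ("control", "transfer") and not measure:
        raise ValueError("a control or transfer must name the measure")
    return replace(path, treatment=option, measure=measure,
                   impact=impact or path.impact,
                   probability=probability or path.probability)


def residual_risks(paths):
    """Step 5 (accept): residual risks above the border that management must accept."""
    return {p.scenario: p.level() for p in paths if not p.acceptable()}


# Constructed register: risk paths from slides 15-18, estimates are ours.
HELPDESK = [
    RiskPath("Fire", "Too little insurance",
             "Fire destroys telephones and computers", "High", "Low"),
    RiskPath("Insufficient staffing", "Helpdesk understaffed",
             "Customers have long waits", "Low", "High"),
    RiskPath("Entry errors", "No input validation",
             "Entry errors cause problems for customers", "Low", "High"),
    RiskPath("Employee fraud", "Insufficient access controls",
             "Employee commits fraud", "Low", "Low"),
]


def treat_helpdesk():
    """Apply the responses of the 'Risk Response' slide; returns the register."""
    fire, waits, errors, fraud = HELPDESK
    return [
        treat(fire, "transfer", "insure phones + computers", impact="Low"),
        treat(waits, "control", "hire enough people", probability="Low"),
        treat(errors, "control", "input validation", probability="Low"),
        treat(fraud, "accept"),  # 'ignore' on the slide: within appetite
    ]
```

An empty result from `residual_risks(treat_helpdesk())` means every treated path fell within the appetite; anything left in it is the list management has to sign off on under clause 4.2.1 h).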

SLIDE 34

Main steps

  • 1. Context establishment
  • 2. Risk assessment
  • 3. Risk estimation/evaluation
  • 4. Risk treatment
  • 5. Risk acceptance
  • 6. Documentation/communication
  • 7. Risk monitoring

The risk process should be documented, and periodically reassessed.


SLIDE 35: Outline (as on slide 3)
SLIDE 36

NEN 7512

  • Supplemental standard to NEN 7510 (the ‘ISO 27002’ for the Dutch health sector).
  • The NEN 7512 RAT process is more or less compatible with ISO 27005; however, it does not describe risk acceptance criteria (‘risk appetite’): can’t you just accept ‘low’ risks?
  • The NEN 7512 scope is information security of electronic information exchanges in the health sector, e.g., between:
     • health organizations, and
     • health organizations and patients (EPD)
  • NEN 7512 has only integrity and confidentiality in scope, not availability.
  • The objective of NEN 7512 is to establish a common information security basis for (contractual) agreements.

The RAT process from NEN 7512 and NIST SP 800-30

SLIDE 37

NEN 7512

  • NEN 7512 identifies four risk classes: ‘low risk’, ‘medium risk’, ‘high risk’, ‘very high risk’.
  • In essence it only identifies five types of controls:
     • Registration of systems (self-proclaimed; verifiable in an authoritative register)
     • Registration of persons (self-proclaimed; verifiable in an authoritative register; face-to-face)
     • Encryption (none; SSL; secure messaging)
     • Authentication (password/PIN; biometrics; tokens)
     • Signing (simple signature; advanced signature; qualified signature)


SLIDE 39

NEN 7512 Risk assessment

Control | Low Risk | Medium Risk | High Risk | Very high Risk
Person registration | Self-proclaimed | Register verification | Face-to-face | Face-to-face
System registration | Self-proclaimed | Register verification | Register verification | Register verification
Authentication | Password | Password+ / Token / Biometrics | Token+ / Biometrics+ | Token+ / Biometrics+
Signature | Electronic | Advanced | Advanced | Qualified (using ‘smartcard’)
Encryption | none | SSL / TLS | Secure messaging | Secure messaging

SLIDE 40

NIST SP 800-30

  • Non-mandatory guidelines on risk management for US federal organizations which process sensitive information.
  • Based on the same ideas as ISO 27001/27005.
  • However, it seems to consider risk reduction in the RAT process (Ch. 3, 800-30) and the other treatments (acceptance, avoidance and transfer) in the Mitigation process (Ch. 4, 800-30) following the RAT process.

SLIDE 41: Outline (as on slide 3)
SLIDE 42

Risk assessment attention points

  • Typically a risk assessment is performed in a workshop (of a morning/afternoon).
  • Make sure the risk assessment methodology contains sufficient clues (e.g. threat and vulnerability lists) to initiate discussions.
     • Threat and vulnerability examples can be found in ISO 27005, NIST SP 800-30 and the BSI IT-Grundschutz-Catalogues.
  • A risk assessment is not a process of mechanically (un)checking threats and vulnerabilities. The methodology is just a vehicle to initiate discussions.
  • Make sure the right knowledgeable people are at the workshop, i.e. people that know the technical characteristics and people that know the business characteristics of the object.
  • Consider a ‘brown paper / Post-it’ setup to be sure everybody can state their ideas and nobody is ‘intimidated’ by management presence.
  • Don’t be too ambitious: only strive to bring out the threats/vulnerabilities already locked inside the heads of the participants, by asking stimulating questions.
  • Take into account security incidents that occurred in the past, previous risk assessments and security audits. The proof of the pudding is in the eating…

Risk assessments attention points and software tools

SLIDE 43

Risk assessment software tools

  • A risk assessment software tool helps make the process reproducible and simplifies documentation of the process.
  • A risk assessment software tool introduces the risk that a) you lose too much time learning the tool and b) the risk assessment becomes a mechanical exercise.
  • On http://www.enisa.europa.eu/rmra/rm_home.html you can find an inventory of risk management methods and software tools.
  • One of the free tools of which the source is available is EBIOS.

SLIDE 44

Outline

  • Recap on ISO 27001
  • ISO 27001 requirements on risk assessments
  • The risk assessment process from ISO 27005
  • Risk assessments attention points
  • Risk assessment software tools
  • Recap
  • Case on electronic banking (Peter van Rossum)
SLIDE 45

Recap

  • We have described the risk assessment process described in ISO 27005 and related this to the requirements of ISO 27001.
  • Most important is to get a meaningful discussion on (prioritized) risks based on threats, vulnerabilities and treatment of risks.
  • Make sure the relevant information is available (object knowledge, relevant threats and vulnerabilities).
  • Make sure the right persons are involved in the risk assessment (both technical and business people).
  • Make sure risk treatment is accepted by management.
  • Don’t be too ambitious; aim for risks that are implicitly known already or can be deduced from available info.

SLIDE 46: Outline (as on slide 3)
SLIDE 47

Case: Electronic Banking

  • A company uses an Enterprise Resource Planning (ERP) application to handle invoices, stock, orders, etc.
  • Their bank provides the company with an Electronic Banking application (EBA).
  • Three people are involved:
     • Mr. C (Controller)
     • Mr. T (Technical IT person)
     • Mr. D (Director)

SLIDE 48

Case: Electronic Banking

Technical setup:
  • Personal authenticator devices (‘reader + bank card’)
  • Challenge-response authorization
  • Mr. T and Mr. D possess a bank card
  • EBA is installed on a single, networked desktop (Mr. T)
  • The EBA connects to the bank through the internet
  • The setup uses ClieOp (http://www.equens.com/Images/CLIEOP%20EN.pdf).

A ClieOp specifies amounts and bank account numbers to be transferred. It also has a checksum based on the total number of account numbers involved; if this checksum is incorrect the EBA will not accept the ClieOp.

[Figure: ERP → ClieOp → Network disk → ClieOp → EBA → Bank.]

SLIDE 49

Case: Electronic Banking

  • Mr. C:
     • Mr. C creates a printout from ERP consisting of a list of {amount, account number, invoice description} plus the total amount
     • Mr. C gets the original invoices, checks that the invoices are genuine and validates that the invoices are consistent with existing contractual agreements
     • Mr. C checks that the invoices on the ERP printout match with the invoices
     • Mr. C marks the invoices with ‘paid’ and his signature
     • Mr. C manually signs the ERP printout on success
     • Mr. C extracts a digital version of the payments from ERP, i.e. a ClieOp, and places that on a public network disk
     • Mr. C signals Mr. T with an email
     • Mr. C gives the signed ERP printout + invoices to Mr. D

SLIDE 50

Case: Electronic Banking

  • Mr. T:
     • After being signaled by Mr. C, Mr. T reads the ClieOp of the payments from the network into EBA. There can be a few days between the signal from Mr. C and Mr. T’s EBA operation
     • Mr. T uses EBA to produce a printed summary consisting of the total amount of all payment amounts to be made
     • The EBA also produces a challenge for Mr. D
     • Mr. T sends the printed EBA summary and the challenge to Mr. D

SLIDE 51

Case: Electronic Banking

  • Mr. D:
     • Mr. D has received the signed ERP printout + invoices from Mr. C
     • Mr. D has received the printed EBA summary and the challenge from Mr. T
     • Mr. D makes the same invoice checks as Mr. C but does not check that the invoices are consistent with existing contractual agreements
     • Additionally, he verifies Mr. C’s signature and checks that the total amount on the ERP printout matches the total amount on the EBA summary
     • Mr. D enters the challenge on his authenticator device, writes the response on the EBA summary and hands this over to Mr. T

SLIDE 52

Case: Electronic Banking

  • Mr. T:
     • Mr. T enters Mr. D’s response in EBA. EBA now also presents a challenge to Mr. T
     • Mr. T enters this challenge on his authenticator device and types the response into EBA. This finalizes the payment

SLIDE 53

Case: Electronic Banking

[Figure: the payment flow. Mr. C produces the ERP output (a list of amount, account#, invoice description per payment, plus the total amount) with the invoices, and a ClieOp that goes via the network disk to Mr. T. Mr. T produces the EBA summary (…, total amount, challenge) for Mr. D. Mr. D checks the invoices, checks Mr. C’s signature, checks the total amounts and gives the response on success. Mr. T gives final approval using his bank card, after which the EBA sends the payment to the bank.]

SLIDE 54

Case: Electronic Banking

Assignment: based on the case description in the lecture slides, describe one vulnerability that could be exploited and one possible resulting scenario for each of:
  • Threat #1: Mr. C commits fraud
  • Threat #2: Mr. T commits fraud
  • Threat #3: Mr. D commits fraud
  • Threat #4: another employee commits fraud

For each of the four scenarios describe one preventive control. You can work in pairs, i.e. with two people. Send the assignment to eric.verheul AT cs.ru.nl before October 3. You will get a binary mark (pass/not pass).

SLIDE 55

Case: Electronic Banking

Assignment format (fill in the question marks). Be brief: the total table should not exceed 2 pages in Word.

Threat | One vulnerability that could be exploited | Scenario (‘what happens’) | One preventive control
Mr. C commits fraud | ? | ? | ?
Mr. T commits fraud | ? | ? | ?
Mr. D commits fraud | ? | ? | ?
Another employee commits fraud | ? | ? | ?