
College of Computer Science & Engineering

Department of Information Systems

Managing Cyber Security Operations


Chapter 1
An Overview of Information Security and Risk Management
Objectives
• Define and explain information security
• Identify and explain the basic concepts of risk management
• List and discuss the components of contingency planning
• Describe the role of information security policy in the development of contingency plans

Introduction
• Contingency planning
– Being ready for incidents and disasters
• Example: 1/10 of one percent of online users
– Allows for two and a half million potential attackers
• Example: World Trade Center (WTC) organizations
– Had contingency plans due to the February 1993 attack
• Example: 2008 Gartner report
– 2/3 of organizations invoked plans in the prior two years
• Information security includes contingency planning
– Ensures confidentiality, integrity, and availability of data

Information Security
• Committee on National Security Systems (CNSS) information security definition
– Protection of information and its critical elements
• Includes the systems and hardware that store and transmit information
– Part of the CNSS model (evolved from the C.I.A. triangle)
• Conceptual framework for understanding security
• Information security (InfoSec)
– Protection of the confidentiality, integrity, and availability of information
• In storage, during processing, and during transmission

Key Information Security Concepts
• Threat: object, person, or other entity posing a potential risk of loss to an asset
• Asset: organizational resource being protected
– Logical or physical
• Attack: attempt to cause damage to or compromise information or the systems that support it
– Arises from a threat; intentional or unintentional
• Threat-agent: responsible for a threat instance
– Specific and identifiable; exploits asset vulnerabilities

Key Information Security Concepts (cont.)
• Vulnerability:
– Flaw or weakness in system security procedures, design, implementation, or internal controls
• Results in a security breach or security policy violation
– Well-known or latent (not visible)
– Exercised accidentally or intentionally
• Exploit: technique used by a threat-agent
– Threat-agent may exploit a system or information through illegal use
– Threat-agent may create an exploit to target a specific vulnerability
• Control/safeguard/countermeasure: prevents an attack

Key Information Security Concepts (cont.)

Key Information Security Concepts (cont.)
• Trespass (intrusion):
– Broad category of electronic and human activities
• Can breach information confidentiality
• Leads to unauthorized real or virtual actions
• Results in unauthorized access to premises or systems
• Software attacks:
– Malicious code, malicious software, malware
– Designed to damage, destroy, or deny service to the target systems
– Example: hackers

Key Information Security Concepts (cont.)
– Common malicious code instances
• Viruses and worms, Trojan horses, logic bombs, bots, rootkits, back doors, denial-of-service (DoS) attack, distributed DoS (DDoS) attack
– Viruses:
• Segments of code that perform malicious actions
• Macro virus: embedded automatically in macro code
• Boot virus: infects key operating system files

Key Information Security Concepts (cont.)
– Worms:
• Replicate themselves constantly
• No other program needed
• Can replicate until available resources are filled
– Back doors and trap doors:
• Installed by a virus or worm payload
• Provide special-privilege system access at will
– Polymorphism:
• Threat changes its apparent shape over time
• Eludes antivirus software detection

Key Information Security Concepts (cont.)
– Propagation vectors:
• Manner by which malicious code spreads can vary
• May use social engineering: Trojan horse looks desirable, but is not
• May leverage an open network connection, file shares, or a software vulnerability
– Malware hoaxes:
• Well-meaning people send random e-mails warning of fictitious dangerous malware
• Wastes a lot of time and energy

Key Information Security Concepts (cont.)
• Human error or failure:
– Includes acts performed by an authorized user
• No malicious intent or purpose
– Human error
• Small mistakes produce extensive damage with catastrophic results
– Human failure
• Intentional refusal or unintentional inability to comply with policies, guidelines, and procedures, with a potential loss of information

Key Information Security Concepts (cont.)
• Theft:
– Illegal taking of another’s property
• Property: physical, electronic, intellectual
• Includes:
– Trade secrets, copyrights, trademarks, patents
– Exfiltration, or unauthorized removal of information
– Software piracy
• Includes acts of espionage and breach of confidentiality
– Methods
• Competitive intelligence or industrial espionage
– Theft or loss of mobile devices
• Phones, tablets, and computers
• Stored information more important than the devices

Key Information Security Concepts (cont.)
• Sabotage or vandalism
– Destroys an asset or damages an organization’s image
• Assault on an organization’s Web site
• Cyberterrorism (more sinister hacking)
• Technical software failures or errors
– Software with unknown hidden faults
• Code sold before security-related bugs are detected
• Trap doors
– Helpful Web sites
• Bugtraq and National Vulnerability Database (NVD)
– Bugtraq is an electronic mailing list dedicated to computer security issues
– National Vulnerability Database is a U.S. government repository of vulnerability management data, security measurement, and compliance

Key Information Security Concepts (cont.)
• Technical hardware failures or errors
– Equipment distributed with a known or unknown flaw
– System performs outside expected parameters
– Errors can be terminal or intermittent
• Forces of nature
– Known as force majeure, or acts of God
– Pose the most dangerous threats imaginable
• Occur with very little warning

Key Information Security Concepts (cont.)
• Deviations in quality of service by service providers
– Product or service not delivered as expected
• Support systems interrupted by storms, employee illnesses, unforeseen events
• Technological obsolescence
– Obsolete or outdated infrastructure
• Leads to unreliable and untrustworthy systems
• Risks loss of data integrity from attacks

Key Information Security Concepts (cont.)
• Information extortion
– Attacker or trusted insider steals information from a computer system
• Demands compensation for its return or for an agreement not to disclose the information
– Common in credit card number theft

Overview of Risk Management
• Risk management process
– Identifying and controlling information asset risks
– Security managers play the largest roles
– Includes contingency planning
– Know yourself and know the enemy
• Risk identification process
– Examining, documenting, and assessing the security posture of an organization’s IT and the risks it faces
• Risk control process
– Applying controls to reduce the risks

Overview of Risk Management (cont.)

Overview of Risk Management (cont.)
• Know yourself
– Identify, examine, and understand the information and systems currently in place
– Asset: information and the systems that use, store, and transmit information
– Questions to ask when protecting assets
• What are they?
• How do they add value to the organization?
• To which vulnerabilities are they susceptible?
– Have periodic review, revision, and maintenance of control mechanisms

Overview of Risk Management (cont.)
• Know the enemy
– Identify, examine, and understand threats
– Determine threat aspects affecting the organization and the security of the assets
• List threats prioritized by importance
– Conduct periodic management reviews
• Verify completeness and accuracy of the asset inventory
• Review and verify identified threats and vulnerabilities
• Review current controls and mitigation strategies
• Review cost effectiveness and deployment issues
• Verify ongoing effectiveness of every control

Risk Identification
• Identify, classify, and prioritize information assets
• Threat identification process begins afterwards
– Asset examined to identify vulnerabilities
– Controls identified
– Controls assessed
• Regarding capability to limit possible losses should an attack occur

Asset Identification and Value Assessment
• Iterative process of identifying assets and assessing their value
• Information asset classification
– Classify with respect to security needs
– Components must be specific for the creation of various priority levels
– Components ranked according to criteria established by the categorization
– Use comprehensive and mutually exclusive categories
– Establish clear and comprehensive category sets

Asset Identification and Value Assessment (cont.)
• Information asset valuation
– Is this asset the most critical to the organization’s success?
– Does it generate the most revenue?
– Does it generate the most profit?
– Would it be the most expensive to replace?
– Will it be the most expensive to protect?
– If revealed, would it cause the most embarrassment or greatest damage?
– Does the law or other regulation require us to protect this asset?

Asset Identification and Value Assessment (cont.)
• Answers determine weighting criteria
– Used for asset valuation and impact evaluation
• Must decide the criteria best suited to establish the information asset value
• Perform weighted factor analysis
– Calculates relative importance of each asset
– Assign a score from 0.1 to 1.0 for each critical factor
– Assign each critical factor a weight from 1 to 100
• Identify, document, and add company-specific criteria

Asset Identification and Value
Assessment (cont.)

Data Classification and Management (cont.)
• Data classification schemes
– Procedures requiring organizational data to be classified into mutually exclusive categories
– Based on the need to protect the confidentiality of each data category
• Military specialized classification ratings
– “Public” to “For Official Use Only” to “Confidential” to “Secret” to “Top Secret”

Data Classification and Management (cont.)
• Alternative information classification scheme
– Public: for general public dissemination
– For official use: not particularly sensitive but not for public release
– Sensitive: important to the business and could cause embarrassment or loss of market share if revealed
– Classified: requires utmost security; disclosure could severely impact the organization
• Personnel information security clearances
– On a need-to-know basis

Threat Identification
• Conduct a threat assessment
– Which threats present a danger to the organization’s assets in the given environment?
– Which threats represent the most danger to the organization’s information?
– Which threats would cost the most to recover from if there was an attack?
– Which threats require the greatest expenditure to prevent?

Vulnerability Identification
• Review each asset and each threat it faces
– Create a list of vulnerabilities
• Examine how each threat could be perpetrated
• List the organization’s assets and their vulnerabilities
• Notes
– A threat may yield multiple vulnerabilities
– People with diverse backgrounds should participate

Risk Assessment
• Process of assigning a risk rating or score to each information asset
• Goal
– Determine the relative risk of each vulnerability using various factors
• Likelihood
– Probability that a specific vulnerability will be successfully attacked
– Many asset/vulnerability combinations have external references for likelihood values

Valuation of Information Assets
• Assign weighted scores for the value to the organization of each information asset
• Re-ask the questions described in the “Threat Identification” section
– Which of these questions is most important to the protection of the organization’s information?
• Examine how current controls can reduce the risk faced by specific vulnerabilities
• Impossible to know everything about each vulnerability

Risk Determination
• Risk = (likelihood of vulnerability × value) – percent of risk currently controlled + uncertainty of assumptions
• Residual risk
– Remaining risk after controls are applied

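A worked version of the weighted factor analysis (slide 25), the risk formula above and the residual-risk bullet, as an added example that is not part of the slides. Factor names, weights and every sample value are constructed, and the code assumes, as the formula leaves open, that the "percent controlled" and "uncertainty" terms are percentages of the likelihood × value product.

```python
"""Added example (not from the slides): weighted factor analysis for asset
valuation, then the risk formula applied per vulnerability and the results
ranked. Factor names, weights and every sample value are constructed."""
from dataclasses import dataclass

# Critical factors with weights from 1 to 100, chosen to sum to 100 so that an
# asset scoring 1.0 on every factor has a weighted value of 100
FACTOR_WEIGHTS = {"revenue": 30, "profitability": 40, "public_image": 30}


def weighted_asset_value(scores, weights=FACTOR_WEIGHTS):
    """Weighted factor analysis: each factor is scored 0.1..1.0 and the asset
    value is the sum of weight * score over all factors."""
    if set(scores) != set(weights):
        raise ValueError("every critical factor needs exactly one score")
    for factor, score in scores.items():
        if not 0.1 <= score <= 1.0:
            raise ValueError(f"{factor}: score {score} is outside 0.1..1.0")
    return sum(weights[f] * s for f, s in scores.items())


@dataclass
class Vulnerability:
    name: str
    likelihood: float      # 0.1 (rare) .. 1.0 (near certain) successful attack
    pct_controlled: float  # fraction of the risk current controls already remove
    uncertainty: float     # 1 - confidence in the likelihood and value estimates


def risk_rating(asset_value, v):
    """Risk = (likelihood x value) - percent controlled + uncertainty.
    Assumption: both percentages are taken of the likelihood x value product."""
    base = v.likelihood * asset_value
    return base - base * v.pct_controlled + base * v.uncertainty


def residual_risk(asset_value, v):
    """Risk that remains after the current controls, before uncertainty."""
    base = v.likelihood * asset_value
    return base - base * v.pct_controlled


def rank_risks(assets):
    """assets: {name: (factor_scores, [Vulnerability, ...])}.
    Returns (asset, vulnerability, rating) triples, highest rating first."""
    rows = []
    for asset, (scores, vulns) in assets.items():
        value = weighted_asset_value(scores)
        rows += [(asset, v.name, round(risk_rating(value, v), 2)) for v in vulns]
    return sorted(rows, key=lambda row: row[2], reverse=True)


# Constructed inventory: a crown-jewel asset with partly controlled weaknesses
# and a low-value asset with a near-certain, uncontrolled one
SAMPLE_ASSETS = {
    "customer_db": ({"revenue": 1.0, "profitability": 1.0, "public_image": 1.0},
                    [Vulnerability("unpatched_dbms", 0.5, 0.5, 0.2),
                     Vulnerability("weak_admin_password", 0.1, 0.0, 0.2)]),
    "intranet_wiki": ({"revenue": 0.2, "profitability": 0.3, "public_image": 0.5},
                      [Vulnerability("stale_accounts", 1.0, 0.0, 0.1)]),
}
```

Ranking the constructed inventory puts the low-value wiki's uncontrolled, near-certain vulnerability (36.3) above the crown-jewel database's partly controlled one (35.0), which is the point of rating each asset/vulnerability pair rather than assets alone.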
Identify Possible Controls
• Controls, safeguards, and countermeasures
– Represent security mechanisms, policies, and procedures that reduce risk
• Three types of security policies
– Enterprise information security policy
– Issue-specific policies
– Systems-specific policies
• Programs
– Activities performed within the organization to improve security

Risk Control Strategies
1. Defense approach (preferred approach)
– Attempts to prevent vulnerability exploitation
– Risk defense methods
• Defense through application of policy
• Defense through training and education programs
• Defense through technology application
– Usually requires technical solutions
– Eliminate asset exposure
• Attempt to reduce risk to an acceptable level
– Implement security controls and safeguards
• Deflect attacks to minimize the probability of a successful attack

Risk Control Strategies (cont.)
2. Transference
– Attempts to shift risk to other assets, processes, or organizations
• Rethink how services are offered
• Revise deployment models
• Outsource to other organizations
• Purchase insurance
• Implement service contracts with providers

Risk Control Strategies (cont.)
3. Mitigation
– Attempts to reduce the impact caused by vulnerability exploitation
• Through planning and preparation
– Includes contingency planning
• Business impact analysis
• Incident response plan
• Disaster recovery plan
• Business continuity plan
– Requires quick attack detection and response
– Relies on the existence and quality of the other plans

Risk Control Strategies (cont.)
4. Acceptance
– Do nothing to protect an information asset
• Accept the outcome of its potential exploitation
– Only valid when the organization has:
• Determined the level of risk
• Assessed the probability of attack
• Estimated the potential damage that could occur
• Performed a thorough cost-benefit analysis
• Evaluated controls
• Decided the asset did not justify the cost of protection

Risk Control Strategies (cont.)
5. Termination
– Difference from acceptance
• Remove the asset from the environment representing risk
– Two main reasons
• Cost of protecting an asset outweighs its value
• Too difficult or expensive to protect the asset compared to the value or advantage it offers
– Termination must be a conscious business decision
• Not simple asset abandonment

Contingency Planning and Its Components
• Contingency plan
– Used to anticipate, react to, and recover from threatening events
– Restores the organization to normal modes of business operations
• Four subordinate functions
– Business impact assessment (BIA)
– Incident response planning (IRP)
– Disaster recovery planning (DRP)
– Business continuity planning (BCP)

Business Impact Analysis
• Business impact analysis (BIA)
– Investigation and assessment of the impact of attacks
– Adds detail to the prioritized threat and vulnerability list created in the risk management process
– Provides detailed scenarios of the potential impact of each type of attack

Incident Response Plan
• Incident
– Any clearly identified attack on assets
• Incident response plan (IRP)
– Deals with the identification, classification, response, and recovery from an incident
– Assesses the likelihood of imminent damage
– Informs key decision makers
– Enables the organization to take coordinated action

Disaster Recovery Plan
• Preparation for and recovery from natural or man-made disaster
• Includes:
– Preparations for the recovery process
– Strategies to limit losses during the disaster
– Detailed steps to follow after the immediate danger
• Focus
– Preparation before the incident
– Actions taken after the incident

BCP and BRP
• Business continuity plan (BCP)
– Expresses how to ensure critical business functions continue at an alternate location
• After a catastrophic incident or disaster
– Used when the DRP cannot restore primary site operations
– Most strategic and long-term plan
• Business resumption plan (BRP)
– Emerging new concept in contingency planning
– Merges the DRP and BCP into a single process

Contingency Planning Timeline
• Steps in contingency planning
– IR plan focuses on immediate response
• May move to DRP and BCP if disastrous
– DR plan focuses on restoring systems at the original site
– BC runs concurrently with the DRP
• When major or long-term damage occurs
– IRP, DRP, and BCP distinction
• When each comes into play during the incident

Role of Information Security Policy in Developing Contingency Plans
• Policy needs to enforce information protection requirements
– Before, during, and after an incident
• Quality security programs
– Begin and end with policy
• Information security
– A management problem
• Difficulties in shaping policy
– Must never conflict with laws
– Must stand up in court if challenged
– Must be properly administered

Key Policy Definitions
• Policy
– Plan or course of action
• Conveys instructions from senior management to those who make decisions, take action, and perform duties
– Organizational law
• Dictates acceptable and unacceptable behavior
• Defines penalties for violations
• Standard
– Detailed statement of what must be done to comply
• De facto standard (informal standard)
• De jure standard (formal standard)

Key Policy Definitions (cont.)
• Mission
– Written statement of an organization’s purpose
• Vision
– Written statement about an organization’s goals
• Strategic planning
– Process of moving the organization toward its vision
• Information security policy
– Provides rules for protecting information assets
• Enterprise information security policy (EISP)
• Issue-specific security policy (ISSP)
• Systems-specific security policy (SysSP)

Enterprise Information Security Policy
• Enterprise information security policy (EISP)
– Based on and directly supports the mission, vision, and direction of the organization
– Executive-level
– Sets strategic direction, scope, and tone for all security efforts
• Contains requirements to be met
• Defines purpose, scope, constraints, and applicability
• Assigns responsibilities
– Addresses legal compliance

Issue-Specific Security Policy
• Issue-specific security policy (ISSP)
– Addresses specific areas of technology
• Three common approaches to creating ISSPs
– Independent ISSP documents, each tailored to a specific issue
– A single comprehensive ISSP document covering all issues
– Modular ISSP document that unifies policy creation and administration while maintaining each specific issue’s requirements

Systems-Specific Policy
• Systems-specific security policies (SysSPs)
– Standards and procedures used when configuring or maintaining systems
– Access control lists (ACLs)
• Govern the rights and privileges of particular users to particular systems
– Configuration rules
• Specific configuration codes entered into security systems

Systems-Specific Policy (cont.)
• ACL policies
– Translated into configuration sets
• Controls access to systems
– Regulate the who, what, when, and where of access
– ACL rules
• Known as capability tables, user profiles, user policies
• Specify what a user can and cannot do with resources
• Rule policies
– More specific than ACLs
– May or may not deal with users directly

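An added example (not from the slides or any product) of the two systems-specific policy forms above: an ACL policy written as configuration rules that regulate the who, what, when and where of access, evaluated deny-by-default, and the capability table derived for one user. All user names, groups, networks and hours are constructed, and the rule that an explicit deny overrides any allow is an assumption of this example.

```python
"""Added example (not from the slides): a systems-specific ACL policy written
as configuration rules, an evaluator that checks the who, what, when and where
of each request, and the capability table derived for a user. All user names,
groups, networks and hours are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class AclRule:
    subject: str        # who: a user or group name
    resource: str       # what: the system or resource being accessed
    actions: frozenset  # what may be done, e.g. {"read", "write"}
    hours: tuple        # when: (start_hour, end_hour), 24h clock, end exclusive
    networks: tuple     # where: CIDR strings the request may originate from
    allow: bool = True  # assumption: an explicit deny overrides any allow


# Constructed rule set: contractors never touch payroll; HR may write payroll
# only in office hours from the office network, and read it at any hour.
ACL = (
    AclRule("contractors", "payroll_db", frozenset({"read", "write"}), (0, 24),
            ("0.0.0.0/0",), allow=False),
    AclRule("hr_staff", "payroll_db", frozenset({"read", "write"}), (8, 18),
            ("10.1.0.0/16",)),
    AclRule("hr_staff", "payroll_db", frozenset({"read"}), (0, 24), ("10.1.0.0/16",)),
    AclRule("all_staff", "intranet_wiki", frozenset({"read"}), (0, 24), ("10.0.0.0/8",)),
)
# Constructed group membership; unknown users belong to no group
GROUPS = {"alice": {"hr_staff", "all_staff"},
          "bob": {"contractors", "hr_staff", "all_staff"}}


def _matches(rule, user, resource, action, hour, source_ip):
    """True when every one of who/what/when/where fits this rule."""
    if rule.subject != user and rule.subject not in GROUPS.get(user, set()):
        return False
    if rule.resource != resource or action not in rule.actions:
        return False
    if not rule.hours[0] <= hour < rule.hours[1]:
        return False
    return any(ip_address(source_ip) in ip_network(net) for net in rule.networks)


def is_allowed(user, resource, action, hour, source_ip, acl=ACL):
    """Deny by default: an explicit deny wins; otherwise any matching allow grants."""
    hits = [r for r in acl if _matches(r, user, resource, action, hour, source_ip)]
    return bool(hits) and all(r.allow for r in hits)


def capability_table(user, hour, source_ip, acl=ACL):
    """The user's capability table: what they can do with each resource now."""
    table = {}
    for rule in acl:
        for action in rule.actions:
            if is_allowed(user, rule.resource, action, hour, source_ip, acl):
                table.setdefault(rule.resource, set()).add(action)
    return table
```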
Policy Management
• Policies
– Constantly changing and growing
– Must be properly disseminated
– Security policies must have the following
• Individual responsible for creation, revision, distribution, and storage
• Schedule of reviews
• Mechanism for recommendations for revisions
• Policy/revision date; possibly a “sunset” expiration date
• Policy management software (optional)