Business Informatics (Subject) / IT Risk Management (Lesson)

This lesson contains 118 flashcards

IT Risk Management Uni Koblenz

This lesson was created by Irec42.


  • Clark Wilson - basic idea - is about integrity - merges different policies for military and commercial use - mandatory commercial controls typically involve who gets to do that type of transaction rather than who sees what
  • Organization Security Model: Tactical - Shorter horizon than strategic - Lists initiatives and support mechanisms necessary to reach the strategic planning goals
  • Organization Security Model: Operational - Specific plans, goals and deadlines
  • Clark Wilson - Model - Users: modelled as active agents - Two types of objects: constrained data items (CDIs), unconstrained data items (UDIs) - Two types of transactions on CDIs: transformation procedures (TPs), integrity verification procedures (IVPs)
  • Why use Frameworks? - clarity of strategic direction - assurance to external parties - avoid gaps in security activity
  • Security Frameworks: Common Elements - Senior/Board level representation - Security policy - Staff awareness - Access Controls (Technical/Physical) - Risk based Analysis
  • Comparison of Models (Clark Wilson vs. Biba) - in the Biba model UDI to CDI conversion is performed by trusted subjects -- this is problematic for data entry functions - in the Clark Wilson model TPs are specified for particular users and functions -- Biba does not offer this level of granularity
  • Security Frameworks: Common Requirements - Incident response - Security configuration baseline - Monitoring and reporting - Disaster recovery - Managing third-party relationships - Information classification - Staff vetting - Change control - Continuous improvement
  • Security Programme Life-cycle - a cycle of four phases: Plan and organize -> Implement -> Operate and maintain -> Monitor and evaluate -> back to Plan and organize
  • Lattice Model (Universally Bounded Lattice) - classification levels combined with compartments, ordered by dominance - Top: TopSec (Nato, SIOP) - Next: TopSec (Nato), Sec (Nato, SIOP), TopSec (SIOP) - Next: TopSec (), Sec (Nato), Sec (SIOP) - Next: Sec () - Bottom: UnCL ()
  • Covert Channels - Basic idea - a path of communication that was not designed to be used for communication - an information flow that is not controlled by a security mechanism - can occur by allowing low-level subjects to see names, results of comparisons, etc. of high-level objects
  • Covert Channel - Example: Sender >>>> Storage area (e.g. disk, memory) >>>> Receiver
  • Covert Channels - Summary - Accept but analyse the capacity (how many bits/second can be leaked) - analyse the cost/benefit tradeoff (risk exists, limits known) - the non-inference model addresses covert channels by including state change into the information flow model
  • Trusted Computer System Evaluation Criteria Classification (TCSEC) 1. Verified protection - Verified Design 2. Mandatory protection - Security Domains - Structured Protection - Labelled Security 3. Discretionary protection - Controlled Access Protection - Discretionary Security Protection 4. Minimal protection
  • Common Criteria (CC) - International standard - idea: provides a framework for users to specify security functional and assurance requirements - CC provides assurance for computer security
  • Onion Model of Controls - concentric layers, from the outside in: Physical Controls, Technical Controls, Administrative Controls, Assets (at the core)
  • Onion Model of Controls: Administrative Controls - Risk Management - Screening of Staff - Policies - Procedures including change control - Guidelines - Standards - Security Education
  • Onion Model of Controls: Technical Controls - Configure infrastructure - Access Control mechanisms - Password and resource management - Security devices - Identification and authentication methods
  • Penetration Testing - Definition - Unauthorised intrusion into the domain of organisations or other users - Penetration Testing is a method of evaluating the security of computer systems or networks by simulating or emulating an attack from malicious sources
  • Onion Model of Controls: Physical Controls - Controlling people's access to facilities - Locking down computer systems - Environmental controls - Removing unnecessary devices
  • Penetration Testing - Types - physical access: to premises, buildings, restricted areas, ...; to devices, equipment, systems, ... - digital access: to systems, applications, web-sites, databases, networks, ... - observation: data traffic, messages, behaviour patterns, ...
  • Risk Categories - Equipment failure - Software failure - Human failure - Physical damage - Data loss - Data leak / misuse - Attacks
  • Attack sources - politically motivated attackers - criminals - organized crime - organizations that sell their services to companies and nations - national government agencies
  • Penetration Tester vs. Hacker (Methods & Tools) - Approval: Pen Tester is hired by Senior Management; Hacker has no approval - Background: Pen Tester is educated and skilled, acquired security insights legally; Hacker is self-trained and skilled, acquired security insights legally - Social Engineering: Pen Tester uses it to raise awareness; Hacker uses it for divulging sensitive information
  • Abstract Risk Model - a triangle with Assets at the top vertex and Threats and Vulnerabilities at the two base vertices; General Risk sits in the centre of the triangle
  • Penetration Testing vs. Vulnerability Assessment - Vulnerability Assessment: general scope and includes a large assessment; scheduled -> predictable to staff; can be unreliable (high rate of false positives); aims to provide debate among System Admins; Result: produces a report with mitigation guidelines & action items - Penetration Testing: focused in scope, possibly includes targeted attempts on specific vectors; only known to contractor -> unpredictable to staff; more accurate and reliable; aims to provide a proof of concept against vulnerabilities; Result: either there was a take-over of the system or not
  • Threat Analysis - Role: ensuring that risks are properly understood (where from / scale); providing the basis for risk assessment and management (qualification / quantification) - Factors: agent causing threat to the system; exploitable vulnerability within the system; impact of a successful attack; mitigating factors (countermeasures)
  • Threat Agents - Natural threats and accidents - Intentional threats - Factors: Motivation, Capability, Opportunity, Catalyst, Inhibitors, Amplifiers, System
  • Importance of Penetration Tests - Active pen-testing goes beyond security planning -- what are the vulnerabilities automatic scanners might be missing? -- are your users and system administrators actually following their own policies? - test systems with an outside view -- just what is in that building no one ever goes in? -- where are system weaknesses? - helps identify weaknesses that may be leveraged by insider threat or accidental exposure -- if the Pen-Tester can break into it, so could someone else - Raises security awareness -- e.g. IBM Clean Desk Policy - Provides Senior Management a realistic view of their security posture - great tool to advocate for more funding to mitigate flaws discovered
  • Penetration Testing Steps 1. Introduction and Objectives 2. Information gathering 3. Vulnerability analysis 4. Simulation (Penetrate the system to provide the proof) 5. Risk assessment 6. recommendations for reduction or recovery 7. providing report
  • penetration methods external port scanning network scanning email tracing web site testing & profiling social engineering dumpster diving further physical checks
  • Sequence of Threat Relationship - Threat Agent and Catalyst lead to Capability and Motivation, which together lead to Access; Access is shaped by Inhibitors and Amplifiers, which result in the Threat
  • Penetration Testing Tools - NMAP (Network Mapper): open-source network scanner used to discover hosts and services on a computer network - vulnerability scanners: Nessus (proprietary vulnerability scanner, enumerates vulnerabilities per device) - John the Ripper: offline, free password cracker - Medusa or Hydra: online password cracking
  • Annual Loss Expectancy ALE = Annual Rate of Occurrence (ARO) * Single Loss Expectancy (SLE)
  • Digital Forensics - Definition preservation, collection, validation, identification, analysis, interpretation, documentation and presentation of digital evidence
  • Digital Forensics - Purpose - Computer forensics uses technology to search for digital evidence of a crime - attempts to retrieve information even if it has been altered or erased so it can be used in the pursuit of an attacker or a criminal - incident response computer forensics
  • Risk Assessment Risk = threat * vulnerabilities * impact (asset value) 1. Identify Assets 2. Vulnerability Assessment 3. Threat Assessment 4. (actual) Risk Assessment 5. Define countermeasures
  • Risk Analysis Process 1. Identify assets and their value 2. Define threats and vulnerabilities 3. Combine information assigning risk & risk level 4. Define countermeasures 5. Mitigate risk to acceptable level
  • Forensics Steps - Acquisition: physically or remotely obtaining possession of the computer, all network mappings from the system, and external physical storage devices - Identification: identifying what data could be recovered and electronically retrieving it by running various Computer Forensics tools and software suites - Evaluation: evaluating the information / data recovered to determine if and how it could be used against the suspect for employment termination or prosecution in court - Presentation: presentation of evidence discovered in a manner which is understood by lawyers and non-technical staff/management, and suitable as evidence as determined by United States and internal laws
  • Risk Analysis Steps 1. Identify assets and their value 2. Estimate potential loss per threat 3. Perform threat analysis, calculate ARO 4. Derive the ALE per threat 5. Reduce, Transfer, avoid or accept the risk
  • Types of Digital Forensic - network investigation - cloud system investigation - software investigation - steganographic investigation -- digital imagery -- digital sound -- digital video -- encrypted or embedded content -- watermarking
  • Qualitative Analysis Based on a number of methods and mechanisms to help to express, visualize, structure and order risks using e.g.: - Scenarios of risk possibilities - Rank the seriousness of the threat - Validity of countermeasures Relies on judgement, best practices, intuition and experience
  • Digital Forensic Process 1. Explore data and files on systems in a planned and organized manner 2. Establish evidence custodian 3. Designate suspected equipment as "off-limits" to normal activity 4. Collect service logs 5. Capture external TCP and UDP port scans of the host 6. Contact security personnel management, criminal and legal investigators, as well as affected sites or persons
  • Quantitative Analysis - Attempt to assign meaningful numbers against risks, risk indicators and measures to protect and mitigate, e.g.: - Safeguard costs, effectiveness - Asset value - Business impact - Threat frequency, exploit probabilities, etc.
  • Security Engineering vs. Security Technology Security Engineering -engineering and building systems to remain dependable in the face of malicious and accidental challenges (e.g. through threat agents, mis-configuration, errors or natural disasters) Security Technologies -Technologies and methodologies that protect systems from malicious and accidental challenges
  • Asset (E)Valuation - Organizational Assets: hardware, software, data, applications, human, capital, etc. - Asset valuation questions - which information asset ... is most critical to the organization's success? ... generates the most revenue? ... would be most expensive to replace or protect? ... would be embarrassing or cause liability if revealed?
  • Security vs. Dependability - Dependability = reliability + security - Reliability: ensures that a system or method is performing as specified; ensures that a system or method is available within a given timeframe -> Reliability: "Bob will be able to read this file." - Security: ensures that the CIA (confidentiality, integrity, availability) is maintained -> Security: "The Chinese Government won't be able to read this file."
  • Incident Damage Classification - Negligible: No significant damage or cost - Minor: A non-negligible event with no significant material or financial impact on the business - Major: Impacts one or more departments and may impact outside clients - Crisis: Has a major material or financial impact on the business - Minor, Major and Crisis incidents should be tracked.
  • Security Design Lifecycle (SDL) - Phases - Pre-SDL Requirements: SDL Practice 1: Training - Phase One: Requirements: SDL Practice 2: Security Requirements; SDL Practice 3: Quality Gates / Bug Bars; SDL Practice 4: Security and Privacy Risk Assessment - Phase Two: Design: SDL Practice 5: Design Requirements; SDL Practice 6: Attack Surface Reduction; SDL Practice 7: Threat Modelling
  • Authentication Methods - Something I know: Password, PIN - Something I have: Keys, badges, smart cards, PUF - Something I am: Biometrics (fingerprint, retina) - Something I do: Biometrics (voice pattern, handwriting, typing rhythm)