security management (risk analysis, legals)
5MMSSI - Information Systems Security
2 - security management (risk analysis, legals)
Fabien Duchene, Karim Hossen
Laboratoire d'Informatique de Grenoble, VASCO team
Grenoble Institute of Technology - Grenoble INP Ensimag
2011-2012
Fabien Duchene, Karim Hossen (LIG)
5MMSSI-2-security management (risk analysis, legals)
1/53
2011-2012
1 / 53
Outline
1 Risk
  Analyzing/assessing risk
  Security risk methodologies and norms
  Mitigating risk
  Security management principles
2 Legals and ethics
  Legals
  Vulnerability disclosure
3 Certification
4 Conceive, Develop, and Integrate secured software
Objectives
CISO stakes and duties
perform a risk analysis on a case study
legal issues regarding information security
systems certification
security management principles
how to integrate security in the SDLC?
OSA metamodel
Relationships between business processes, IT security, risk...
Building a security policy
A cyclic process:
Audit / assess
  assets identification
  security objectives/goals/properties on those assets
  threats identification
  pen-testing
  risk assessment
  incident detection
Procedures: continuity, recovery ("PCA", "PRA")
  drafting
  training
Security policy
  drafting
  implementation
... loop ...
Risk
Risk I
1
what is
what should we do about it?
Risk II
Why?
FACTS [(Microsoft) 2011]: no corporation will
  implement security counter-measures out of pure pleasure
  provide YOU an unlimited budget to implement security counter-measures
Knowing this:
  where to start? how to prioritize? [It is About Risks, Not Weaknesses] [OWASP Top 10 Application Security Risks - 2010]
  on which to act?
  how much to invest?
  how to proceed?
Risk management 1
1 [Top 10 application security risk] Top 10 application security risk
Analyzing/assessing risk
Risk assessment
No single methodology
Some risk assessment methods are oriented from a business management perspective (eg: OCTAVE)
However, common questions do arise (they are the steps detailed on the next slides):
  Which assets do we want to protect?
  ... against which threats?
  If a threat has to happen, what will be the impact (in other words, how critical are the properties we want to ensure on those assets)?
  Which vulnerabilities could be exploited by attackers?
  Who are the potential threat agents?
  In order to handle the risk, which counter-measures could we use?
Fabien Duchene, Karim Hossen (LIG)
5MMSSI-2-security management (risk analysis, legals)
8/53
2011-2012
8 / 53
Risk
Analyzing/assessing risk
A proposed risk assessment method (focusing on information security threats) I
1. Identify assets, and their values (examples)
  hardware: computers, laptops, servers
  people: highly skilled ones
  data: customers' PII, source code for software editors...
A proposed risk assessment method (focusing on information security threats) II
2. Identify threats and threat agents (examples) [OWASP Risk Rating Methodology]
Threats:
  human errors
  physical intrusion inside the building
  major disaster (eg: nuclear plant, war, tornado, floods...)
  electronic intrusion
  supplier QoS lower than expected (eg: cloud)
  obsolescence
  spying
Threat agents:
  developers, administrators
  intranet users
  authenticated users
  anonymous internet users
  partners
A proposed risk assessment method (focusing on information security threats) III
[Schneier 2011] three emerging threats:
  "the Rise of Big Data": without consumer awareness, powerful industry
  "Ill Conceived Regulations": Internet kill switches, anonymity elimination
  "proliferation of cyber-weapons": by accident, wrong hands, hard traceability, cost
A proposed risk assessment method (focusing on information security threats) IV
3. How critical is that asset? What would be the impact / cost? [OWASP Risk Rating Methodology]
Business impact:
  financial loss
  business reputation
  life loss
  non compliance
  privacy violation
Technical impact:
  confidentiality
  integrity
  availability
  accountability
A proposed risk assessment method (focusing on information security threats) V
4. Identify vulnerabilities that could be exploited. And how easy is it to exploit them? (= "likelihood")
  wait for a system administrator ("sysadmin") to go to his car, threaten him (eg: regarding his family) if he does not give the password
  we have redundant internet connectivity, however we use the very same tubes (cable connectivity)
  [What Microsoft's online outage says about its cloud strategy 2011] (emails delayed for up to 9 hours, unavailability of web email, push email... for up to 3 hours)
  fake wireless access point: what if attackers do come from the sky? [Theodore Reed 2011]
A proposed risk assessment method (focusing on information security threats) VI
Likelihood
  threat agent factors: skill level, motive, opportunity, size
  vulnerability factors: ease of discovery, ease of exploit, awareness, intrusion detection
A proposed risk assessment method (focusing on information security threats) VII
5. How to qualify the risk?
Standard risk model: "Risk = likelihood * impact"
  quantitative: mathematical computation based on metrics; repeatable process, automated.
  qualitative: low budget or time frame; estimations, interviews of representative employee samples.
A proposed risk assessment method (focusing on information security threats) VIII
Quantitative risk assessment - calculus
For a given threat t, a proposed IT risk model [Security Assessment of Information Systems Standards, Methods and Tools - Ensimag - SCCI MSc]:
  Risk(t) = (P(t) * (1 - Pcm(t))) * C(t)
  C(t): incident cost - "SLE", Single Loss Expectancy
  P(t): probability of the threat happening
  Pcm(t): efficiency of the counter-measures (share of the occurrences they stop, between 0 and 1)
A proposed risk assessment method (focusing on information security threats) IX
6. Synthetic view of the risk R(t) associated to a given threat t
A proposed risk assessment method (focusing on information security threats) X
7. Which strategy will we use for managing that risk?
A given risk was identified. We can either:
  reduce it: ... for reducing the risk to an acceptable level
  transfer it: (eg: to an insurer or a contractor)
  accept it: being aware of the potential consequences
8. The overall IT risk
A synthesis of all the previously estimated risks related to the identified threats.
Exercise - Annual Loss Expectancy (2 min)
Your e-commerce website could be hacked. It is worth 100 000 EUR. The damages of such an attack are estimated at 60% (legal liability, confidential data corruption, lost business days...). 2
  What is the Single Loss Expectancy (SLE)? (how much money would you lose if a disaster had to happen?)
  According to the security defenses (counter-measures) you did set up, you consider that such a problem could happen once every two years. What is the Annualized Rate of Occurrence (ARO), in occurrences/year?
  What is the maximum amount (Annual Loss Expectancy (ALE)) you should spend each year to protect that asset?
2 [(Microsoft) 2011] UVSQ - MSc SeCReTS (Cryptographie et Sécurité Informatique) - UE SECR403 - Sécurité windows et sécurité web
Exercise 2 - Risk analysis (5 min)
"Any resemblance to actual persons, living or dead, is purely coincidental." ;)
A hacker group (10+ persons) wants to steal sensitive information (customer emails and passwords) from a famous video game company that runs several webservers. You are a security auditor of that company and are willing to perform a very brief risk analysis. You are aware that SQL injection is a common vulnerability within applications that perform operations on a database, and during the audit you discovered that there is no Intrusion Detection System.
  assets:
  threat:
  threat agents ... and factors:
  impact / cost:
  vulnerability ... and factors:
  risk:
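An added Python example (not from the slides, nor OWASP's own tooling) that applies the OWASP Risk Rating Methodology factors of steps 3, 4 and 5 to Exercise 2. It follows the OWASP scheme: every factor is scored 0-9, likelihood is the average of the threat-agent and vulnerability factors, impact the average of the business (or, failing that, technical) impact factors, each is bucketed LOW (< 3), MEDIUM (3 to < 6) or HIGH (>= 6), and the two levels are combined with OWASP's overall-severity matrix. The factor values given to the video-game scenario are constructed assumptions drawn from its wording (large anonymous group, high reward, well-known SQL injection, no IDS).

```python
"""OWASP Risk Rating Methodology, worked on Exercise 2 (added example).

Factors are scored 0-9 as in OWASP's tables; likelihood and impact are
averaged per group and bucketed into LOW / MEDIUM / HIGH, then combined
with the OWASP likelihood x impact matrix. Scores for the scenario are
constructed assumptions.
"""
from statistics import mean

LOW, MEDIUM, HIGH = "LOW", "MEDIUM", "HIGH"

# OWASP overall risk severity: SEVERITY[impact_level][likelihood_level]
SEVERITY = {
    HIGH:   {LOW: "Medium", MEDIUM: "High",   HIGH: "Critical"},
    MEDIUM: {LOW: "Low",    MEDIUM: "Medium", HIGH: "High"},
    LOW:    {LOW: "Note",   MEDIUM: "Low",    HIGH: "Medium"},
}

THREAT_AGENT_FACTORS = ("skill_level", "motive", "opportunity", "size")
VULNERABILITY_FACTORS = ("ease_of_discovery", "ease_of_exploit", "awareness", "intrusion_detection")
TECHNICAL_IMPACT_FACTORS = ("confidentiality", "integrity", "availability", "accountability")
BUSINESS_IMPACT_FACTORS = ("financial_damage", "reputation_damage", "non_compliance", "privacy_violation")


def bucket(score: float) -> str:
    """Map a 0-9 average onto the three OWASP levels."""
    if not 0 <= score <= 9:
        raise ValueError("factor scores are on a 0-9 scale")
    if score < 3:
        return LOW
    if score < 6:
        return MEDIUM
    return HIGH


def average(factors: dict, names: tuple) -> float:
    """Average of the named factors; refuse silently incomplete ratings."""
    missing = [n for n in names if n not in factors]
    if missing:
        raise KeyError(f"missing factor(s): {missing}")
    return mean([factors[n] for n in names])


def rate(threat_agent: dict, vulnerability: dict, impact: dict, business: bool = True) -> dict:
    """Likelihood, impact and overall severity for one threat/vulnerability pair.

    OWASP uses business impact when the business can quantify it and falls
    back to technical impact otherwise (business=False)."""
    likelihood = average({**threat_agent, **vulnerability},
                         THREAT_AGENT_FACTORS + VULNERABILITY_FACTORS)
    impact_score = average(impact, BUSINESS_IMPACT_FACTORS if business else TECHNICAL_IMPACT_FACTORS)
    lik, imp = bucket(likelihood), bucket(impact_score)
    return {"likelihood": likelihood, "likelihood_level": lik,
            "impact": impact_score, "impact_level": imp,
            "severity": SEVERITY[imp][lik]}


def exercise2() -> dict:
    """Exercise 2: 10+ anonymous attackers after customer emails/passwords,
    SQL injection on internet-facing webservers, no IDS. Constructed scores."""
    threat_agent = {"skill_level": 6,        # network and programming skills
                    "motive": 9,             # high reward: customer credentials
                    "opportunity": 9,        # webservers reachable from the internet
                    "size": 9}               # anonymous internet users, 10+ people
    vulnerability = {"ease_of_discovery": 7, # SQLi: easy to find with scanners
                     "ease_of_exploit": 5,   # easy
                     "awareness": 9,         # public knowledge
                     "intrusion_detection": 9}  # no IDS: not logged
    business = {"financial_damage": 7, "reputation_damage": 9,
                "non_compliance": 7, "privacy_violation": 9}
    technical = {"confidentiality": 9, "integrity": 3, "availability": 1, "accountability": 9}
    return {"business_view": rate(threat_agent, vulnerability, business),
            "technical_view": rate(threat_agent, vulnerability, technical, business=False)}


if __name__ == "__main__":
    for view, result in exercise2().items():
        print(view, result)
```

With these scores the likelihood averages 7.875 (HIGH) and the business impact 8 (HIGH), so the overall severity is Critical; rated on technical impact alone (5.5, MEDIUM) it drops to High, which is why OWASP prefers the business figures whenever the company can supply them.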
Security risk methodologies and norms
Some security risk methodologies I
France:
  MEHARI [MEHARI - "MEthode Harmonisée d'Analyse de RIsques"] (CLUSIF)
  EBIOS [EBIOS - "Expression des besoins et identification des objectifs de sécurité"] (ANSSI)
USA:
  OCTAVE [OCTAVE-S] (CERT, Carnegie Mellon Software Engineering Institute)
Some security risk norms I
ISO/IEC 2700x
  27001: "specification document": requirements for an Information Security Management System (ISMS); the standard an organisation is certified against
  27002: "code of practice": a catalogue of concrete security controls (counter-measures)
  27003: "implementation guidance" for an ISMS
  27004: "metrics, measurement"
  27005: "information security risk management"
  27006: requirements for the bodies that audit and certify an ISMS
  27007: guidelines for auditing an ISMS (business continuity is not 27007; ICT readiness for business continuity is ISO/IEC 27031)
Mitigating risk
PCA, PRA
Business Continuity Planning: "Plan de Continuité d'Activité" (PCA)
  "identify exposure to threats, hard and soft assets"
  "permit " [Just waiting for the next big bang: business continuity planning in the UK finance sector.]
Disaster Recovery Planning: "Plan de Reprise d'Activité" (PRA) [Disaster Recovery Plan]
Risk analysis conclusion
relatively simple methodology ..
a key factor:
dynamic:
data: in a dynamic environment ; both do evolve
.. so do vulnerabilities!
Security management principles
Attack on users: social engineering I
"Social engineering is essentially " 3
Some social-engineering techniques:
  profiling (eg: thanks to social networks, publicly visible information) [Symantec 2011]
  Money, Ideology, Coercion, Ego, Personal relation [Identification et exploitation des failles humaines par les "prédateurs informationnels" : un risque sous-estimé par les entreprises ?]
Attack on users: social engineering II
Security clearance
  ability to . investigation (family, friends, habits)
  required for accessing some confidential information that the person "needs to know"
  eg (France): "Confidentiel Défense" (lasts 10 years), "Secret Défense" (investigation: 6-9 months, lasts 7 years), "Très Secret Défense"
  information disclosure: professional fault, criminal offense
3 [Goodchild 2010] Social Engineering: The Basics
User education I
High profile: eg. the Chief Executive Officer "feeds you" but:
  bypasses the security directives (eg: screen lock, smart card..)
  has access to the most sensitive/valuable information
Chief Information Officer:
IT teams:
  architects: conceived the systems, know their weaknesses
  administrators: have "root" access to a lot of systems
  support: deal with end-users daily
End-Users: use the IT infrastructure daily 4
a CISO task:
4 [Kerouanton 2011] Be a smart CISO (HIP2k11)
Least privilege (POLA, "Principle Of Least Authority")
"Every program and every privileged user of the system should operate using the least amount of privilege necessary to complete the job." 5
Examples:
  you want to share a file with another student on ensibm.imag.fr, for him to be able to read it (+r): do not allow him to write to the file (+rw), or even execute it, if you do not need to.
  do not run your basic user programs (eg: web browser) with administrator privileges. In case of an exploitation, the attacker's code runs under that very same identity (eg: root, administrator).
5 [Protection and the Control of Information Sharing in Multics] Protection and the Control of Information Sharing in Multics
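To make the file-sharing example concrete, an added Python script (not from the slides) that grants a file exactly the read-only group access the scenario calls for and then audits a directory tree for files granting more than a chosen policy: the kind of check a sysadmin runs on a shared home directory. The policy `SHARE_READ_ONLY` (owner read/write, group read, nothing for others, i.e. mode 0o640) and the temporary tree the demo builds are constructed assumptions; the script uses only the standard library.

```python
"""Least privilege on a shared file system: grant only the bits the other
party needs, then audit for files that grant more (added example)."""
import os
import shutil
import stat
import tempfile
from typing import Dict, List

# Assumed policy for the slide's scenario: owner rw, group r, others nothing.
SHARE_READ_ONLY = stat.S_IRUSR | stat.S_IWUSR | stat.S_IRGRP   # 0o640

# Bits worth naming when they exceed the policy, in order of severity.
_RISKY = (
    (stat.S_ISUID, "setuid"),
    (stat.S_ISGID, "setgid"),
    (stat.S_IWOTH, "world-writable"),
    (stat.S_IWGRP, "group-writable"),
    (stat.S_IROTH, "world-readable"),
    (stat.S_IXGRP | stat.S_IXOTH, "executable by others"),
)


def excess_mode(actual_mode: int, needed_mode: int) -> int:
    """Permission bits present in actual_mode that needed_mode does not grant (0 = least privilege)."""
    return stat.S_IMODE(actual_mode) & ~needed_mode & 0o7777


def share_read_only(path: str) -> int:
    """Let the group read the file and nothing more; returns the mode actually set."""
    os.chmod(path, SHARE_READ_ONLY)
    return stat.S_IMODE(os.stat(path).st_mode)


def audit_tree(root: str, needed: int = SHARE_READ_ONLY) -> Dict[str, List[str]]:
    """Walk root and report, per regular file, every granted bit beyond `needed`.

    lstat is used so symlinks are not followed (their targets may live outside root)."""
    findings: Dict[str, List[str]] = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            mode = os.lstat(path).st_mode
            if not stat.S_ISREG(mode):
                continue                      # skip symlinks, sockets, devices
            extra = excess_mode(mode, needed)
            if extra:
                labels = [label for bit, label in _RISKY if extra & bit]
                findings[os.path.relpath(path, root)] = labels or [oct(extra)]
    return findings


def demo() -> Dict[str, List[str]]:
    """Constructed tree: one file shared correctly, one with the usual 'chmod 777' shortcut."""
    root = tempfile.mkdtemp(prefix="polp-")
    try:
        good = os.path.join(root, "report.txt")
        bad = os.path.join(root, "notes.txt")
        for p in (good, bad):
            with open(p, "w") as fh:
                fh.write("sample\n")
        share_read_only(good)
        os.chmod(bad, 0o777)                  # everyone may read, write and execute
        return audit_tree(root)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for rel, labels in demo().items():
        print(f"{rel}: {', '.join(labels)}")
```

`notes.txt` is reported as world-writable, group-writable, world-readable and executable by others, while `report.txt` is silent: the reader got `+r` and nothing else. Run the audit against a real shared directory with the policy that directory actually needs; a setuid bit or a world-writable file is a finding regardless of policy.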
Multi-culture
example: for a web application firewall, use two levels from different vendors, so that one product's flaw does not defeat both:
  vendor 1 (eg: Juniper)
  vendor 2 (eg: NetASQ)
Distrust by default (fr: "défiance")
Problem: increasing complexity of IT systems. Thus a minimal trust is sometimes required. In many protocols, only one entity among two has proven its identity.
  eg: within a Public Key Infrastructure, we do trust the Root CA
  in Kerberos, we trust the KDC
Defense in depth
Nice management
Competencies
  IT staff has to be able to use the software solutions: training, certifications
  solution experts have to be identified (eg: outsourcing, consulting)
Patch management
  change management: reports, risk analysis
  a recovery plan and a business continuity plan have to be ready
  major software companies have scheduled patch release dates: Microsoft (Adobe follows the same scheme); Apple lacks clear, predictable patching days
  unified patching systems: Secunia CSI [Corporate Security Inspector]
Legals and ethics
Legals
Legals in USA (extracts)
“And we’re all subject, in the US, to the Patriot Act, and it is possible
that that information could be made available to the authorities”, Eric
Schmidt, CEO Google (2009)
2001, George W Bush
2011, Obama signed a 4 year extension
(email, phone, medical, financial...)
Legals in France (extracts) I
Internet access
  : each provider has to ensure (authentication and log mgmt)
  authenticated (nomadisme, wifi-campus, eduroam)
  HADOPI: 2009, "motivated by content copyrights", identification by IP address, presumption of guilt
  LOPPSI 2:
    ISPs to block IP addresses at the simple request of the Ministry of the Interior
    person identification by their DNA
    police databases: allows cross-referencing several of them
    allows law enforcement to hack into computers on suspicion of hosting pedophile images
Legals in France (extracts) II
Reverse engineering (fr: rétro-ingénierie, rétro-conception): allowed for interoperability only. Express right required.
Employee private space (following the "Nikon" case):
  a "search warrant" (mandat de perquisition) is required to open an employee's locker
  listening to electronic communications (eg: email) requires a legal basis (eg: investigation), the employees' consent and a declaration to the CNIL
Legals in France (extracts) III
PII
  data transiting outside the EU has to be encrypted, and has to be stored within the EU (eg: Microsoft cloud services)
Vulnerability disclosure
Vulnerability disclosure I
Scenario: you found a new vulnerability in the latest major OS (eg: Windows 7, Android 2.3.4), and got a working "0-day exploit" (offensive security)
What are your options?
  Full vendor disclosure: report it to the vendor
    Microsoft: 0 euro (2011)
    Google: depends (2011) [Stable Channel Update]
  Hybrid: sell it to a vendor-neutral organization: 200 EUR [Zero Day Initiative]
  Underground market: $1M
  On your website: and make a mess within the world! 0 EUR + potential criminal penalties!
  Keep it to yourself: only close people will know you found it before the others. Fame is for the other guys! 0 EUR
Vulnerability disclosure II
Keep in mind
  new trend: "coordinated vulnerability disclosure" (Microsoft, July 2010) [Coordinated Vulnerability Disclosure]
  goal:
Ethics
  Consequences?
  Why do you work in Information Security? (beliefs, morals...)
In each country, a CERT:
  USA: http://www.cert.org
  France: http://www.certa.ssi.gouv.fr (ANSSI)
Certification
important: the scope of the certification (maybe only a subsystem)
Some certification norms:
  TCSEC
  Common Criteria
TCSEC
  USA, Department of Defense standard (the "Orange Book"), 1983, updated 1985; now replaced by the Common Criteria
  applies to complete systems (HW+SW)
  concepts: trusted computing base, security reference monitor
  describes implementation mechanisms: object reuse, audit, compartments
  4 security divisions:
    D: insecure or not evaluated
    C: able to ensure Discretionary Access Control
    B: ... Mandatory Access Control
    A: formally verified design, documented and shown to be effective
Common criteria I
  ISO/IEC 15408; 2005 revision
  initially European; now mutually recognized by Germany, Australia, New Zealand, Canada, USA, France, UK among others
  France: CESTI laboratories do evaluate products (eg: LEXSI, Sogeti-ESEC)
  certified products: http://www.commoncriteriaportal.org/products/
Common criteria II
7 Evaluation Assurance Levels (EAL)
  EAL1 .. EAL4: common systems, best practices. Most important commercial products are EAL4 certified: "methodically designed, tested and reviewed" (eg: Windows 7)
  EAL5: semi-formally designed and tested
  EAL6: semi-formally verified design and tested
  EAL7: formally verified design and tested
Conceive, Develop, and Integrate secured software
When and how to integrate security?
Different approaches, models for the software development lifecycle:
  V model
  Waterfall model
  Agile development
Integrating security into those models: Microsoft Security Development Lifecycle (SDL)
In too many projects...
  security is integrated during the validation and/or testing steps
  it is too late!
  the earlier in the process the better!
V model
overly simplified
the one you saw during the “projet GL” (Software Engineering
project)
[V-model]
Agile development
2001, [AgileManifesto] [Agile software development methodology]
eg: eXtreme Programming (pair programming: 2 developers, 1 reviewing, 1 coding)
Microsoft Security Development Lifecycle (SDL)
Created by Microsoft
adapted for "traditional software development" (waterfall, V-model) and for Agile 6
6 [Security Development Lifecycle] Security Development Lifecycle
OWASP
Especially for web applications:
OWASP Secure Coding Practices [Secure Coding Practices]
Appendix
For Further Reading
CERT, Carnegie Mellon Software Engineering Institute. OCTAVE-S. https://www.cert.org/octave/osig.html.
Elliot D.; Swartz, E.; Herbane B. (1999). Just waiting for the next big bang: business continuity planning in the UK finance sector. Journal of Applied Management Studies, Vol. 8, pp. 43-60. Here: p. 48.
CLUSIF "Club de la Sécurité des Systèmes d'Information Français". MEHARI - "MEthode Harmonisée d'Analyse de RIsques". https://www.clusif.asso.fr/fr/production/mehari/.
Goodchild, Joan (2010). Social Engineering: The Basics. http://www.csoonline.com/article/514063/social-engineering-the-basics.
Google. Stable Channel Update. http://googlechromereleases.blogspot.com/2011/09/stable-channel-update_16.html.
Autreau, Florent (IMAG). Security Assessment of Information Systems Standards, Methods and Tools - Ensimag - SCCI MSc. https://intranet.ensimag.fr/KIOSK/Matieres/SCCISecurityAudit/.
Iwochewitsch, Michel. Identification et exploitation des failles humaines par les "prédateurs informationnels" : un risque sous-estimé par les entreprises ? SSTIC08. http://actes.sstic.org/SSTIC08/Identification_Exploitation_Failles_Humaines/SSTIC08-article-Iwochewitsch-Identification_Exploitation_Failles_Humaines.pdf.
Kerouanton, Bruno (2011). Be a smart CISO (HIP2k11). http://www.hackinparis.com/slides/hip2k11/03-BeASmartCiso.pdf.
Microsoft. Coordinated Vulnerability Disclosure. https://blogs.technet.com/b/msrc/archive/2011/04/19/coordinated-vulnerability-disclosure-from-philosophy-to-practice.aspx.
Microsoft. Security Development Lifecycle. http://www.microsoft.com/security/sdl/default.aspx.
Sauliere, Pascal (Microsoft) (2011). UVSQ - MSc SeCReTS (Cryptographie et Sécurité Informatique) - UE SECR403 - Sécurité windows et sécurité web. http://www.master-secrets.uvsq.fr/.
Saltzer, Jerome H. (MIT). Protection and the Control of Information Sharing in Multics. CACM 1974, volume 17, issue 7, page 389.
OWASP. It is About Risks, Not Weaknesses. https://www.owasp.org/index.php/Top_10_2010-Notes_About_Risk.
OWASP. OWASP Risk Rating Methodology. https://www.owasp.org/index.php/OWASP_Risk_Rating_Methodology.
OWASP. OWASP Top 10 Application Security Risks - 2010. https://www.owasp.org/index.php/Top_10_2010-Main.
OWASP. Secure Coding Practices. https://www.owasp.org/index.php/OWASP_Secure_Coding_Practices__Quick_Reference_Guide.
OWASP. Top 10 application security risk. https://www.owasp.org/index.php/Top_10_2010-Main.
Schneier, Bruce (2011). Three Emerging Cyber Threats. https://www.schneier.com/blog/archives/2011/09/three_emerging.html.
Secunia. Corporate Security Inspector. https://secunia.com/vulnerability_scanning/.
Symantec (2011). Norton Cybercrime report 2011. http://www.symantec.com/about/news/resources/press_kits/detail.jsp?pkid=threat_report_16.
ANSSI "Agence Nationale de la Sécurité des Systèmes d'Information". EBIOS - "Expression des besoins et identification des objectifs de sécurité". http://www.ssi.gouv.fr/en/the-anssi/publications-109/methods-to-achieve-iss/ebios-2010-expression-of-needs-and-identification-of-security-objectives.html.
Reed, Theodore; Geis, Joseph; Dietrich, Sven (2011). SkyNET: a 3G-enabled mobile attack drone and stealth botmaster. https://db.usenix.org/events/woot11/tech/final_files/Reed.pdf.
TippingPoint. Zero Day Initiative. http://www.zerodayinitiative.com/.
What Microsoft's online outage says about its cloud strategy (2011). http://www.zdnet.com/blog/bott/what-microsofts-online-outage-says-about-its-cloud-strategy/3308.
Wikipedia. Agile software development methodology. https://secure.wikimedia.org/wikipedia/en/wiki/Agile_software_development.
Wikipedia. Disaster Recovery Plan. https://secure.wikimedia.org/wikipedia/en/wiki/Disaster_recovery_plan.
Wikipedia. V-model. https://secure.wikimedia.org/wikipedia/en/wiki/V-Model_%28software_development%29.