Need of Enterprise-Wide Information Assurance Planning, COEN 250, Fall 2007, T. Schwarz, S.J.

Posted 20-Dec-2015

Page 1

Need of Enterprise-Wide Information Assurance Planning

COEN 250, Fall 2007, T. Schwarz, S.J.

Page 2

First Perspective: Reactive / Intruder Based

Long-term attack trends:
- The amount of time for new attacks to emerge is declining
  - Melissa (1999) took days to spread
  - Love Letter (2000), Code Red (2001), Nimda (2001): hours
  - Slammer (2003), Blaster (2003): minutes

Page 3

First Perspective: Reactive / Intruder Based

[Chart: CERT Cataloged Vulnerabilities per year, 1995 to 2006; vertical axis 0 to 9000]

Page 4

First Perspective: Reactive / Intruder Based

Page 5

First Perspective: Reactive / Intruder Based

Long-term attack trends:
- Increase in the number of detected vulnerabilities
- Increased sophistication of attackers

Page 6

First Perspective: Reactive / Intruder Based

Reactive Security
- Patch systems after a vulnerability arises
- Only feasible if:
  - attacks are rare
  - ample warning is given
  - patches can be simply installed

Page 7

Second Perspective: Holistic Security

- Security is hard to measure
- Absence of incidents can be the result of:
  - good security
  - inability to see incidents
- No accepted metrics for characterizing security

Page 8

Second Perspective: Holistic Security

- Security is expensive:
  - added costs
  - diminished performance
  - inconvenience
- Benefits of security are cost avoidance
- Question: Was Y2K just hype, or did the effort pay off?

Page 9

Second Perspective: Holistic Security

- Security incidents are not the main cause of system unavailability ("Who Needs Hackers?", NY Times, 9/12/07)
- Complex systems break, causing spectacular failures:
  - Customs computer failure, LAX, August 2007
  - Skype restart login deluge on MS patch day, August 16, 2007
- IDC 2001 Downtime Analysis:
  - Malicious events: 3%
  - Environmental issues: 19%
  - Operator and application errors: 78%

Page 10

Second Perspective: Holistic Security

Organizations need a framework, model, yardstick, roadmap … to:
- place and measure themselves (current state)
- compare with others (future state) to decide their desired security state or condition
- improvement approaches and a path to reach their desired state
- a coherent, organized community of practitioners and artifacts to help guide their work

Page 11

Second Perspective: Holistic Security

Current / pending legislation affecting organizational infrastructure management and protection of information:
- Family Educational Rights Privacy Amendment
- Federal Information Systems Management Act
- Health Insurance Portability and Accountability Act
- Gramm-Leach-Bliley Act (financial institutions)
- Sarbanes-Oxley (publicly traded institutions)
- Child Online Privacy Protection Act
- Basel II Capital Accord (financial institutions)
- California's Database Security Breach Notification Act

Page 12

Second Perspective: Holistic Security

Vulnerability Management
- Reactive
- Tool driven
- Focused on technology
- Localized decision making, unconnected to business drivers
- Vulnerabilities change daily

Risk Management
- A link to business drivers
- Focus on critical assets and threats to assets
- Risk identification and prioritization based on threats to assets, vulnerabilities, and impacts

Enterprise Security Management
- Select, execute, and improve activities to reliably achieve and sustain a desired security state
- Focused on root causes, NOT on symptoms
- Encompasses all organizational practices relevant to security

[Diagram: Vulnerability Management, Risk Management and ESM plotted against Time / Complexity (horizontal axis) and Security (vertical axis), rising toward the Desired State]

Page 13

Second Perspective: Holistic Security

www.cert.org/octave
- Operationally Critical Threat, Asset, and Vulnerability Evaluation
- Focuses on organizational risks and strategy

Federal Agencies

Page 14

Information Security Governance

Federal information security practices are governed by laws, regulations, and directives:
- U.S. Congress
- Office of Management and Budget (OMB)
- Standards and implementation guidelines through the National Institute of Standards and Technology
- Government Accountability Office (GAO)

Page 15

Information Security Governance

Federal Agency Governance Requirements
- Government Performance and Results Act (GPRA), 1993
- Paperwork Reduction Act (PRA) of 1995
- Federal Financial Management Improvement Act (FFMIA) of 1996
- Federal Managers Financial Integrity Act (FMFIA) of 1982
- Clinger-Cohen Act of 1996
  - Disciplined capital planning and investment control to acquire, use, maintain, and dispose of IT resources
  - Establishes the role of the Chief Information Officer (CIO)
- E-Government Act of 2002
- Federal Information Security Management (FISMA) Act
- OMB Circular A-130, Management of Federal Information Resources, Appendix III, Security of Federal Automated Information Resources
- Homeland Security Presidential Directive 12 (HSPD-12)

Page 16

Information Security Governance

Key Legislative, Regulatory, and Oversight Roles

Page 17

Information Security Governance Components

Agencies need to integrate INFOSEC with overall agency structure and activities:
- strategic planning
- organization design and development
- establishment of roles and responsibilities
- integration with enterprise architecture
- documentation of security objectives in policies and guidance

Page 18

Information Security Governance Components

Page 19

INFOSEC Strategic Planning

GPRA (Government Performance and Results Act) requires federal agencies to:
- prepare a strategic plan for program activities
- prepare an annual performance plan covering each program activity set forth in the budget of such agency

The INFOSEC strategy should be integrated and provide:
- a clear and comprehensive mission, vision, goals, and objectives, and how they relate to the agency mission;
- a high-level plan for achieving information security goals and objectives, including short- and mid-term objectives and performance targets specific for each goal and objective, used throughout the life of this plan to manage progress toward successfully fulfilling the identified objectives; and
- performance measures to continuously monitor accomplishment of identified goals and objectives and their progress toward stated targets.

Page 20

Information Security Governance Structures
- Centralized
- Decentralized

Page 21

Security Activities within the Systems Design Life Cycle

Initiation Phase
- Needs Determination
  - Security Categorization (NIST SP 800-60, FIPS 199)
  - Initial description of the basic security needs of the system
  - Threat environment determination

Page 22

Security Activities within the Systems Design Life Cycle

Development / Acquisition Phase
- In-depth study of need
- Develop / incorporate security requirements into specifications
- Analyze functional requirements, including security functional requirements
- Conduct formal risk assessment

Page 23

Security Activities within the Systems Design Life Cycle

Development / Acquisition Phase
- Determine costs of information security over the life cycle of the system
- Security Planning
  - Document agreed-upon security controls
  - Develop system security plan
  - Develop necessary documentation
  - Develop awareness and training requirements
- Security Control Development
- Security Tests and Evaluation

Page 24

Security Activities within the Systems Design Life Cycle

Implementation Phase
- Security Test and Evaluation
  - Develop test data
  - Test unit, subsystem, and entire system
  - Ensure system undergoes technical evaluation
- Inspection and Acceptance
- System Integration / Installation
- Security Certification

Page 25

Security Activities within the Systems Design Life Cycle

System Implementation
- Security Accreditation
  - Authorization granted by a senior organization official
  - Based on verified effectiveness of security controls

Page 26

Security Activities within the Systems Design Life Cycle

Operations / Maintenance Phase
- Configuration Management and Control
  - Adequate consideration of potential security impacts due to changes to the system or environment
  - Develop Configuration Management Plan
    - Establish baselines
    - Identify configuration
    - Describe configuration control process
    - Identify schedule for configuration audits

Page 27

Security Activities within the Systems Design Life Cycle

Continuous Monitoring
- Monitor security controls
- Perform security audits or other assessments
  - automated tools
  - internal control audits
  - security checklists
  - penetration testing
- Monitor system and/or users
  - review system logs
  - review change management
  - monitor external sources
  - perform periodic reaccreditation
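The configuration management activities of Page 26 (establish a baseline, describe the control process, schedule configuration audits) and the continuous monitoring activities of Page 27 (automated tools, review change management) come together in a configuration audit: compare the system as found against the approved baseline, tie every deviation back to an approved change record, and check that the audit itself is being run on schedule. The following Python is an added example of that audit logic; it is not code from the slides or from any framework they cite. The file paths, file contents, change ticket ids and audit dates are all constructed sample data.

```python
"""Configuration baseline audit (added example; constructed sample data)."""
import hashlib
from datetime import date, timedelta


def sha256_hex(data: bytes) -> str:
    """Content fingerprint used for the baseline and for the audit snapshot."""
    return hashlib.sha256(data).hexdigest()


# Constructed approved configuration. In practice the baseline is recorded
# when it is established and kept under change control; only the hashes
# need to be stored, not the contents.
APPROVED_CONTENT = {
    "/etc/ssh/sshd_config": b"PermitRootLogin no\nPasswordAuthentication no\n",
    "/etc/sudoers": b"root ALL=(ALL) ALL\n%admin ALL=(ALL) ALL\n",
    "/etc/pam.d/common-auth": b"auth required pam_unix.so\n",
}
BASELINE = {path: sha256_hex(content) for path, content in APPROVED_CONTENT.items()}

# Constructed snapshot of the system as found during an audit: one file
# changed, one file missing, one file present that the baseline does not list.
CURRENT_STATE = {
    "/etc/ssh/sshd_config": b"PermitRootLogin yes\nPasswordAuthentication no\n",
    "/etc/sudoers": b"root ALL=(ALL) ALL\n%admin ALL=(ALL) ALL\n",
    "/etc/cron.d/backup": b"0 2 * * * root /usr/local/bin/backup.sh\n",
}


def audit_configuration(baseline: dict, current: dict) -> dict:
    """Compare a snapshot (path -> bytes) with the baseline (path -> sha256).

    Returns sorted lists of changed, missing and unexpected paths. A missing
    file is reported as a deviation just like a changed one, since removing
    a control (here the PAM rule) is a security-relevant change.
    """
    current_hashes = {p: sha256_hex(c) for p, c in current.items()}
    changed = sorted(p for p in baseline
                     if p in current_hashes and current_hashes[p] != baseline[p])
    missing = sorted(p for p in baseline if p not in current_hashes)
    unexpected = sorted(p for p in current_hashes if p not in baseline)
    return {"changed": changed, "missing": missing, "unexpected": unexpected}


def deviations_without_change_record(findings: dict, change_records: dict) -> list:
    """Change-control cross-check (Page 27, 'review change management').

    change_records maps a path to the approved change ticket that covers it.
    Every deviation from baseline must have one; anything else is an
    unauthorized change and goes to the incident process, not to the baseline.
    """
    all_paths = findings["changed"] + findings["missing"] + findings["unexpected"]
    return sorted(p for p in all_paths if p not in change_records)


def audit_is_overdue(last_audit_iso: str, today_iso: str, interval_days: int) -> bool:
    """Schedule check for the configuration audit itself (Page 26)."""
    last_audit = date.fromisoformat(last_audit_iso)
    today = date.fromisoformat(today_iso)
    return today > last_audit + timedelta(days=interval_days)


if __name__ == "__main__":
    findings = audit_configuration(BASELINE, CURRENT_STATE)
    # Constructed change-control records: only the cron job was approved
    # (ticket id is a placeholder).
    approved = {"/etc/cron.d/backup": "CHG-0001"}
    for kind, paths in findings.items():
        for p in paths:
            print(f"{kind}: {p}")
    for p in deviations_without_change_record(findings, approved):
        print(f"unauthorized deviation (no change record): {p}")
    if audit_is_overdue("2007-09-01", "2007-12-15", 90):
        print("configuration audit overdue")
```

Run against the constructed data, the audit reports sshd_config as changed, the PAM file as missing and the cron job as unexpected; only the cron job has a change record, so the other two are flagged as unauthorized deviations, and a 90-day audit interval last met on 1 September is overdue by mid-December. The same structure applies unchanged to a baseline of package versions, registry values or firewall rules, as long as each item has a stable identifier and a content fingerprint.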

Page 28

Security Activities within the Systems Design Life Cycle

Disposal Phase
- Information Preservation
  - Determine whether to archive, discard, or destroy information
  - Based on legal requirements / federal records requirements
  - Beware of obsolete technology
  - Ensure long-term storage of cryptographic keys for encrypted data
- Media Sanitization
- Hardware and Software Disposal