Proactive Lifecycle Security Management
OWASP Minneapolis St Paul Local Chapter
February 16th, 2009
Survey
Which of the following is the responsibility of IT?
• System owner
• Data owner
• System custodian
• All of the above
True or False – The CIO/IT Director is responsible for accepting information and system security risks on behalf of the organization?
True or False – The individual in charge of information security is responsible for:
• Defining security controls
• Implementing security controls
• Managing security controls
• All of the above
Setting the Stage
“In the last four years, approximately 250 million records containing personally identifiable information of United States residents stored in government and corporate databases were either lost or stolen. Since little attention was given to database breaches prior to 2005, it is safe to assume that every man, woman and child has had their personal information exposed at least once, statistically.”
– Quote from InsideIDTheft.info
“Data theft and breaches from cybercrime may have cost businesses as much as $1 trillion globally in lost intellectual property and expenditures for repairing the damage last year, according to a survey of more than 800 chief information officers in the U.S., United Kingdom, Germany, Japan, China, India, Brazil, and Dubai. The respondents estimated that they lost data worth a total of $4.6 billion and spent about $600 million cleaning up after breaches.”
– McAfee Report - "Unsecured Economies: Protecting Vital Information"
According to the Open Security Foundation's DATALOSSdb, this pie chart represents events involving the loss, theft, or exposure of personally identifiable information (PII) for 2008.
No Lack of Publicity or Victims
Customer loss following data breach
Source: PGP Corporation and the Ponemon Institute annual report - U.S. Cost of a Data Breach Study
Cost of Data Breach
Source: PGP Corporation and the Ponemon Institute annual report - U.S. Cost of a Data Breach Study
Cost of a Security Bug
Courtesy of SecurityCompass – presented at 2008 Minnesota Government IT Symposium
Non-Technical Costs = breach reporting, regulatory violation (penalties), legal fees
What is the reputational cost: ??????

Phase       | Non-Technical Cost                             | Technical Cost to Fix                                           | Total Cost
Production  | $166,272 for 1000 records                      | $8,500                                                          | $174,772
Test        | $1,500/vulnerability (prevent approx. 20 bugs) | $2,125 (man-power, computer, testing, configuration management) | $3,625
Code        | $600                                           | $920 (dev, test)                                                | $1,520
Design      | $150/vulnerability (prevent approx. 100 bugs)  | $142 (developer, architect time)                                | $292
Security Authorization Process Summary
Security authorization (formerly called certification and accreditation) ensures that on a near real-time basis, the organization’s senior leaders understand the security state of the information system and explicitly accept the resulting risk to organizational operations and assets, individuals, and other organizations.
“An information system is authorized for operation at a specific point in time based on the risk associated with the current security state of the system.”
Who is this process targeted at?
• Business owners
• Data owners
• Personnel responsible for:
  • Development, acquisition and integration
  • System security
  • Security implementation and operations
• Auditors/assessors
Security Authorization History
• Roots go back to 1983 Federal Information Processing Standard (FIPS) 102
• Known by many different names:
  • Certification & Accreditation (C&A)
  • National Information Assurance Certification & Accreditation Process (NIACAP)
  • Defense Information Technology Security Certification and Accreditation Process (DITSCAP)
  • DOD Information Assurance Certification and Accreditation Process (DIACAP)
  • Director of Central Intelligence Directive (DCID) 6/3
Key Definitions
Information System – A discrete set of information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information
Security Authorization – The testing and/or evaluation of management, operational, and technical security controls in an information system to determine the extent to which the controls are implemented correctly, operating as intended and producing the desired outcome with respect to meeting security requirements for the system
Security Control Assessment – The testing and/or evaluation of the management, operational, and technical security controls in an information system to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system
Security Authorization Boundary – All components of an information system to be authorized for operation by an authorizing official; excludes separately authorized systems to which the information system is connected
Plan of Action and Milestones – A document that identifies tasks needing to be accomplished, resources required to accomplish the elements of the plan, any milestones in meeting the tasks, and scheduled completion dates for the milestones
Security Plan – Formal document that provides an overview of the security requirements for the information system and describes the security controls in place or planned for meeting those requirements
List is not all-inclusive – see NIST SP 800-37, Appendix B for a more detailed list
Key Process Players
Authorizing Official – A senior official or executive with the authority to formally assume responsibility for operating an information system at an acceptable level of risk to organizational operations, assets, individuals, and other organizations
Information (data) Owner – Official with statutory or operational authority for specified information and responsibility for establishing the controls for its generation, collection, processing, dissemination, and disposal
Information System Owner – Official responsible for the overall procurement, development, integration, modification, operation and maintenance of an information system
Information System Security Officer – Individual assigned responsibility for maintaining the appropriate operational security posture for an information system or program
Security Control Assessor – The individual, group or organization responsible for conducting a security control assessment
!!! Discussion Point: Conflicts of interest !!!
Other Process Roles
• Common Control Provider
• Information System Security Engineer
• Chief/Corporate Security Officer
• Risk Executive Function
Regulatory & Industry Requirements
• Payment Card Industry (PCI)
  • Requirement # 6 – Develop and maintain secure systems and applications
  • Requirement # 6.6 – Application security assessment
• Health Insurance Portability and Accountability Act (HIPAA)
  • §164.308 Administrative Safeguards (a)(1)(ii)(A) Risk Analysis
• Gramm-Leach-Bliley Act (GLBA)
  • Manage & Control Risk requirement
• Federal Financial Institutions Examination Council (FFIEC)
  • Information Security Booklet – Information Security Risk Assessment – Systems Development, Acquisition, and Maintenance
• Sarbanes-Oxley (SOX)
  • Section 404, Management Requirements
  • PCAOB Auditing Standard No. 2
• Federal Information Security Management Act (FISMA)
  • § 3544. Federal agency responsibilities
• IRS Publication 1075, Tax Information Security Guidelines for Federal, State and Local Agencies & Entities
  • CA-1 Certification, Accreditation, and Security Assessment Policies and Procedures
• Federal Energy Regulatory Commission (FERC) – 18 CFR Part 40, Mandatory Reliability Standards for Critical Infrastructure Protection
  • CIP-007-1 – Cyber Security – Systems Security Management
• Government Accounting Office (GAO) Federal Information System Controls Audit Manual (FISCAM)
  • Chapter 4 – Evaluating and Testing Business Process Application Controls
Standards
• ISO 27001 – Information Technology – Security Techniques – Information Security Management Systems – Requirements
  • Control Objectives and Controls – Internal Organization
    • A.6.1.4 – Authorization process for information processing facilities
    • A.10.4 – System Acceptance
• Information Security Forum (ISF) – The Standard of Good Practice for Information Security
  • SD – Systems Development
• Control Objectives for Information and related Technology (COBIT)
  • AI2 – Acquire and Maintain Application Software
  • AI4 – Enable Operation and Use
  • AI6 – Manage Changes
  • AI7 – Install and Accredit Solutions and Changes
Additional Benefits
• “Direct” business participation
• Pre-production security authorization = $avings
• Risk acceptance at the appropriate level of management
• Risks are documented and mitigated
• Business explicitly accepts residual risk and recommended security controls
• Standardization
  • Assessment, documentation and acceptance of security risks
  • Architecture and configuration documentation
  • Documentation (i.e. BCP/DR, policies, asset inventory, etc.)
• Unbiased security controls assessment
Relationship to System Lifecycle
(Diagram legend: Dark gray = Acquisition Lifecycle Phases; Light gray = Development Lifecycle Phases)
Risk Management Framework
Security Authorization is part of a dynamic risk management process
Security Authorization Process
RMF = Risk Management Function
Preparation Phase – Categorize Information System
• Task 1: Describe the information system
  • Define system boundary
  • Document system in security plan
• Task 2: Register system in organization asset inventory
• Task 3: Determine security category and document in security plan
  • Organizational/business criticality
  • Relationship/impact to other systems
  • Classification of data processed by system
Security Control Selection
• Task: Select security controls and document in security plan
  • System specific (implemented), common (inherited) and/or hybrid controls
  • Controls used to manage system risk (i.e. management controls)
  • Automated system safeguards and countermeasures (i.e. technical controls)
  • Policy, standards, and procedural measures (i.e. operational controls)
Security Plan Approval
• Task: Review and approve the security plan
Authorization Boundary
• Purpose = Reduce cost and complexity, and facilitate more targeted application of security controls
• Must be done before system categorization and security plan development
• Separate large and complex systems into multiple components or sub-systems. Sub-systems…
  • include data, technology and personnel
  • should generally be under the same direct management control
  • have the same function or mission/business objective
  • have the same operating characteristics and information security needs
  • reside in the same general operating environment
  • reside in different locations with similar operating systems
• Software applications do not require a separate security authorization; include them in the authorization boundary of the host system
• Use common sense
System Security Plan
• Prepared and maintained by the information system owner
• Living document
• Provides overview of security requirements and description of security controls
• Should contain supporting appendices or reference appropriate sources
  • Risk assessments
  • System interconnection diagrams
  • Service level agreements
  • Data flow diagrams
  • Disaster recovery and contingency plans
  • Security configurations
  • Configuration management plan
  • Incident response plan
  • Applicable policies and procedures
  • Hardware and software inventories
• Should be updated whenever events impact agreed upon security controls
  • Vulnerability scan
  • New threat to system
  • Redefinition of business priorities/objectives
  • Addition of new hardware, software or firmware
  • Change to operating environment
  • Addition of new connections
  • Weaknesses or deficiencies discovered (before or after a breach)
• Classify accordingly
Preparation Phase – Implement Security Controls
• Task 1: Implement security controls specified in security plan
• Task 2: Document “implemented” security controls in security plan
  • Functional description
  • Planned inputs
  • Expected behavior and outputs
Security Controls Assessment (examination, interview and test)
• Task 1: Select an assessor
• Task 2: Develop a plan to assess “all” security controls
• Task 3: Review and approve assessment plan
• Task 4: Obtain appropriate documentation needed to assess security controls
• Task 5: Perform assessment
• Task 6: Prepare preliminary assessment report
• Task 7: Review preliminary assessment report with system owner
• Task 8: Perform remediation actions
• Task 9: Assess remediated security controls
• Task 10: Update security assessment report and prepare executive summary
• Task 11: Update security plan
• Task 12: Prepare Plan of Action & Milestones
Authorization – Execution Phase – Authorize Information System
• Task 1: Assemble authorization package to submit to authorizing official for approval
• Task 2: Determine the risk to the organization
• Task 3: Formally accept risk (authorization decision)
  • Compensating controls
  • Risk mitigation strategy
  • Residual risk
• Task 4: Prepare the security authorization decision and document
  • Authorization decision
  • Terms and conditions for the authorization
  • Authorization termination date
Authorization Package
(Authorization process diagram) The authorization package consists of:
• Security Assessment Report
• Security Plan
• Plan of Action & Milestones
Continuous Monitoring – Maintenance Phase
Strategy: Maintain the security authorization for the system over time in a highly dynamic operational environment with changing threats, vulnerabilities, technologies and business processes
Objectives:
• Track the security “state” of a system on a continuous basis
• Ensure security controls are checked for effectiveness on an ongoing basis
• Address the security impact to systems when changes occur to hardware, software, firmware and operational environment
• Provide an effective process for updating security plans, security assessment reports and plans of action and milestones
• Security status reporting to authorizing official
Continuous Monitoring
Program includes:
• Configuration management
• Security impact analysis on actual or proposed changes
• Assessment of selected controls
• Ongoing status reporting to appropriate levels of management
• Active involvement of Information System Owner, Security Control Assessor and Authorizing Official
Continuous Monitoring Continues Until…
• Changes to the system have affected security controls in the system or introduced new vulnerabilities into the system and;
• Organizational level risk to the business operations, assets or individuals has been affected or;
• The authorization deadline has passed, then….
“Reauthorization begins!”
Reauthorization
Reauthorization occurs at the discretion of the authorizing official in accordance with federal or organizational policy
Time Driven
• Authorization termination date has been reached
Event Driven
• Authorizing official changes
• Routine environment/system changes
• Significant environment/system changes (per NIST 800-37)
  • Installation of a new or upgraded operating system, middleware component or application
  • Modifications to system ports, protocols or services
  • Installation of a new or upgraded hardware platform or firmware component
  • Modifications to cryptographic modules or services
  • Changes in laws, directives, policies or regulations
NOTE: Event driven reauthorization should be avoided in situations where the continuous monitoring process provides the necessary and sufficient information to the authorizing official to manage the potential risk arising from significant environment or system changes.
Process Implementation
“Crawl before you walk, walk before you run”
• If you have to comply with FISMA, you must have a security authorization process in place
  • Based on NIST SP 800-37
  • Flexibility
• Even if you don’t implement this process, consider the value of this process
  • Pre-production assessment
  • Security plan
  • 3rd party assessment
  • Business involvement
Where to get more information
• I-Assure Forum – www.i-assure.com/forums/Default.aspx
• NIST SP 800-37 – http://csrc.nist.gov/publications/drafts/800-37-Rev1/SP800-37-rev1-IPD.pdf
• Books
  • FISMA Certification & Accreditation Handbook by Laura Taylor (ISBN-10: 1597491160)
  • Building and Implementing a Security Certification and Accreditation Program by Patrick D. Howard (ISBN-10: 0849320623)
2009 Prediction
“More and more private sector companies and universities will have to comply with FISMA. Why? Many companies that are government contractors are being required to comply with FISMA already as a stipulation in their contracts with the government. Organizations that accept grants from the government are increasingly being required to comply with FISMA.”
“FISMA 2008 will pass and government CISOs will become more empowered.”
– Laura Taylor, Founder of Relevant Technologies and author of the “FISMA Certification & Accreditation Handbook”
Status of FISMA Related NIST Publications
• SP 800-30, Revision 1: Guide for Conducting Risk Assessments – FEBRUARY 2010
• SP 800-37, Revision 1: Guide for the Security Authorization of Federal Information Systems: A Security Life Cycle Approach – JUNE 2009
• SP 800-39: Managing Risk from Information Systems: An Organizational Perspective – JULY 2009
• SP 800-53A, Revision 1: Guide for Assessing the Security Controls in Federal Information Systems – DECEMBER 2009
• SP 800-CM: Guide for Security Configuration Management and Control (Publication number TBD) – NOVEMBER 2009
Points to Remember
• Assess a defined environment (authorization boundary), not the world
• Security authorization is an ongoing process
• Security control assessors make recommendations; they do not accept risk or approve mitigating controls on behalf of the organization
• Risk acceptance is the sole responsibility of the authorizing official
• Reuse and share security control development, implementation, and assessment-related information to reduce cost and time
• An active continuous monitoring program reduces time and effort
Let’s try again!
Which of the following is the responsibility of IT?
• System owner
• Data owner
• System custodian
• All of the above
True or False – The CIO/IT Director is responsible for accepting information and system security risks on behalf of the organization?
True or False – The individual in charge of information security is responsible for:
• Defining security controls
• Implementing security controls
• Managing security controls
• All of the above
Questions
Thank You!
Rick Ensenbach CISSP-ISSMP, CISA, CISM
[email protected]@state.mn.us
651-201-2790