The first steps in information security strategic planning in any form of business are risk management and risk evaluation. This is necessarily broad, including business processes, people and physical infrastructure, as well as the information system. The security risk evaluation needs to assess the asset value to predict the impact and consequence of any damages, but it is difficult to apply this approach to systems built using knowledge-based architectures.1 Knowledge-based systems attempt to represent knowledge explicitly via tools, such as ontologies and rules, rather than implicitly via procedural code, the way a conventional computer program does. Professionals usually find it hard to give organizations assurance on asset valuation, risk management and control implementation practices because no clear, agreed-on models and procedures exist. The main objective of this article is to propose simple and applicable models for professionals to measure, manage and follow up on assets, risk and controls implementation in the organization. An ISACA Journal volume 5, 2016, article titled “Information Systems Security Audit: An Ontological Framework”2 briefly describes the fundamental concepts (owner, asset, security objectives, vulnerability, threat, attack, risk, control and security audit) and their relationships to the whole security audit activities/process. This article proposes different models that help to measure and implement those concepts objectively by using the previously proposed ontological framework and an empirical study. The objectives are to identify risk-based auditable areas required to carry out asset valuation, and to help measure risk and identify the existing control gap of the company’s IT assets for regulatory, management and audit purposes. The previous ontological framework briefly presents concepts hierarchically from asset valuation to control implementation processes for a specific asset based on the summarized steps.
This article shows how to take the steps sensibly:
Asset Identification, Valuation and Categorization
Identification, valuation and categorization of information systems assets are critical tasks of the process to properly develop and deploy the required security control for the specified IT assets (that is, data and their containers). Organizations or individuals implementing security for assets with this model must first identify and categorize the organization’s IT assets that need to be protected in the security process. Mapping an information asset (such as data) to all of its critical containers leads to the technology assets, physical records and people that are important to storing, transporting and processing the asset.4 The map of information assets will be used to determine all of the information assets that reside on a specific container. In addition, the value of a container depends on the data that are processed and transported (through the network) or stored (reside) within that specific container. Security audits should look into how the data or information are processed, transferred and stored in a secured manner.5
Risk Assessment and Management
The risk assessment comprises the qualitative assessment and quantitative measurement of individual risk, including the interrelationship of their effects. Risk management constitutes a strategy to avoid losses and use available opportunities or, rather, opportunities potentially arising from risk areas.6 Normally, no single strategy will be able to cover all IT asset risk, but a balanced set of strategies will usually provide the best solutions. Once the risk is identified, it can be evaluated as acceptable or not. If it is acceptable, no further actions are required other than communicating and monitoring the risk, but if the risk is not acceptable, it must be controlled through four separate options of prevention and/or mitigation measures:
This article discusses risk mitigation strategy based on the CIA security objectives. The overall objective of this section is to quantitatively measure risk impacts of an organization’s specific IT assets and to propose a proper mitigation strategy. Concepts from the International Organization for Standardization (ISO)/ International Electrotechnical Commission (IEC) ISO/IEC 27001:2013, Information technology—Security techniques—Information security management systems—Requirements,7 and empirical analysis results taken from interviews with professionals are used to illustrate various conclusions and approaches to implementation. Hence, quantitative measurement of risk impact is implemented based on the following formula:
Potential Risk = Probability of Occurrence × Asset Valuation
Assumptions for asset valuation include:
Based on the model, it is possible to create a matrix for the value of an asset as illustrated in figure 2.
Weight of Asset
From interviews and the author’s practical experience, it can be concluded that the actual value of an asset is determined by the sensitivity value of the data in the container. The reason is that all similar containers are not equally important to the organization, and the value of a container is determined by the data it holds, processes or transfers. For example, servers with equal capacity, technology and cost may have different weights due to the data they hold, process or transfer. A database containing employee information may have less value than one containing customer transactions. Equally, data on prominent customers may have more value than data on ordinary/walk-in customers, based on business/organizational objectives. Therefore, to evaluate the sensitivity of assets, the concept of “weight” or “weighting” was developed, which helps to measure each asset’s value based on the data it holds/processes compared to other assets. To measure the value of the asset’s weight, the rating concepts shown in figure 3 can be used—3 for high, 2 for medium and 1 for low—to show the value of a specific asset as compared to another asset, based on business objectives. This concept differentiates this approach from other asset valuation concepts. Therefore, according to the CIA matrix and the weight of an asset model, it is possible to determine the total asset value using an asset weight matrix table as shown in figure 4.
Asset Categorization
At this stage, the organization should categorize assets in three levels based on the total asset value determined in the total asset matrix table. The category of an asset indicates the level of concern that needs to be given to that asset.
Therefore, more security implementation, investment or attention would be given to category I assets (value of the total asset between 20 and 27) than to category II assets (between 12 and 18, inclusive, the highlighted amounts in figure 4) and to category III (value of 10 or less) assets. From figure 4, it can be concluded that the total asset value ranges from 3 (minimum) to 27 (maximum).
Vulnerability and Threat Assessment and Rating Methodology
The presence of vulnerability does not in itself cause harm; vulnerability is merely a condition or a set of conditions that could allow assets to be harmed by an attack.11 When a vulnerability is exploited by a threat, it increases the likelihood of attack and leads to risk.12 Vulnerability rating gives an indication or opportunity to see the weakness inherent or residing in the information assets of the organization. Vulnerability and threat valuation assumptions include:
Vulnerability Rating Factors
Vulnerability is the intersection of three elements: a system susceptibility or flaw, attacker access to the flaw, and attacker capability to exploit the flaw.13 Susceptibility simply measures the effort required to successfully exploit a given weakness. For example, fire is a threat. Poor fire prevention standards, poorly managed flammable liquids and poor circuit insulation are some of the weaknesses (vulnerabilities) or factors that help the fire threat to happen and cause damage. Exposure (attacker access to the flaw) is the potential exposure to loss, resulting from the occurrence of one or more threat events. It may be disseminated across other system components. Figure 5 depicts a model to rate the susceptibility and exposure of a flaw or vulnerability of an asset. To measure the overall value of the severity of a vulnerability, the combination of the value of the susceptibility and exposure ratings must first be decided, as shown in figure 7. (Note: This rating table is similarly used for threat factors [impact and capability rating] in the following threat assessment section.)
Threats Assessment and Rating Methodology
A general list of threats should be compiled, which is then reviewed by those most knowledgeable about the system, organization or industry to identify those threats that apply to the system.14 Each threat is derived from a specific vulnerability, rather than identifying threats generally without considering vulnerability. Measuring the value of a threat depends on the rating value of its impact and capability. Impact is a forceful consequence or a strong effect of the launch of a threat on the business. Capability is a measure of a threat agent’s ability (including the level of effort required) to successfully attack an asset by exploiting its vulnerabilities, e.g., the threat agent’s technical ability, knowledge and available material to exploit the vulnerability.
As with the vulnerability measurement elements (susceptibility and exposure), capability and impact should be rated for threat measurement. Figure 8 shows how to use capability and impact for threat ratings. The model for grading the severity of the threat uses the impact and capability of the threat, similar to the severity of vulnerability matrix in figure 6 and figure 7. The only difference is that susceptibility and exposure for vulnerabilities are replaced with impact and capability for threats.
Risk Impact Measurement
Risk management is the act of determining what threats the organization faces, analyzing the vulnerabilities to assess the threat level and determining how to deal with the risk.15 Security risk management is a strategy of management to reduce the possible risk from an unacceptable to an acceptable level.16 There are four basic strategies for managing risk: transference, acceptance, avoidance and mitigation.17 Risk assessment requires individuals to take charge of the risk management process. Risk assessment is the determination of a quantitative or qualitative estimate of risk related to a well-defined situation and a recognized threat (also called a hazard). Quantitative risk assessment requires calculations of two components of risk: the magnitude of the potential risk and the probability that the loss will occur.18
Probability or Likelihood of Risk
A likelihood assessment estimates the frequency of a threat happening. With this type of assessment, it is necessary to observe the circumstances that will affect the probability of the risk occurring. The likelihood can be expressed in terms of the frequency of occurrence,19 which is depicted in figure 9. Based on the previously discussed risk analysis concepts, risk mitigation options are acceptable, tolerable and intolerable risk, the values of which follow. Acceptable risk has a risk impact value of less than 540, which is the product of the maximum asset value (27), low vulnerability value (2), low threat value (2) and the maximum frequency of likelihood (5). The calculation, therefore, is 27*2*2*5=540. Tolerable risk has a risk impact value ranging from 540 to 1,215, which is the product of the maximum asset value (27), medium vulnerability value and threat value (3 each), and the maximum frequency of likelihood (5). The calculation is 27*3*3*5=1,215. Intolerable risk has a risk impact value greater than 1,215, that is, any risk beyond the tolerable risk amount of 1,215.20
Control Implementation and Gap Analysis
A common mitigation for a technical security flaw is to implement a patch provided by the vendor. Sometimes the process of determining mitigation strategies is called control analysis.21 Control mechanisms are used to restrain, regulate or reduce vulnerabilities; they can be corrective, detective or preventive.22 It is possible to mitigate a risk by implementing different control techniques, but before implementing a new control, the assessor is responsible for identifying and measuring the existing control and showing the gap from the expected control of an asset. Assumptions for control valuation include:
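The asset valuation, categorization and risk impact steps above can be carried through end to end in a few lines. The following Python is an added worked example and is not code from the article or its author; it assumes, consistently with the ranges the article gives, that each CIA objective is rated 1 (low), 2 (medium) or 3 (high) and summed, that the asset weight is 1, 2 or 3 (figure 3), so that the total asset value is the CIA sum multiplied by the weight (which reproduces the 3 to 27 range and the category bands of figure 4), that vulnerability and threat are supplied as already-rated values (the article states low = 2 and medium = 3; the combination table of figure 7 is not reproduced here), and that likelihood is a frequency rating from 1 to 5 (figure 9). The asset names and ratings are constructed sample input.

```python
"""Worked example of the asset value, category and risk impact model.

Assumptions (labelled here because the article's figures are not reproduced):
  - CIA ratings are 1/2/3 and summed (3..9); weight is 1/2/3;
    total asset value = (C + I + A) * weight, giving the article's 3..27 range;
  - vulnerability and threat values arrive already rated (low = 2, medium = 3);
  - likelihood is a frequency rating 1..5.
"""
from dataclasses import dataclass

RATING = {"low": 1, "medium": 2, "high": 3}   # CIA and weight scale (assumed)

# Thresholds exactly as the article derives them.
ACCEPTABLE_BELOW = 27 * 2 * 2 * 5   # 540
TOLERABLE_UPTO = 27 * 3 * 3 * 5     # 1215


@dataclass(frozen=True)
class Asset:
    name: str
    confidentiality: str
    integrity: str
    availability: str
    weight: str   # sensitivity of the data the container holds, relative to peers


def cia_value(asset: Asset) -> int:
    """Sum of the three CIA ratings (3..9)."""
    return (RATING[asset.confidentiality] + RATING[asset.integrity]
            + RATING[asset.availability])


def total_asset_value(asset: Asset) -> int:
    """CIA sum scaled by the asset weight (3..27)."""
    return cia_value(asset) * RATING[asset.weight]


def asset_category(total: int) -> str:
    """Category bands from the article: I = 20..27, II = 12..18, III = 10 or less."""
    if 20 <= total <= 27:
        return "I"
    if 12 <= total <= 18:
        return "II"
    if 3 <= total <= 10:
        return "III"
    # 11 and 19 cannot be produced by (3..9) * (1..3); anything else is bad input.
    raise ValueError(f"total asset value {total} is outside the model's range")


def risk_impact(total: int, vulnerability: int, threat: int, likelihood: int) -> int:
    """Risk impact = asset value * vulnerability * threat * likelihood."""
    if not 1 <= likelihood <= 5:
        raise ValueError("likelihood must be a frequency rating from 1 to 5")
    if vulnerability < 1 or threat < 1:
        raise ValueError("vulnerability and threat ratings must be positive")
    return total * vulnerability * threat * likelihood


def risk_class(impact: int) -> str:
    """Acceptable below 540, tolerable from 540 to 1,215, intolerable above."""
    if impact < ACCEPTABLE_BELOW:
        return "acceptable"
    if impact <= TOLERABLE_UPTO:
        return "tolerable"
    return "intolerable"


def assess(asset: Asset, vulnerability: int, threat: int, likelihood: int) -> dict:
    """Run the full chain for one asset and return every intermediate value."""
    total = total_asset_value(asset)
    impact = risk_impact(total, vulnerability, threat, likelihood)
    return {"asset": asset.name, "total_value": total,
            "category": asset_category(total),
            "risk_impact": impact, "risk_class": risk_class(impact)}


# Constructed sample assets (not from the article).
SAMPLE_ASSETS = [
    Asset("customer transaction DB", "high", "high", "high", "high"),      # 9 * 3 = 27
    Asset("employee information DB", "medium", "high", "medium", "medium"),  # 7 * 2 = 14
    Asset("intranet wiki", "low", "low", "medium", "low"),                # 4 * 1 = 4
]

if __name__ == "__main__":
    # Same vulnerability/threat/likelihood for each asset so the category drives the result.
    for a in SAMPLE_ASSETS:
        print(assess(a, vulnerability=3, threat=3, likelihood=5))
```

Note that the boundary values matter: a category I asset at medium vulnerability and medium threat with the maximum likelihood lands exactly on 1,215 and is still tolerable, while any higher rating pushes it into the intolerable band, which is the point at which the article's control gap analysis is meant to start.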
Based on figure 10, a control matrix is presented in figure 11. Figure 12 shows calculations for existing controls and risk mitigation. Adding controls to mitigate the risk impact first requires identification of the existing control (the total amount of control measured by adding the value of CIA for each asset), then identification of the possible control (the sum of a control value of CIA derived by considering the maximum technology applied to that specific asset and the conditions to satisfy adoption of that additional control). The following formulas will calculate the “to be controlled risk” and the “mitigated risk”:
No organization can ever be 100 percent secure or free of risk. There will always be remaining, or residual, risk. In the first example shown in figure 13, the possible control is equal to the existing control (which is high for CIA). Therefore, the remaining risk, 375, is residual and is not mitigated further because it already represents the maximum possible control. As per the risk analysis concepts described in this article, the 375 risk is acceptable because it is less than the maximum acceptable risk level of 540.
Conclusion
Managing the risk and valuation of an organization’s valuable IT assets is the first and critical stage of information security planning and security control implementation. Objectively measuring concepts like vulnerability, threat, risk impact, mitigated risk and implemented control of an asset is the most difficult task in the process, because subjective judgments during the rating selection (high, low, medium) lack uniformity, and the quality and accuracy of the results depend heavily on the assessors’ professional experience. The models described in this article can minimize error and introduce uniformity of activities and process results carried out by different individuals/organizations. Generally, information security risk management/evaluation is still a very complex field of research, with a lot of unexplored areas. More research is needed to explore essentials. This research work can be based on the model proposed in this article and perhaps could be focused on creating mechanical or robotic techniques to implement quantitative measurement, thus avoiding subjective judgments of high, low or medium.
Endnotes
1 Foroughi, F., “Information Asset Valuation Method for Information Technology Security Risk Assessment,” Proceedings of the World Congress on Engineering 2008, vol. I, www.iaeng.org/publication/WCE2008/WCE2008_pp576-581.pdf
Shemlse Gebremedhin Kassa, CISA, CEH
Does the recent distributed denial of service (DDoS) attack on Dyn1 officially mark the passing of the Internet of Things (IoT) fear, uncertainty and doubt (FUD) stage, or is this still the beginning of the stage? IoT FUD pertains to IoT vulnerabilities leading to loss of data, service and possibly life. Traditionally, FUD about a security breach or regulatory noncompliance is the primary driver for management to invest in information security. The same FUD applies to IoT security, although it involves multiple variables that need to be considered. The resolve to address IoT device security at various levels—hardware and software, government and enterprise, consumers and services—is widespread. This soaring resolve is primarily due to the sheer quantity of IoT devices that are available and the ease with which these devices can be compromised and converted into thingbots. Thingbots are botnets of infected IoT devices that can be used to launch attacks that are like the Dyn attack, which affected more than one million devices, of which about 96 percent were IoT devices.2, 3 The primary issue is with IoT device hardware, which is manufactured mostly outside of the United States and needs to be regulated.4 The retail industry sector has been the leading adopter of IoT technology because it reaches out directly to numerous customer bases, unlike the health care sector, which does not have benefits that are transparent immediately to the end user and has higher risk.
IoT Security—The Game Plan
The game plan for IoT security provides an overview of the IoT ecosystem and addresses standards, frameworks and regulatory proposals that have developed recently. Figure 1 depicts an IoT ecosystem in which information security forms an integral part.
IoT Standards and Framework Developments
Also in 2016, exemptions to the US Copyright Law were approved that allow independent researchers to be able to hack almost any IoT device.7 Although numerous limitations apply to the exemptions, they were granted for two years. This will help researchers unlock software for their research without any legal implications. The intentions are right, but the impact of this change, positive or negative, is yet to be seen. The Industrial Internet Consortium, primarily comprised of IoT-related enterprises, rolled out the Industrial Internet Security Framework (IISF), which outlines best practices to assist developers and end users with gauging IoT risk and possibly defending against this risk.8 In early 2017, the US Federal Trade Commission (FTC) announced that it is granting prize money to anyone who develops an innovative tool that detects and protects home devices from software vulnerabilities.9 Another recent development in IoT security is the Sigma Designs S2 security framework, which will be part of every Z-Wave-certified IoT device that is manufactured after March 2017 and is backward-compatible on existing Z-Wave IoT chipsets, making the devices more secure.10
Regulatory Proposals
The US Food and Drug Administration (FDA) has been providing some guidance to manufacturers on the best practices to build security into medical devices since October 2014. In December 2016, the FDA added a guide that lists the best ways to secure medical devices after they enter the consumer’s hand, primarily to prevent any harm to patients. The guide also states that the IoT device manufacturers need to report to the FDA if the use of a device had resulted, or can result, in any kind of serious harm or the death of a person.
Reporting to the FDA is waived only if customers and device users are notified about the vulnerability in the device within 30 days, the device is fixed within 60 days, and this information is shared with the Information Sharing and Analysis Organization (ISAO).12, 13 The premise is somewhat similar to the optical character recognition (OCR) sanctions on US Health Insurance Portability and Accountability Act (HIPAA) violations, but the difference is that the FDA guides are just recommendations and are not legally binding. It is believed that these guides will eventually lead to legislation, as in the case of HIPAA. More recently, the US Senate Commerce Committee approved the Developing Innovation and Growing the Internet of Things (DIGIT) Act. It is currently waiting on approval from the full Senate. The DIGIT Act creates a working group that would focus on the security, privacy and other issues relating to IoT.14
The Game of IoT Security
The number of connected IoT devices is estimated to reach 200 billion by 2020.15 Similarly, it is estimated that approximately 4 billion people will be online by 2020.16 The online exposure increases multifold by 2020 for the simple reason that human-to-machine (H2M) interactions increase along with the machine-to-machine (M2M) interactions.
The IoT Arena
Defense
Device-Manufacturer Level
Hardware
The nonprofit Internet of Things Security Foundation (IoTSF) aids all IoT manufacturers, vendors and end users to help secure IoT devices.17 Nevertheless, the best countermeasure to combat the hardware vulnerabilities is to regulate the process of manufacturing an IoT device. The manufacturers of IoT devices need to be accountable for not adhering to the appropriate IoT regulatory standards (there are not any standards at the time of this writing), industrial standards and/or guidelines.
Today, there are no legal implications for not following the standards, but there can be a pushback at the enterprise level in adopting a substandard IoT device from a manufacturer. This pushback can prevent most hardware vulnerabilities and software weaknesses that may be inherently available in IoT devices. If hardware vulnerabilities are not mitigated, the rest of the controls, methodologies, frameworks, time, resources and investment to make IoT devices secure cannot be effective. Some of the regulations and pushback need to be driven by the respective governments, with assistance from the security community.
Software
The Open Web Application Security Project (OWASP) helps IoT manufacturers build secure IoT software and periodically categorizes the top 10 IoT software vulnerabilities.
Enterprise/Network Level
Segmentation of all of the IoT devices onto a separate network zone is recommended, which makes it easier to quarantine the entire IoT zone in the case of a breach.19 The rest of IT can continue its operations without any major impact. If segmentation and zoning are not feasible, adopting a software-defined networking (SDN) model that not only improves IoT security, but also helps with identifying the location of the breach is suggested.20 Other commonplace controls that need to be implemented for IoT devices are the same controls that apply to most of the IT infrastructure today. They are two-factor authentication, stronger passwords or key-based authentication. It is of paramount importance to realize that the key to having these defense methodologies work as expected is to secure the IoT devices and the network from the day that they are introduced into the network. If not, the possibility is high that these IoT devices are hackable forever and they will not be able to be patched and secured. If such a rogue IoT device is detected, it should be replaced immediately.21 IoT devices need to be able to carry out a multifactor authentication, e.g., phone the human user/owner of the IoT device, before the user/owner performs the security update. Public key infrastructure (PKI) authentication for communication between IoT devices and gateways is a recommended countermeasure to prevent an IoT device from being jailbroken to install unauthorized software. Only certified software should be permitted to be installed during upgrades and patching. Frameworks are being introduced that can help to implement a robust security model for IoT devices. The KeyScaler 5.0 product from Device Authority offers certificate and key provisioning specifically for IoT devices during the registration process.22
Offense
Testing
IoT Risk Management
FDA guidance recommends that device manufacturers form or join an information sharing and analysis organization (ISAO), which is similar to the information sharing and analysis centers that exist today. An ISAO can help participating organizations by sharing looming security threats and risk in real time and devising appropriate responses in a timely manner.
Analytics and Detection Team
IoT Governance
The risk of an insecure IoT device is relative based on the domain in which it is operated and the jurisdiction in which it thrives. For example, privacy is at utmost risk when the device handles protected health information (PHI), compared to when it is in an industrial setup, in which the infrastructure or services are at risk. The geography of where the IoT device operates also matters because the legal and regulatory bindings can differ from place to place. The governance of IoT devices needs to be handled separately, but under the IT governance umbrella. The four critical success factors that contribute to an effective IoT project are an efficient IoT project management team, a project stakeholder who has the authority to drive the IoT project, data and telecommunication infrastructure to support IoT, and subject matter experts to maintain high data quality and integration issues.28 At a project-management level, the eight steps29 that can help enterprises to put in place a sustainable IoT security program are:
Conclusion
The IoT footprint will vary in size based on the industry vertical. As enterprises move forward on the IoT bandwagon to be more profitable and to be able to reach out to an extended customer base, they need to have an IoT strategy that encompasses the entire IoT device life cycle (from procurement to end of life) in place. Enterprises need to build an IoT risk strategy that evaluates and manages risk. Consider IoT as part of the overall security and risk management portfolio and have a dedicated focus on continuously evaluating and monitoring IoT risk. Early adoption of security into the IoT device life cycle, at the hardware and software level, is the best practice. The FUD factor mentioned earlier will continue to drive management to invest in information security and, more specifically, IoT security in the near future, at least until the risk of breaches reduces.
Endnotes
1 York, K.; “Dyn Statement on 10/21/2016 DDoS Attack,” Oracle, 22 October 2016, http://dyn.com/blog/dyn-statement-on-10212016-ddos-attack/
Indrajit Atluri, CRISC, CISM, CEH, CISSP, CSSLP, HCISPP, ITILv3
Author: ISACA | Reviewed by Sunil Bakshi, CISA, CRISC, CISM, CGEIT, ABCI, AMIIB, BS 25999 LI, CEH, CISSP, ISO 27001 LA, MCA, PMP
Organizations today are concerned about information security primarily due to the fact that the type and nature of attacks are undergoing a lot of changes that make them difficult to detect and prevent. One example is targeted attacks. A targeted attack is a combination of multiple attacks faced earlier by organizations with a focus on stealing information or sabotaging the operations of the targeted organization, and which is difficult to detect. To help address this threat, ISACA has issued Responding to Targeted Cyberattacks with experts from Ernst and Young, as an initiative under ISACA’s Cybersecurity Nexus (CSX) program. This 88-page book is divided into six chapters and two appendices. The chapters follow the natural sequence of cyber security activities; after an introduction, there follow chapters on preparation, investigation, eradication, post-eradication and conclusion. The appendices include questions relating to other issues that the investigation team should address and tools required for investigations. This book is useful for security professionals, consultants and students pursuing cyber security as it provides guidance for identifying/detecting, responding and eradicating targeted cyberattacks. Information systems (IS) auditors can use this book to understand what they should be looking for while performing an IS audit to assess the preparedness of the auditee to respond to targeted cyberattacks. Chapter one introduces the changing landscape of cyberattacks, covering the life cycle of targeted attacks and advanced persistent threats (APT). Organizations require this information to understand the nature of attacks and plan for investigations. The book then describes the basics of information security that are required to detect and respond to targeted attacks. Early detection helps in controlling the spread of an attack and the damage due to an attack. 
The basics of information security include risk management, asset management, incident management, emergency response management and building intelligence. The third chapter covers conducting investigations of security breaches and references the incident response life cycle. The chapter also addresses the focus of investigation and evidence collection for forensic requirements. It emphasizes getting answers to who attacked, determining how the attack might have happened, and identifying the spread and objectives of the attack. The fourth chapter discusses eradicating an incident and the need to do so more efficiently and faster to prevent the attacker from reestablishing the attack. The chapter offers a great deal of detail on eradication planning and executing the plan with precision. The next chapter discusses post-eradication activities, e.g., monitoring for reentry, verifying and strengthening controls, and documenting lessons learned. It also emphasizes the possibility of making relevant changes to the strategic plan (if required). The book concludes by emphasizing the importance of being prepared to respond to cyberattacks. Appendix A provides a useful questionnaire for the investigation team. Although small in size, the book addresses the current security threat of targeted attacks and guides readers in preparing to detect and respond to these attacks.
Editor’s Note
Responding to Targeted Cyberattacks is available from the ISACA Bookstore. For information, visit www.isaca.org/bookstore, contact Support or telephone +1.847.660.5650.