Presentation is loading. Please wait.

Presentation is loading. Please wait.

© 2003 by Carnegie Mellon University page 1 Information Security Risk Evaluation for Colleges and Universities Carol Woody Senior Technical Staff Software.

Published byJeremy Oliver Modified over 8 years ago

Similar presentations

Presentation on theme: "© 2003 by Carnegie Mellon University page 1 Information Security Risk Evaluation for Colleges and Universities Carol Woody Senior Technical Staff Software."— Presentation transcript:

1 © 2003 by Carnegie Mellon University page 1 Information Security Risk Evaluation for Colleges and Universities Carol Woody Senior Technical Staff Software Engineering Institute Carnegie Mellon University

2 © 2003 by Carnegie Mellon University page 2 Copyright Statement Copyright Carol Woody 2003. This work is the intellectual property of the author. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to republish requires written permission from the author.

3 © 2003 by Carnegie Mellon University page 3 Objectives Internet Context Security Risk Management Information Security Risk Evaluation using the OCTAVE® Approach

4 © 2003 by Carnegie Mellon University page 4 Internet Context

5 © 2003 by Carnegie Mellon University page 5 The Old ’Net

6 © 2003 by Carnegie Mellon University page 6 The New ’Net Source: http://cm.bell- labs.com/who/ches/map/gallery/index.html

7 © 2003 by Carnegie Mellon University page 7 Unwarranted Trust Address spoofing Viruses & worms Denial of service attacks Packet sniffing Password cracking

8 © 2003 by Carnegie Mellon University page 8 All Sites are Potentially Vulnerable Design Vulnerabilities Implementation Vulnerabilities Configuration Vulnerabilities Resource Vulnerabilities User Vulnerabilities Business Process Vulnerabilities

9 © 2003 by Carnegie Mellon University page 9 Growth in Number of Vulnerabilities Reported to the CERT/CC

10 © 2003 by Carnegie Mellon University page 10 Attack Impact v Intruder Knowledge Source: www.cert.org

11 © 2003 by Carnegie Mellon University page 11 Statistics from IT Security CSI & FBI 2003 Computer Crime and Security Survey 78% of 530 respondents detected Internet security breaches 30% detected internal security breaches

12 © 2003 by Carnegie Mellon University page 12 Statistics from IT Security Likely sources of attack Independent hackers Disgruntled employees (current & former) Competitors Foreign governments & corporations

13 © 2003 by Carnegie Mellon University page 13 Protection Responses Implement effective security practices Fire walls Intrusion detection Encryption and authentication Software upgrades and patching Self-hacking

14 © 2003 by Carnegie Mellon University page 14 Protection is Incomplete Security management requires a plan to recognize, resist, and recover Hackers are running programs on the Internet at all times looking for security holes (technical vulnerabilities). People using the Internet are unaware of the risks (organizational vulnerabilities)

15 © 2003 by Carnegie Mellon University page 15 Selecting Security Practices - 1 What do you need to protect? What will protection failure mean? What vulnerabilities exist in your environment? How much protection can you afford?

16 © 2003 by Carnegie Mellon University page 16 Selecting Security Practices - 2 Technical Vulnerability Management Focus is primarily on technology Led by external experts Driven by software vendor information Accurate for a very limited timeframe

17 © 2003 by Carnegie Mellon University page 17 Selecting Security Practices - 3 Security Risk Management Led by the organization Defines and prioritizes the risks based on organizational goals Includes security issues in the planning, policy and procedures of the organization Considers a wider range of risks

18 © 2003 by Carnegie Mellon University page 18 Security Risk Management

19 © 2003 by Carnegie Mellon University page 19 Risk Management Each organization must “own” its risk. Each organization has a unique set of information security risks. Information security risks can affect an organization’s ability to meet its mission.

20 © 2003 by Carnegie Mellon University page 20 Organizational Gap

21 © 2003 by Carnegie Mellon University page 21 Multiple Perspectives of Security Internal and external participants Information technology (IT) staff Employees Managers Contractors Service providers Partners and collaborators

22 © 2003 by Carnegie Mellon University page 22 Risk Management Regulations Regulations may mandate security risk management: Health Insurance Portability and Accountability Act (HIPAA) for health care organizations Gramm-Leach-Bliley Act for financial organizations

23 © 2003 by Carnegie Mellon University page 23 Risk Aware Culture Information security risks cannot be addressed if they aren’t communicated to and understood by the organization’s decision makers. Everyone must be able to identify and respond to security risks.

24 © 2003 by Carnegie Mellon University page 24 Risk - 1 The possibility of suffering harm or loss Risk consists of an event consequence uncertainty

25 © 2003 by Carnegie Mellon University page 25 Risk - 2 Event Consequence Uncertainty

26 © 2003 by Carnegie Mellon University page 26 Risk - 3 Threat Actor Asset Organizational vulnerabilities Technology vulnerabilities Impact on organization Event Consequence Uncertainty

27 © 2003 by Carnegie Mellon University page 27 Effective Risk Management Effective information security risk management requires: a systematic process experience and expertise information (e.g., risks, lessons learned) a risk-aware culture

28 © 2003 by Carnegie Mellon University page 28 Information Security Risk Management Framework

29 © 2003 by Carnegie Mellon University page 29 The OCTAVE ® Approach Operationally Critical Threat, Asset, and Vulnerability Evaluation SM ® OCTAVE is registered with the U.S. Patent and Trademark Office by Carnegie Mellon University SM Operationally Critical Threat, Asset, and Vulnerability Evaluation is a service mark of Carnegie Mellon University.

30 © 2003 by Carnegie Mellon University page 30 Establish a Shared Risk Language

31 © 2003 by Carnegie Mellon University page 31 OCTAVE Approach Use OCTAVE to identify, analyze, and plan security risk management.

32 © 2003 by Carnegie Mellon University page 32 OCTAVE Phases OCTAVE is structured into the following three phases: Phase 1: Build Asset-Based Threat Profiles Phase 2: Identify Infrastructure Vulnerabilities Phase 3: Develop Security Strategy and Plans

33 © 2003 by Carnegie Mellon University page 33

34 © 2003 by Carnegie Mellon University page 34 OCTAVE Analysis Team An interdisciplinary team – consisting of -teaching and administrative staff -information technology staff

35 © 2003 by Carnegie Mellon University page 35 Catalog of Security Practices Security Practice Survey OCTAVE Catalog of Practices Protection Strategy Mitigation Plan

36 © 2003 by Carnegie Mellon University page 36 Catalog Structure

37 © 2003 by Carnegie Mellon University page 37 Strategic Practice Areas

38 © 2003 by Carnegie Mellon University page 38 System and Network Management System Administration Tools Monitoring and Auditing IT Security Authentication and Authorization Vulnerability Management Encryption Security Architecture and Design Incident Management General Staff Practices Physical Security Plans and Procedures Physical Access Control Monitoring and Auditing Physical Security Operational Practice Areas

39 © 2003 by Carnegie Mellon University page 39 Outputs of the OCTAVE Approach Defines organizational direction Plans designed to reduce risk Near-term action items Protection Strategy Mitigation Plan Action List

40 © 2003 by Carnegie Mellon University page 40 OCTAVE Method Focused on large-scale (300 or more employees) or complex organizations A systematic, context-sensitive method for use across the organization, involving multiple organizational levels and IT Uses open-ended “essay” worksheets for information collection Requires moderate level of security expertise

41 © 2003 by Carnegie Mellon University page 41 OCTAVE-S Focused on small (less than 100 employees) or simple organizations Requires analysis team to have a full, or nearly full, understanding of the organization and what is important Uses “fill-in-the-blank” worksheets in a structured process Requires less security expertise

42 © 2003 by Carnegie Mellon University page 42 Key Selection Question - 1 Does the analysis team (i.e., 3-5 people) have sufficient insight into the organization to characterize the information security risks affecting the organization?

43 © 2003 by Carnegie Mellon University page 43 Key Selection Question - 2 Does the organization have the capability (security expertise) to conduct the Phase 2 vulnerability evaluation?

44 © 2003 by Carnegie Mellon University page 44

45 © 2003 by Carnegie Mellon University page 45 OCTAVE Information Visit http://www.cert.org/octave Introduction to the OCTAVE® Approach OCTAVE® Method Implementation Guide OCTAVE®-S (preliminary version)

46 © 2003 by Carnegie Mellon University page 46 Additional Options OCTAVE® Transition Partners: licensed to train and assist organizations in using the OCTAVE Approach Book: Managing Information Security Risks: The OCTAVE SM Approach Public Training at the SEI http://www.sei.cmu.edu/products/courses/

47 © 2003 by Carnegie Mellon University page 47 Questions?

Download ppt "© 2003 by Carnegie Mellon University page 1 Information Security Risk Evaluation for Colleges and Universities Carol Woody Senior Technical Staff Software."

Similar presentations

Making Sense out of the Information Security and Privacy Alphabet Soup in terms of Data Access A pragmatic, collaborative approach to promulgating campus-wide.

Making Sense out of the Information Security and Privacy Alphabet Soup in terms of Data Access A pragmatic, collaborative approach to promulgating campus-wide.
OCTAVESM Process 4 Create Threat Profiles

OCTAVESM Process 4 Create Threat Profiles
S3-1 © 2001 Carnegie Mellon University OCTAVE SM Process 3 Identify Staff Knowledge Software Engineering Institute Carnegie Mellon University Pittsburgh,

S3-1 © 2001 Carnegie Mellon University OCTAVE SM Process 3 Identify Staff Knowledge Software Engineering Institute Carnegie Mellon University Pittsburgh,
Lynn Ray ISO Towson University Strategic Planning for IT Security Copyright Lynn Ray, 2007. This work is the intellectual property rights of the author.

Lynn Ray ISO Towson University Strategic Planning for IT Security Copyright Lynn Ray, This work is the intellectual property rights of the author.
© 2005 by Carnegie Mellon University Version 1.0 The Security Professionals Conference. - page 1 Pittsburgh, PA 15213-3890 Ways to Fit Security Risk Management.

© 2005 by Carnegie Mellon University Version 1.0 The Security Professionals Conference. - page 1 Pittsburgh, PA Ways to Fit Security Risk Management.
2 Issues of the information age Computer _______ and mistakes –Preventing computer related waste & mistakes Computer crime –Computer as tool to commit.

2 Issues of the information age Computer _______ and mistakes –Preventing computer related waste & mistakes Computer crime –Computer as tool to commit.
S2-1 © 2001 Carnegie Mellon University OCTAVE SM Process 2 Identify Operational Area Management Knowledge Software Engineering Institute Carnegie Mellon.

S2-1 © 2001 Carnegie Mellon University OCTAVE SM Process 2 Identify Operational Area Management Knowledge Software Engineering Institute Carnegie Mellon.
Networked Systems Survivability CERT ® Coordination Center Software Engineering Institute Carnegie Mellon University Pittsburgh, PA 15213-3890 © 2002 Carnegie.

Networked Systems Survivability CERT ® Coordination Center Software Engineering Institute Carnegie Mellon University Pittsburgh, PA © 2002 Carnegie.
© 2001 by Carnegie Mellon University PPA-1 OCTAVE SM : Participants Briefing Software Engineering Institute Carnegie Mellon University Pittsburgh, PA 15213.

© 2001 by Carnegie Mellon University PPA-1 OCTAVE SM : Participants Briefing Software Engineering Institute Carnegie Mellon University Pittsburgh, PA
Management’s Role in Information Security V.T. Raja, Ph.D., Oregon State University.

Management’s Role in Information Security V.T. Raja, Ph.D., Oregon State University.
Smart Grid - Cyber Security Small Rural Electric George Gamble Black & Veatch

Smart Grid - Cyber Security Small Rural Electric George Gamble Black & Veatch
Advancing Security Programs through Partnerships Cathy HubbsShirley Payne IT Security Coordinator Director for Security Coordination & Policy George Mason.

Advancing Security Programs through Partnerships Cathy HubbsShirley Payne IT Security Coordinator Director for Security Coordination & Policy George Mason.
CERT ® System and Network Security Practices Presented by Julia H. Allen at the NCISSE 2001: 5th National Colloquium for Information Systems Security Education,

CERT ® System and Network Security Practices Presented by Julia H. Allen at the NCISSE 2001: 5th National Colloquium for Information Systems Security Education,
1 Telstra in Confidence Managing Security for our Mobile Technology.

1 Telstra in Confidence Managing Security for our Mobile Technology.
Security Controls – What Works

Security Controls – What Works
Information Security Policies and Standards

Information Security Policies and Standards
S5-1 © 2001 Carnegie Mellon University OCTAVE SM Process 5 Identify Key Components Software Engineering Institute Carnegie Mellon University Pittsburgh,

S5-1 © 2001 Carnegie Mellon University OCTAVE SM Process 5 Identify Key Components Software Engineering Institute Carnegie Mellon University Pittsburgh,
Cybersecurity Summit 2004 Andrea Norris Deputy Chief Information Officer/ Director of Division of Information Systems.

Cybersecurity Summit 2004 Andrea Norris Deputy Chief Information Officer/ Director of Division of Information Systems.
Information Systems Risk Analysis and Management Spyros Kokolakis University of the Aegean IPICS 2005, Chios, 18-29 July 2005.

Information Systems Risk Analysis and Management Spyros Kokolakis University of the Aegean IPICS 2005, Chios, July 2005.
January 14, 2010 Introduction to Ethical Hacking and Network Defense MIS 4600 - © Abdou Illia.

January 14, 2010 Introduction to Ethical Hacking and Network Defense MIS © Abdou Illia.

Similar presentations

Ads by Google