Assessing Current Network Concerns
Lesson 5
The Assessment
Two important elements you will need to determine in order to produce a valuable assessment:
Determine the value of the information and resources that are to be protected.
Determine the threats that may exist which jeopardize the confidentiality, integrity, or availability of the information and resources.
Asset Valuation
Can be qualitative or quantitative.
Business Impact Assessment/Analysis (BIA): used to determine what is important for inclusion in a BCP/DRP (check to see if they have accomplished one already). It assesses how the unavailability of each system/process would affect the organization.
Business Continuity Plan (BCP) and Disaster Recovery Plan (DRP): the desire is to protect the operations of the organization, not just the computing systems. The organization may (and should) have done a BIA as part of one of these, and you can possibly use the results to save some time.
Goals of a BIA
Identification of the processes that are critical to the profitability and continued viability of the organization.
Quantification of the financial and operational impact of an outage over time.
A determination of the recovery priority, recovery time, and recovery point for each application that supports a critical business process.
For our purposes we want to use the BIA to help us determine what needs to be protected and how valuable these assets are.
Asset Valuation
So, either using the BIA or the BIA process, we should know:
What the essential processes are for the organization.
What each process consists of/requires (in terms of information and resources).
What the value is of these processes (or, more appropriately, what the impact on the organization would be should they be lost).
Knowing what the assets are can help us better determine what the threats to the organization might be.
This may also be used later when we start evaluating acceptable residual risks.
Threats to the systems
“To control the risks of operating an information system, managers and users must know the vulnerabilities of the system and the threats that might exploit them.”
“Knowledge of the threat environment allows management to implement the most cost-effective security measures.”
“In some cases, managers may find it most cost-effective to simply tolerate the expected loss.”
Types of Threats
Computer Viruses
Computer Hackers
Denial of Service Attacks
E-Mail Mistakes (abuse of e-mail can become public, affecting the image of the organization)
Disgruntled Employees
Industrial Spying
Which one of these is most likely to occur? Which will have the greatest impact? Which will be the hardest to protect against?
Prioritizing Risks and Threats
According to the text:
“Once the possible threats have been identified, it is necessary to prioritize those risks so that the NVA can focus on those of highest concern. To accomplish this task as quickly as possible, it is necessary to assemble a team of interested employees. This team will determine the probability that the identified risk might occur and what its impact would be if it did occur.”
What’s the chance that a “team of interested employees” will be able to “determine the probability that the identified risk might occur and what its impact would be if it did occur”?
Hence the reason to obtain the BIA, if one is available.
Prioritizing Risks and Threats
To simplify things a bit, try these definitions:
Impact: a measure of the magnitude of loss or harm to the value of an asset.
Low impact: the business objective or mission of the enterprise is not significantly affected.
Medium impact: the event is limited to one business objective, or one business unit is affected.
High impact: the entire business or mission of the enterprise is affected.
Probability: the chance that an event will occur, or that a specific loss value will be incurred should the event occur.
Low probability: highly unlikely that the risk will occur during the next year.
Medium probability: possible that the risk will occur during the next year.
High probability: very likely that the risk will occur within the next year.
(don’t like the term “risk” being used in the above)
What to look at
The text discusses how to prioritize what to look at during the assessment. Columns are Impact, rows are Probability; each cell is the priority level:

                     Impact
Prob.        Low    Medium    High
Low           1       4        7
Medium        2       5        8
High          3       6        9

Concentrate first on items of level 6 or higher. If time permits, continue with level 5, then level 4.
Impact is one thing; how do you (or the team) determine the probability of an event occurring?
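The matrix turned into a small prioritization routine, added here as an example (not code from the slides or the text): it assigns each identified threat its level and groups the threats into the passes recommended above. The threat names and their ratings are constructed.

```python
# Prioritize threats with the lecture's 3x3 impact/probability matrix.
# Added example, not from the original slides: the threat names and
# ratings used below are constructed for illustration.
from dataclasses import dataclass

RATINGS = ("low", "medium", "high")

# Columns are Impact, rows are Probability, exactly as on the slide:
# low probability / low impact = 1 ... high probability / high impact = 9.
MATRIX = {
    "low":    {"low": 1, "medium": 4, "high": 7},
    "medium": {"low": 2, "medium": 5, "high": 8},
    "high":   {"low": 3, "medium": 6, "high": 9},
}

@dataclass(frozen=True)
class Threat:
    name: str
    probability: str  # chance the event occurs within the next year
    impact: str       # magnitude of loss or harm to the affected asset

def priority_level(probability: str, impact: str) -> int:
    """Cell for a (probability, impact) pair; unknown ratings are rejected."""
    p, i = probability.strip().lower(), impact.strip().lower()
    if p not in RATINGS or i not in RATINGS:
        raise ValueError(f"ratings must be one of {RATINGS}")
    return MATRIX[p][i]

def assessment_passes(threats):
    """Group threats as the slide recommends: level 6 or higher first,
    then level 5, then level 4; anything lower is deferred. Within a
    pass the higher level comes first (ties keep input order)."""
    passes = {"first": [], "level5": [], "level4": [], "deferred": []}
    for t in sorted(threats, key=lambda t: -priority_level(t.probability, t.impact)):
        level = priority_level(t.probability, t.impact)
        key = ("first" if level >= 6 else "level5" if level == 5
               else "level4" if level == 4 else "deferred")
        passes[key].append((t.name, level))
    return passes

# Constructed sample built from the threat types listed on the slides.
SAMPLE = [
    Threat("Computer virus outbreak", "high", "medium"),
    Threat("Denial of service attack", "medium", "high"),
    Threat("E-mail mistake made public", "high", "low"),
    Threat("Industrial spying", "low", "high"),
    Threat("Disgruntled employee", "medium", "medium"),
]
```

Calling assessment_passes(SAMPLE) puts the denial of service (8), industrial spying (7) and virus (6) entries in the first pass, the disgruntled employee (5) in the second, and defers the e-mail mistake (3).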
Checklists
Lots of checklists are available out there, and they can prove very useful.
Do not rely solely on checklists – use them as a guide or a starting point. Three are included as appendices in the text:
ISO 17799 Self Assessment Questionnaire: lots of good information covering a variety of areas. Look at it and adapt it to the specific environment.
Network Vulnerability Assessment Checklist: again, some good, useful information. Look at it and adapt it.
Windows NT Server 4.0: focused checklists such as this are often very useful – they can contain very valuable data. This one is a bit light; others are available online (check NIST).
Problems with checklists
What do you do with the results?
Great, so I have 20 Y’s, 32 N’s, and 4 N/A’s; now what?
Does this mean that I’m in good shape, bad shape, or somewhere in between?
Are all questions of equal importance?
Do you need to add some sort of weighting system to help identify the most critical?
Checklists might overlook key components of your security plan, and may also include unimportant aspects. Checklists need to be tailored.
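One way to answer the “now what?” question, added here as an example (not from the slides): a weighting scheme that scores the checklist results and surfaces the heaviest “N” answers. The questions, weight classes and answers are constructed.

```python
# Weighted scoring for checklist results. Added example, not from the
# slides: the questions, weight classes and answers below are constructed.

WEIGHTS = {"critical": 3, "important": 2, "minor": 1}

# Constructed sample: (question, weight class, answer); answers are Y, N or N/A.
CHECKLIST = [
    ("Approved security policy in place and distributed?", "critical", "N"),
    ("Backups restored successfully on a regular test schedule?", "critical", "Y"),
    ("Remote administration limited to authorized hosts?", "critical", "N"),
    ("Visitor log kept at the server room entrance?", "important", "Y"),
    ("Unused network services disabled on servers?", "important", "N"),
    ("Dial-up modem pool documented?", "minor", "N/A"),
    ("Screen savers password protected?", "minor", "N"),
]

def tally(checklist):
    """The raw Y/N/N/A counts the slide complains say little on their own."""
    counts = {"Y": 0, "N": 0, "N/A": 0}
    for _, _, answer in checklist:
        if answer not in counts:
            raise ValueError(f"answer must be Y, N or N/A, got {answer!r}")
        counts[answer] += 1
    return counts

def weighted_score(checklist):
    """Share of achievable weight answered Y, as a fraction. N/A questions
    are left out of the denominator so they neither help nor hurt; with no
    applicable questions at all there is no score, so None is returned."""
    earned = achievable = 0
    for _, weight_class, answer in checklist:
        if answer == "N/A":
            continue
        achievable += WEIGHTS[weight_class]
        if answer == "Y":
            earned += WEIGHTS[weight_class]
    return earned / achievable if achievable else None

def gaps(checklist, at_least="important"):
    """Questions answered N, heaviest first: the items to tailor a plan around."""
    floor = WEIGHTS[at_least]
    found = [(WEIGHTS[w], q) for q, w, a in checklist if a == "N" and WEIGHTS[w] >= floor]
    found.sort(key=lambda item: -item[0])  # stable, so ties keep checklist order
    return [q for _, q in found]
```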
Composition of the Assessment Team
So, who should be part of an assessment team? You need to cover all of the areas of concern:
Information protection
Operations
Telecommunications
Systems support
Network management
Desktop deployment
Account administration
Auditing
Physical security
Ideally, you’d have an “expert” in each of these areas. In practice, you may not have that many folks to draw on, so a SME you can ask questions of may be all you can hope for.
Assessment Timeline
How long should an assessment take?
The book mentions that one can take as long as 12 weeks.
In reality the answer is “it depends”. An assessment can take considerably longer than 12 weeks or can be as short as only a few weeks. It depends on scope (especially size).
In establishing the timeline, pay attention to:
Activities that must be accomplished before others.
Activities that you can conduct in parallel.
Make sure you allow sufficient time to write and review the final report.
This might include a preliminary “outbrief” for the organization upon completion of the assessment, to be followed by the official report at a later date.
Timeline for class assessments
For us, the timeline is driven by the academic calendar: a bit artificial, but a constraint we must live with.
The final report is to be presented during finals week.
Reports from each team go to the project leader a week before the end of class.
The external assessment is to be performed before the internal one.
The internal assessment and the review of policies etc. can be done concurrently.
Allow approximately two weeks for each part.
A public presence review, if requested, can be done quickly and should be accomplished before the external assessment begins.
Summary
What is the importance and significance of this material?
How does this topic fit into the subject of “Security Risk Analysis”?