
Security Assessment and Methodologies
Michael Poon
NETdefence Co. Limited
08 Nov 2002
(mpoon@netdefence.com)

Agenda
- Security Basics
- Best Practice in InfoSec Management
- InfoSec Risk Assessment
- Policies, Standards and Procedures

Security is Very Complex
Security is currently where networking was 15 years ago:
- Many parts & pieces
- Complex parts
- Lack of expertise in the industry
- No common GUI
- Lack of standards
- Attacks are growing

Security Basics: Information and Value of Information
Information
- Students, staff, plans, procedures, research, reports, mail, contracts, archives, passwords: ALL ARE DATA but NOT ALL ARE INFORMATION
- Beware: data aggregation can become sensitive information
Value of Information
- Impact and value of service
- Strategic value
  - Exam papers
- Recovery value
- Department image and reputation

Security Basics: The triads
SECURITY = QUALITY
- Integrity (correctness): completeness, validity, authenticity, non-repudiation; threatened by manipulation, destruction, falsification, repudiation
- Availability: continuity vs interruption; punctuality vs delay
- Confidentiality: exclusivity vs divulgation

Security Basics: The triads
SECURITY = QUALITY
- Authentication: verify identity; threatened by ID spoofing, ID masquerade, content modification
- Authorization: verify credentials, grant rights; threatened by unauthorized access
- Accounting: auditability; threatened by repudiation

Threats
Primary Threats
- Unauthorized access
- User masquerading
- Denial of service
- Physical attack
Secondary Threats
- Introduction of malware
- Bad security administration
- Uncontrolled changes
- Bad architecture, implementation or exploitation
- Misconfiguration
- Manual error

Best Practice InfoSec Management
- ISO/IEC 17799. Information Security Code of Practice (aka BS 7799)
- ISO/IEC 13335. Guidelines for the Management of IT Security (GMITS)
- ITIL Security Management
- Information Security Forum's Standard of Good Practice
- NIST's Principles and Practices for Securing IT Systems
- ISACA's Control Objectives for Information and related Technology (COBIT)

A Security Management Model
- Goals and costs
- Strategy: Prevent, Protect, Control, React
- Management
- Operations: Operability, Efficiency, Monitoring & Maintenance, Incident Handling & Forensics

A Security Management Model
- Strategy: define goals (availability, integrity, responsibility); sponsorship
- Management: policies, standards, procedures, reporting, control, legal, training, awareness, audit, technology, pentest
- Operations: operate security; awareness & training; verify logfiles, control, alerts; update security, report incidents
- Incident handling & forensics: analyze evidence, restore service, report, lessons learnt, escalation procedures, contingency

ISO17799/BS7799: What is it?
- A comprehensive set of controls comprising best practices in Information Security.
- An internationally recognized generic information security standard covering:
  - 10 subject domains;
  - 36 management objectives;
  - 127 controls; and
  - 500 detail controls.

ISO17799/BS7799: History
- UK Government initiative to promote confidence in inter-company trading
- Contributed by Shell, BOC, BT, Marks & Spencer, Midland Bank, Nationwide and Unilever
- First published as DTI Code of Practice as PD 0003 in 1993
- Rebadged and published by British Standards Institution (BSI) as BS7799 Version 1, in Feb 1995
- Top selling BSI publication in Spring 1996
- Major revision of BS7799 Version 2 published in May 1999
- Formal certification and accreditation schemes launched by BSI in the same year
- Fast track ISO initiatives accelerated
- Published as ISO standard in Dec 2000
- Increasing international acceptance as the primary de facto industry security standard

BSI Code of Practice Structure: The 10 Subject Domains in Part 1
- Security policy
- Security organization
- Assets classification & control
- Personnel security
- Physical & environmental security
- Computer & network management
- System access control
- System development & maintenance
- Business continuity planning
- Compliance

International Take Up
- BS7799 adopted by UK, Netherlands, Australia, New Zealand, Sweden, Switzerland and Norway since 1999.
- Recommended in US NIST Generally Accepted Principles for Securing IT Systems
- High usage in Europe, beginning to penetrate US market
- Certification schemes completed and operational in various countries since 1997
- Five companies received BS7799 certification in Hong Kong as of today.

Component Relationship
- Threats exploit Vulnerabilities
- Threats increase Security Risks
- Vulnerabilities expose Assets
- Vulnerabilities increase Security Risks
- Security Controls protect against Threats
- Security Controls reduce Security Risks
- Security Risks indicate Security Requirements
- Security Requirements are met by Security Controls
- Assets have Asset Values and Potential Impacts
- Asset Values and Potential Impacts increase Security Risks

What is ISO 13335?
ISO/IEC 13335: Guidelines for the Management of IT Security (GMITS)
- ISO/IEC TR 13335-1: 1996 Part 1: Concepts and models for IT Security
- ISO/IEC TR 13335-2: 1997 Part 2: Managing and planning IT Security
- ISO/IEC TR 13335-3: 1998 Part 3: Techniques for the management of IT Security
- ISO/IEC TR 13335-4: 2000 Part 4: Selection of safeguards
- ISO/IEC WD 13335-5: 1999 Part 5: Management guidance on network security

Risk Assessment Methodology
- Originally developed by the U.S. National Security Agency (NSA) as a standardised INFOSEC Assessment Methodology (IAM) for Department of Defence (DoD) organizations to perform their own INFOSEC assessments.
- A baseline methodology for information systems security assessment in the U.S. Government over the past fifteen years.
INFOSEC Assessment Methodology (IAM) developed by The National Security Agency (NSA) of the US Government

IAM - Baseline Categories
- INFOSEC documentation
- INFOSEC Roles and Responsibilities
- Contingency Planning
- Maintenance
- Identification & Authentication
- Account Management
- Session Controls
- External Connectivity
- Telecommunications
- Auditing
- Virus Protection
- Configuration Management
- Back-ups
- Labelling
- Media Sanitization/Disposal
- Physical Environment
- Personnel Security
- Training and Awareness

Part 2: Risk Assessment
Pre-Assessment
- Planning: aim; scope; boundary; gathering information; system description; target risk & required certainty
- Assessment preparation
Assessment
- Risk analysis: identify assets; asset valuation; identify threats; assess likelihood of a compromise; assess consequence of a compromise; identify vulnerabilities; identify safeguards; assess risk
- Recommendations
Post-Assessment
- Policy framework & requirement definition
- Decision on each risk: avoid, transfer, reduce or accept
- Accept risk, or avoid or transfer risk, as decided
- Reduce risk: safeguard selection (administrative, personnel, physical, technical), then construction and implementation, then certification
- Decision: if a significant change is required, refine the system design; if insignificant, proceed to operations and maintenance
- Accreditation

Assessment Steps
Pre-Assessment
- Planning
- Information gathering: identify system and information assets; understand the criticality of information and system; pre-analysis
- Output: established assessment boundary and prepared assessment plan
Onsite Assessment
- Risk analysis: analyse policy and standards; asset identification and valuation; threat analysis; vulnerability assessment; impact and likelihood analysis; risk level analysis
- Assessment of risks
Post-Assessment
- Recommendations: identification/review of constraints; risk acceptance; selection of safeguards
- Output: final assessment report

Risk Analysis
Qualitative Methodology
A qualitative methodology is adopted throughout the assessment in which scales (e.g. High, Low, Medium, 0,1,2,3,4) are used in rankings and description.

Risk Analysis
Asset Identification and Valuation
- Assets of IT infrastructure and systems within the assessment boundary are identified
- Each information asset is valued according to its sensitivity or criticality
- Agree upon the scale to be used and the guideline for assigning a value to an asset, e.g. on a scale of 0-4 based on CIA properties as shown in the table below.
- Other valuation methods can be used, e.g.
  - Safety
  - Loss of goodwill
  - Financial loss/disruption of activities, etc.

Asset                    Confidentiality   Integrity   Availability
Email Message
DNS Record
Firewall Configuration

Risk Analysis
Threat and Likelihood Analysis
- To identify the threats and to determine the likelihood of their occurrence
Vulnerability and Ease of Exploitation Analysis
- To identify and analyze the vulnerabilities of the IT Infrastructure and systems
Risk level matrix: Asset Value against Levels of Threats (Low, Medium, High) and Levels of Vulnerability (Low, Medium, High)
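As an added worked example (not part of the original slides), the following Python script carries the asset valuation and risk-level analysis described on these two Risk Analysis slides, and the avoid/transfer/reduce/accept decision from the Part 2 flow, through on constructed data. The 0-4 CIA scale, the Low/Medium/High threat and vulnerability levels and the asset names come from the slides; taking an asset's value as the highest of its three CIA ratings, the additive risk matrix, the treatment thresholds and the sample ratings and scenarios are assumptions made for the example.

```python
"""Worked qualitative risk analysis in the style of the slides.

Added example, not the presentation's own material. The asset-valuation rule
(asset value = highest CIA rating), the risk matrix, the treatment thresholds
and all sample data are constructed assumptions.
"""
from dataclasses import dataclass

# Qualitative scale for threat likelihood and vulnerability (from the slides).
LEVELS = ("Low", "Medium", "High")


@dataclass(frozen=True)
class Asset:
    name: str
    confidentiality: int  # 0-4
    integrity: int        # 0-4
    availability: int     # 0-4

    def value(self) -> int:
        """Asset value on the 0-4 scale: the highest of its CIA ratings (assumption)."""
        for rating in (self.confidentiality, self.integrity, self.availability):
            if not 0 <= rating <= 4:
                raise ValueError(f"{self.name}: CIA rating {rating} is outside the 0-4 scale")
        return max(self.confidentiality, self.integrity, self.availability)


def risk_level(asset_value: int, threat: str, vulnerability: str) -> int:
    """Risk level 0-8 from asset value, threat level and vulnerability level.

    Constructed additive matrix: each step up in threat or vulnerability adds one
    to the asset value, so a value-4 asset facing a High threat through a High
    vulnerability scores 8. An assumption, not the slide's own table.
    """
    if threat not in LEVELS or vulnerability not in LEVELS:
        raise ValueError("threat and vulnerability must be Low, Medium or High")
    return asset_value + LEVELS.index(threat) + LEVELS.index(vulnerability)


def treatment(level: int) -> str:
    """Risk treatment option for a risk level (thresholds are assumptions)."""
    if level >= 7:
        return "Avoid or Transfer"
    if level >= 4:
        return "Reduce"
    return "Accept"


@dataclass(frozen=True)
class Finding:
    asset: str
    threat: str
    threat_level: str
    vulnerability: str
    level: int
    treatment: str


def assess(assets, scenarios):
    """Rank threat scenarios by risk level, highest first, with a treatment each."""
    by_name = {a.name: a for a in assets}
    findings = []
    for asset_name, threat, threat_level, vuln in scenarios:
        level = risk_level(by_name[asset_name].value(), threat_level, vuln)
        findings.append(Finding(asset_name, threat, threat_level, vuln, level, treatment(level)))
    return sorted(findings, key=lambda f: f.level, reverse=True)


# Constructed sample assets: names from the slide's table, ratings are assumptions.
SAMPLE_ASSETS = [
    Asset("Email Message", confidentiality=2, integrity=2, availability=1),
    Asset("DNS Record", confidentiality=0, integrity=4, availability=3),
    Asset("Firewall Configuration", confidentiality=4, integrity=4, availability=3),
]

# Constructed scenarios: (asset, threat from the Threats slide, threat level, vulnerability level).
SAMPLE_SCENARIOS = [
    ("Email Message", "Unauthorized access", "Medium", "Medium"),
    ("DNS Record", "Denial of service", "High", "Low"),
    ("Firewall Configuration", "User masquerading", "Medium", "High"),
]

if __name__ == "__main__":
    for f in assess(SAMPLE_ASSETS, SAMPLE_SCENARIOS):
        print(f"{f.level}  {f.asset:<24} {f.threat:<20} threat={f.threat_level:<6} "
              f"vuln={f.vulnerability:<6} -> {f.treatment}")
```

Running the script lists the firewall configuration first (level 7, avoid or transfer), then the DNS record (level 6, reduce), then the email message (level 4, reduce); swapping in a different matrix or thresholds only requires changing risk_level and treatment, which is the point of agreeing the scale before valuing assets.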

Risk Assessment Report
Risk Analysis
- Assets Identification and Valuation
- Threat and Vulnerability Analysis
- Impact and Likelihood Analysis
- Risk Level Analysis
Assessment of Risks
- Findings
- Priority
- Discussion
- Recommendation

From Best Practice to Security Management Model
InfoSec Risk Assessment
- Inputs: document review, interviews, tests
- Outputs: findings, risk analysis, recommendations
- Result: Risk Assessment Report on the current state of information security
Gap analysis of the report against best practice, e.g. ISO 17799, leads to the InfoSec Enhancement Plan.
Security Management Model outline:
1. STRATEGY
1.1 Continuity of Business
1.2 Quality Criteria
1.3 Sponsorship
2. MANAGEMENT
2.1 Policies, Standards, Procedures
2.2 Awareness & Training
2.3 Legal & Regulatory
2.4 Security Controls & Audit
3. OPERATIONS
3.1 Perimeter Security
3.2 Network Security
3.3 Operating System Security
3.4 Database Security
3.5 Application Security
4. MAINTENANCE
4.1 Technology Watch
4.2 Monitoring
5. INCIDENT HANDLING
5.1 Penetration Testing
5.2 Forensics

Building Information Security Policies, Standards & Procedures
Laws, regulations & requirements feeding the policy hierarchy:
- HKSAR laws and legislation
- PCO guidelines & regulations
- Best practice InfoSec management, e.g. ISO 17799 standard
- ITS Security Policy
- Departmental security requirements
Hierarchy: Policies -> Standards -> Procedures, Practices -> Guidelines

Step by Step to InfoSec Management
1. Assess risk and determine needs
   1. Recognize information resources as essential organizational assets
   2. Develop practical risk assessment procedures that link security to needs and objectives
   3. Hold individuals accountable
   4. Manage risk on a continuing basis
2. Establish a central management focal point
   5. Designate a central group to carry out key activities.
   6. Provide the central group ready and independent access to senior members.
   7. Designate dedicated funding and staff.
   8. Enhance staff professionalism and technical skills
3. Implement appropriate policies and related controls
   9. Link policies to needs and objectives
   10. Distinguish between policies and guidelines.
   11. Support policies through central security group.
4. Promote awareness
   12. Continually educate users and others on risks and related policies
   13. Use attention-getting and user-friendly techniques.
5. Monitor and evaluate policy and control effectiveness
   14. Monitor factors that affect risk and indicate security effectiveness.
   15. Use results to direct future efforts and hold individuals accountable.
   16. Be alert to new monitoring tools and

Thank you!
