SECOND EDITION THE SECURITY RISK ASSESSMENT HANDBOOK. A Complete Guide for Performing Security Risk Assessments DOUGLAS J. LANDOLL

Transcription

1 SECOND EDITION THE SECURITY RISK ASSESSMENT HANDBOOK A Complete Guide for Performing Security Risk Assessments DOUGLAS J. LANDOLL CRC Press Taylor & Francis Group Boca Raton London New York CRC Press is an imprint of the Taylor & Francis Group, an informa business AN AUERBACH BOOK

2 Contents Biography xix 1 Introduction The Role of the Information Security Manager Audit as a Driver for Security Initiatives Technology as a Driver for Security Initiatives Compliance as a Driver for Security Initiatives Security Risk as a Driver for Security Initiatives Ensuring a Quality Information Security Risk Assessment Security Risk Assessment The Role of the Security Risk Assessment Definition of a Security Risk Assessment The Need for a Security Risk Assessment Checks and Balances Periodic Review Risk-Based Spending A Requirement Security Risk Assessment Secondary Benefits Related Activities Gap Assessment Compliance Audit Security Audit Vulnerability Scanning Penetration Testing Ad Hoc Testing Social Engineering War Dialing The Need for This Book Who Is This Book For? 18 Exercises 19 Notes 20 VII

3 viii H Contents References 21 Bibliography 21 2 Information Security Risk Assessment Basics Phase 1: Project Definition Phase 2: Project Preparation Phase 3: Data Gathering Phase 4: Risk Analysis Assets Threat Agents and Threats Threat Agents Threats Vulnerabilities Security Risk Phase 5: Risk Mitigation Safeguards Residual Security Risk Phase 6: Risk Reporting and Resolution Risk Resolution 34 Exercises 35 Notes 36 References 37 3 Project Definition Ensuring Project Success Success Definition Customer Satisfaction Quality of Work Completion within Budget Setting the Budget Determining the Objective Limiting the Scope Underscoping 52 3 A.4.2 Overscoping Security Controls Assets Reasonableness in Limiting the Scope Identifying System Boundaries Physical Boundary Logical Boundaries Specifying the Rigor Sample Scope Statements 60

4 Contents a ix 3.2 Project Description Project Variables Statement of Work Specifying the Service Description Scope of Security Controls Specifying Deliverables Contract Type Contract Terms 67 Exercises 70 Notes '.. 71 References 72 Security Risk Assessment Preparation Introduce the Team Introductory Letter Pre-Assessment Briefing Obtain Proper Permission Policies Required Permission Required Scope of Permission Accounts Required Review Business Mission What Is a Business Mission? Obtaining Business Mission Information Identify Critical Systems Determining Criticality Approach 1: Find the Information Elsewhere Approach 2: Create the Information on a High Level Approach 3: Classify Critical Systems Identify Assets Checklists and Judgment Asset Sensitivity/Criticality Classification Approach 1: Find Asset Classification Information Elsewhere Approach 2: Create Asset Classification Information Approach 3: Determine Asset Criticality Asset Valuation Approach 1: Binary Asset Valuation Approach 2: Classification-Based Asset Valuation 91

5 Contents Approach 3: Rank-Based Asset Valuation Approach 4: Consensus Asset Valuation Approaches 5-7: Accounting Valuation Approaches Identifying Threats Threat Components Threat Agent Undesirable Events Listing Possible Threats Checklists and Judgment Threat Agent and Undesirable Event Pairing Threat Statements Validating Threat Statements Factors Affecting Threat Statement Validity Determine Expected Controls 104 Exercises 108 Notes 108 References 110 Bibliography Data Gathering Ill 5.1 Sampling Sampling Objectives Sampling Types Use of Sampling in Security Testing Approach 1: Representative Testing Approach 2: Selected Sampling Approach 3: Random Sampling The RIIOT Method of Data Gathering RIIOT Method Benefits RIIOT Method Approaches Review Documents or Designs Interview Key Personnel Inspect Security Controls Observe Personnel Behavior Test Security Controls Using the RIIOT Method 140 Exercises 141 Notes 141 References Administrative Data Gathering Threats and Safeguards 145

6 Contents xi Human Resources Recruitment Employment Termination Organizational Structure Senior Management Security Program Security Operations Audit Information Control User Accounts User Error Asset Control Sensitive Information Business Continuity Contingency Planning Incident Response Program System Security System Controls Application Security Configuration Management Third-Party Access The RIIOT Method: Administrative Data Gathering Review Administrative Documents Documents to Request Review Documents for Clarity, Consistency, and Completeness Reviewing Documents Other than Policies Interview Administrative Personnel Administrative Interview Topics Administrative Interview Subjects Administrative Interview Questions Inspect Administrative Security Controls Listing Administrative Security Controls Verify Information Gathered Determine Vulnerabilities Document and Review Findings Inspect the Security Organization Observe Administrative Behavior Test Administrative Security Controls Information Labeling Testing 200

7 xii Contents Media Destruction Testing Account and Access Control Procedures Testing Outsourcing and Information Exchange 209 Exercises 211 Notes 212 References 214 Bibliography Technical Data Gathering Technical Threats and Safeguards Information Control User Error Sensitive and Critical Information User Accounts Business Continuity Contingency Planning System Security System Controls Application Security Change Management Secure Architecture Topology Transmission Perimeter Network Components Access Control Intrusion Detection Configuration System Settings Data Security Storage Transit The RIIOT Method: Technical Data Gathering Review Technical Documents Technical Documents to Request Review Technical Documents for Information Review Technical Security Designs Interview Technical Personnel Technical Interview Topics Technical Interview Subjects Technical Interview Questions 248

8 Contents B xiii Inspect Technical Security Controls List Technical Security Controls Verify Information Gathered Determine Vulnerabilities Document and Review Findings Observe Technical Personnel Behavior Test Technical Security Controls Monitoring Technology Audit Logs Anti-Virus Systems Automated Password Policies Virtual Private Network Firewalls, IDS, and System Hardening Vulnerability Scanning Penetration Testing Testing Specific Technology 280 Exercises 283 Notes 283 Reference 285 Bibliography 285 Physical Data Gathering Physical Threats and Safeguards Utilities and Interior Climate Power Heat Humidity Fire Fire Impact and Likelihood Fire Safeguards Fire Alarm Systems Fire Alarm Installation Types Fire Suppression Fire Evacuation Flood and Water Damage Lightning Earthquakes Volcanoes Landslides Hurricanes Tornadoes Natural Hazards Summary Human Threats to Physical Security 312

9 xiv H Contents Personnel Screening Barriers Lighting Intrusion Detection Physical Access Control Preventing Unauthorized Entry Preventing Unauthorized Removal The RIIOT Method: Physical Data Gathering Review Physical Documents Physical Documents to Request Review Physical Documents for Information Interview Physical Personnel Physical Security Interview Topics Physical Security Interview Subjects Physical Security Interview Questions Inspect Physical Security Controls Listing Physical Security Controls Verify Information Gathered Determine Physical Vulnerabilities Document and Review Physical Findings Observe Physical Personnel Behavior Test Physical Security Safeguards Doors and Locks Intrusion Detection 352 Exercises 352 Notes 362 References Security Risk Analysis Determining Security Risk Uncertainty and Reducing Uncertainty Review Available Data Examine Historical Data Use Judgment Use Tools Use Conditional Probabilities Creating Security Risk Statements Team Review of Security Risk Statements Obtaining Consensus Deriving Overall Security Risk 378 Exercises 378 Notes 378 References 379

10 Contents a xv 10 Security Risk Mitigation Selecting Safeguards Method 1: Missing Control Leads to Implementing Safeguard Method 2: People, Process, Technology Method 3: Administrative, Physical, Technical Method 4: Preventive, Detective, Corrective Method 5: Available Technology Safeguard Solution Sets Safeguard Cost Calculations Justifying Safeguard Selections Justification through Judgment Cost-Benefit Analysis Establishing Security Risk Parameters 389 Exercises 392 Notes 392 Bibliography Security Risk Assessment Reporting Cautions in Reporting Pointers in Reporting Report Structure Executive-Level Report Base Report Appendices and Exhibits Document Review Methodology: Create the Report Using a Top-Down Approach Document Specification Draft Final Assessment Brief Action Plan 406 Exercises 406 Note 407 References 407 Bibliography Security Risk Assessment Project Management Project Planning Project Definition Project Planning Details Project Phases and Activities Phases and Activities Scheduling Allocating Hours to Activities 412

11 xvi H Contents Project Resources Objectivity vs. Independence Internal vs. External Team Members Skills Required Team Skills Team Member Skills Project Tracking Hours Tracking Calendar Time Tracking Project Progress Tracking Taking Corrective Measures Obtaining More Resources Using Management Reserve Project Status Reporting Report Detail Report Frequency Status Report Content Project Conclusion and Wrap-Up Eliminating "Scope Creep" Eliminating Project Run-On 432 Exercises 432 Notes 433 Reference Security Risk Assessment Approaches Quantitative vs. Qualitative Analysis Quantitative Analysis Expected Loss Single Loss Expectancy Annualized Loss Expectancy Safeguard Value Quantitative Analysis Advantages Quantitative Analysis Disadvantages Qualitative Analysis Qualitative Analysis Advantages Qualitative Analysis Disadvantages Tools Lists Templates Security Risk Assessment Methods FAA Security Risk Management Process OCTAVE FRAP 448

12 Contents a xvii CRAMM NSAIAM 451 Exercises 451 Notes 452 References 452 Index 455