Security Risk Management and Assessment System

Transcription

1 ABSTRACT SAGEPOT: A TOOL FOR SECURITY ASSESSMENT AND GENERATION OF POLICY TEMPLATES K. Saleh, A. Meliani, Y. Emad and A. AlHajri American University of Sharjah, Department of Computer Science Box 26666, Sharjah, UAE ksaleh@aus.edu Security is becoming an increasingly critical aspect guaranteeing the survivability of systems and the trustworthiness of the organizations owning them. One way to increase the trust in the existing security is to develop and maintain a set of comprehensive security policies directing the actions for preventing, eliminating or reducing security risks, threats, and vulnerabilities to an organization s assets. According to various security surveys [1], about half of the companies and organizations do not have clear security plans or policies. In this work, we have developed a tool for system Security Assessment and GEneration of POlicy Templates (SAGEPOT). The assessment of security is based on the areas identified in the ISO standard [2]. Starting from the standard, we have mapped the elements of the standard areas to twelve security policies that may need to be developed in an organization. After interacting with SAGEPOT, a report on the compliance with the standard is generated. In addition, templates for the various necessary security policies are generated. SAGEPOT can be used to identify the security gaps and to help in getting the organization ISO compliant and ready for certification. Our experience in the application of our tool to an existing organization will be reported. Keywords: assessment, ISO 17799, policy generation, security, standard, tool. 1. INTRODUCTION To increase users trust in the services they use, there is a need to ensure that the systems providing these services are trustworthy systems. These systems must meet the needs of the system s stakeholders with respect to security, privacy, reliability and business integrity. With the increasing dependency on the security and trustworthiness of information technologies for doing business using computers, palms, wireless devices, and the Internet, there is a need to formalize and quantify the process of assessing security of any information technology-based system. A formal process for assessing system security in a given organization providing IT-based services and the immediate attention to any security deficiencies would lead to the delivery of trustworthy and dependable services. The assessment and quantification of security can be embedded in a tool that can be used by the security auditor or system administrator to pinpoint any deficiency in the way security is being provided. Compliance with international security standards can be used as a reference point to identify any security gaps to the assessor. The rest of the paper is organized as follows. Section 2 includes an overview of the security engineering process including assets identification, risk analysis on assets, security requirements, security policies and controls. We also map the ISO standard areas to the different security requirement categories and to the twelve security policies. This mapping is very important since it is used to structure the interactions with our tool. Section 3 includes a description of the functionality and design of SAGEPOT, and reports on our experience with the tool on a case study. Finally, we conclude the paper and discuss future enhancements of this work.

2 2. SECURITY ENGINEERING PROCESS AND MAPPING The system security engineering process starts with the identification of risks relevant to the services provided by the system. Based on these risks, security requirements will be developed. Security assessment will be based on the conformity of the security implementations to the stated requirements. Finally, a mapping between risks, requirements and standard areas is done in order to facilitate the implementation of our assessment and policy generation tool Security Risks We have identified the following security risk areas that may generically exist in an IT-based system: 1. Personnel risks - these risks are related to personnel backgrounds and administrative issues. Examples of personnel risks are lack of unique identifier for users, and not identifying the type of access for users. 2. risks - these risks are related to electronic mail issues. Examples of risks are that electronic mail is not protected against modification. And viruses attached to s. 3. Asset identification risks - these risks are related to assets identification. An example of asset identification risks is the damage to valuable assets. 4. Audit risks these risks are related to the security audits collected by the system during its operation. An example of a risk is the damage to the backup media. 5. Integrity risks these risks are related to the integrity of data in storage or while being transferred, like information interception, modification, and fabrication by intruders. 6. Network risks these risks are related to the network exposures, like failure of the network and the interception of information transmitted via networks. 7. Survivability risks these risks are related to the availability of the organization s services. Examples of such risks include denial of service and single point of failure. 8. System development and maintenance risks these risks are related to the in-house software development and include modifying the software under development and the introduction of Trojan horses in the code. 9. Software risks these risks are related to the deployment of software in the organization. Examples of such risks include the unavailability of the software, the software including Trojan horses and some legal consequences. 10. Access control risks - these risks are related to unauthorized and unauthenticated accesses to system resources, like the risk of theft of passwords and accessing sensitive information. 11. Compliance risks related to non-compliance with the standard, for example the risk of not updating the security policy on a regular basis. 12. Hardware/Physical risks - these risks are related to the physical survivability of the system, like susceptibility to fire, flood, and natural disasters, and damaged storage devices containing sensitive information. Twelve security policies are centered on the above risk areas. Minimal generic templates were developed and selected parts of each template will be discarded based on the results of the interactions with the user Security Requirements and Standard Areas A security requirement is typically a detailed requirement driven by potential security threats in order to implement a security policy. Firesmith [3] identifies twelve types of security requirements. We have clustered them around the following types of requirements after adding the compliance requirements type. R1. Access Control Requirements: identification, authorization, and authentication.

3 R2. Immunity Requirements R3. Integrity and Non-repudiation Requirements R4. Intrusion Detection and Prevention Requirements R5. Security Auditing Requirements R6. Survivability Requirements R7. System Maintenance Security Requirements R8. Physical Protection Requirements R9. Security standard compliance Requirements R10. Privacy Requirements The ISO standard [2] includes the following conformity areas of information systems security: S1. Information Security Policy S2. Organizational Security S3. Asset Classification and Control S4. Personnel Security S5. Physical and Environmental Security S6. Communications and Operations Management S7. Access Control S8. System Development and Maintenance S9. Business Continuity Management S10. Compliance Compliance of a system to standard is assessed by checking many elements of security described under each of the ISO standard areas. The standard does not put any emphasis or weight on any area or on any element within an area. However, the acceptable risk level for a particular risk area may be used to evaluate different areas with different weights or impacts Mapping In this section, we provide a mapping of security risks, security requirements, and policies to ISO standard areas. Based on this mapping, our tool will be able to assess compliance of the system under examination to the ISO standard. Table 1 below shows this mapping. Table 1: Mapping of risks, policies and requirements to ISO17799 standard areas. Risk area / Policy Requirements Standard areas Personnel R1, R3, R8 S1, S2, S4, S6, S7, S8, S10 R1, R2, R3, R9 S6 Asset identification R1, R5 S2, S3 Audits R3, R5, R6, R8 S4, S6, S7 Integrity R3 S6, S8, S10 Network R1, R2, R4, R6, R8 S6, S7 Survivability R6 S4, S6, S9, S10 System development and R7 S10 maintenance Software R2 S6, S7, S8, S10 Access control R1 S2, S6, S7, S8, S10 Compliance R9 S10 Physical assets security R8 S5, S10 Privacy R10 S1

4 3. ASSESSMENT TOOL AND APPLICATION In this section, we first briefly describe our tool and then we report on the use of the tool to assess an IT-provider that preferred to be anonymous Brief Tool Description Our tool, SAGEPOT, was developed in Visual Basic connecting to Microsoft s SQL Server 2000, and consisted of about 6,000 lines of code. In addition to the basic file management functionalities that include the creation, editing and saving of individual security profiles of systems to assess, the tool includes modules to deal with risk management, policy assessments and policy generation. The risk management modules help the security auditor to identify the relevant security risk areas and the tolerable level of risk in each area. This will help the policy assessment modules to direct the interactions towards the relevant risk areas. For example, if the auditor does not identify as a risk area (i.e., because is not used), then no questions related to services will be asked in the assessment part. After finishing the assessment part, the system will inform the user of the percentage of compliance with ISO standard. All questions in the assessment carry equal weight in this quantification. In case the user did a partial assessment and needs to continue later, the profile can be saved and updated later. Once the assessment is completed, the user can invoke the security policy generation modules to generate templates around the twelve security policies identified generically in our work. The policy templates and the degree of compliance depends on the accuracy of the user answers to each of the questions posed. The user can for each question indicate that the security item in question is dealt with, or is necessary but not dealt with, or is not necessary (and therefore not dealt with) or finally, or unknown if the user cannot understand the question Application of the Tool We have approached an IT-provider organization to check the usefulness of our tool. We were asked to be anonymous when reporting the case. This organization found the tool to be useful since they were going to go through a security audit shortly after using our tool. 100% 90% 80% 70% 60% 50% 40% 30% 20% 10% 0% unknown action missing but not required action taken action missing but required Figure 1: Compliance with the ten areas of ISO17799.

5 Figure 1 shows the summary of the assessment according to compliance with the ten security standard areas. After completing the assessment process, the tool indicated a 47% compliance with ISO17799, and templates of the relevant security policies were generated. CONCLUSION AND FUTURE WORK In this paper, we have introduced a tool for the assessment of security and the identification of security gaps by considering ISO as a reference standard. The tool interacts with the security auditor through a series of structured questions centered around ten security domains of the ISO standard. Consequently, the tool generates statistics on ISO compliance, in addition to generic templates addressing the necessary security policies that need to be developed. Further work on making the tool more user-friendly is under way. In addition, experimentation with the tool to assess systems in different application contexts should be performed. Evaluation of the usefulness of the tool and ways to improve it should also be done. ACKNOWLEDGEMENT The authors would like to acknowledge support of this work by AUS research unit. REFERENCES [1] Information Security Breaches Survey 2004 by PriceWaterhouseCooper. [2] ISO/IEC 17799, Code of Practice for Information Security Management, International Organization for Standardization (ISO), Switzerland, [3] Firesmith D., Engineering Security Requirements, Journal of Object Technology, vol.2, no.1, Jan- Feb 2003.