Software Process Improvement Overview - PowerPoint PPT Presentation

Slides: 37
Provided by: SoftwareEn70

Transcript and Presenter's Notes


1
Information Security Risk Evaluations and OCTAVE
  • Software Engineering Institute
  • Carnegie Mellon University
  • Pittsburgh, PA 15213
  • Sponsored by the U.S. Department of Defense

2
Current State of Evaluations
  • Products and services vary widely
  • Technological focus
  • Often conducted without a site's direct
    participation
  • Precipitated by an event
  • Evaluation criteria are often inconsistent or
    undefined

3
OCTAVE(SM)
  • Operationally Critical Threat, Asset, and
    Vulnerability Evaluation(SM)
  • Operationally Critical Threat, Asset, and
    Vulnerability Evaluation and OCTAVE are service
    marks of Carnegie Mellon University

4
Goals of OCTAVE Approach
  • Organizations are able to
      • direct and manage risk assessments for themselves
      • make the best decisions based on their unique
        risks
      • focus on protecting key information assets
      • effectively communicate key security information

5
OCTAVE Approach
OCTAVE-S Method
OCTAVE Method
6
OCTAVE Method
  • Defines a systematic, context-sensitive method
    for evaluating risks for large organizations.
  • Defines implementation
      • detailed procedures for each process
      • worksheets and templates for each process
      • information catalogs
      • preparation and tailoring guidance
      • briefing slides

7
(No Transcript)
8
Conducting OCTAVE
time
Analysis Team
  • An interdisciplinary team of an
    organization's personnel who facilitate the
    process and analyze data
      • business or mission-related staff
      • information technology staff

9
(No Transcript)
10
Asset
  • Something of value to the organization
      • information
      • systems
      • software
      • hardware
      • people
  • Examples: personnel database, your local network
    and office workstations, etc.
  • What types of assets are critical to you?

11
Critical Assets
  • The most important information assets to the
    organization
  • There will be a large adverse impact to the
    organization if one of the following occurs
      • The asset is disclosed to unauthorized people.
      • The asset is modified without authorization.
      • The asset is lost or destroyed.
      • Access to the asset is interrupted.

12
Security Requirements
  • Outline the qualities of an asset that are
    important to protect
      • confidentiality
      • integrity
      • availability
  • Example: Your personnel records must be kept
    confidential and they must be correct and
    complete.
  • Do you know what the security requirements are
    for the assets you work with?

13
Security Practices
  • Actions that help initiate, implement, and
    maintain security in an organization.
  • Example: Security awareness is provided for all
    new employees.
  • Do you know what security practices you are
    supposed to follow?

14
OCTAVE Catalog of Practices
15
Strategic Practice Areas
  • Security Awareness and Training
  • Collaborative Security Management
  • Security Management
  • Contingency Planning/Disaster Recovery
  • Security Policies and Regulations
  • Security Strategy

16
Operational Practice Areas
  • Physical Security
      • Physical Security Plans and Procedures
      • Physical Access Control
      • Monitoring and Auditing Physical Security
  • Information Technology Security
      • System and Network Management
      • System Administration Tools
      • Monitoring and Auditing IT Security
      • Authentication and Authorization
      • Vulnerability Management
      • Encryption
      • Security Architecture and Design
  • Staff Security
      • Incident Management
      • General Staff Practices

17
What is a Threat?
  • An indication of a potential undesirable event
  • Threat properties
  • Asset
  • Actor
  • Motive (or objective)
  • Access
  • Outcome

18
Threat Profile
  • One threat profile per critical asset
  • visually represented using asset-based threat
    trees.
  • A threat profile contains a range of threat
    scenarios for the following sources of threats
  • human actors using network access
  • human actors using physical access
  • system problems
  • other problems
  • How are your critical assets threatened?

19
Human Actors - Network Access
Threat tree (levels: asset, access, actor, motive, outcome)
  • asset
      • network (access)
          • inside (actor)
              • accidental (motive): disclosure, modification,
                loss/destruction, interruption
              • deliberate (motive): disclosure, modification,
                loss/destruction, interruption
          • outside (actor)
              • accidental (motive): disclosure, modification,
                loss/destruction, interruption
              • deliberate (motive): disclosure, modification,
                loss/destruction, interruption

20
Other Problems
Threat tree (levels: asset, actor, outcome)
  • asset
      • natural disasters: disclosure, modification,
        loss/destruction, interruption
      • ISP unavailable: disclosure, modification,
        loss/destruction, interruption
      • telecommunications problems or unavailability:
        disclosure, modification, loss/destruction,
        interruption
      • power supply problems: disclosure, modification,
        loss/destruction, interruption

21
(No Transcript)
22
Vulnerability Evaluations and Tools
  • Vulnerability evaluations evaluate systems and
    components with tools
  • Vulnerability tools identify
      • known weaknesses in technology
      • misconfigurations of well-known administrative
        functions, such as
          • file permissions on certain files
          • accounts with null passwords
      • what an attacker can determine about your systems
        and networks

23
What Vulnerability Tools Identify
Operational Practice Areas
  • Physical Security
      • Physical Security Plans and Procedures
      • Physical Access Control
      • Monitoring and Auditing Physical Security
  • Information Technology Security
      • System and Network Management
      • Monitoring and Auditing IT Security
      • Authentication and Authorization
      • Encryption
      • Vulnerability Management
      • System Administration Tools
      • Security Architecture and Design
  • Staff Security
      • Incident Management
      • General Staff Practices

24
What Vulnerability Identification Tools Do Not Identify
  • Misapplied or improper system administration
    (users, accounts, configuration settings)
  • Unknown vulnerabilities in operating systems,
    services, applications, and infrastructure
  • Incorrect adoption or implementation of
    organizational procedures

25
Which Systems? Which Components?
  • For your critical assets, identify
      • related systems
      • key components on those systems
  • Select an approach for evaluating each system/
    component.
  • Gain approvals or contract for the evaluation
      • who will perform the evaluation?
      • which tool(s) will be used?
      • when?

26
Sample Report Data
27
(No Transcript)
28
Risk
  • Risk is a combination of the threat and the
    impact to the organization resulting from the
    following outcomes
      • disclosure
      • modification
      • destruction/loss
      • interruption
  • Example: If a person with a home PC brings a
    file with a virus to their office, they could
    corrupt every other PC and the network. At best,
    a few hours to clean up the system; at worst,
    days to recover damaged files.

29
Evaluating Risks
  • Risks are evaluated to provide key information
    needed by decision makers
      • which risks to actually mitigate
      • relative priority
  • Impact and probability are two attributes of
    risks that are often evaluated.
  • Only impact is evaluated in OCTAVE.

30
Risk Mitigation Plan
  • Defines the activities required to mitigate
    risks/threats
  • A mitigation plan focuses on activities to
      • actions to recognize or detect this threat type
        as it occurs
      • actions to resist this threat type or prevent it
        from occurring
      • actions to recover from this threat type if it
        occurs
      • other actions to address this threat type
  • Draw from the catalog of practices to help define
    the activities

31
OCTAVE Catalog of Practices
32
Protection Strategy Development
  • The analysis team uses the results of the surveys
    and the mitigation plans to build an
    organization-wide strategy for improving
    security.
      • practices to improve
      • new practices to add
      • practices to keep doing
  • A key artifact is OCTAVE's Catalog of Practices
      • strategic practices
      • operational practices

33
Some Keys to Success
  • Getting senior management sponsorship
  • Selecting the right analysis team
  • Scoping the evaluation
  • Selecting participants

34
Where Is OCTAVE Going?
  • Monitoring pilots in DoD, Government, and
    industry sectors
  • Public release of OCTAVE Method Implementation
    Guide - 3Q 2001
  • Public release of the OCTAVE criteria - 4Q 2001
  • OCTAVE Method Training - 1Q FY 2002
  • Prototyping OCTAVE-S for small organizations

35
Questions?
36
For Additional Information
  • Telephone: 412 / 268-5800
  • Fax: 412 / 268-5758
  • Internet: customer-relations_at_sei.cmu.edu,
    security-improvement_at_cert.org,
    octave-info_at_sei.cmu.edu
  • WWW: http://www.cert.org/octave
  • U.S. mail: Customer Relations, Software
    Engineering Institute, Carnegie Mellon
    University, Pittsburgh, PA 15213-3890