Need to present research reports on
1. Sarbanes-Oxley Act of 2002
2. Solar Winds
Both reports should be written with a word count of 70-105 words (not more than the count provided) and should provide a URL reference link too.
Note : NO PLAGIARISM
Should have minimum of 3 statements which describes the information about the report.
Tips: Should be in simple, own words with no usage of critical words; the file is attached to know in detail what to write on. This question is from a cyber security subject, so the matter should relate to cyber security for sure and should connect to readers.
Deadline: Sep 16, 2022 12:00 PM CST
Security in Computing,
Fifth Edition
Chapter 9: Privacy
From Security in Computing, Fifth Edition, by Charles P. Pfleeger, et al. (ISBN: 9780134085043). Copyright 2015 by Pearson Education, Inc. All rights reserved.
Chapter 9 Objectives
Define privacy and fundamental computer-related privacy challenges
Privacy principles and laws
Privacy precautions for web surfing
Spyware
Email privacy
Privacy concerns in emerging technologies
What Is Privacy?
Privacy is the right to control who knows certain aspects about you, your communications, and your activities
Types of data many people consider private:
Identity
Finances
Health
Biometrics
Privileged communications
Location data
Subject: person or entity being described by the data
Owner: person or entity that holds the data
Computer-Related Privacy Problems
Data collection
Advances in computer storage make it possible to hold and manipulate huge numbers of records, and those advances continue to evolve (new cyber warfare technique)
Notice and consent
Notice of collection and consent to allow collection of data are foundations of privacy, but with modern data collection, it is often impossible to know what is being collected
Control and ownership of data
Once a user consents to provide data, the data is out of that user’s control. It may be held indefinitely or shared with other entities.
Fair Information Practices
Data should be obtained lawfully and fairly
Data should be relevant to their purposes, accurate, complete, and up to date
The purposes for which data will be used should be identified and that data destroyed if no longer necessary for that purpose
Use for purposes other than those specified is authorized only with consent of data subject or by authority of law
Procedures to guard against loss, corruption, destruction, or misuse of data should be established
It should be possible to acquire information about the collection, storage, and use of personal data systems
The data subjects normally have a right to access and challenge data relating to them
A data controller should be designated and accountable for complying with the measures to effect these principles
Based on a 1973 study led by Willis Ware.
U.S. Privacy Laws
The 1974 Privacy Act embodies most of the principles above but applies only to data collected by the U.S. government
Other federal privacy laws:
HIPAA (healthcare data)
GLBA (financial data)
COPPA (children’s web access)
FERPA (student records)
State privacy law varies widely
Non-U.S. Privacy Principles
European Privacy Directive (1995)
Applies the Ware Committee’s principles to governments and businesses
Also provides for extra protection for sensitive data, strong limits on data transfer, and independent oversight to ensure compliance
General Data Protection Regulation (GDPR)
Europeans will be able to tell companies to stop profiling them, they’ll have much greater control over what happens to their data, and they’ll find it easier to launch complaints about the misuse of their information. What’s more, the companies on the receiving end of those complaints face serious fines if they don’t toe the line.
A list of other nations’ privacy laws can be found at
http://www.informationshield.com/intprivacylaws.html
Privacy-Preserving Data Mining
Removing identifying information from data doesn’t work
Even if the overtly identifying information can be removed, identification from remaining data is often possible
Data perturbation (probability or value distribution)
As discussed in Chapter 7, data perturbation can limit the privacy risks associated with the data without impacting analysis results
Data mining often focuses on correlation and aggregation, both of which can generally be reliably accomplished with perturbed data
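As an added example (not from the textbook slides), the script below shows one probabilistic perturbation technique, randomized response: each record's sensitive yes/no answer is replaced with the truth only half the time and with a coin flip otherwise, so no individual record can be trusted, yet the population proportion is recovered by inverting the known noise. The population, rates and seed are constructed for the demonstration.

```python
import random
from typing import Dict, List


def randomized_response(true_values: List[bool], rng: random.Random, p_truth: float = 0.5) -> List[bool]:
    """Perturb each answer: with probability p_truth report the truth, otherwise a coin flip."""
    reported = []
    for value in true_values:
        if rng.random() < p_truth:
            reported.append(value)
        else:
            reported.append(rng.random() < 0.5)
    return reported


def estimate_true_proportion(reported: List[bool], p_truth: float = 0.5) -> float:
    """Invert the known noise: P(report yes) = p_truth * pi + (1 - p_truth) * 0.5, solve for pi."""
    observed = sum(reported) / len(reported)
    return (observed - (1 - p_truth) * 0.5) / p_truth


def run_demo(seed: int = 42, n: int = 20_000, true_rate: float = 0.30) -> Dict[str, float]:
    """Constructed population of n people, 30% of whom hold the sensitive attribute."""
    rng = random.Random(seed)
    truth = [rng.random() < true_rate for _ in range(n)]
    reported = randomized_response(truth, rng)
    disagree = sum(t != r for t, r in zip(truth, reported)) / n
    return {
        "true_proportion": sum(truth) / n,
        "estimate": estimate_true_proportion(reported),   # aggregate survives the noise
        "individual_disagreement": disagree,              # any single record is wrong ~25% of the time
    }


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value:.4f}")
```

The aggregate estimate lands within a percentage point or two of the true rate while roughly a quarter of the individual records are false, which is the property the slide relies on: correlation and aggregation still work, re-identification of any one person does not.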
Precautions for Web Surfing
Cookies (EU Cookie Law update 2017)
Cookies are a way for websites to store data locally on a user’s machine
They may contain sensitive personal information, such as credit card numbers
Third-party tracking cookies
Some companies specialize in tracking users by having numerous popular sites place their cookies in users’ browsers
This tracking information is used for online profiling, which is generally used for targeted advertising
Web bugs
A web bug is more active than a cookie and has the ability to immediately send information about user behavior to advertising services
Spyware
Spyware is code designed to spy on a user, collecting data
General spyware:
Advertising applications, identity theft
Hijackers:
Hijack existing programs and use them for different purposes, such as reconfiguring file sharing software to share sensitive information
Adware
Displays selected advertisements in pop-up windows or the main browser window
Often installed in a misleading way as part of other software packages
Where Does Email Go?
When Janet sends an email to Scott, the message is transferred via simple mail transfer protocol (SMTP)
The message is then transferred through multiple ISPs and servers before it arrives at Scott’s post office protocol (POP) server
Scott receives the email when his email client logs into the POP server on his behalf
Any of the servers in this chain of communication can see and keep Janet’s email
Demonstrate
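As an added example (not from the textbook slides), the script below parses the Received: headers of a constructed sample message to list every server that handled it, which is exactly the set of hosts that could have read or kept Janet's mail. The host names, addresses and message ids are invented for the demonstration.

```python
import email
import re
from typing import List, Tuple

# Constructed sample message (hosts, addresses and ids are invented): each server
# that relayed the mail prepended its own Received: line, so the newest is on top.
SAMPLE_MESSAGE = """\
Received: from relay.transit.example (relay.transit.example [198.51.100.7])
\tby pop.example-scott.net with ESMTP id ghi789;
\tMon, 12 Sep 2022 10:02:58 -0500
Received: from smtp.janet-isp.example (smtp.janet-isp.example [203.0.113.20])
\tby relay.transit.example with ESMTP id def456;
\tMon, 12 Sep 2022 10:02:54 -0500
Received: from laptop.janet.example ([192.0.2.15])
\tby smtp.janet-isp.example with SMTP id abc123;
\tMon, 12 Sep 2022 10:02:50 -0500
From: janet@janet.example
To: scott@example-scott.net
Subject: hello

Hi Scott, just testing.
"""

# "from <sender> ... by <receiver>" is the part of each Received: clause we need.
HOP_RE = re.compile(r"\bfrom\s+(\S+).*?\bby\s+(\S+)", re.IGNORECASE)


def mail_path(raw_message: str) -> List[Tuple[str, str]]:
    """Return (sending host, receiving host) pairs in the order the mail travelled."""
    msg = email.message_from_string(raw_message)
    hops = []
    for value in msg.get_all("Received", []):
        flat = " ".join(value.split())  # unfold continuation lines
        match = HOP_RE.search(flat)
        if match:
            hops.append((match.group(1), match.group(2)))
    return list(reversed(hops))  # the bottom header is the oldest hop


def servers_that_saw_message(raw_message: str) -> List[str]:
    """Every host that handled the message, first to last, without repeats."""
    seen: List[str] = []
    for sender, receiver in mail_path(raw_message):
        for host in (sender, receiver):
            if host not in seen:
                seen.append(host)
    return seen


if __name__ == "__main__":
    for hop_from, hop_by in mail_path(SAMPLE_MESSAGE):
        print(f"{hop_from} -> {hop_by}")
    print("Hosts that could have kept a copy:", servers_that_saw_message(SAMPLE_MESSAGE))
```

Received: headers are written by the servers themselves, so a hostile relay can forge or omit them; the list is a lower bound on who saw the message, not a guarantee.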
Anonymous or Disappearing Email
Disposable email addresses from sites like mailinator.com
Remailers are trusted third parties that replace real addresses with pseudonymous ones to protect identities in correspondence
Multiple remailers can be used in a TOR-like configuration to gain stronger anonymity
Disappearing email
Because email travels through so many servers, it cannot be made to truly disappear
Messaging services like Snapchat, which claims to make messages disappear, cannot guarantee that recipients will not be able to save those messages
The TOR-like configuration: The sender selects three remailers; he encrypts the message with each of their public keys in succession; he then sends the message through them in the reverse of that order, with each one’s public key being able to open only one layer of message.
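The layering described in the note, as an added example that is not part of the textbook: the sender wraps the message for the last remailer first and the first remailer last, and each remailer peels exactly one layer, learning only where the message came from and where it goes next. Real remailers use public-key encryption; this toy stands in a keyed SHA-256 XOR stream with constructed shared secrets purely to make the nesting concrete, and it is not a secure cipher.

```python
import hashlib
from typing import Dict, List, Tuple

# Toy stand-in for each remailer's key (constructed values). In a real system the
# remailer publishes a public key and keeps the private half; here a shared secret
# plays both roles so the layering can be shown without a crypto library.
REMAILER_KEYS: Dict[str, bytes] = {"R1": b"toy-key-R1", "R2": b"toy-key-R2", "R3": b"toy-key-R3"}


def keystream(key: bytes, length: int) -> bytes:
    """SHA-256 in counter mode; demonstration only, not a real cipher."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def toy_encrypt(key: bytes, data: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, keystream(key, len(data))))


toy_decrypt = toy_encrypt  # XOR with the same keystream undoes it


def build_onion(message: bytes, route: List[str], recipient: str) -> Tuple[str, bytes]:
    """Wrap innermost-first: the last remailer's layer goes on first, the first remailer's last.

    Each layer is "<next hop>|<inner layer>" encrypted for one remailer, so a
    remailer can read only the next hop, never the message or the final recipient.
    """
    layer = message
    next_hop = recipient
    for hop in reversed(route):           # R3, then R2, then R1
        layer = toy_encrypt(REMAILER_KEYS[hop], next_hop.encode() + b"|" + layer)
        next_hop = hop
    return next_hop, layer                # (first remailer to contact, the onion)


def remailer_process(name: str, onion: bytes) -> Tuple[str, bytes]:
    """What one remailer does: peel its own layer and read where to forward the rest."""
    plain = toy_decrypt(REMAILER_KEYS[name], onion)
    next_hop, payload = plain.split(b"|", 1)
    return next_hop.decode(), payload


def deliver(first_hop: str, onion: bytes) -> Tuple[str, bytes, List[Tuple[str, str]]]:
    """Simulate the chain; return (final recipient, message, what each hop saw)."""
    trace = []
    hop, payload = first_hop, onion
    while hop in REMAILER_KEYS:
        next_hop, payload = remailer_process(hop, payload)
        trace.append((hop, next_hop))     # each remailer sees one predecessor, one successor
        hop = next_hop
    return hop, payload, trace


def route_demo() -> Tuple[str, str, bytes, List[Tuple[str, str]]]:
    first_hop, onion = build_onion(b"meet at noon", ["R1", "R2", "R3"], "scott")
    recipient, message, trace = deliver(first_hop, onion)
    return first_hop, recipient, message, trace


if __name__ == "__main__":
    print(route_demo())
```

The trace shows why a single compromised remailer gains little: R2 sees only that R1 handed it something destined for R3, and only R3 ever sees the final recipient, never the message's origin.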
Radio Frequency Identification (RFID)
RFID tags are small, low-power wireless radio transmitters
When a tag receives a signal on the correct frequency, it responds with its unique ID number
Privacy concerns:
As RFID tags become cheaper and more ubiquitous, and RFID readers are installed in more places, it may become possible to track individuals wherever they go
As RFID tags are put on more items, it will become increasingly possible to discern personal information by reading those tags
Other Emerging Technologies
Electronic voting
Among other issues, research into electronic voting includes privacy concerns, such as maintaining privacy of who has voted and who each person voted for
Voice over IP (VoIP)
While VoIP adds the possibility of encryption to voice calls, it also allows a new set of service providers to track sources and destinations of those calls
Cloud computing
Physical location of information in the cloud may have significant effects on privacy and confidentiality protections
Cloud data may have more than one legal location at a time
Laws could oblige cloud providers to examine user data for evidence of criminal activity
Legal uncertainties make it difficult to assess the status of cloud data
Summary
What data is considered private is subjective
Privacy laws vary widely by jurisdiction
Cookies and web bugs track user behavior across websites
Spyware can be used to track behavior for targeted advertising or for much more nefarious purposes
Email has little privacy protection by default
Emerging technologies are fraught with privacy uncertainties, including both technological and legal issues
Security in Computing,
Fifth Edition
Chapter 10: Management and Incidents
Chapter 10 Objectives
Study the contents of a good security plan
Learn to plan for business continuity and responding to incidents
Outline the steps and best practices of risk analysis
Learn to prepare for natural and human-caused disasters
Contents of a Security Plan
A security plan identifies and organizes the security activities for a computing system.
The plan is both a description of the current situation and a map for improvement.
The plan is both an official record of current security practices and a blueprint for orderly change to improve those practices.
Contents of a Security Plan
Policy, indicating the goals of a computer security effort and the willingness of the people involved to work to achieve those goals
Current state, describing the status of security at the time of the plan
Requirements, recommending ways to meet the security goals
Recommended controls, mapping controls to the vulnerabilities identified in the policy and requirements
Accountability, documenting who is responsible for each security activity
Timetable, identifying when different security functions are to be done
Maintenance, specifying a structure for periodically updating the security plan
Security Policy
A high-level statement of purpose and intent
Answers three essential questions:
Who should be allowed access?
To what system and organizational resources should access be allowed?
What types of access should each user be allowed for each resource?
Should specify
The organization’s security goals (e.g., define whether reliable service is a higher priority than preventing infiltration)
Where the responsibility for security lies (e.g., the security group or the user)
The organization’s commitment to security (e.g., defines where the security group fits in the corporate structure)
Security Policy
Security policies and plans can and often should exist at the level of systems or groups of systems.
An organization-wide security policy can address users and systems only in the context of fairly general roles, which, for many purposes, is not specific enough.
Whereas the organization as a whole may be primarily focused on maintaining confidentiality of data, certain systems in that organization may rightfully focus on maintaining availability as a top priority.
Assessment of Current Security Status
A risk analysis—a systemic investigation of the system, its environment, and what might go wrong—forms the basis for describing the current security state
Defines the limits of responsibility for security
Which assets are to be protected
Who is responsible for protecting them
Who is excluded from responsibility
Boundaries of responsibility
We look at risk analysis in more detail later in this chapter.
Security Requirements
Security requirements are functional or performance demands placed on a system to ensure a desired level of security
Usually derived from organizational business needs, sometimes including compliance with mandates imposed from outside, such as government standards
Characteristics of good security requirements:
Correctness
Consistency
Completeness
Realism
Need
Verifiability
Traceability
Security Requirements
Correctness: Are the requirements understandable? Are they stated without error?
Consistency: Are there any conflicting or ambiguous requirements?
Completeness: Are all possible situations addressed by the requirements?
Realism: Is it possible to implement what the requirements mandate?
Need: Are the requirements unnecessarily restrictive?
Verifiability: Can tests be written to demonstrate conclusively and objectively that the requirements have been met? Can the system or its functionality be measured in some way that will assess the degree to which the requirements are met?
Traceability: Can each requirement be traced to the functions and data related to it so that changes in a requirement can lead to easy reevaluation?
Responsibility for Implementation
A section of the security plan will identify which people (roles) are responsible for implementing security requirements
Common roles:
Users of personal computers or other devices may be responsible for the security of their own machines. Alternatively, the security plan may designate one person or group to be coordinator of personal computer security.
Project leaders may be responsible for the security of data and computations.
Managers may be responsible for seeing that the people they supervise implement security measures.
Database administrators may be responsible for the access to and integrity of data in their databases.
Information officers may be responsible for overseeing the creation and use of data; these officers may also be responsible for retention and proper disposal of data.
Personnel staff members may be responsible for security involving employees, for example, screening potential employees for trustworthiness and arranging security training programs.
Timetable and Plan Maintenance
As a security plan cannot be implemented instantly, the plan should include a timetable of how and when the elements in it will be performed
The plan should specify the order in which controls are to be implemented so that the most serious exposures are covered as soon as possible
The plan must be extensible, as new equipment will be acquired, new connectivity requested, and new threats identified
The plan must include procedures for change and growth
The plan must include a schedule for periodic review
Inputs to the Security Plan
This is a conceptual model of how the previous slides fit together.
Security Planning Team Members
Security planning touches every aspect of an organization and therefore requires participation well beyond the security group
Common security planning representation:
Computer hardware group
System administrators
Systems programmers
Applications programmers
Data entry personnel
Physical security personnel
Representative users
Assuring Commitment to a Security Plan
A plan that has no organizational* commitment collects dust on a shelf
Three groups of people must contribute to making the plan a success:
The planning team must be sensitive to the needs of each group affected by the plan.
Those affected by the security recommendations must understand what the plan means for the way they will use the system and perform their business activities. In particular, they must see how what they do can affect other users and other systems.
Management must be committed to using and enforcing the security aspects of the system.
Business Continuity Planning
A business continuity plan documents how a business will continue to function during or after a computer security incident
Addresses situations having two characteristics:
Catastrophic situations, in which all or a major part of a computing capability is suddenly unavailable
Long duration, in which the outage is expected to last for so long that business will suffer
The next slide addresses the specific tasks involved in business continuity planning.
Continuity Planning Activities
Assess the business impact of a crisis
What are the essential assets?
What could disrupt use of these assets?
Develop a strategy to control impact
Investigate how the key assets can be safeguarded
Develop and implement a plan for the strategy
Define:
Who is in charge when an incident occurs
What to do when an incident occurs
Who does what tasks when an incident occurs
Incident Response Plans
A security incident response plan tells the staff how to deal with a security incident
In contrast to a business continuity plan, the goal of incident response is handling the current security incident without direct regard for the business issues
An incident response plan should
Define what constitutes an incident
Identify who is responsible for taking charge of the situation
Describe the plan of action
Incident Response Teams
The response team is charged with responding to the incident. It may include
Director: The person in charge of the incident, who decides what actions to take
Technicians: People who perform the technical part of the response
Advisors: Legal, human resources, or public relations staff members as appropriate
Matters to consider when identifying a response team:
Legal issues
Preserving evidence
Records
Public relations
CSIRTs
Computer Security Incident Response Teams (CSIRT) are teams trained and authorized to handle security incidents
CSIRTs are closely related to Security Operations Centers (SOC), which perform day-to-day monitoring of a network and may be the first to detect an incident.
Responsibilities of a CSIRT include
Reporting: Receiving reports of suspected incidents and reporting as appropriate to senior management
Detection: Investigation to determine if an incident occurred
Triage: Immediate action to address urgent needs
Response: Coordination of effort to address all aspects in a manner appropriate to severity and time demands
Postmortem: Declaring the incident over and arranging to review the case to improve future response
Education: Preventing harm by advising on good security practices and disseminating lessons learned from past incidents
CSIRT Skills
Collect, analyze, and preserve digital forensic evidence
Analyze data to infer trends
Analyze the source, impact, and structure of malicious code
Help manage installations and networks by developing defenses such as signatures
Perform penetration testing and vulnerability analysis
Understand current technologies used in attacks
Risk Analysis
Risk analysis is an organized process for identifying the most significant risks in a computing environment, determining the impact of those risks, and weighing the desirability of applying various controls against those risks
A risk is a potential problem that the system or its users may experience – like the cost of a data breach*
Characteristics of a risk:
Associated loss (also known as a risk impact)
Likelihood of occurring
Degree to which we can change the outcome (risk control)
We can theoretically quantify the effects of a risk, or risk exposure, by multiplying likelihood by risk impact
Note that even though risks have likelihoods associated with them, those likelihoods, in the context of cybersecurity, are generally impossible to measure.
Strategies for Dealing with Risk
Avoid the risk by changing requirements for security or other system characteristics
Transfer the risk by allocating the risk to other systems, people, organizations, or assets or by buying insurance to cover any financial loss should the risk become a reality
Assume the risk by accepting it, controlling it with available resources, and preparing to deal with the loss if it occurs
Steps of a Risk Analysis
Identify assets.
Determine vulnerabilities.
Estimate likelihood of exploitation.
Compute expected annual loss.
Survey applicable controls and their costs.
Project annual savings of control.
These steps are discussed in more detail in the next slides.
Step 1: Identify Assets
Hardware: Processors, boards, keyboards, monitors, terminals, microcomputers, workstations, tape drives, printers, disks, disk drives, cables, connections, communications controllers, and communications media
Software: Source programs, object programs, purchased programs, in-house programs, utility programs, operating systems, systems programs (such as compilers), and maintenance diagnostic programs
Data: Data used during execution, stored data on various media, printed data, archival data, update logs, and audit records
People: Skilled staff needed to run the computing system or specific programs, as well as support personnel such as guards
Documentation: On programs, hardware, systems, administrative procedures, and the entire system
Supplies: Paper, forms, laser cartridges, recordable media, and printer ink, as well as power, heating and cooling, and necessary buildings or shelter
Reputation: Company image
Availability: Ability to do business, ability to resume business rapidly and efficiently after an incident
Step 2: Determine Vulnerabilities
This is an example of a matrix mapping vulnerabilities to assets. In real life, the matrix would be much longer and include much more specific assets. Numerous vulnerability types can apply broadly to a class of assets, however, so broad categories are useful and help identify organization-wide concerns.
In considering the contents of each matrix entry, we can ask some helpful questions:
What are the effects of unintentional errors? Consider typing the wrong command, entering the wrong data, using the wrong data item, discarding the wrong listing, and disposing of output insecurely.
What are the effects of willfully malicious insiders? Consider disgruntled employees, bribery, and curious browsers.
What are the effects of outsiders? Consider network access, remote access, hackers, people walking through the building, people snooping at coffee shops, and people sifting through the trash.
What are the effects of natural and physical disasters? Consider fires, storms, floods, power outages, and component failures.
Step 3: Estimate Likelihood of Exploitation
Because it is impossible to know all of a system’s vulnerabilities or all the ways those vulnerabilities can be exploited, it is also impossible to accurately assess the likelihood of exploitation
Possible approaches to estimation:
Apply frequency probability using observed data for a similar system
Use an analyst familiar with such systems to estimate number of occurrences in a given time period
Use descriptive adjectives or a simple rating system
The Delphi approach
The Delphi approach:
Provide each of several experts with information describing the situation surrounding the event under consideration. For example, the experts may be told about the software and hardware architecture, conditions of use, and expertise of users.
Each expert individually estimates the likelihood of the event. The estimates are collected, reproduced, and distributed to all experts.
The individual estimates are listed anonymously, and the experts are usually given some statistical information, such as mean or median.
The experts are then asked whether they wish to modify their individual estimates in light of values their colleagues have supplied.
If the revised values are reasonably consistent, the process ends with the group’s reaching consensus.
If the values are inconsistent, additional rounds of revision may occur until consensus is reached.
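The Delphi rounds above as an added, runnable simulation that is not part of the textbook: the experts' initial figures, the rule that each expert moves half way toward the anonymous median after seeing the group's values, and the consistency threshold are all constructed assumptions chosen so the convergence can be traced by hand.

```python
import statistics
from typing import List, Optional, Tuple


def delphi_round(estimates: List[float], weight: float = 0.5) -> List[float]:
    """One revision round: each expert sees the anonymous median and moves part way toward it."""
    median = statistics.median(estimates)
    return [e + weight * (median - e) for e in estimates]


def is_consistent(estimates: List[float], tolerance: float) -> bool:
    """Consensus test: the spread between the highest and lowest estimate is within tolerance."""
    return max(estimates) - min(estimates) <= tolerance


def delphi(initial: List[float], tolerance: float, max_rounds: int = 10, weight: float = 0.5
           ) -> Tuple[Optional[float], int, List[List[float]]]:
    """Return (consensus estimate or None if no consensus, rounds used, every round's values)."""
    current = list(initial)
    history = [current]
    rounds = 0
    while not is_consistent(current, tolerance) and rounds < max_rounds:
        current = delphi_round(current, weight)
        history.append(current)
        rounds += 1
    consensus = statistics.median(current) if is_consistent(current, tolerance) else None
    return consensus, rounds, history


if __name__ == "__main__":
    # Constructed scenario: four experts asked how many successful phishing
    # compromises per year to expect for a given system.
    consensus, rounds, history = delphi([2, 5, 8, 20], tolerance=1.5)
    for i, values in enumerate(history):
        print(f"round {i}: {values}")
    print("consensus:", consensus, "after", rounds, "rounds")
```

With the constructed inputs the spread halves each round (18, 9, 4.5, 2.25, 1.125), so consensus at 6.5 per year is reached after four rounds; capping the rounds at two returns no consensus, which is the outcome a real analysis must be prepared to record rather than force.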
Quantitative vs. Qualitative Estimation
Step 4: Compute Expected Loss
In addition to the obvious costs, such as the cost to replace a hardware asset, there are hidden costs:
Cost of restoring the system to a previous state
Cost of downtime
Legal fees
Loss of reputation and confidence
Loss of confidentiality
Some hidden costs may be impossible to accurately evaluate, but considering them will nonetheless aid in risk management
Step 5: Survey and Select New Controls
Once you understand your assets, vulnerabilities, estimated likelihood of exploitation, and cost of exploitation, you have enough information to select controls
Each vulnerability may have one or more controls associated with it, and each control may work for many assets and multiple vulnerabilities
One approach is to use graph theory to select a minimal set of controls to address all vulnerabilities
Step 6: Project Costs and Savings
This step is meant to determine whether the costs of implementing controls outweigh the expected benefits
The effective cost of a given control is the actual cost of the control (including purchase price, installation and deployment costs, and training costs) minus the expected loss the control is expected to prevent
The cost may be positive if the product is very expensive or introduces new risks to the system, or it may be negative if the expected reduction in risk is greater than the cost of the control
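Steps 4 through 6 carried through on constructed figures, as an added example that is not the textbook's own worked case: expected annual loss is likelihood times impact per asset and vulnerability, the set-cover selection of step 5 is done by brute force over the control combinations (both the fewest controls and the cheapest cover are reported, since they differ here), and the effective cost of each control is its cost minus the loss it prevents. All assets, likelihoods, control costs and coverages are invented for the demonstration.

```python
from itertools import combinations
from typing import Dict, List, Set, Tuple

# Constructed figures (not the textbook's); dollars per year.
ASSETS: Dict[str, float] = {"customer-db": 500_000, "web-server": 80_000}  # value at full loss

# (asset, vulnerability) -> (annual likelihood of exploitation, fraction of asset value lost)
RISKS: Dict[Tuple[str, str], Tuple[float, float]] = {
    ("customer-db", "sql-injection"): (0.30, 0.80),
    ("customer-db", "stolen-backup-tape"): (0.05, 1.00),
    ("web-server", "unpatched-service"): (0.50, 0.50),
    ("web-server", "sql-injection"): (0.30, 0.20),
}

# control -> (annual cost incl. purchase, deployment and training; vulnerabilities it addresses)
CONTROLS: Dict[str, Tuple[float, Set[str]]] = {
    "waf": (20_000, {"sql-injection"}),
    "patch-mgmt": (15_000, {"unpatched-service"}),
    "backup-encryption": (8_000, {"stolen-backup-tape"}),
    "managed-hosting": (45_000, {"sql-injection", "unpatched-service", "stolen-backup-tape"}),
}


def risk_exposure(asset: str, vuln: str) -> float:
    """Step 4: expected annual loss for one asset/vulnerability pair = likelihood x impact."""
    likelihood, fraction = RISKS[(asset, vuln)]
    return likelihood * ASSETS[asset] * fraction


def annual_loss_by_vulnerability() -> Dict[str, float]:
    """Aggregate exposure per vulnerability, since one control usually addresses one vulnerability."""
    totals: Dict[str, float] = {}
    for asset, vuln in RISKS:
        totals[vuln] = totals.get(vuln, 0.0) + risk_exposure(asset, vuln)
    return totals


def covering_sets() -> List[Tuple[frozenset, float]]:
    """Step 5: every combination of controls that addresses all vulnerabilities, with its cost."""
    all_vulns = {vuln for _, vuln in RISKS}
    found = []
    for k in range(1, len(CONTROLS) + 1):
        for combo in combinations(sorted(CONTROLS), k):
            covered = set().union(*(CONTROLS[c][1] for c in combo))
            if covered >= all_vulns:
                found.append((frozenset(combo), sum(CONTROLS[c][0] for c in combo)))
    return found


def fewest_controls() -> Tuple[frozenset, float]:
    """The minimal set in the set-cover sense: fewest controls, cheapest among ties."""
    return min(covering_sets(), key=lambda item: (len(item[0]), item[1]))


def cheapest_cover() -> Tuple[frozenset, float]:
    """The cover with the lowest total cost, whatever its size."""
    return min(covering_sets(), key=lambda item: item[1])


def effective_cost(control: str) -> float:
    """Step 6: control cost minus the loss it is expected to prevent (negative = net saving)."""
    cost, vulns = CONTROLS[control]
    prevented = sum(loss for vuln, loss in annual_loss_by_vulnerability().items() if vuln in vulns)
    return cost - prevented


if __name__ == "__main__":
    for vuln, loss in annual_loss_by_vulnerability().items():
        print(f"{vuln:20s} expected annual loss ${loss:,.0f}")
    print("fewest controls:", fewest_controls())
    print("cheapest cover:", cheapest_cover())
    for control in CONTROLS:
        print(f"{control:20s} effective cost ${effective_cost(control):,.0f}")
```

On these figures the single managed-hosting control is the minimal set but the three separate controls are cheaper, and every control has a negative effective cost, which is the situation the slide describes as the expected reduction in risk exceeding the cost of the control. As the textbook warns, the likelihoods are the weakest inputs, so the relative sizes of the results matter more than the dollar values themselves.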
Access Control Software Cost Example
Arguments for Risk Analysis
Improve awareness*
Relate security mission to management objectives
Identify assets, vulnerabilities, and controls
Improve basis for decisions
Justify expenditures for security
Improve awareness: Discussing issues of security can raise the general level of interest and concern among developers and users. Especially when the user population has little expertise in computing, the risk analysis can educate users about the role security plays in protecting functions and data that are essential to user operations and products.
Relate security mission to management objectives: Security is often perceived as a financial drain for no gain. Management does not always see that security helps balance harm and control costs.
Identify assets, vulnerabilities, and controls: Some organizations are unaware of their computing assets, their value to the organization, and the vulnerabilities associated with those assets. A systematic analysis produces a comprehensive list of assets, valuations, and risks.
Improve basis for decisions: A security manager can present an argument such as “I think we need a firewall here” or “I think we should use token-based authentication instead of passwords.” Risk analysis augments the manager’s judgment as a basis for the decision.
Justify expenditures for security: Some security mechanisms appear to be very expensive and without obvious benefit. A risk analysis can help identify instances where it is worth the expense to implement a major security mechanism. Managers can show the much larger risks of not spending for security.
Arguments Against Risk Analysis
False sense of precision and confidence
Hard to perform
Immutability
Lack of accuracy
False sense of precision and confidence: The heart of risk analysis is the use of empirical data to generate estimates of risk impact, risk probability, and risk exposure. The danger is that these numbers will give us a false sense of precision, thereby giving rise to an undeserved confidence in the numbers. However, in many cases the numbers themselves are much less important than their relative sizes. Whether an expected loss is $100,000 or $150,000 is relatively unimportant. It is much more significant that the expected loss is far above the $10,000 or $20,000 budget allocated for implementing a particular control. Moreover, anytime a risk analysis generates a large potential loss, the system deserves further scrutiny to see if the root cause of the risk can be addressed.
Hard to perform: Enumerating assets, vulnerabilities, and controls requires creative thinking. Assessing loss frequencies and impact can be difficult and subjective. A large risk analysis must consider many factors. Risk analysis can be restricted to certain assets or vulnerabilities, however.
Immutability: Many software project leaders view processes such as risk analysis as an irritating fact of life—a step to be taken in a hurry so that the developers can get on with the more interesting jobs related to designing, building, and testing the system. For this reason, risk analyses, like contingency plans and five-year plans, have a tendency to be filed and promptly forgotten. But if an organization takes security seriously, it will view the risk analysis as a living document, updating it at least annually or in conjunction with major system upgrades.
Lack of accuracy: Risk analysis is not always accurate, for many reasons. First, we may not be able to calculate the risk probability with any accuracy, especially when we have no past history of similar situations. Second, even if we know the likelihood, we cannot always estimate the risk impact very well. The risk management literature is replete with papers about describing the scenario, showing that presenting the same situation in two different ways to two equivalent groups of people can yield two radically different estimates of impact. And third, we may not be able to anticipate all the possible risks. For example, bridge builders did not know about the risks introduced by torque from high winds until the Tacoma Narrows Bridge twisted in the wind and collapsed. After studying the colossal failure of this bridge and discovering the cause, engineers made mandatory the inclusion of torque in their simulation parameters. Similarly, we may not know enough about software, security, or the context in which the system is to be used, so there may be gaps in our risk analysis that cause it to be inaccurate.
Natural Disasters
Examples:
Flood
Fire
Earthquake
Mitigations:
Develop contingency plans so that people know how to react in emergencies and business can continue
Insure physical assets—computers, buildings, devices, supplies—against harm
Preserve sensitive data by maintaining copies in physically separated locations
Prevent power loss using uninterruptible power supplies and surge suppressors
Interception of Sensitive Information
Mitigations:
Shred paper copies of sensitive information
Overwrite magnetic data several times using software designed for that purpose
Degauss magnetic media
Protect against RF emanation by trapping signals or adding spurious ones
Contingency Planning
Backups
Offsite backup
Cloud backup
Failover
Cold site
Hot site
Summary
A security plan is both an official record of current security practices and a blueprint for orderly change to improve those practices
Business contingency and incident response planning help establish an orderly, carefully considered response to emergencies and other security incidents
Risk analysis is a complex and imperfect process but forces an organization to carefully consider important assets, vulnerabilities, risks, and control options
Prepare for disasters by contingency planning, insuring assets, backing up data, and deploying failover sites
Pros and Cons of Quantitative and Qualitative Risk Analysis
Quantitative
Pros:
Assessment and results based on independently objective processes and metrics. Meaningful statistical analysis is supported
Value of information assets and expected loss expressed in monetary terms. Supporting rationale easily understood
Provides credible basis for cost/benefit assessment of risk mitigation. Supports information security budget decision-making
Cons:
Calculations are complex. Management may mistrust the results of calculations and hence the analysis
Must gather substantial information about the target IT environment
No standard, independently developed and maintained threat population and frequency knowledge base. Users must rely on the credibility of the in-house or external threat likelihood assessment
Qualitative
Pros:
Simple calculations, readily understood and executed
Not necessary to quantify threat frequency and impact data
Not necessary to estimate cost of recommended risk mitigation measures and calculate cost/benefit
A general indication of significant areas of risk that should be addressed is provided
Cons:
Results are subjective. Use of independently objective metrics is eschewed
No effort to develop an objective monetary basis for the value of targeted information assets
Provides no measurable basis for cost/benefit analysis of risk mitigation. Difficult to compare risk to control cost
Not possible to track risk management performance objectively when all measures are subjective