W4 Tut for L3 Managing Security PDF


SCIENCE AND ENGINEERING FACULTY

CAB240 Information Security Semester 2 2020

Week 4 tutorial questions for Lecture 3: Managing Security

Essential definitions: Review the definitions given in the lecture slides for the following terms:
a) Risk
b) Consequence
c) Likelihood
d) Stakeholder
e) Risk Assessment
f) Risk Identification
g) Risk Analysis: also the more specific terms Quantitative analysis and Qualitative analysis.
h) Risk Evaluation
i) Risk Treatment

Important note on the Australian Standards documents: Some of this tutorial refers to Australian Standards: AS/NZS 27001:2015 (ISO/IEC 27001:2013), AS/NZS 27002:2015 (ISO/IEC 27002:2013) and AS27005:2012 (ISO/IEC 27005:2011). These are expensive to buy, but available FREE to QUT students online via the Library. Take advantage of your student status to access and explore this useful resource.

How to Access the Standards:
1. Go to the QUT library homepage, and type Australian Standards in the Search box. (Alternatively, from Databases and specialized search tools, look under A, and scroll to find Australian Standards (via Techstreet Enterprise).)
2. Follow the instructions for first-time users (requires registration – use your QUT email in this process). Click the link.
3. Once you have access to Techstreet Enterprise, enter the Australian standard number (for example 27002) or the title in the Search box, and click Search.
4. Download the document, and then please take care to log out (click the logout link in the footer).
5. Browse your saved local version.

NOTE: QUT has a limited number of concurrent licenses (4). If all licenses are in use, the system will return an error message, and you will need to try again later. Be aware that CAB240 is a large class. Be courteous - download the documents and log out to provide others with an opportunity to access Standards documents also.

Week 4 tutorial questions for Lecture 3: Managing Security Attempt these questions before you attend the tutorial and have your prepared answers with you. Be prepared to discuss your answers and/or any problems you encountered in trying to answer these questions.

QUESTION 1 – Info Sec Risk Management Process

Use the Australian Standard AS27005:2012 Information Security Risk Management or the Lecture 3 Part A slides to answer the following questions:

a) Give a clear and concise explanation of the main elements of the information security risk management process shown in Figure 2 (on p8) of AS27005:2012 (also included as slide 14 in Lecture 3 Part A).
– First, context needs to be established (both internal and external); then risks must be identified, analysed and evaluated. From that, the risk must be treated (or accepted). Throughout the process the risk must be communicated and consulted on. Once a treatment has been determined, the risk must be monitored and reviewed consistently.

b) How is the term ‘risk’ defined in AS27005:2012 (See Lecture 3 Part A slide 7)?
– Risk is defined as the effect of uncertainty on objectives.

c) How are the terms ‘consequence’ and ‘likelihood’ defined in AS27005:2012?
– Consequence is defined as an outcome of an event affecting objectives. Likelihood is defined as the chance of something happening.

d) Clause 8 of AS27005:2012 deals with Information Security Risk Assessment (see Lecture 3 slides 16 to 24).
i. List the three steps that comprise risk assessment.
– Risk identification, risk analysis and risk evaluation.
ii. Give a brief description of each of the three steps, noting the required inputs, actions and outputs.
– In risk identification the aim is to determine what can happen, and when, where and why something could occur. A mix of systems analysis, judgement and checklists from standards documents is used to determine risks. In risk analysis the aim is to determine the magnitude of identified risks. This can be achieved via qualitative (use of descriptive scales), quantitative (use of numerical scales) or semi-quantitative (use of qualitative scales with numerical values assigned) analysis. In risk evaluation the aim is to compare the risks identified with the risk criteria and then determine the treatment required.

e) Clause 12 of AS27005:2012 deals with monitoring and review (see Lecture 3 Part A slide 31).
i. What should be monitored and reviewed?
– Any changes in the likelihood or consequences of risks, the effectiveness of treatment plans and strategies as well as the controls in place, and emerging risks such as new assets, modification of assets and entirely new threats.
ii. Why is monitoring and review necessary?
– Monitoring and review is necessary because new threats are constantly popping up, whether it's new technology or new environments. Also, the success of a risk treatment plan is determined by the people following the system. Without monitoring and review it is possible that it is not being followed correctly.

f) [OPTIONAL]: If you have access to AS27005:2012, look in Annex C at the examples of typical threats. Although this standard is intended for application by organisations, many of these threats are relevant for individual users. List threats that you, as an individual user of information assets, should consider in a risk assessment.

QUESTION 2 – Risk monitoring and review

An article by Gareth Corfield in The Register on 30 July 2020 reported that a device manufacturer, Netgear, had declared more than 40 of the home routers it produced “outside the security support period”. That is, Netgear will no longer release software updates for these products, even if vulnerabilities are revealed. Read the article, available online from: https://www.theregister.com/2020/07/30/netgear_abandons_45_routers_vuln_patching/

Consider the information in the article in the context of information security risk management, and answer the following questions:

a) What vulnerability in the routers was revealed by Trend Micro’s Zero Day Initiative in June 2020, and, if the vulnerability is exploited by a threat actor, what can occur?
– The vulnerability found in the routers was a stack buffer overflow which could allow an attacker to conduct unauthenticated remote code execution with root privileges.

b) How does the decision by Netgear to stop support for these products affect the risk for persons and organisations who are using the affected routers?
– With Netgear not releasing updates to fix vulnerabilities, owners of these routers are now vulnerable to attacks. To become secure again, the persons and organisations will need to purchase new routers that are covered under a security support period.

c) Explain how this information is relevant for risk monitoring and review. Consider whether other organizational changes, such as a need for staff to work from home rather than on company premises (due to COVID-19 or similar), may interact with this router vulnerability to create emerging risks.
– Risk monitoring and review relates to this article because Netgear has failed to act on additional vulnerabilities found. Additionally, people using this technology must be monitoring the security support provided by Netgear in order to stay protected. For people working from home this vulnerability could create even more risks, such as attackers being able to remotely access personal data from within their home and not just company data.

QUESTION 3 – Risk analysis

An article in The Register on 11 April 2016 reported on the findings of an investigation into user behavior with respect to found USB devices. Read the article, available online from: http://www.theregister.co.uk/2016/04/11/half_plug_in_found_drives/. Use this information to answer the following questions:

d) What did the researchers do with the USBs?
– Uploaded HTML files masked as .img files to USBs and dropped them in public places. The files then allowed the researchers to see whether the USBs had been plugged into PCs.

e) What did the users do with the USBs?
– The users picked up the USBs and downloaded the files to their computers.

f) What percentage of the USBs were subsequently plugged in?
– 48% of the USBs were plugged in.

g) Find out about the distribution of malware infected USBs to IBM customers in May 2017. Do you think this delivery method would have a higher or lower success rate than the ‘left behind’ USBs? Justify your answer.
– I believe this delivery method would have a higher success rate than the dropped USB method because customers are more likely to trust a reputable company than a random USB on the street.

h) When performing risk analysis, both likelihood and consequence may be determined quantitatively or qualitatively.
i. Explain the difference between quantitative and qualitative expressions.
– Quantitative analysis uses numerical values to assess the likelihood and/or consequence of risks (such as money lost, probability of a threat occurring, etc.). Qualitative analysis uses descriptive scales instead (such as minor, moderate, catastrophic, or certain, likely, unlikely).
ii. For both consequence and likelihood, give an example of
a. a quantitative scale
– Consequence: money lost from the threat occurring; likelihood: probability of the threat occurring.
b. a qualitative scale
– Likelihood: unlikely, possible, likely, certain; consequence: insignificant, minor, moderate, major.
iii. How could the information in the article investigating user behaviour with regard to found USBs be used to inform risk analysis? What sort of analysis?
– The percentage of people who plugged in the USBs could be used as a quantitative risk analysis for likelihood.
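As an added example (not part of the tutorial sheet), the quantitative analysis of Question 3(h) and the ALE working of Question 4 below in Python: ALE = SLE * ARO per threat using the SLE and ARO values from the Question 4 table, their total as the ceiling on control spend, a cost-benefit check for a proposed control, and a semi-quantitative mapping onto the sheet's descriptive scales; the scale thresholds and the control figures are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Threat:
    name: str
    sle: float  # Single Loss Expectancy: cost per incident ($)
    aro: float  # Annualized Rate of Occurrence: incidents per year

    @property
    def ale(self) -> float:
        return self.sle * self.aro  # Annualized Loss Expectancy = SLE * ARO

# Threat register taken from the Question 4 table.
ABC_THREATS = [
    Threat("Theft of equipment", 50_000, 2),
    Threat("Software malfunction", 10_000, 0.10),
    Threat("Data corruption due to malicious code", 100_000, 0.25),
]

def total_ale(threats):
    """Sum of ALEs: ceiling on justifiable annual control spend (financial criteria)."""
    return sum(t.ale for t in threats)

def control_net_benefit(threat, annual_cost, aro_after):
    """ALE before minus ALE after minus the control's annual cost (positive = worth it)."""
    return threat.ale - threat.sle * aro_after - annual_cost

# Semi-quantitative mapping: the sheet's qualitative labels with constructed upper bounds.
LIKELIHOOD_SCALE = [(0.1, "unlikely"), (0.5, "possible"), (1.0, "likely")]
CONSEQUENCE_SCALE = [(1_000, "insignificant"), (10_000, "minor"), (100_000, "moderate")]

def rate(value, scale, top):
    """First label whose upper bound exceeds value; `top` if none does."""
    for bound, label in scale:
        if value < bound:
            return label
    return top

def qualitative(threat):
    """(likelihood label, consequence label) for a threat."""
    return (rate(threat.aro, LIKELIHOOD_SCALE, "certain"),
            rate(threat.sle, CONSEQUENCE_SCALE, "major"))

if __name__ == "__main__":
    for t in ABC_THREATS:
        print(f"{t.name}: ALE ${t.ale:,.0f}, rated {qualitative(t)}")
    print(f"Control budget ceiling: ${total_ale(ABC_THREATS):,.0f}")
    # Constructed control: locks and asset tracking halve theft ARO for $30,000/yr.
    print(control_net_benefit(ABC_THREATS[0], 30_000, aro_after=1))
```

Run stand-alone it prints each threat's ALE and rating, a $126,000 ceiling, and a $20,000 net benefit for the constructed control.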

QUESTION 4 – Risk analysis

Suppose the risk management process performed by company ABC produced the following information regarding threats associated with their internet connected information system:

Threat to asset                          Cost per incident ($)   Annualized Rate of Occurrence
Theft of equipment                       50,000                  2
Software malfunction                     10,000                  0.10
Data corruption due to malicious code    100,000                 0.25

a) Use the information about the threats recorded in the table above to determine the Annualized Loss Expectancy (ALE) associated with each threat event.
– ALE = SLE * ARO:
Theft of equipment: 50000 * 2 = $100,000
Software malfunction: 10000 * 0.10 = $1000
Data corruption due to malicious code: 100000 * 0.25 = $250,000

b) How much can justifiably be spent on controls to address this risk to the ABC company (if the risk criteria is financial)?
– $351,000

c) Which information security standard provides some guidance on the sort of controls the company could consider applying to treat the risks?
– AS/NZS 27002:2015

QUESTION 5 – Relationships between standards

For each of the standards documents AS27001:2015 and AS27002:2015, read the preface (on p ii of each document) and note the objective (or refer to Lecture 3 Part B, slides 8-16).

Use this information to answer the following questions:

a) How are the standards AS27001:2015 and AS27002:2015 related?
– 27001 details management requirements for creating, implementing, maintaining etc. an info sec management system. 27002 details the security goals and controls available to organisations.

b) Which one of these standards can be used for certification? Note that SAI-Global is the certification body in Australia. (http://www.sai-global.com/)
– Organisations can be certified against 27001.

c) If an organization is certified, or claims to conform to this Standard, what assurance does that give about the management of information security within the organization?
– Certified organisations can prove that they have all the requirements in place to adequately manage information security. This can give them an advantage over other uncertified companies for consumers who are sensitive to information security.

QUESTION 6 – AS27002

AS27002:2015 provides guidelines for effective information security management practices. Use Clause 5 Security policy in AS27002:2006 (or Lecture 3 slides 47 to 50) to answer the following questions:

a) Briefly explain the main objective of the information security policy.
– To set a clear policy direction in line with business objectives and show support for the maintenance of information security throughout the organisation.

b) Who should read it?
– All employees and relevant external parties.

c) Where should it originate?
– From approved management personnel.

d) What should happen to it after it is produced?
– Once produced, the policy should be approved, published, and reviewed at planned intervals and where applicable.

e) Now locate the Information Security Policy for QUT (in the MOPP, within Chapter F Information Management).
i. Is it consistent with these guidelines?
– Yes.
ii. Who does it apply to?
– This policy applies to all users of QUT's information assets.
iii. How is information classified? What are the two tiers in the QUT information security classification framework? (Look in the Information security classification sub-section for this information.)
– Confidentiality, integrity and availability.

iv. What are the consequences for security breaches? (Look in the Security breaches sub-section for this information.)
– Security breaches may result in disciplinary action or termination of access rights.

QUESTION 7 – AS27002

Read the story of the stolen law enforcement officer’s laptop at: https://nakedsecurity.sophos.com/2013/06/27/thieves-pounce-on-one-of-a-sheriffs-offices-last-unencrypted-laptops/. Based on the article, identify:

a) The information assets involved.
– Personal data of crime victims, suspects and police officers, i.e. SSNs, licence numbers etc.

b) Plausible threats to the sheriff’s office information assets.
– Threats include unauthorized people accessing confidential data.

c) Potential attacks.
– Attackers could use this data to pretend to be the people whose data was stolen: identity theft etc.

d) Possible consequences if the potential attack occurs.
– An attack could damage people financially or reputationally.

e) Could these consequences lead to subsequent events (chain of events)? Explain or give examples.
– Once the attack has occurred, police officers' and crime suspects' data could be accessed by vigilante-like people, and further attacks could be made with addresses and contact details exposed.

f) Now read through Clause 6 Organization of information security in AS27002:2015, particularly Clause 6.2.1 Mobile device policy. Use the list of things a mobile device policy should consider (on p 6 and 7 of AS27002:2015) to suggest policy items that, if implemented, may have prevented this incident, or at least minimized the damage (or make your own suggestions if you are unable to access the AS27002).
– Encryption on mobile devices; physical protection such as safes, locks etc.; policies and training in place to prevent human mistakes.

QUESTION 8 – AS27002

A major data breach occurred at credit monitoring firm Equifax in 2017.

a) Read the following news story concerning the data breach at: https://www.csoonline.com/article/3444488/equifax-data-breach-faq-what-happened-who-was-affected-what-was-the-impact.html. Use the information in the story to answer these questions:
i. What sort of data was compromised?
– Personal data including SSNs, addresses, names, numbers and credit card details.
ii. How many records are thought to be involved?
– Over $40mil Americans.
iii. How did the data breach occur?
– Failure to patch a vulnerability in a consumer complaint web portal. The hackers were then able to infiltrate further into Equifax and extract consumer data.
iv. When did the data breach occur?
– Started in March 2017, with the incident being picked up by Equifax in July and finally reported in September.
v. When did Equifax notify consumers about the incident?
– September, over a month after being identified.

b) As part of their response to the incident, Equifax set up a site to provide information on the breach and to enable consumers to determine whether they were affected by the breach. However, the following Naked Security article describes a few problems with this process: https://nakedsecurity.sophos.com/2017/09/22/equifax-has-been-sending-customers-to-a-fake-phishing-site-for-weeks/. Read the article and list the things that Equifax (or other organisations) could learn from this to improve this aspect of their incident response.
– Use domain names that are secure and match the original website; consult with IT and HR experts before sharing on social media.

c) In the standard AS27002:2015, Clause 16 deals with information security incident management (or see Lecture 3 Part B, slide 38). Which aspects of this clause are relevant to the Equifax case? Justify your answer.
– All of the clause can be related to the Equifax event. Specifically, learning from incidents, as Equifax has a lot to learn from the mistakes they made during the incident reporting process. It is also likely that Equifax either had a poor procedure in place for responding to security incidents, or management were not trained properly or aware of their responsibilities....

