
    MINOBRNAUKI OF RUSSIA

    Saint Petersburg State Electrotechnical University "LETI" named after V.I. Ulyanov (Lenin)

    Department of Information Security


    REPORT

    on Laboratory Work No. 7

    for the course "Fundamentals of Information Security"

    Topic: Risk Analysis Using RiskWatch v8.1 Software


    Student, group 6363: Phan T.H.H.

    Instructor: Vorobyev E. G.


    Saint Petersburg

    2019

    Objective.

    To construct stochastic estimates of the effectiveness of information protection systems and select the most effective set from a number of alternatives, to analyze threats on a reference risk model for personal data, and to evaluate the effectiveness of standard personal data protection measures on the reference risk model using the RiskWatch program.
    02/12/2019 12:32 AM

    FINAL REPORT
    Risk Analysis of RUNETSOFT


    Prepared by:
    [[[-----------------]]] [[[----------------]]] [[[------------------]]]

    NAME Phan Thi Hai Ha NAME NAME

    Project Manager Asst Project Manager Senior Security Analyst

    Risk Analysis Team Risk Analysis Team Risk Analysis Team

    TABLE OF CONTENTS

    I. Executive Summary

    II. Recommendations
    Chapter 1 - General Information


    1.1 Operational Environment and System Configuration

    1.1.1 The Risk Assessment Team

    1.1.2 Organizational Details of COMPANY IBS

    1.1.3 Physical Plant and Physical Security

    1.1.4 System Configuration

    1.2 Terms and Definitions

    1.3 Risk Analysis Methodology

    1.4 RiskWatch Parameters and Data Analysis

    Chapter 2 - Assets

    2.1 Summary of Asset Categories

    2.2 Assets Listed Within Category

    2.2.1 Assets Within Category 1

    ===

    2.2.N Assets Within Category N

    Chapter 3 - Threats
    3.1 Summary of Threats

    3.2 Incidents Involving Each Threat

    3.2.1 Incidents Involving Threat 1

    ===

    3.2.N Incidents Involving Threat N

    Chapter 4 - Areas of Vulnerability
    4.1 Summary of Vulnerabilities

    4.2 Question Report

    4.2.1 Question Report For Vulnerability Area 1

    ===

    4.2.N Question Report For Vulnerability Area N

    4.3 Incidents Linked to Each Vulnerability Area

    4.3.1 Incidents Linked To Vulnerability Area 1

    ===

    4.3.N Incidents Linked To Vulnerability Area N

    Chapter 5 - Safeguards
    5.1 Summary of Safeguards

    5.2 Cost-Benefit Analysis Report

    5.2.1 Cost-Benefit Analysis Report For Safeguard 1

    ===

    5.2.N Cost-Benefit Analysis Report For Safeguard N

    5.3 Incidents Affected by Each Safeguard

    5.3.1 Incidents Affected By Safeguard 1

    ===

    5.3.N Incidents Affected By Safeguard N
    Appendixes
    Appendix A - Assets

    Appendix B - Threats

    Appendix C - Vulnerability Areas

    Appendix D - Safeguards

    Chapter 1 - General Introduction
    The development of effective plans is a manager's most important responsibility, and the measurement of the compliance of an organization with these plans is essential. For Automated Information Systems (AIS) facilities, one of the most important categories of planning is security planning because of the catastrophic impact that a total shutdown of the AIS facility would have on the entire organization.
    A quantitative risk analysis is a tool for measuring the compliance of an organization with applicable security requirements and is a standardized methodology which can be used to analyze a system or organization to identify vulnerabilities that could result in losses. This standardized methodology is based on the interrelationships of four key factors:
    1. Asset
    Any useful or valuable resource;
    2. Vulnerability
    Weakness or susceptibility of an asset or a collection of assets to losses of various kinds;
    3. Threat
    An event, process, or act which, when realized, has an adverse effect on one or more assets; and
    4. Safeguard
    Countermeasure, control, or action taken to decrease the existing level of vulnerability of an asset to one or more threats.
    To facilitate the performance of the risk analysis, COMPANY IBS acquired a risk analysis system called RiskWatch II for Windows. This PC-based software package, which is available on GSA Schedule, was originally developed for the Department of the Navy; it has been redesigned and rewritten to make it a Windows application and it is currently being used by the Department of Defense, NASA, several State and local governments, and private industry.
    The scope of the risk analysis was limited to COMPANY IBS and threats arising from its environment including all telecommunications links to COMPANY IBS. The purpose of the risk analysis was to identify the vulnerability of the assets of COMPANY IBS to a variety of threats and to recommend safeguards which could reduce or eliminate the vulnerability of COMPANY IBS to these threats.
    In some instances, applicable safeguards were 100% implemented but were not being fully employed by the user community. As a general rule, when such noncompliance with policy occurs within the enterprise, it is frequently because of a lack of awareness of the security issues; this may result from inadequate security training and enforcement of security requirements.

    1.1 Operational Environment and System Configuration

    The four sections below, numbered 1.1.1 through 1.1.4, provide detailed information about:


    1. The team responsible for the management of risks within the enterprise;

    2. The organizational details of the enterprise;

    3. The physical plant and measures in place to ensure physical security;

    4. The configuration of systems that are deemed within the scope of this analysis;



    1.1.1 The Risk Assessment Team
    [[[

    The Risk Analysis Team for the analysis of COMPANY IBS consisted of NAME, Project Manager; NAME, Assistant Project Manager, and NAME, Senior Security Analyst.
    The following individuals provided considerable support to the project by providing advice on risk analysis and internal control review planning, meeting to discuss the progress of the risk analysis effort, and reviewing and commenting on risk analysis deliverables:
    1. NAME Office of Computer Operations

    2. NAME Office of Computer Operations

    3. NAME Office of Computer Operations

    4. NAME Office of Computer Operations

    5. NAME Office of Computer Operations

    6. NAME Office of Computer Operations

    7. NAME Office of Computer Operations

    8. NAME Office of Information Resources Management

    9. NAME Office of Information Resources Management

    10. NAME Office of Information Resources Management

    11. NAME Office of Budget and Administration

    12. NAME Office of Budget and Administration

    ]]]

    1.1.2 Organization Details of COMPANY IBS
    Organization and Staffing
    The Office of Computer Operations, which is headed by [[[NAME]]]. [[[NAME]]], directs the management, operation, and maintenance of all COMPANY IBS facilities and equipment (see organization chart immediately below). COMPANY IBS's staffing level is [[[xx]]].
    [[[

    [[[NAME]]] is the current contractor for the DATA CENTER. [[[NAME]]] is the project manager for the [[[NAME Contract]]] which is responsible for performing tasks assigned by COMPANY IBS for the operation and maintenance of COMPANY IBS facilities (see organization chart on page 9). COMPANY IBS and its subcontractor, [[[NAME]]], have [[[xx]]] staff assigned to this contract.

    ]]]
    [[[

    THE DATA CENTER provides data processing for COMPANY IBS application systems, program management systems, COMPANY IBS financial management and other administrative systems, and decision support systems supporting COMPANY IBS policy formulation. For the approximately 7,000 statewide users, the data center processes approximately 50,000 batch jobs and 26,000 individual sessions per month, along with about 150,000 tape mounts. In addition, the data center maintains near 100% availability of the system for its users.

    ]]]

    Figure 1 [[[ PLACE ORGANIZATION CHART HERE ]]]

    1.1.3 Physical Plant and Physical Security

    [[[

    Data Center Building
    The COMPANY IBS Data Center is a Government-owned, contractor-operated facility housed in the NAME building at ADDRESS. The 32,000+ square foot facility consists of the following: computer equipment area, office area, uninterruptible power system area, tape library area, and warehouse.
    Physical Security
    The NAME Building is a single level building of masonry construction with embedded windows around the perimeter. There are twelve (12) exterior doors leading into the facility. Two (2) doors are secured via a card key system, and six (10) are manually locked at all times. The facility is equipped with an intrusion detection alarm system that is monitored by the local security service.
    One of the two entrances controlled by the card system is located in the front of the building facing NAME Road. The other is the visitors' entrance located on the side of the building facing the parking lot. The visitors' entrance is monitored by a security guard twenty-four (24) hours a day, seven (7) days a week. The visitors' entrance card key system is in operation Monday through Friday from 6:00 P.M. to 6:00 A.M. and twenty-four (24) hours a day on weekends and holidays. Although the front door card key system is operational twenty-four (24) hours a day, seven (7) days a week, the exterior door is bolted and key locked from 6:00 P.M. to 6:00 A.M.
    The Computer room has four entrances. All four entrances are off a hallway that leads into a raised floor, recessed ceiling environment. Each door has a card key system with different access levels that is in operation twenty-four (24) hours a day, seven (7) days a week.
    Fire Detection and Suppression
    The fire detection system consists of heat detectors and ionization-type smoke detectors located above and below the suspended ceiling and under the raised floor. When an alarm sounds, a panel inside the computer room indicates which device detected the problem. The fire alarm system is also monitored by the local security service.
    The building contains an automatic fire suppression system consisting of a "total-flooding, wet-pipe system" with sprinkler heads above and below the suspended ceiling.
    Energy Management
    The data center is environmentally controlled by twelve 20-ton Liebert air conditioning units that compensate for the generated heat load, which varies across the seasons. Heat and air conditioning are provided to office space external to the data center by roof-mounted units and an oil-fired, hot water baseboard heat system. The warehouse area is environmentally controlled by an eight-ton, roof-mounted heat pump.
    Electrical power is provided by redundant feeds originating in separate commercial electric power substations. Critical electrical power is provided by two Emerson Electric automatic transfer switches and two Liebert Uninterruptible Power Systems (UPS), with 15-minute battery backup. One of the two 500 kVA UPS systems is modular in design, with a total capacity of 2,000 kVA.
    Off-Site Data Storage
    The data center backs up all data storage media on a daily basis. The data are then transported to the NAME off-site storage facility in ADDRESS. The NAME facility subcontract is managed by the NAME Contractor. NAME meets all Government requirements for an off-site storage facility.
    Hot-Site for Disaster Recovery
    COMPANY IBS has a contract with NAME of ADDRESS for hot-site support. If a total or partial disaster occurs at the COMPANY IBS data center and the decision is made to activate the hot site, a designated team will travel to the hot site to operate the facility in place of the COMPANY IBS data center.

    ]]]

    1.1.4 System Configuration

    The system consists of the following (see attached floor plan):

    Figure 2 [[[ Attach Floor Plan HERE ]]]
    [[[

    SYSTEM
    - Processors: IBM 3090-500E & 600S
    - Disk Storage: IBM/STK/AMDAHL
    - Library Storage Modules: (6) STK 4400
    - Cartridge Drives: (96) IBM/STK
    - Cartridges: (200,000) 3480's
    - Tape Reel Drives: (8) 6250 BPI
    - Tapes: 15,000 Round Media
    - Printers (Page): (1) Xerox 90 PPM
    - Printers (Line): (1) IBM 2,000 LPM; (1) STK 1,500 LPM

    Communications
    High speed link to COMPANY IBS, Department Information Management. Exchange System to Regional Offices, Value Added Networks to COMPANY IBS Sites, Intermediaries, and Contractors.
    - IBM Information Network
    - FTS 2000
    ]]]

    1.2 Terms and Definitions

    1.2.1 Annual Frequency Estimate (AFE):

    The Annual Frequency Estimate (AFE) is a factor based on historical data which indicates the approximate number of times a defined threat might occur in a specific environment, system, or location in a given year.

    1.2.2 Annual Loss Expectancy (ALE):

    The sum of the Individual Annual Loss Expectancies (IALE) for all assets, of a specific loss type, and attributed to a specific threat.
    1.2.3 Annual Loss Expectancy, Individual: Per Asset (IALE)

    The Individual Annual Loss Expectancy (IALE) represents the proportion of an individual asset that could be lost as the result of a single instance of a threat event, multiplied by the Annual Frequency Estimate (AFE) of the specific threat.

    1.2.4 Application Software:

    A program or set of programs designed for a specific function such as payroll, accounts payable, inventory control, property management, etc. Both source code and object code ought to be considered.

    1.2.5 Assets:

    Assets are defined as useful or valuable possessions of the enterprise. All assets, including data, residing in a computer system can be properly identified, quantified with respect to one or more evaluative perspectives (such as replacement cost), and classified into one or more of the following distinct categories:

    1.2.5a Critical Assets:
    Those assets which provide direct support to the organization's ability to sustain its mission. Assets or resources are considered critical if their absence or non-availability would significantly degrade the ability of the organization to carry out its mission, and when the time that the organization can function without the asset is substantially lower than the time needed to replace the asset. Critical assets can be backed up to reduce their potential impact.
    1.2.5b Financial, Controlled, Validated, Certified or Accountable Assets:
    Moveable property, cash, inventories, accounting or auditing systems, and automatic money-handling software are financial or accountable. These assets are susceptible to both internal and external fraud.

    This category also includes payroll, billings, supply inventories, accounts payable and receivable, other financial assets, small pilfer items, cash, consumables, negotiable instruments and services, as well as automated billing systems. (Special attention is required as a result of the report by the U.S. Government Accounting Office entitled "Improvements Needed in Managing Automated Decision-making by Computers Throughout the Federal Government", FGMSD-76-5, April 23, 1976.) This category includes databases, programs, and information on which unauthorized and invalid modifications cannot be tolerated.

    1.2.5c Sensitive Assets:
    Includes processes and information, assets that need controlled dissemination and that are considered classified, controlled, proprietary, or private. The unauthorized disclosure and dissemination of sensitive matter can result in losses of high magnitude which are generally irrecoverable. Sensitivity is the status of importance accorded to an asset (generally data) which has been agreed upon between the person or organization furnishing the sensitive resource and the person or organization receiving it, and which describes the resource's warranted degree of protection. Privacy data is a subset or special case of sensitivity which requires protection under the Privacy Act of 1974. In this case, it is most important to have an effective liaison with each functional office maintaining personal data. The Privacy Act is very specific on the scope and requirements for data protection and the reporting of privacy data collected. Generally, losses relating to sensitive matters result from disclosure, in which
    1.2.5d Supportive Assets:
    These are all other justifiable, organizational assets not otherwise classified in one or more of the critical, sensitive or financial/accountable categories. For example, items like furniture, vending machines and other property that can be amortized. The loss resulting from the occurrence of a threat upon these assets is too small to warrant further consideration and development of safeguards. Therefore, these resources are excluded from the risk analysis evaluation.
    1.2.6 Computer System:
    The hardware consisting of CPU, memory, controller and peripherals, disk drive(s), tape drive(s), printer(s), etc.

    1.2.7 Contingency Plan:

    A plan that identifies resource schedules, procedures and documentation to be used in providing continued operating capability and support to all critical mission components in case of disaster.

    1.2.8 Continuity of Operations Plan (COOP):
    Same as Contingency Plan (see above).


    1.2.9 Emergency Response:

    Identified actions, procedures, and resources to be used in emergency situations.

    1.2.10 Risk Analysis:

    The application of a standardized methodology in the determination of threats, risk factors, vulnerability exposures and potential losses. Risk analysis is an approach to satisfying the need of an organization to protect the assets in which it has made an investment. It also serves to identify the particular problems an organization could expect to encounter in the performance of its mission, and the adverse effects these problems might have on the organization's ability to meet its obligations. Finally, risk management, growing out of the analysis, is a mechanism by which management can address these problems according to their relative importance based on financial analysis, and develop safeguards which are both reasonable and cost-effective.
    1.2.11 Safeguards:

    Safeguards are countermeasures, specifications, or controls, consisting of actions taken to decrease the organization's existing degree of vulnerability to a given threat probability (Risk), that the threat will occur. Safeguards are put into effect to reduce the organization's potential losses and resultant impact to the mission. Safeguards are designed, implemented and maintained with the objective of minimizing losses by providing improved means of deterrence, prevention, mitigation, detection of and recovery from incidents (realizations of potential threat events). Generally, the safeguards are grouped into the following broad categories:
    1.2.11a Administrative Safeguards:
    This category includes all policies, procedures, guidelines, auditing checks and tabulations which are defined by management.
    1.2.11b Physical Safeguards:
    These are devices or mechanisms that protect assets. These include such things as door locks, terminal shielding, vaults, walls, fire suppression systems, and guards.

    1.2.11c Technical Safeguards:
    These are usually associated with the protection of information inside of a computer system; this category includes such items as data encryption, internal access controls, system and file passwords, recovery software, and auditing software.

    1.2.12 Single Loss Expectancy Individual: Per Asset (SLEI)

    The monetary value of a single specified asset, or set of assets, multiplied by its associated vulnerability exposures, which are related to a specific realized threat.

    1.2.13 Single Loss Expectancy: Per Threat Occurrence (SLE)

    The sum of the Single Loss Expectancies for all assets attributed to a specific realized threat. These are all losses associated with the single occurrence of a defined threat.
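The quantities defined in 1.2.1 through 1.2.3 and 1.2.12 through 1.2.13 chain together as in the following Python sketch, an added example that is not part of the RiskWatch report or software. All asset values, exposure fractions and AFEs are constructed sample data, and IALE is computed in monetary terms as SLEI multiplied by AFE, which is an assumed reading of definition 1.2.3.

```python
"""Loss-expectancy roll-up following definitions 1.2.1-1.2.3 and 1.2.12-1.2.13.

All data below is constructed for illustration; it is not RiskWatch output.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Exposure:
    asset: str
    threat: str
    loss_type: str   # one of the loss classes listed under 1.2.15
    fraction: float  # share of the asset's value lost per threat occurrence


# Constructed asset values (replacement cost, in currency units).
ASSET_VALUE = {"mainframe": 4_000_000, "tape_library": 600_000, "payroll_db": 1_500_000}

# Constructed Annual Frequency Estimates: expected occurrences per year.
AFE = {"fire": 0.02, "power_loss": 2.0}

EXPOSURES = [
    Exposure("mainframe", "fire", "direct", 0.5),
    Exposure("tape_library", "fire", "direct", 0.75),
    Exposure("payroll_db", "fire", "modification", 0.25),
    Exposure("mainframe", "power_loss", "delay/denial", 0.001),
    Exposure("payroll_db", "power_loss", "modification", 0.002),
]


def validate(exposures=EXPOSURES):
    """Reject inputs that would silently distort the totals."""
    for e in exposures:
        if e.asset not in ASSET_VALUE:
            raise ValueError(f"unknown asset: {e.asset}")
        if e.threat not in AFE or AFE[e.threat] < 0:
            raise ValueError(f"missing or negative AFE for threat: {e.threat}")
        if not 0.0 <= e.fraction <= 1.0:
            raise ValueError(f"exposure fraction out of range: {e}")


def slei(e):
    """Single Loss Expectancy, Individual: asset value x exposure (1.2.12)."""
    return ASSET_VALUE[e.asset] * e.fraction


def sle(threat, exposures=EXPOSURES):
    """Single Loss Expectancy: sum of SLEI over all assets for one threat (1.2.13)."""
    return sum(slei(e) for e in exposures if e.threat == threat)


def iale(e):
    """Individual ALE: loss per occurrence x AFE (assumed reading of 1.2.3)."""
    return slei(e) * AFE[e.threat]


def ale(threat, loss_type, exposures=EXPOSURES):
    """ALE: sum of IALE for one threat and one loss type (1.2.2)."""
    return sum(iale(e) for e in exposures
               if e.threat == threat and e.loss_type == loss_type)


def rank_threats(exposures=EXPOSURES):
    """Total expected annual loss per threat, largest first."""
    validate(exposures)
    totals = {}
    for e in exposures:
        totals[e.threat] = totals.get(e.threat, 0.0) + iale(e)
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)


if __name__ == "__main__":
    for threat, total in rank_threats():
        print(f"{threat:12s} SLE={sle(threat):>12,.0f}  annual={total:>10,.0f}")
```

In the sample data, fire has by far the larger single-occurrence loss, while power loss, with an SLE of only 7,000, still contributes 14,000 per year because of its frequency.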

    1.2.14 System Software:

    Programs that control the operation of a computer system, generally consisting of utility programs (both source code and object code). System software refers to special application programs, whose function is the operation of a computer or one of its specialized subsystems.

    1.2.15 Threat:

    An event, process, activity (act), or substance, either accidental or perpetrated by one or more threat agents, which, when realized, has an adverse effect on organizational assets (possibly aggravated by existing organizational or other forms of vulnerability to that threat), resulting in losses that may be classified as:

    1.2.15a direct loss;
    1.2.15b related direct loss;
    1.2.15c delays (in processing)/denials (of service) (acting against availability of the asset);
    1.2.15d disclosure (of sensitive information) (acting against its confidentiality);
    1.2.15e modification (also called contamination) (acting against its integrity);
    1.2.15f intangible (acting against intangible assets).

    The combination of all possible losses resulting from one occurrence of a threat is called the Single Loss Expectancy (SLE).
    1.2.16 Threat Agent:
    Any person or thing which acts, or has the power to act, to cause, carry out, transmit or support a threat. As stated in the threat definition, it is the case that the realization of many threats will correspondingly cause the occurrence of other threats, and therefore, many threats will themselves be threat agents.

    The identification of threat agents is an important element in attempting to calculate the Annual Frequency Estimate (AFE) of a threat occurrence and then the amount of loss (ALE) of an asset. Generally, a threat can occur through more than one agent, and to properly estimate the losses and subsequent impact to the mission, the individual AFEs and ALEs associated with each agent must be separately determined. Unfortunately, the statistics are not collected based on the agent. Therefore, with current statistics, the values would be overlapping and the resulting annual loss expectancy would be greatly exaggerated.

    1.2.17 Threat Probability of Occurrence with Cumulative Probability, Confidence Interval, and Standard Deviation:

    Based on available statistics, the probability or annual frequency estimate is calculated with the associated level of confidence and the applicable standard deviation.

    1.2.18 Vulnerability:

    A vulnerability, or weakness, is the susceptibility of an asset, or a set of assets, to an increased level of loss resulting from an occurrence of a defined threat against that asset. It is a characteristic, condition, or perceived lack of a procedural method or control, associated with one or more assets or safeguards, which would result in an increased loss if a threat were to be realized. The presence of a vulnerability does not in itself result in a loss, nor does the total absence of any vulnerability necessarily ensure that a loss will not occur should the threat become realized.
    1.2.19 Degree of Seriousness:

    The extent (for denial/delay forms of loss), or percentage of the value of affected assets (for all other forms of loss), that would be experienced as a result of the realization of a particular threat.