I. Why do we need information system security risk assessment?
Obviously, when we adopt a new technology to assist our security work, there must be reasons that drive us to use it. Those reasons are also the main role the technology plays in certain aspects of security protection, and we use it precisely for those major functions.
For information system security risk assessment, we have already seen its definition at the beginning of this article. From that definition we can understand that risk assessment can be used at every stage of an information system's life cycle. Because the purpose of the security precautions differs from stage to stage, the purpose of using risk assessment also differs, and therefore the risk assessment performed at each stage of the life cycle has a different effect.
The life cycle of an information system is divided into four major phases: design, implementation, operation and maintenance, and final destruction. The main role of the corresponding information system security risk assessment in each phase is as follows:
1. During the design and implementation phases of the information system life cycle, information system security risk assessment helps to understand what kind of security precautions the system ultimately needs, helps to formulate an effective security protection strategy, and determines the most economical investment in security protection. It also helps persuade the organization's leaders to agree to full implementation of the security strategy.
2. In the operation and maintenance phase of the information system life cycle, information system security risk assessment can play the following roles:
(1) Understand whether firewalls, IDSs and other security devices are actually operating according to their original configuration, and whether they meet the security requirements of the security objectives;
(2) Understand whether the security protection strategy is realistic and has been fully implemented;
(3) Inspect the security awareness of the organization's internal staff, and whether network operation behaviour and data usage patterns are normal;
(4) After the information system undergoes hardware or software changes for some reason, use information system security risk assessment to determine whether the original security measures are still valid and, if not, where they should be changed.
3. In the final destruction stage of the information system life cycle, information system security risk assessment can be used to verify that data or equipment that should have been completely destroyed can no longer be recovered in any way, and that equipment from obsolete information systems has been properly preserved and not lost.
II. The general processing flow of information system security risk assessment
Information system security risk assessment is not a task that can be performed at will. To ensure that the assessment is carried out in an orderly and correct manner and that its results are true and effective, to reduce intentional or unintentional mistakes during the assessment, and at the same time to improve efficiency, shorten the assessment time and reduce the impact on normal business, it is necessary to develop an effective process for evaluating information system security risks.
Some of the information system risk assessment standards that have emerged today (such as China's "Information Security Risk Assessment Guide", issued by the State Council Information Office on March 7, 2006) propose a general process for handling risk assessment. However, these general processes do not include specific details; those should be determined by you and your risk assessment team based on the needs of the assessment. At the same time, during the risk assessment we also use these standards as reference standards for the assessment results, in order to give specific risk assessment values.
Here I only give the main framework of this common information system security risk assessment process; the specific processing details will be described in the second section. The complete risk assessment process is as follows:
1. Information security risk assessment preparation stage
2. Risk detection stage for the information system security risk assessment objects
3. Stage of analysing the risk detection results of the assessment objects and producing the assessment report
4. Post-assessment security maintenance stage
III. Three important terms in information system security risk assessment
1. The assessment object
In the process of information system security risk assessment, the first thing we must do is specify the specific object of the assessment, that is, delimit the specific physical and technical scope of the assessment. In an information system, the assessment object corresponds to the hardware and software components of the system. For example, an information system includes various servers, the operating systems and service programs running on those servers, network connection devices, security protection devices or applications, and physical security devices, each of which may constitute an independent assessment object; even the people who use these information systems can serve as an assessment object. In general, the entire computer information system can be divided into six major assessment objects:
(1) Information security risk assessment
(2) Business process security risk assessment
(3) Network security risk assessment
(4) Communication security risk assessment
(5) Wireless security risk assessment
(6) Physical security risk assessment
2. The assessment item
An assessment item of information system security risk assessment is based on a specific assessment object and is used to examine a specific aspect of that object. For example, for physical security risk assessment, it is necessary to conduct a security risk assessment of the assessment object's surrounding environment, and to assess the physical security measures the assessment object has already put in place. These are the assessment items of information system security risk assessment.
Each assessment object has its own unique assessment items, determined by the unique attributes of that object. The following is a brief description of the main assessment items of the six major security risk assessment objects:
(1) Main assessment items for information security risk assessment
1. Information security status assessment
2. Information integrity review
3. Confidential information investigation
4. Network operation trace information check
5. Security review of information during use
6. Privacy information confidentiality review
7. Information controllability review
8. Information storage security review
(2) Main assessment items for business process security risk assessment
1. Business process security status assessment
2. Business request security review
3. Business response security review
4. Business processing security review
5. Business processing personnel reliability test
(3) Main assessment items for network security risk assessment
1. Network security status assessment
2. Intrusion detection review
3. Network transmission security assessment
4. Network application security assessment
5. Network weakness and vulnerability detection and verification
6. Security assessment of switches and routers in the network
7. Access control test
8. Major network attack tests (such as DoS)
9. Online behaviour review
10. Network security policy, alert and log file review
(4) Main assessment items for communication security risk assessment
1. Security testing of modems and other communications equipment
2. VoIP security assessment
3. Network fax security assessment
4. Remote access security assessment
5. Instant messaging security assessment (including live chat, network video conferencing, network remote monitoring, etc.)
(5) Main assessment items for wireless security risk assessment
1. Electromagnetic radiation test
2. 802.11a/b/g wireless network security risk assessment
3. Bluetooth security assessment
4. Wireless input and output device security testing
5. Wireless handheld device security testing
6. Wireless device access or exit security test
7. Wireless transmission equipment security test
8. Wireless communication confidentiality test
9. Other wireless communication detection (such as RFID and infrared connections)
(6) Main assessment items for physical security risk assessment
1. Physical security status assessment
2. Physical security access control security testing
3. Physical monitoring equipment operation review
4. Alert response review
5. Physical security guard position review
6. Physical security review of the computer system's location
7. Survey of local natural conditions and environmental factors at the computer system's location
3. The assessment task
The assessment task refers to all the assessment operations to be carried out to reach the assessment objective of a risk assessment item; the assessment tasks correspond to each assessment item. The specific assessment tasks can be determined by you and your team based on actual needs. Whether the assessment tasks are comprehensive and practical directly affects whether the final result of the information system security risk assessment is consistent with the risk assessment objective. Therefore, when deciding on these assessment tasks, the personnel involved should not only have a wealth of experience, but must also have adequate and effective data about the assessment object; at the same time they must have a full understanding of the current security threats, of the weaknesses and vulnerabilities of the various systems or equipment, and of the various means of attack; and they must also be able to carefully identify the asset types of the assessment object and their importance.
Because the assessment tasks are determined by the specific assessment objects and assessment items, and are also related to the current status and development trends of security threats, and because of the limits of article length, in this article we can only give some common assessment tasks for one or two assessment items of the six assessment objects. For the assessment tasks of the other assessment items, you and your assessment team can refer to the examples of assessment task content given here and use brainstorming to determine them from analysis of the various effective data collected.
(1) Assessment tasks of the privacy information confidentiality review in information security risk assessment
The privacy information confidentiality review mainly checks the integrity of how the privacy information of the organization's employees and customers is used, transmitted and stored. Since such privacy may be subject to certain legal regulations at the organization's location, when deciding on the assessment tasks for this item it is necessary to fully consider the national and regional regulations of the region in which the organization is located.
In general, to conduct a comprehensive privacy review, the following assessment tasks should be completed:
1. Compare the actual methods of accessing privacy information with the methods defined in the privacy access policy;
2. Check that the monitoring and protection of privacy conform to local laws and regulations;
3. Identify the type and size of the databases storing private information;
4. Identify the various kinds of privacy information collected by the organization;
5. Determine the storage locations of private information;
6. Understand the types of cookies saved by current web browsing and their retention time;
7. Identify the various kinds of privacy information stored in cookies;
8. Verify the encryption method used for cookies;
9. Identify where the organization's web server may generate errors, and understand the type of information returned to the browsing user when an error occurs.
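Tasks 6 to 8 concern the cookies the organization's web applications set. As an added example (it is not part of the article), the Python below reviews a few constructed Set-Cookie headers the way an assessor would: it reads the retention time from Max-Age or Expires, checks the Secure and HttpOnly flags, decodes URL- or base64-encoded values, and reports where personal data such as an e-mail address or phone number is stored client-side without encryption. The header values, the 365-day retention limit and the fixed review time are constructed for the example.

```python
"""Cookie privacy review: retention time, protection flags, and whether client-side
values carry personal data in plaintext or merely encoded. Added example; the sample
headers, names and limits below are constructed, not taken from the article."""
import base64
import binascii
import re
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from urllib.parse import unquote

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
PHONE_RE = re.compile(r"(?<!\d)\d{10,13}(?!\d)")      # long digit runs, e.g. phone numbers
HEX_TOKEN_RE = re.compile(r"^[0-9a-fA-F]{16,}$")       # looks like a random session token
BASE64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")

# Fixed reference time so retention is computed the same way on every run.
REVIEW_TIME = datetime(2025, 1, 1, tzinfo=timezone.utc)

# Constructed Set-Cookie headers as a web server might return them. The "profile"
# value is a base64-encoded plaintext record: base64 is an encoding, not encryption.
SAMPLE_SET_COOKIE_HEADERS = [
    "sessionid=3f9a8c1e7b2d4e6f; Path=/; Secure; HttpOnly; SameSite=Lax",
    "user_email=alice%40example.com; Path=/; Max-Age=31536000",
    "profile=" + base64.b64encode(b"email=bob@example.com;phone=13800000000").decode()
    + "; Path=/; Expires=Wed, 01 Jan 2031 00:00:00 GMT; Secure",
    "prefs=lang%3Den; Path=/",
]


def parse_set_cookie(header):
    """Split a Set-Cookie header into (name, raw value, {lowercase attribute: value})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, sep, val = part.partition("=")
        attrs[key.lower()] = val if sep else True   # flag attributes carry no value
    return name, value, attrs


def retention_seconds(attrs, now):
    """Seconds the browser keeps the cookie; None means a session cookie.
    Max-Age takes precedence over Expires, as browsers do."""
    if "max-age" in attrs:
        return int(attrs["max-age"])
    if "expires" in attrs:
        expires = parsedate_to_datetime(attrs["expires"])
        if expires.tzinfo is None:
            expires = expires.replace(tzinfo=timezone.utc)
        return int((expires - now).total_seconds())
    return None


def decode_value(raw):
    """Return (readable text, encoding): 'opaque' for token-like values, 'base64'
    when the value is base64 wrapping readable text, otherwise 'url' or 'plain'."""
    text = unquote(raw)
    if HEX_TOKEN_RE.match(text):
        return text, "opaque"
    if len(text) >= 16 and len(text) % 4 == 0 and BASE64_RE.match(text):
        try:
            decoded = base64.b64decode(text, validate=True).decode("utf-8")
            if decoded.isprintable():
                return decoded, "base64"
        except (binascii.Error, UnicodeDecodeError):
            pass
    return text, ("url" if text != raw else "plain")


def find_personal_data(text):
    """Categories of personal data visible in the decoded value."""
    kinds = []
    if EMAIL_RE.search(text):
        kinds.append("email")
    if PHONE_RE.search(text):
        kinds.append("phone")
    return kinds


def review_cookie(header, now=REVIEW_TIME, max_retention_days=365):
    """Assessment tasks 6-8 for one cookie: retention, stored personal data, protection."""
    name, raw, attrs = parse_set_cookie(header)
    text, encoding = decode_value(raw)
    retention = retention_seconds(attrs, now)
    personal = find_personal_data(text)
    findings = []
    if personal:
        findings.append("personal data stored client-side: " + ", ".join(personal))
        findings.append("stored in plaintext" if encoding == "plain"
                        else "value is %s-encoded, not encrypted" % encoding)
    if "secure" not in attrs:
        findings.append("missing Secure flag")
    if "httponly" not in attrs:
        findings.append("missing HttpOnly flag")
    if retention is not None and retention > max_retention_days * 86400:
        findings.append("retention %d days exceeds %d-day limit"
                        % (retention // 86400, max_retention_days))
    return {"name": name, "encoding": encoding, "retention_seconds": retention,
            "personal_data": personal, "findings": findings}


def review_cookies(headers, now=REVIEW_TIME):
    return [review_cookie(h, now) for h in headers]


if __name__ == "__main__":
    for report in review_cookies(SAMPLE_SET_COOKIE_HEADERS):
        print(report["name"], report["encoding"], report["retention_seconds"])
        for finding in report["findings"]:
            print("   -", finding)
```

The review deliberately treats base64 as an encoding rather than a protection: a value that decodes to readable text with an e-mail address in it is reported exactly like a plaintext value, which is the distinction task 8 asks the assessor to make.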
(2) Assessment tasks of the network operation trace information check in information security risk assessment
The network operation trace information check is mainly intended to investigate the operation traces left by some of the organization's employees after operating on the network, and to check whether any confidential information related to the organization has been left on the Internet. This assessment item is a very important part of information security risk assessment. To complete a comprehensive check of Internet operation behaviour information, the following assessment tasks are indispensable:
1. Check the contents of the internal staff's web history databases and caches;
2. Check whether the organization's internal staff have disclosed the organization's structure or other confidential information of the organization through personal homepages, blogs, forums or resumes posted on the Internet;
3. Investigate whether the organization's internal staff use private email and, where the law permits, check whether employees send confidential information of the organization through the email accounts issued by the organization;
4. Understand the level of computer skill of the organization's internal staff, and identify the departments and operating authority of employees with a high level of computer skill;
5. Investigate whether internal employees use instant messaging tools during working hours, and monitor the content of instant communications where the law permits;
6. Use Internet search engines to find out whether confidential information related to the organization exists on the network, or search specific newsgroups, forums and blogs;
7. Check whether the organization's internal staff are using P2P software, and review the P2P communication content where the law permits.
(3) Assessment tasks of network weakness and vulnerability detection and verification in network security risk assessment
Network weakness and vulnerability detection and verification is designed to identify security weaknesses and vulnerabilities in the network and to verify whether they can really be exploited. Using network-based vulnerability scanning and penetration testing tools during the assessment can greatly improve its efficiency.
However, when using a vulnerability scanning tool, its results cannot be accepted wholesale. Most vulnerability scanning tools today decide whether the target has a weakness or vulnerability by comparing what they observe against a vulnerability database. Once the tool's vulnerability database is not updated in time, or does not include all currently known vulnerabilities, the results may not be completely reliable. Moreover, because of design flaws and limited capabilities, these tools produce false positives and false negatives in use: a false positive makes us worry about something that is not there, while a false negative leaves us at the edge of a major security incident. Therefore, manual verification and penetration testing after the vulnerability scan can reduce both false negatives and false positives.
To complete a full assessment of network weaknesses and vulnerabilities, complete the following assessment tasks:
1. Combine the most popular vulnerability scanning and penetration testing tools to test the target network segment;
2. Use the vulnerability scanning tools to scan the target network segment from outside to inside and from inside to outside;
3. Identify the types of systems and applications that have weaknesses or vulnerabilities;
4. Determine which services have vulnerabilities;
5. Determine the types of application and service vulnerabilities;
6. Identify all vulnerabilities in the operating systems and applications, and identify all vulnerable operating systems and applications;
7. Determine whether these vulnerabilities can affect other similar target networks or systems;
8. Use manual penetration testing to confirm whether the weaknesses or vulnerabilities found actually exist;
9. Check the probability that these vulnerabilities can be exploited and the consequences that may follow from exploitation.
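As an added example that is not from the article, the Python below shows one way to keep the manual verification of task 8 tied to the scanner output of tasks 1 and 2: findings from two constructed scanner runs (outside-in and inside-out) are merged by host, port and identifier, the assessor's verdicts are applied, findings nobody has checked yet are listed for follow-up, and each scanner's false positives and missed findings are tallied so the reliability the text warns about can be measured rather than assumed. The scanner names, addresses, ports and the VULN-* identifiers are placeholders.

```python
"""Reconcile vulnerability scanner output with manual verification. Added example;
the scanner names, hosts, ports and VULN-* identifiers are constructed placeholders."""
from collections import defaultdict

# Constructed output of two scanner runs over the same segment, one from outside the
# perimeter and one from inside (tasks 1 and 2 above), reduced to the fields triage needs.
SCANNER_RESULTS = {
    "scanner_external": [
        {"host": "10.0.0.5", "port": 443, "id": "VULN-A", "severity": "high"},
        {"host": "10.0.0.5", "port": 22, "id": "VULN-B", "severity": "medium"},
        {"host": "10.0.0.9", "port": 80, "id": "VULN-C", "severity": "low"},
    ],
    "scanner_internal": [
        {"host": "10.0.0.5", "port": 443, "id": "VULN-A", "severity": "high"},
        {"host": "10.0.0.7", "port": 3306, "id": "VULN-D", "severity": "high"},
    ],
}

# Constructed record of the assessor's manual verification (task 8): the verdict for
# each scanner finding checked by hand so far.
MANUAL_VERIFICATION = {
    ("10.0.0.5", 443, "VULN-A"): "confirmed",
    ("10.0.0.5", 22, "VULN-B"): "false_positive",
    ("10.0.0.7", 3306, "VULN-D"): "confirmed",
}

# Constructed finding established only by manual testing; neither scanner reported it,
# so for both scanners it is a false negative.
MANUAL_ONLY_FINDINGS = [
    {"host": "10.0.0.9", "port": 8080, "id": "VULN-E", "severity": "high"},
]


def finding_key(finding):
    return (finding["host"], finding["port"], finding["id"])


def merge_findings(scanner_results, manual_only):
    """Group every reported finding by (host, port, id) and record who reported it."""
    merged = {}
    for source, findings in list(scanner_results.items()) + [("manual", manual_only)]:
        for f in findings:
            entry = merged.setdefault(finding_key(f), {"severity": f["severity"], "sources": []})
            entry["sources"].append(source)
    return merged


def triage(scanner_results, manual_verification, manual_only):
    """One row per distinct finding with its verification status:
    'confirmed', 'false_positive', or 'unverified' (scanner-only, not yet checked)."""
    report = []
    for key, entry in sorted(merge_findings(scanner_results, manual_only).items()):
        status = manual_verification.get(key)
        if status is None:
            status = "confirmed" if "manual" in entry["sources"] else "unverified"
        report.append({"host": key[0], "port": key[1], "id": key[2],
                       "severity": entry["severity"], "sources": entry["sources"],
                       "status": status})
    return report


def needs_verification(report):
    """Findings the scanners reported that nobody has confirmed or disproved yet."""
    return [r["id"] for r in report if r["status"] == "unverified"]


def scanner_accuracy(report):
    """Per scanner: confirmed findings, false positives, and confirmed findings it missed."""
    stats = defaultdict(lambda: {"confirmed": 0, "false_positive": 0, "missed": 0})
    scanners = sorted({s for r in report for s in r["sources"] if s != "manual"})
    for r in report:
        if r["status"] == "unverified":
            continue                      # cannot score a finding nobody has checked
        for scanner in scanners:
            if scanner in r["sources"]:
                stats[scanner][r["status"]] += 1
            elif r["status"] == "confirmed":
                stats[scanner]["missed"] += 1
    return {s: dict(stats[s]) for s in scanners}


if __name__ == "__main__":
    rows = triage(SCANNER_RESULTS, MANUAL_VERIFICATION, MANUAL_ONLY_FINDINGS)
    for row in rows:
        print("%-9s %-5d %-7s %-7s %-14s %s" % (row["host"], row["port"], row["id"],
                                              row["severity"], row["status"],
                                              ",".join(row["sources"])))
    print("still to verify:", needs_verification(rows))
    print("scanner accuracy:", scanner_accuracy(rows))
```

A finding only one scanner reported is not treated as wrong, and a finding both reported is not treated as confirmed; only the manual verdict changes the status, which is the point of task 8. The accuracy tally then shows, per tool, how often the database-driven comparison the text describes was right, wrong, or silent.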
(4) Assessment tasks of security testing of modems and other communication equipment in communication security risk assessment
Security testing of modems and other communications equipment mainly checks the modem's login authentication method and whether it can be illegitimately taken over. To complete a comprehensive security inspection of communication devices such as modems, the following assessment tasks should be fully implemented:
1. Comprehensively scan modems and other communications equipment from the inside to the outside;
2. Make sure that the login user name and password of communication devices such as modems are not the default settings and are not easily guessed;
3. Ensure that the routers, layer-3 switches or computers directly connected to communication devices such as modems have appropriate security measures in place;
4. Check whether remote maintenance of communication equipment such as modems is secure;
5. Verify remote dial-in authentication;
6. Test local dial-in authentication.
(5) Assessment tasks of 802.11a/b/g wireless network security risk assessment in wireless security risk assessment
As 802.11a/b/g wireless network technology matures, more and more organizations are beginning to use it. However, because of the openness of 802.11a/b/g wireless technology, and because most deployments make no corresponding security changes to the default settings, or have very few and weak security settings, 802.11a/b/g wireless networks bring with them a corresponding amount of security risk. Therefore, 802.11a/b/g wireless network security risk assessment is used to identify the current security risks in wireless networks, so that better security measures can be taken to reduce the risk of wireless network applications.
To complete the 802.11a/b/g wireless network security risk assessment item, you must perform all of the following assessment tasks:
1. Check whether the organization has a sufficiently good wireless security policy governing the use of 802.11a/b/g wireless networks, and evaluate the hardware and firmware of the wireless network and its update status;
2. Take a comprehensive inventory of the wireless devices connected to the target wireless network, evaluate access control and the range of wireless signal coverage, and determine whether wireless signals can be prevented from exceeding the specified range or whether excessive wireless signals can be interfered with;
3. Determine the access control capability of the wireless network against lateral access to the target wireless network: whether it can identify all permitted access points, whether it can immediately identify unauthorized access points, and whether it can locate them and reject their access;
4. Assess the wireless network configuration, authentication and encryption;
5. Evaluate whether the default service set identifier (SSID) of each wireless access point has been changed;
6. Verify that all wireless clients have anti-virus software and firewall security tools installed.
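As an added example (not from the article), the Python below applies tasks 2 to 5 to a constructed site survey: it compares observed access points against an authorized inventory to flag unauthorized ones, notes when an unknown BSSID broadcasts a corporate SSID, checks for factory-default SSIDs and for open, WEP or WPA-TKIP security, and lists authorized devices that were not seen at all. All BSSIDs, SSIDs and the default-SSID list are constructed for the example.

```python
"""Review of a wireless site survey against the authorized access-point inventory:
unauthorized (rogue) APs, SSID impersonation, factory-default SSIDs and weak encryption.
Added example; every BSSID, SSID and survey row below is constructed."""

# Constructed authorized inventory: BSSID -> SSID it is supposed to broadcast.
AUTHORIZED_APS = {
    "00:11:22:33:44:01": "corp-wifi",
    "00:11:22:33:44:02": "corp-wifi",
    "00:11:22:33:44:03": "corp-guest",
    "00:11:22:33:44:04": "corp-wifi",    # in inventory but not seen in this survey
}

# Constructed survey rows as a site-survey tool might export them (task 2 above).
SURVEY = [
    {"bssid": "00:11:22:33:44:01", "ssid": "corp-wifi", "security": "WPA2-CCMP"},
    {"bssid": "00:11:22:33:44:02", "ssid": "corp-wifi", "security": "WPA-TKIP"},
    {"bssid": "00:11:22:33:44:03", "ssid": "corp-guest", "security": "OPEN"},
    {"bssid": "aa:bb:cc:dd:ee:01", "ssid": "corp-wifi", "security": "OPEN"},
    {"bssid": "aa:bb:cc:dd:ee:02", "ssid": "linksys", "security": "WEP"},
]

# Short illustrative list of factory-default SSIDs; extend it from vendor documentation.
DEFAULT_SSIDS = {"default", "linksys", "netgear", "dlink", "tp-link", "wireless"}
# Security modes that provide no or broken confidentiality (task 4).
WEAK_SECURITY = {"OPEN", "WEP", "WPA-TKIP"}


def review_access_point(ap, authorized):
    """Findings for one observed AP; an empty list means nothing to report."""
    findings = []
    bssid = ap["bssid"].lower()
    expected_ssid = authorized.get(bssid)
    corporate_ssids = set(authorized.values())
    if expected_ssid is None:
        if ap["ssid"] in corporate_ssids:
            # Task 3: an unknown radio advertising our SSID is the case most worth locating.
            findings.append("unauthorized access point impersonating corporate SSID %r" % ap["ssid"])
        else:
            findings.append("unauthorized access point")
    elif ap["ssid"] != expected_ssid:
        findings.append("SSID %r differs from inventory (%r)" % (ap["ssid"], expected_ssid))
    if ap["ssid"].lower() in DEFAULT_SSIDS:          # task 5
        findings.append("factory-default SSID")
    if ap["security"].upper() in WEAK_SECURITY:      # task 4
        findings.append("weak or no encryption: " + ap["security"])
    return findings


def review_survey(survey, authorized):
    """Map each observed BSSID to its findings."""
    authorized = {k.lower(): v for k, v in authorized.items()}
    return {ap["bssid"].lower(): review_access_point(ap, authorized) for ap in survey}


def missing_authorized(survey, authorized):
    """Authorized BSSIDs not seen at all: powered off, out of range, or inventory drift."""
    seen = {ap["bssid"].lower() for ap in survey}
    return sorted(b for b in authorized if b.lower() not in seen)


if __name__ == "__main__":
    for bssid, findings in review_survey(SURVEY, AUTHORIZED_APS).items():
        print(bssid, findings or "ok")
    print("not seen:", missing_authorized(SURVEY, AUTHORIZED_APS))
```

The guest network is flagged for being open even though that may be the intended design; the assessor, not the script, decides whether an open guest SSID is an accepted risk, which is why each rule reports a finding rather than a verdict.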
(6) Assessment tasks of security testing of physical security access control in physical security risk assessment
Security testing of physical security access control is an assessment item used to detect whether persons can come into direct physical contact with the organization's important information assets. To complete a security test of physical security access control, you must complete the following assessment tasks:
1. Enumerate all areas where physical access control is required;
2. Check the access control devices, and their types, at all physical access control points;
3. Check whether the type of alarm triggered is consistent with its description;
4. Determine the security level of the physical access control devices;
5. Test the physical access control devices for weaknesses and vulnerabilities;
6. Test whether the physical access control devices can lose their detection capability through human action or other means.
IV. Rules to be Observed in the Process of Information System Security Risk Assessment
In the process of risk assessment of information systems, the following factors will produce erroneous assessment results:
1. False positives and false negatives of vulnerability scanning software;
2. The system under test has been configured with a fixed decoy response to certain types of events; when a system with such deceptive settings is tested, it commonly returns the same prescribed response to all assessment events;
3. The system under evaluation has certain settings designated to respond safely to all events;
4. During the risk assessment, a response is received from a target, but the response does not really come from the actual assessment target; some inexperienced risk assessment personnel fail to recognize such an illusion, resulting in an erroneous result;
5. The risk assessment tools or devices themselves have problems and may give wrong responses; and when there is high noise on the Ethernet path used for the risk assessment, or there are devices that interfere with the target wireless network signal, wrong results will occur;
6. When an incorrect result is obtained in one part of the risk assessment but is not identified and re-evaluated in time, subsequent evaluations use this wrong result as an evaluation condition; the error is inherited and leads to a wrong final risk assessment result;
7. The risk assessment must be performed by people, and risk assessment personnel may produce erroneous results because of their technical level, experience, attitude toward the assessment, and differing understanding of risk assessment.
For the above reasons, erroneous information system security risk assessment results, once accepted, will bring new security risks to the security protection of the information system, with consequences that are hard to contemplate. Therefore, we must comply with the following rules during the risk assessment process; they can effectively reduce the above sources of error:
1. Understand that, when conducting a risk assessment, every detail is equally important, and understand the purpose of each assessment item.
2. Pay attention to every small detail in the risk assessment process. The effectiveness of risk assessment results is often reflected in details, because some major security incidents are caused by minor security weaknesses. In addition, a single small detail may not bring about a certain type of security risk on its own; however, once many small details have accumulated, they can unexpectedly bring a major information security incident to the information system.
3. Do not think that spending less and doing more is always better. Many organizations now have smaller security budgets and therefore require security risk assessments to be more efficient in less time. However, if you believe that an inefficient risk assessment strategy will save you a lot of money and decide to use it, that strategy may not detect all the security risks. Then, although you have spent time and money on the risk assessment, you get none of its benefit; instead you increase the security cost and the possibility of business disruption.
Obviously, risk assessment requires a certain cost. Therefore, when you start a risk assessment, you must consider how to balance assessment efficiency against the cost invested. Only when these two reach a satisfactory balance can the best risk assessment efficiency and effectiveness be achieved.
4. For a risk assessment involving multiple assessment objects, there must be a risk assessment strategy that is practical, comprehensively considered and fully implementable. At no time may we overlook the importance of strategy in security work. The risk assessment strategy states the main purpose of a risk assessment, the tasks to be completed and some operational details; it guides the risk assessment process and controls the entire assessment.
5. Know how to do the economics of risk assessment. The purpose of a risk assessment is usually to achieve the security of a certain program, and the results of the assessment will propose solutions for the weaknesses found; this in turn involves increasing investment in security. A good risk assessment project manager will understand whether the organization has enough economic capacity to fix the vulnerabilities discovered, how much it will cost to reach the level of security risk acceptable to the organization's leaders, how the budget will be accepted by the organization's decision makers, and so on. If you do not consider these issues, then however comprehensive and accurate your risk assessment results are, if they are not accepted by the organization's decision makers the assessment is still unsuccessful; it only wastes a lot of the organization's time and money. Therefore, knowing the economics of risk assessment is also an important aspect.
6. Understand the reference standards for risk assessment. The key to whether a risk assessment result is authoritative is that you should state in the assessment results which risk assessment criteria the assessment method is based on, for example China's "Information Security Risk Assessment Guide" mentioned above. You can also use international standards, such as the risk assessment standards in the ISO/IEC 17799/27001 international information security management system standards. These standards give you a reference for how to assign the final security and risk levels.
7. The risk assessment personnel must complete the designated assessment tasks within the specified scope of authority, and during the evaluation must not go outside the prescribed physical scope. If a task is found to be doubtful during the assessment, it should be stopped immediately and reported to the person in charge of the assessment team; until the question is clearly resolved, the next assessment step must not be carried out. Assessment sites should keep records of the specific times at which evaluators enter and leave. Each evaluator should wear a work permit that clearly indicates his or her identity. Each risk assessor should use the prescribed assessment tools and must not bring unapproved tools into the assessment site. The scope of authority and the physical location of each risk assessor should be made clear, and no assessor may exceed the prescribed authority or physical scope.
A systematic understanding of the above basics of information system security risk assessment lets us understand how to complete a security risk assessment effectively. The next task is to grasp how the security risk assessment of an information system should be carried out in detail.