Academic year: 2022


RA WHIZ - RISK ASSESSMENT AUTOMATION FOR AN

INFORMATION SECURITY MANAGEMENT SYSTEM

BY

NOR AZA RAMLI

A thesis submitted in fulfilment of the

requirement for the degree of Master of Computer Science

Kulliyyah of Information and Communication Technology

International Islamic University Malaysia

APRIL 2016


ABSTRACT

Information is a business asset that needs to be accessed and processed for it to bring value to the business. The use of technologies in handling information introduces information security risks that are inherited from flaws and weaknesses in the implementation of these technologies. Information security risks can be addressed systematically by having a comprehensive management system in place. ISO/IEC 27001 is a standard for an information security management system (ISMS). It is published in a joint effort by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). The standard introduces a risk-based approach to managing information security. A risk assessment exercise for an ISMS implementation requires human expertise with a comprehensive understanding and considerable knowledge of information security. The risk assessment exercise is based on three steps: identification, analysis and evaluation. Tools are available that cater for the automation of the analysis and evaluation steps. However, there is still a lack of automation in the information security risk area overall. This could be because the analysis and evaluation phases are based on the risk assessment approach, whereas the identification phase requires specific knowledge of information security risks. This work aims to automate the risk identification process by studying key parameters in risk assessment and developing relationship models of these parameters. Scopes undertaken by ISMS certified organizations in Malaysia will be analyzed to determine a significant scope for this study. Key parameters for risk assessment will be identified and relationship models will be developed for these parameters. The key parameters are assets, with explicit grouping and definitions, and their corresponding threats and vulnerabilities. The asset relationship model presents a link between three types of assets.
This model demonstrates the idea of information containers, primary assets and supporting assets, which needs to be understood by organizations to enable efficient risk assessment. Information is a primary asset, with supporting assets such as infrastructure and systems. The threats relationship model presents a link between the types of threats. It demonstrates how a data security threat could be the result of risk inherited from threats on infrastructure and systems.

The vulnerabilities relationship model presents the relationship between a specific threat and common vulnerabilities. The relationship models are implemented using Protégé, an ontology editor. The risk assessment ontology becomes the knowledge base of RA Whiz, a risk assessment advisory system. RA Whiz produces risk assessment results for a secure data centre, which is the scope identified earlier in this study.

Validation of the results is sought from information security professionals with ISMS working experience to gauge the reliability of the results produced by RA Whiz.
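The three relationship models described in the abstract, as an added Python example that is not part of the thesis or of RA Whiz (which implements them as a Protégé ontology): threat names follow the thesis's figure list, while the induced data security threats, the vulnerability entries and the sample data centre scope are constructed for illustration.

```python
"""Rule-based risk identification over the three RA Whiz relationship models.

Constructed illustration: the thesis implements these models as a Protégé
ontology; here they are plain Python data so the inheritance of data security
threats through information containers can be run and inspected.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Asset:
    name: str
    kind: str                          # "information" (primary), "infrastructure" or "system" (supporting)
    containers: Tuple[str, ...] = ()   # information only: supporting assets that hold or process it


@dataclass(frozen=True)
class Threat:
    name: str
    target_kind: str                   # supporting-asset kind the threat acts on directly
    induces: Tuple[str, ...]           # data security threats inherited by contained information


@dataclass(frozen=True)
class Risk:
    asset: str
    threat: str
    vulnerability: str
    inherited_from: str = ""           # "<threat> on <container>" when the risk is inherited


# Threats relationship model (Relationship 2). Threat names follow the thesis's
# figure list; the induced data security threats are constructed, CIA-based labels.
THREATS: Tuple[Threat, ...] = (
    Threat("Equipment Failure", "infrastructure", ("Loss of availability",)),
    Threat("Unauthorized Physical Access", "infrastructure",
           ("Disclosure", "Modification", "Loss of availability")),
    Threat("DoS/DDoS", "system", ("Loss of availability",)),
    Threat("Reconnaissance Attacks", "system", ("Disclosure",)),
    Threat("Malware Attacks", "system", ("Disclosure", "Modification", "Loss of availability")),
)

# Vulnerabilities relationship model (Relationship 3): specific threat -> common
# vulnerabilities. Constructed sample entries, not the thesis's Tables 4.5/4.6.
VULNERABILITIES: Dict[str, Tuple[str, ...]] = {
    "Equipment Failure": ("No redundant power supply", "No preventive maintenance schedule"),
    "Unauthorized Physical Access": ("No access control at data centre entrance", "Visitors not escorted"),
    "DoS/DDoS": ("No traffic filtering or rate limiting", "Single network uplink"),
    "Reconnaissance Attacks": ("Unnecessary services exposed", "Verbose service banners"),
    "Malware Attacks": ("Unpatched operating system", "No anti-malware on servers"),
}


def identify_risks(assets: List[Asset]) -> List[Risk]:
    """Expand a scope's assets into (asset, threat, vulnerability) risk candidates.

    Supporting assets get the threats that target their kind directly. Information
    assets get no direct threats; instead every threat on one of their containers
    propagates as the data security threats it induces (Relationship 1).
    """
    by_name = {a.name: a for a in assets}
    risks: List[Risk] = []
    for asset in assets:
        if asset.kind in ("infrastructure", "system"):
            for t in THREATS:
                if t.target_kind == asset.kind:
                    for v in VULNERABILITIES[t.name]:
                        risks.append(Risk(asset.name, t.name, v))
        elif asset.kind == "information":
            for c_name in asset.containers:
                container = by_name.get(c_name)
                if container is None or container.kind == "information":
                    raise ValueError(f"{asset.name!r}: container {c_name!r} is not a supporting asset")
                for t in THREATS:
                    if t.target_kind != container.kind:
                        continue
                    for ds_threat in t.induces:
                        for v in VULNERABILITIES[t.name]:
                            risks.append(Risk(asset.name, ds_threat, v, f"{t.name} on {c_name}"))
        else:
            raise ValueError(f"{asset.name!r}: unknown asset kind {asset.kind!r}")
    return risks


def data_security_exposure(risks: List[Risk], information_asset: str) -> List[str]:
    """Distinct data security threats an information asset inherits, sorted."""
    return sorted({r.threat for r in risks if r.asset == information_asset and r.inherited_from})


# Constructed sample scope: a secure data centre with one primary information asset.
SAMPLE_SCOPE: List[Asset] = [
    Asset("Data Centre Facility", "infrastructure"),
    Asset("Customer Hosting Servers", "system"),
    Asset("Customer Data", "information", containers=("Data Centre Facility", "Customer Hosting Servers")),
]

if __name__ == "__main__":
    for r in identify_risks(SAMPLE_SCOPE):
        via = f"  (inherited via {r.inherited_from})" if r.inherited_from else ""
        print(f"{r.asset}: {r.threat} <- {r.vulnerability}{via}")
    print("Customer Data exposure:", data_security_exposure(identify_risks(SAMPLE_SCOPE), "Customer Data"))
```

The information asset receives no threats of its own; every one of its entries carries an `inherited_from` trail back to a threat on a container, which is the point the abstract makes about inherited risk.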

ABSTRACT IN ARABIC


APPROVAL PAGE

I certify that I have supervised and read this study and that in my opinion, it conforms to acceptable standards of scholarly presentation and is fully adequate, in scope and quality, as a thesis for the degree of Master of Computer Science.

………

Normaziah Abdul Aziz
Supervisor

I certify that I have read this study and that in my opinion it conforms to acceptable standards of scholarly presentation and is fully adequate, in scope and quality, as a thesis for the degree of Master of Computer Science.

………..

Imad Fakhri Taha
Examiner

………..

Omar Zakaria
External Examiner

This thesis was submitted to the Department of Computer Science and is accepted as a fulfilment of the requirement for the degree of Master of Computer Science.

………..

Normi Sham Awang Abu Bakar
Head, Department of Computer Science

This thesis was submitted to the Kulliyyah of Information and Communication Technology (KICT) and is accepted as a fulfilment of the requirement for the degree of Master of Computer Science.

………..

Abdul Wahab Abdul Rahman Dean, Kulliyyah of ICT


DECLARATION

I hereby declare that this thesis is the result of my own investigations, except where otherwise stated. I also declare that it has not been previously or concurrently submitted as a whole for any other degrees at IIUM or other institutions.

Nor Aza Ramli

Signature ... Date ...

COPYRIGHT PAGE

INTERNATIONAL ISLAMIC UNIVERSITY MALAYSIA

DECLARATION OF COPYRIGHT AND AFFIRMATION OF FAIR USE OF UNPUBLISHED RESEARCH

RA WHIZ - RISK ASSESSMENT AUTOMATION FOR AN

INFORMATION SECURITY MANAGEMENT SYSTEM

I declare that the copyright of this thesis is jointly owned by the student and IIUM.

Copyright © 2016 Nor Aza Ramli and International Islamic University Malaysia. All rights reserved.

No part of this unpublished research may be reproduced, stored in a retrieval system, or transmitted, in any form or by any means, electronic, mechanical, photocopying, recording or otherwise without prior written permission of the copyright holder except as provided below:

1. Any material contained in or derived from this unpublished research may be used by others in their writing with due acknowledgement.

2. IIUM or its library will have the right to make and transmit copies (print or electronic) for institutional and academic purpose.

3. The IIUM library will have the right to make, store in a retrieval system and supply copies of this unpublished research if requested by other universities and research libraries.

By signing this form, I acknowledge that I have read and understand the IIUM Intellectual Property Right and Commercialization policy.

Affirmed by Nor Aza Ramli

……….. ………..

Signature Date


ACKNOWLEDGEMENTS

In the name of Allah, the Most Gracious, the Most Merciful.

All praise is due to Allah, and Allah's Peace and Blessings be upon His Final Messenger.

This research is carried out under the supervision of Assoc. Prof. Dr. Normaziah Abdul Aziz in the Department of Computer Science, Kulliyyah of ICT, IIUM.

All praise is due to Allah, for without His blessings I would not have been able to complete and present this thesis.

My heartfelt appreciation goes to my supervisor for her continuous dedication and patience in guiding me throughout the process of completing this thesis.

I am indebted to my loving husband for his undivided support that allows me to dedicate my time through these few years, facing up to the many challenges that came by. Thank you for believing in me and for always standing by my side.

A very special thanks goes to my children, mother, siblings, relatives and friends for their understanding and support.

Last but not least, I would like to thank everyone especially the academic and administration staff at the Kulliyyah of ICT who have directly or indirectly helped me during my tenure here.

May Allah s.w.t reward all of you accordingly.


TABLE OF CONTENTS

Abstract ... ii

Abstract in Arabic ... iii

Approval Page ... iv

Declaration ... v

Copyright ... vi

Acknowledgments ... vii

List of Tables ... x

List of Figures ... xii

Terms and Acronyms ... xiv

CHAPTER ONE: INTRODUCTION AND OVERVIEW ... 1

1.1 Introduction... 1

1.2 Thesis Overview ... 2

1.2.1 Problem Statement ... 3

1.2.2 Research Question ... 4

1.2.3 Research Objective... 4

1.2.4 Research Methodology... 7

1.2.5 Research Hypothesis ... 7

1.2.6 Significance of the Study ... 8

1.2.7 Scope and Limitations ... 8

1.2.7.1 Scope of the Research ... 8

1.2.7.2 Limitation of the Research ... 10

1.3 Thesis Structure ... 11

CHAPTER TWO: LITERATURE REVIEW ... 12

2.1 Introduction... 12

2.2 Information Security Management System Standards ... 12

2.3 Information Security Risk Assessment ... 14

2.4 Risk Assessment Tools ... 16

2.4.1 Documented Guidelines ... 16

2.4.2 Documentation Toolkit and Software ... 19

2.5 Risk Assessment on Expert System ... 19

2.6 Expert System Tools ... 23

2.6.1 Expert System Shells ... 23

2.6.1.1 CLIPS ... 23

2.6.1.2 Java Expert System Shell ... 24

2.6.1.3 JessGUI ... 24

2.6.1.4 JavaDON ... 24

2.6.2 Ontology Editor ... 25

2.6.3 Expert System Tools Review ... 26

2.7 Summary ... 27


CHAPTER THREE: METHODOLOGY AND DESIGN ... 29

3.1 Introduction... 29

3.2 Research Methodology ... 29

3.3 Research Design ... 31

3.3.1 Studying Published Standards ... 32

3.3.2 Developing RA Whiz ... 32

3.3.3 Validating RA Whiz Results ... 34

3.4 The Underlying Concept of RA Whiz ... 35

3.4.1 ISMS Scope ... 35

3.4.2 Risk Assessment Approach ... 37

3.4.3 Relationship Models ... 41

3.4.3.1 Assets Identification ... 41

3.4.3.2 Threats Identification ... 43

3.4.3.3 Vulnerabilities Identification ... 46

3.4.4 Formulation of Questionnaires ... 48

3.5 Summary ... 51

CHAPTER FOUR: DEVELOPMENT OF RA WHIZ ... 52

4.1 Introduction... 52

4.2 Facts and Rules ... 52

4.3 Relationship Models ... 56

4.3.1 Relationship 1 – Assets Relationship ... 57

4.3.1.1 Relating Primary Asset (Information) to Supporting Assets (Infrastructure and System) ... 63

4.3.2 Relationship 2 – Threats Relationship ... 65

4.3.3 Relationship 3 – Vulnerabilities Relationship ... 77

4.4 RA Whiz User Interface ... 81

4.5 Summary ... 82

CHAPTER FIVE: RESULTS AND ANALYSIS ... 83

5.1 Introduction... 83

5.2 Risk Assessment Results ... 83

5.3 Validation of Results ... 86

5.3.1 Identification of Key Assets ... 86

5.3.2 Identification of Specific Threats ... 89

5.3.3 Identification of Common Threats ... 93

5.4 Overall Observation of Analysis ... 101

5.5 Summary ... 103

CHAPTER SIX: CONCLUSION AND MOVING FORWARD ... 104

6.1 Introduction... 104

6.2 Finding Summary ... 105

6.3 Contribution ... 108

6.4 Future Work ... 110

REFERENCES ... 111

PUBLICATION / PRESENTATION ... 114


LIST OF TABLES

Table 1.1 Context of Research Questions in Association with Research

Objectives 6

Table 2.1 Description of OCTAVE Methods 17

Table 2.2 Summary of Features of RA Whiz vs Expert Systems on Risk

Assessment 22

Table 2.3 Summary of Expert System Tools Reviewed 26

Table 3.1 Asset – Impact Valuation 39

Table 3.2 Likelihood of Occurrence 39

Table 3.3 Types of Assets 41

Table 4.1 Facts and Rules in Risk Assessment 53

Table 4.2 List of Threats and Corresponding Vulnerabilities 55

Table 4.3 Summary of Relationship Between Physical Security Threats and Data Security Threats 76

Table 4.4 Summary of Relationship Between Network Security Threats

and Data Security Threats 76

Table 4.5 Summary of Physical Security Threats and Corresponding

Vulnerabilities 79

Table 4.6 Summary of Network Security Threats and Corresponding

Vulnerabilities 80

Table 5.1 Description of Key Assets 87

Table 5.2 Q1 of Questionnaire 88

Table 5.3 Responds to Q1 of Questionnaire 88

Table 5.4 Q2 of Questionnaire 89

Table 5.5 Q2.1 of Questionnaire 90

Table 5.6 Responds to Q2.1 of Questionnaire 91

Table 5.7 Suggested Additional Threats 92


Table 5.8 Q2.2 of Questionnaire 94

Table 5.9 Responds to Q2.2 of Questionnaire 94

Table 5.10 Q3 of Questionnaire 95

Table 5.11 Q3.1 of Questionnaire 96

Table 5.12 Responds to Q3.1 of Questionnaire 96

Table 5.13 Suggested Additional Vulnerabilities 98

Table 5.14 Overall Observation of Analysis 101

Table 5.15 Summary of RA Whiz Results Validation 103

Table 6.1 Research Objective and Hypothesis Justification 105


LIST OF FIGURES

Figure 1.1 The Main Stages Undertaken in the Study 7

Figure 2.1 Risk Assessment Process 15

Figure 2.2 Summary of Literature Review 27

Figure 3.1 Description of the Phases in the Research Methodology 30

Figure 3.2 Research Design Process Flow 31

Figure 3.3 Architecture of RA Whiz 33

Figure 3.4 ISMS Certificates in Malaysia (ISO Survey of Management

System Standard Certifications, 2013) 35

Figure 3.5 ISMS Certificates in Malaysia (breakdown by scope) 36

Figure 3.6 Information Security Risk Management Process (Reference: ISO/IEC 27005) 38

Figure 3.7 Risk Scales (Reference: ISO/IEC 27005) 40

Figure 3.8 Assets Relationship Model 43

Figure 3.9 Threats Relationship Model – 1 44

Figure 3.10 Threats Relationship Model – 2 45

Figure 3.11 Threats and Vulnerabilities Relationship Model 47

Figure 4.2 RA Whiz - Risk Assessment Tool Based on Protégé Ontology Editor 54

Figure 4.3 The Three Categories of Assets 57

Figure 4.4 Types of Assets in Ontograph 58

Figure 4.5 The Extension of Assets Based on Three Categories 59

Figure 4.6 Description of Data Centre Infra 60

Figure 4.7 Ontograph of Data Centre Infrastructure Assets 60

Figure 4.8 Description of Data Centre System 61


Figure 4.9 Ontograph of Data Centre System Assets 62

Figure 4.10 Description of Information 62

Figure 4.11 Ontograph of Information Assets 63

Figure 4.12 Information Containers 64

Figure 4.13 Description of Threats 65

Figure 4.14 Threats Ontograph 66

Figure 4.15 Description of Physical Security Threat 67

Figure 4.16 Ontograph of Physical Security Threats 68

Figure 4.17 Physical Security Threat – Equipment Failure 69

Figure 4.18 Physical Security Threat – Unauthorized Physical Access 70

Figure 4.19 Ontograph on the Relationship Between Physical Security Threat and Data Security Threat 71

Figure 4.20 Description of Network Security Threat 72

Figure 4.21 Ontograph of Network Security Threats 72

Figure 4.22 Network Security Threat – DoS/DDoS 73

Figure 4.23 Network Security Threat – Reconnaissance Attacks 74

Figure 4.24 Network Security Threat – Malware Attacks 74

Figure 4.25 Ontograph on the Relationship of Network Security Threat and Data Security Threat 75

Figure 4.26 Description of Vulnerability 77

Figure 4.27 Ontograph on the Relationship of Physical Security Threats

and Their Corresponding Vulnerabilities 78

Figure 4.28 Ontograph on the Relationship of Network Security Threats

and Their Corresponding Vulnerabilities 80

Figure 5.1 RA Whiz Screen Capture with Extended ViewComponent Tab

Labelled as Security 84

Figure 5.2 Results of Risk Assessment – Data Centre System 85


TERMS AND ACRONYMS

CIA Confidentiality, integrity and availability

CLIPS C Language Integrated Production System

ISMS Information Security Management System

ISO/IEC International Organization for Standardization and International Electrotechnical Commission

JESS Java Expert System Shell

NIST National Institute of Standards and Technology, United States

OCTAVE Operationally Critical Threat, Asset, and Vulnerability Evaluation

OWL Web Ontology Language


CHAPTER ONE

INTRODUCTION AND OVERVIEW

1.1 INTRODUCTION

Organizations that are dependent on information technologies consequently have to face a common issue: managing the information security risks that come with the use of those technologies. A report entitled Trial by fire (2009), published by PricewaterhouseCoopers based on its annual Global State of Information Security Survey for the year 2010, found that organizations had considered taking a risk-based approach as well as adopting a recognized security framework in addressing information security issues. The consistent outcome of this annual survey for the year 2011, in a report entitled Respected - but still restrained (2010), emphasized the importance of understanding information security risks and prioritizing investment to mitigate the most critical ones.

According to Humphreys (2008), if an organization does not know the risks it faces, it will not be able to implement proper and effective protection. Kailay and Jarrat (1995) highlighted that one of the gaps at that time was the limited risk analysis methodologies and corresponding tools for certain domain users. At present that gap has been addressed by several available risk assessment methodologies, such as ISO/IEC 27005, which is published by the International Organization for Standardization and International Electrotechnical Commission (ISO/IEC). This research aims to automate the risk assessment process by identifying a plausible set of risks for a particular scope in an Information Security Management System (ISMS) implementation.


Chapter 1 is organized as follows: Section 1.1 presents the introduction to this chapter. It discusses the need to respond to information security issues through an understanding of risks. The thesis overview in Section 1.2 briefly explains the risk-based approach in an information security management system. Section 1.2 also includes details of the research such as the problem statement, research objectives, research method, research questions and research hypotheses. At the end of Section 1.2, the significance of the study and the scope and limitations are discussed. Finally, the thesis structure is outlined in Section 1.3.

1.2 THESIS OVERVIEW

The undeniable importance of understanding and managing information security risk has resulted in a global effort to develop a standard for an Information Security Management System (ISMS). As stated by Humphreys (2008), the initiative to develop ISMS standards started in the early 90s with the first draft of the British Standard BS 7799, which focused on security related to people, processes, information and Information Technology (IT). Humphreys (2007) described the evolution of BS 7799 Part 2, which was developed as a national standard and later formalized and published as an international standard known as ISO/IEC 27001 in 2005.

Humphreys (2007) further elaborated that this standard adopts a risk-based approach for an effective information security management taking into consideration the information security aspects of various areas within an organization.

Acknowledging the importance of information security management, in Malaysia the Ministry of Science, Technology and Innovation (MOSTI) has included a risk assessment framework as an initiative for Thrust 6: Compliance and Enforcement, one of the eight policy thrusts in the National Cyber Security Policy (2005).


CyberSecurity Malaysia (2010) stated that the Malaysian cabinet has agreed that all Critical National Information Infrastructure (CNII) organizations are to fulfil the ISMS standard requirements. In an ISMS implementation, an organization will have to identify a scope for the ISMS, and this scope will be subject to risk assessment and the entire process of the management system. Hence, the inclusion of a risk assessment framework in the national policy has provided a sound foundation for the implementation of ISMS in Malaysia.

1.2.1 Problem Statement

In ISMS, information security is managed by applying a risk management process within the management system. One of the sub-processes in risk management is risk assessment. According to Liao and Song (2003), automating risk assessment is difficult due to heavy dependence on human experts in each phase of the process as well as the lack of historical data that can be used.

In the year 2002, the National Institute of Standards and Technology in the United States published NIST 800-30, the Risk Management Guide for Information Technology Systems. This document includes a detailed risk assessment procedure. According to Peterson (2008), conducting a risk assessment that complies with NIST 800-30 is problematic for many organizations as the standards are voluminous and complex. A tool has been developed to automate the risk management process to address this issue.

In the case of ISMS standards, guidelines on risk assessment such as ISO/IEC 27005 provide threats and vulnerabilities in a listing which still needs to be carefully analysed by expert assessors. Experts in both risk management and information security are required by organizations to conduct risk assessments that comply with the requirements of the ISMS standards. According to Aime et al. (2007), there is still a lack of automation in the information security risk area. Hence, automating the risk assessment process is seen as a gap that needs to be addressed to assist organizations in their ISMS implementation and certification efforts.

1.2.2 Research Question

The following research questions (RQ) will be addressed in this thesis:

1. RQ1: What is a significant scope of an ISMS implementation?

2. RQ2: What are key assets within the scope and what are the corresponding threats and vulnerabilities that would lead to information security risks on the assets?

3. RQ3: What are the relationships between the key parameters that can be used to automate risk identification?

4. RQ4: How to automate the risk assessment process?

1.2.3 Research Objective

This work attempts to automate the risk identification process by identifying a plausible set of risks for a particular scope in an ISMS implementation. An advisory system prototype named RA Whiz will be developed to demonstrate this automation.

Relationship models for risk identification focusing on assets, threats and vulnerabilities will be developed and implemented in RA Whiz. Various guidelines in information security best-practice documents will be used to achieve the overall research objectives, guided by the research questions described in Section 1.2.2. The research objectives are:


1. RO1: To identify a scope that would be significant in an ISMS implementation

   - To study the landscape of ISMS certification in Malaysia. Scopes undertaken by the ISMS certified organizations will be analysed and a significant scope to be used in this study will be identified.

2. RO2: To study a plausible set of risks for the identified scope

   - To identify key assets in the scope that need to be protected.

   - To study potential threats and corresponding vulnerabilities on these assets. Assets, threats and vulnerabilities are the three key parameters in risk assessment.

3. RO3: To develop a relationship model and implement it in an advisory system prototype to demonstrate a risk assessment automation

   - To develop relationship models of the key parameters.

   - To use an ontology editor to create classes and object properties to represent the relationship models. These models will be used for automating risk identification. Other relevant risk parameters such as the risk assessment approach will be included to facilitate the risk assessment automation.

Table 1.1 shows the context of the research objectives in addressing the research questions.

Table 1.1: Context of Research Questions in Association with Research Objectives

Columns: Research Question (RQ); Research Objective (RO)

RQ1: What is a significant scope of an ISMS implementation?

   RO1: To study the landscape of ISMS certification in Malaysia. Scopes undertaken by the ISMS certified organizations will be analysed and a significant scope to be used in this study will be identified.

RQ2: What are key assets within the scope and what are the corresponding threats and vulnerabilities that would lead to information security risks on the assets?

   RO2: To identify key assets in the scope that need to be protected. To study potential threats and corresponding vulnerabilities on these assets. Assets, threats and vulnerabilities are the three key parameters in risk assessment.

RQ3: What are the relationships between the key parameters that can be used to automate risk identification?

RQ4: How to automate the risk assessment process?

   RO3: To develop relationship models of the key parameters. To use an ontology editor to create classes and object properties to represent the relationship models. These models will be used for automating risk identification. Other relevant risk parameters such as the risk assessment approach will be included to facilitate the risk assessment automation.

1.2.4 Research Methodology

The study is carried out in phases to accomplish the overall research objectives. The research methodology is based on actual ISMS implementation within Malaysia. The landscape of ISMS certifications in Malaysia is used as the scope of the research.

Figure 1.1 illustrates the main stages undertaken in conducting this study.

Figure 1.1: The Main Stages Undertaken in the Study

There are 5 phases undertaken in conducting this study. The research methodology corresponding to these phases is further explained in Chapter 3.

1.2.5 Research Hypothesis

The purpose of the case study is to find out whether there is a relationship between the types of assets identified in a particular scope of an ISMS implementation and the risks identified. It is common for a set of risks to be identified repeatedly because key assets are grouped inefficiently. Hence, the hypothesis of this study is that automating risk identification to enable a full risk assessment will lead to acceptable risk assessment results based on predetermined relationship models.

1.2.6 Significance of the Study

The findings of this research are expected to benefit organizations by aiding their information security risk assessment process. The advisory system may become a tool for risk assessors in the identification of assets, relevant threats and vulnerabilities.

The advisory system will also facilitate the analysis and estimation of corresponding risk levels for a specific scope in an ISMS implementation. This may become very handy during the initial attempt at risk assessment, especially for organizations that are working towards ISMS certification. By using a user-friendly ontology editor, the knowledge base can be updated from time to time. The relationship models could also be further expanded for different scopes of ISMS implementation.

1.2.7 Scope and Limitations

1.2.7.1 Scope of the Research

The main objective of this research is to model and implement risk identification automation within risk assessment. This study focuses on one scope of an ISMS implementation, thus limiting the boundary of the relevant assets that are identified and subjected to a risk assessment exercise. The scope of this study is listed below to guide the limitation:


1. Looking at ISMS certification landscape in Malaysia

2. Focusing on three key processes of risk assessment: risk identification, risk analysis and risk evaluation.

3. Automating risk identification for assets within an identified scope of an ISMS implementation.

This study focuses on secure data centre services as a scope of an ISMS implementation. There are several types of threats, including those related to human factors. Threats related to human factors are excluded from this study as they are an elaborate topic on their own. Threats related to humans can be categorized into motivation, opportunity and capability (Colwill, 2010). Human threats are also presented by identifying threat sources such as hackers, crackers and insiders and listing the corresponding motivations and threat actions, as published by the National Institute of Standards and Technology (Stoneburner et al., 2002) in the Risk Management Guide for Information Technology Systems document.

There are many studies focusing on people as threat sources. Amongst others are studies on improving compliance through training programs (Puhakainen & Siponen, 2010), user education in computer security (Gorling, 2006) and the enforcement of baseline security policies and procedures as well as ongoing personnel checks (Colwill, 2010). With many guidelines available, organizations with good governance would have implemented some baseline controls with regard to human resources security to address common threats related to humans.

1.2.7.2 Limitation of the Research

There are limitations and challenges in the context of this study that should be noted:

1. Data constraint

The data available for public research is limited due to the confidentiality of classified information upheld by the certified organizations. However, reliable and sufficient data can be obtained by studying and analyzing relevant data from the following sources:

a) the International Register of ISMS Certificates available at http://www.iso27001certificates.com; and

b) the ISO Survey of Management System Standard Certifications available at http://www.iso.org/iso/home/standards/management-standards.htm.

2. Technical challenges

As much as this study hopes to focus on the technical aspects of information security, ISMS being a management system, technical issues are addressed from all three aspects of the information security building blocks, namely people, process and technology.
