China Defender

Information System Security Risk Assessment


1. Why we need information system security risk assessment

Obviously, when we readily accept and use a new technology to assist our security work, there must be a reason that drives us to use it. That reason is the main function the technology performs in some aspect of security, and it is only for these main functions that we use it.

For information system security risk assessment, we gained a general understanding of its definition at the beginning of this article. From that definition we can see that risk assessment can be used at every stage of an information system's life cycle. Because the security purpose of each stage of the life cycle differs, the purpose of applying risk assessment differs as well, and so the role risk assessment plays at each stage is also different.

The life cycle of an information system is divided into four main stages: design, implementation, operation and maintenance, and final destruction. The main functions of information system security risk assessment at each stage are as follows:

1. In the design and implementation stages of the life cycle, information system security risk assessment helps us understand what security precautions the system needs, helps formulate effective security strategies, determines the most cost-effective level of precaution, and helps persuade the organization's leadership to approve full implementation of the security strategy.

2. In the operation and maintenance stage of the life cycle, information system security risk assessment serves the following purposes:

(1) Understand whether firewalls, IDS and other security devices are really operating as originally configured, and whether their actual security effect meets the security objectives;

(2) Understand whether the security strategy is practical and whether it has been fully implemented;

(3) Check whether the security awareness, network behaviour and data handling of the organization's internal staff are normal;

(4) When the information system undergoes hardware or software changes for any reason, use information system security risk assessment to determine whether the original security measures are still effective and, if not, which areas need to be modified accordingly.

3. In the final destruction stage of the life cycle, information system security risk assessment can be used to verify that data or equipment that should be completely destroyed cannot be recovered in any way, and that equipment from the retired information system has been properly kept and is not at risk of being lost.

2. A general process flow for information system security risk assessment

Information system security risk assessment is not a task that can be done haphazardly. To ensure that the assessment proceeds in an orderly and correct manner and that its results are genuine and effective, to reduce the intentional or unintentional errors that may occur during the process, and at the same time to improve efficiency, shorten the assessment time and reduce the impact on normal business, an effective process for information system security risk assessment must be established.

Some of the information system risk assessment standards that have appeared (for example, the "Information Security Risk Assessment Guidelines" issued in China on March 7, 2006 by the Information Office of the State Council) propose a general process for carrying out risk assessment. However, these generic processes do not include specific details; you and your risk assessment team must decide those yourselves based on what is to be assessed. At the same time, these standards also serve as a reference for the results of the assessment process, so that a specific risk rating can be given.

Here I give only the main framework of this general information system security risk assessment process; the specific processing details will be covered in the second section. The overall risk assessment process is as follows:

1. Information system security risk assessment preparation stage.

2. Risk detection stage for the assessment objects.

3. Analysis of the risk detection results and assessment report stage.

4. Subsequent security maintenance stage.

3. Three important terms in information system security risk assessment

1. Assessment object

In the information system security risk assessment process, the first thing to do is specify the specific object of the assessment, that is, to define the specific physical and technical scope of the assessment. In an information system, the assessment object corresponds to the hardware and software components of the system. For example, the various servers, the operating systems and service programs running on them, the network connection devices, the security devices or applications, and the physical security devices can each constitute an independent assessment object, and even the people who use these information systems can be assessment objects. In general, a computer information system can currently be divided into six main assessment objects:

(1) Information security risk assessment

(2) Business process security risk assessment

(3) Network security risk assessment

(4) Communication security risk assessment

(5) Wireless security risk assessment

(6) Physical security risk assessment

2. Assessment item

An assessment item of information system security risk assessment is defined for a specific assessment object and identifies one specific aspect of that object to be assessed. For example, physical security risk assessment requires assessing the security of the surroundings in which the assessment object is located and assessing the physical security measures the object has in place. These are assessment items of information system security risk assessment.

Each assessment object has its own unique assessment items, determined by the unique attributes of that object. The main assessment items of the six main security risk assessment objects are briefly described below:

(1) Main assessment items for information security risk assessment

① Information security assessment

② Information integrity review

③ Confidential information investigation

④ Network operation trace inspection

⑤ Security review of information during use

⑥ Confidentiality review of privacy information

⑦ Information controllability review

⑧ Information storage security review

(2) Main assessment items for business process security risk assessment

① Business process security status assessment

② Business request security review

③ Business response security review

④ Business process security review

⑤ Business processing personnel reliability test

(3) Main assessment items for network security risk assessment

① Network security status assessment

② Intrusion detection review

③ Network transmission security assessment

④ Network application security assessment

⑤ Network weakness and vulnerability detection and verification

⑥ Security assessment of switches and routers in the network

⑦ Access control test

⑧ Test of the main network attack modes (such as DoS)

⑨ Network behaviour review

⑩ Network security policy, alert and log file review

(4) Main assessment items for communication security risk assessment

① Security detection of communication equipment such as modems

② VoIP security assessment

③ Network fax security assessment

④ Remote access security assessment

⑤ Instant messaging security assessment (including instant chat, network video conferencing, network remote monitoring, etc.)

(5) Main assessment items for wireless security risk assessment

① Electromagnetic radiation test

② 802.11a/b/g wireless network security risk assessment

③ Bluetooth security assessment

④ Wireless input and output equipment security test

⑤ Wireless handheld device security test

⑥ Wireless device joining and leaving security test

⑦ Wireless transmission equipment security test

⑧ Wireless communication confidentiality test

⑨ Other wireless communication detection (such as RFID, infrared connections, etc.)

(6) Main assessment items for physical security risk assessment

① Physical security status assessment

② Security testing of physical access control

③ Operation review of physical monitoring equipment

④ Alarm response review

⑤ Review of physical security precautions

⑥ Physical security review of the surroundings of the computer system's location

⑦ Investigation of the local natural conditions and environmental factors where the computer system is located

3. Assessment tasks

An assessment task is a specific assessment operation performed to achieve the assessment objective of an assessment item. Assessment tasks correspond to each assessment item, and the specific tasks can be decided by you and your team according to actual needs. If the assessment tasks are not comprehensive and realistic, this directly affects whether the final result of the information system security risk assessment matches the assessment objectives. Therefore, the people deciding on these tasks should not only have rich experience but also sufficient valid information about the assessment object; they should fully understand current security threats, the weaknesses and vulnerabilities of the various systems and devices, and the various attack methods; and they should be able to carefully identify the asset types of the assessment object and their importance.

Because assessment tasks are determined by the specific assessment object and assessment item, and also depend on the current security threat situation and its trends, and because of the limited length of this article, only one or two assessment items from each of the six assessment objects are given some general assessment tasks here. For the tasks of other assessment items, you and your team can refer to the examples given in this article, use brainstorming, and decide for yourselves by analysing the various valid data collected.

(1) Assessment tasks for the privacy information confidentiality review in information security risk assessment

The confidentiality review of private information mainly tests the integrity of the private information of the organization's employees and customers during use, transmission and storage. Since privacy matters may be governed by laws and regulations of the place where the organization is located, the national and regional regulations that apply to the organization should be fully considered when deciding the assessment tasks for this item.

In general, a comprehensive privacy confidentiality review should complete the following assessment tasks:

① Compare the actual access methods for private information with the methods specified in the privacy access policy;

② Check the monitoring and protection of private information against local laws and regulations;

③ Identify the type and size of the databases in which private information is stored;

④ Identify all kinds of private information collected by the organization;

⑤ Determine where private information is stored;

⑥ Understand the types of cookies currently saved during web browsing and their retention times;

⑦ Identify all kinds of privacy information stored in cookies;

⑧ Verify the encryption method used for cookies;

⑨ Identify where the organization's web server may generate errors, and understand what information is returned to the browsing user when an error occurs.
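The cookie tasks above (save type, retention time, personal data in the value, transport protection) can be recorded by a small audit script. This is an added example and not code from the original article; the Set-Cookie headers and the personal-data patterns are constructed assumptions.

```python
"""Cookie retention and protection audit for a privacy confidentiality review.

Added example, not code from the original article. It works through the cookie
tasks above: what kind of cookie is saved (session or persistent), how long it is
retained, whether personal data sits in the value in plaintext, and whether the
cookie is protected in transit. The Set-Cookie headers and the personal-data
patterns below are constructed assumptions for illustration.
"""
import re
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Constructed sample Set-Cookie headers, as a web server might return them.
SAMPLE_HEADERS = [
    "session=a1b2c3d4; Path=/; HttpOnly; Secure; SameSite=Lax",
    "user_email=alice%40example.org; Max-Age=31536000; Path=/",
    "tracking=xyz; Expires=Wed, 01 Jan 2031 00:00:00 GMT; Path=/; Secure",
    "pref=dark; Path=/",
]

# Assumed heuristics for personal data stored in a cookie value without encryption.
PII_PATTERNS = {
    "email": re.compile(r"[\w.+-]+(%40|@)[\w-]+\.[a-z]{2,}", re.I),
    "phone": re.compile(r"^\+?\d{7,15}$"),
}

# Fixed clock so the retention figures are reproducible.
NOW = datetime(2026, 1, 1, tzinfo=timezone.utc)
LONG_RETENTION = 30 * 86400  # assumed threshold (30 days) for flagging retention


def parse_set_cookie(header):
    """Split a Set-Cookie header into (name, value, {attribute: value or True})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, has_value, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if has_value else True
    return name.strip(), value.strip(), attrs


def retention_seconds(attrs, now=NOW):
    """Lifetime in seconds; 0 means a session cookie discarded when the browser closes.
    Max-Age takes precedence over Expires, as browsers apply it."""
    if "max-age" in attrs:
        return max(0, int(attrs["max-age"]))
    if "expires" in attrs:
        expires = parsedate_to_datetime(attrs["expires"])
        return max(0, int((expires - now).total_seconds()))
    return 0


def audit_cookie(header, now=NOW):
    """Record the facts an assessor needs for one cookie plus the findings to follow up."""
    name, value, attrs = parse_set_cookie(header)
    ttl = retention_seconds(attrs, now)
    pii = [kind for kind, pattern in PII_PATTERNS.items() if pattern.search(value)]
    findings = []
    if pii:
        findings.append(f"plaintext {', '.join(pii)} stored in the cookie value")
    if ttl > LONG_RETENTION:
        findings.append(f"persistent cookie retained for {ttl // 86400} days")
    if not attrs.get("secure"):
        findings.append("no Secure attribute: also sent over unencrypted HTTP")
    if not attrs.get("httponly"):
        findings.append("no HttpOnly attribute: readable by scripts in the page")
    if "samesite" not in attrs:
        findings.append("no SameSite attribute: sent on cross-site requests")
    return {
        "name": name,
        "save_type": "session" if ttl == 0 else "persistent",
        "retention_seconds": ttl,
        "pii": pii,
        "findings": findings,
    }


def audit_all(headers=SAMPLE_HEADERS, now=NOW):
    """Audit every header and return one report per cookie."""
    return [audit_cookie(h, now) for h in headers]


if __name__ == "__main__":
    for report in audit_all():
        print(f"{report['name']}: {report['save_type']}, {report['retention_seconds']} s")
        for finding in report["findings"]:
            print("  -", finding)
```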

(2) Assessment tasks for the network operation trace inspection in information security risk assessment

The inspection of network operation traces mainly investigates the traces left by some employees of the organization after their network activity, and examines whether confidential information related to the organization has been left on the Internet. This assessment item is a very important part of information security risk assessment. A comprehensive inspection of Internet activity traces requires the following assessment tasks:

① Check the contents of internal staff web databases and caches;

② Check whether internal employees have disclosed the organization's structure or other internal confidential information through personal homepages, blogs, forums or published online résumés;

③ Investigate whether internal employees use private e-mail and, where permitted by law, check whether employees send internal confidential information through the e-mail accounts assigned by the organization;

④ Understand the level of computer skills of the organization's employees, as well as the departments and operating privileges of those with higher skill levels;

⑤ Investigate whether internal employees use instant messaging tools during working hours and, where legally permitted, monitor the content of instant messages;

⑥ Use Internet search engines, as well as specific newsgroups, forums and blogs, to look for confidential information related to the organization on the Internet;

⑦ Check whether internal employees use P2P software and, where legally permitted, review the content of P2P communication.

(3) Assessment tasks for network weakness and vulnerability detection and verification in network security risk assessment

Network weakness and vulnerability detection and verification means finding the security weaknesses and vulnerabilities in the network and verifying whether they can really be exploited. Using network-based vulnerability scanning and penetration testing tools during the assessment can greatly improve its efficiency.

However, the results of a vulnerability scanning tool cannot be accepted wholesale. Most vulnerability scanning tools today decide whether the target has a weakness or vulnerability by comparing it against their own vulnerability database. Once the tool's database is not updated in time, or does not cover all the vulnerabilities discovered so far, its results may not be completely reliable. Moreover, because of design defects and capability limits of these tools, false positives and false negatives will occur in use. False positives make us worry over nothing, while false negatives leave us on the verge of a major security incident. Therefore, manual verification and penetration testing after vulnerability scanning can reduce both false negatives and false positives.

A thorough network weakness and vulnerability detection and verification assessment item requires the following assessment tasks:

① Test the target network segment with the most popular vulnerability scanning and penetration testing tools;

② Use the vulnerability scanning tool to scan the target network segment in two directions: from outside to inside and from inside to outside;

③ Identify the types of systems and applications that have weaknesses or vulnerabilities;

④ Determine which services have vulnerabilities;

⑤ Determine the types of vulnerabilities in applications and services;

⑥ Identify all vulnerabilities in operating systems and applications, and identify all operating systems and applications that have vulnerabilities;

⑦ Determine whether these vulnerabilities can affect other similar target networks or systems;

⑧ Use manual penetration testing to verify whether the weaknesses or vulnerabilities found are real;

⑨ Examine the probability that these vulnerabilities can be exploited and the possible consequences of exploitation.
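The bookkeeping behind these tasks, merging the two scan directions, separating confirmed findings from scanner false positives and rating what remains, can be done as below. This is an added example and not code from the original article; the hosts, scan records, verification notes and the 1-3 rating scale are constructed assumptions.

```python
"""Reconcile vulnerability scanner output with manual verification.

Added example, not code from the original article. It follows the tasks above:
merge an outside-in and an inside-out scan of the same segment, record which
findings manual penetration testing confirmed or rejected, rate confirmed
findings by likelihood and consequence, and list which other hosts share the
same weakness. All scan records, hosts and verification notes are constructed
sample data, and the 1-3 rating scale and level thresholds are assumptions.
"""
from collections import defaultdict

# Constructed scanner results, one list per scan direction.
OUTSIDE_IN = [
    {"host": "10.0.0.5", "port": 443, "service": "https", "vuln": "deprecated TLS version"},
    {"host": "10.0.0.5", "port": 22, "service": "ssh", "vuln": "weak MAC algorithms"},
]
INSIDE_OUT = [
    {"host": "10.0.0.5", "port": 22, "service": "ssh", "vuln": "weak MAC algorithms"},
    {"host": "10.0.0.9", "port": 445, "service": "smb", "vuln": "signing not required"},
    {"host": "10.0.0.12", "port": 445, "service": "smb", "vuln": "signing not required"},
    {"host": "10.0.0.9", "port": 3306, "service": "mysql", "vuln": "anonymous login"},
]

# Constructed manual verification notes keyed by (host, port, vuln). A rejected
# finding is a scanner false positive; likelihood and consequence use an assumed
# 1-3 scale. Findings absent here are still unverified and must not be reported
# as either confirmed or false positive.
VERIFICATION = {
    ("10.0.0.5", 443, "deprecated TLS version"): {"confirmed": True, "likelihood": 2, "consequence": 2},
    ("10.0.0.5", 22, "weak MAC algorithms"): {"confirmed": False},
    ("10.0.0.9", 445, "signing not required"): {"confirmed": True, "likelihood": 3, "consequence": 3},
}


def merge_scans(*scans):
    """Merge labelled scan runs, remembering which direction(s) saw each finding."""
    merged = {}
    for label, records in scans:
        for record in records:
            key = (record["host"], record["port"], record["vuln"])
            entry = merged.setdefault(key, {**record, "seen_in": set()})
            entry["seen_in"].add(label)
    return merged


def classify(merged, verification):
    """Attach a status of confirmed, false_positive or unverified to each finding."""
    for key, entry in merged.items():
        note = verification.get(key)
        if note is None:
            entry["status"] = "unverified"
        elif note["confirmed"]:
            entry["status"] = "confirmed"
            entry["risk"] = note["likelihood"] * note["consequence"]
        else:
            entry["status"] = "false_positive"
    return merged


def risk_level(score):
    """Assumed mapping of likelihood x consequence (1-9) to a reporting level."""
    return "high" if score >= 6 else "medium" if score >= 3 else "low"


def hosts_per_vuln(merged):
    """Which other systems share each weakness; false positives are left out."""
    by_vuln = defaultdict(set)
    for (host, _port, vuln), entry in merged.items():
        if entry["status"] != "false_positive":
            by_vuln[vuln].add(host)
    return {vuln: sorted(hosts) for vuln, hosts in by_vuln.items()}


def report(outside_in=OUTSIDE_IN, inside_out=INSIDE_OUT, verification=VERIFICATION):
    """Build the rows of the detection-and-verification table for the report."""
    merged = classify(merge_scans(("outside-in", outside_in), ("inside-out", inside_out)), verification)
    rows = []
    for (host, port, vuln), entry in sorted(merged.items()):
        rows.append({
            "host": host, "port": port, "vuln": vuln, "status": entry["status"],
            "seen_in": sorted(entry["seen_in"]),
            "level": risk_level(entry["risk"]) if entry["status"] == "confirmed" else None,
        })
    return rows


if __name__ == "__main__":
    for row in report():
        print(f"{row['host']}:{row['port']} {row['vuln']} [{row['status']}] "
              f"seen in {', '.join(row['seen_in'])} level={row['level']}")
```

Unverified rows are the ones still owed a manual check before the report is finalized; reporting them as either confirmed or cleared is exactly the false-positive or false-negative error the text warns about.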

(4) Assessment tasks for the security detection of communication equipment such as modems in communication security risk assessment

The security detection of communication equipment such as modems mainly checks the modem's login authentication method, whether it can be illegally controlled, and so on. A comprehensive security detection item for communication devices such as modems requires the following assessment tasks:

① Comprehensively scan modems and other communication equipment from the inside out and from the outside in;

② Ensure that the login user names and passwords of modems and other communication equipment are not left at their defaults and are not easy to guess;

③ Ensure that routers, layer 3 switches or computers directly connected to modems and other communication equipment have corresponding security measures in place;

④ Check whether modems and other communication equipment are secure with respect to remote maintenance;

⑤ Verify remote dial-up authentication;

⑥ Test local dial-up authentication.

(5) Assessment tasks for 802.11a/b/g wireless network security risk assessment in wireless security risk assessment

As 802.11a/b/g wireless network technology matures, more and more organizations are using it. However, because of the openness of 802.11a/b/g technology, and because most deployments keep the default settings without making the corresponding security changes, or use settings whose security is minimal and weak, 802.11a/b/g wireless networks carry as many security risks as they offer functions. 802.11a/b/g wireless network security risk assessment is therefore used to identify the current security risks in the wireless network, so that better security measures can be taken to reduce the risks that wireless network applications bring.

Completing the 802.11a/b/g wireless network security risk assessment item requires all of the following assessment tasks:

① Check whether the organization has a sufficiently good wireless security strategy governing the use of the 802.11a/b/g wireless network, and evaluate the hardware and firmware of the wireless network and their update status;

② Take a comprehensive inventory of the wireless devices connected to the target wireless network, assess access control and the specified range of wireless signal coverage, and determine whether there is the ability to prevent wireless signals from exceeding the specified range or to interfere with signals that do;

③ Determine the access control capability for wireless devices accessing the target wireless network laterally: whether all permitted access points can be identified, and whether unauthorized access points can be identified immediately, located and denied access;

④ Evaluate the configuration, authentication and encryption methods of the wireless network;

⑤ Verify that the default service set identifier (SSID) of the wireless access point has been changed;

⑥ Verify that all wireless clients have security tools such as anti-virus software and firewalls installed.

(6) Assessment tasks for the security testing of physical access control in physical security risk assessment

The security test of physical access control is an assessment item used to detect whether the physical means of direct contact with the organization's important information assets meet security requirements. A physical access control security test requires the following assessment tasks:

① Enumerate all areas where physical access control is required;

② Check the access control equipment and its type at all physical access control points;

③ Check whether the type of alarm triggered matches its description;

④ Determine the security level of the physical access control equipment;

⑤ Test whether the physical access control equipment has weaknesses and vulnerabilities;

⑥ Test whether the physical access control equipment can be made to lose its detection capability, deliberately or otherwise.

4. Rules to be followed in the information system security risk assessment process

In the risk assessment of information systems, the following factors can lead to erroneous results:

1. False positives and false negatives of vulnerability scanning software;

2. The system itself is configured to give a fixed, deceptive response to certain kinds of events; when a system with such deceptive settings is tested, it often responds in the same way to all assessment events;

3. The system being assessed has a setting that makes it react in a "safe" way to all events;

4. A response is received from some target during the assessment, but it does not really come from the actual assessment target; an inexperienced assessor cannot correctly recognize this illusion, leading to wrong results;

5. A problem with the assessment tools or equipment themselves may produce a wrong response; likewise, high noise on the Ethernet path used for the assessment, or a device interfering with the target wireless network signal, will produce wrong results;

6. A wrong result is obtained in some environment during the assessment but is not identified and re-assessed in time, and subsequent assessment work uses that wrong result as a condition; the error is thereby inherited and leads to a wrong final risk assessment result;

7. Risk assessment must be carried out by people. The technical level of the assessors, their experience, their attitude towards the assessment, their differing understanding of risk assessment and other factors may all cause wrong results.

Once a wrong information system security risk assessment result is accepted, it brings new security risks to the information system, with unthinkable consequences. Therefore, the following risk assessment rules must be followed in the risk assessment process; they can effectively reduce the error factors listed above:

1. Understand that every detail is equally important when conducting a risk assessment, and understand the purpose of each assessment item;

2. Pay attention to every small detail of the risk assessment process. The validity of the results often shows in the details, because some major security incidents are caused by small security weaknesses. Moreover, a single small detail may not bring a particular security risk, but many small details accumulated, plus one careless moment, will bring a major information security incident to the information system;

3. Do not assume that doing more with less is good. Many organizations now have inherently small security budgets and therefore require risk assessment to be done more efficiently in less time. However, if you choose an inefficient risk assessment strategy that you think will save a lot of money, that strategy may fail to detect all the security risks. Then, although you have spent time and money on the assessment, you get none of its benefits, which increases security costs and the chance of business interruption.

Obviously, risk assessment requires a certain investment, so when you start one you have to consider how to balance assessment efficiency against the cost invested; only when the two reach a satisfactory balance can the best assessment efficiency and effectiveness be achieved;

4. For a risk assessment involving multiple assessment objects, there should be a realistic, comprehensive and fully implementable risk assessment strategy. We should never ignore the importance of strategy in security work. The risk assessment strategy states the main purpose of the assessment, the specific tasks to be completed, some operational details, and so on; it guides the assessment process and controls the whole of it;

5. Know how to do the economics of risk assessment. The purpose of a risk assessment is usually to achieve a certain degree of security, and its results propose solutions for the weaknesses found, which raises the question of increased security spending. A good risk assessment project manager will know whether the organization has sufficient financial capacity to fix the identified vulnerabilities, calculate how much it will cost to reach a risk level acceptable to the organization's leaders, what budget the organization's decision makers will accept, and so on. If you do not consider these questions, then no matter how comprehensive and accurate your results are, an assessment that is not accepted by the organization's decision makers is still unsuccessful, and only wastes a lot of time and money. Knowing the economics of risk assessment is therefore also an important aspect;

6. Understand the reference standards for risk assessment. The key to whether a risk assessment result is authoritative is that the result should state which risk assessment standard was followed, such as the Chinese information security risk assessment guidelines mentioned above. You can also use international standards, such as the ISO/IEC 17799/27001 information security management system standards, which provide a reference for how to give the final security and risk level;

7. Assessors must complete the specified assessment tasks within the specified scope of authority and must not leave the specified physical scope at will during the assessment. If any doubt arises about a task during the assessment, it should be stopped immediately and reported to the person in charge of the assessment team; until the doubt is clearly resolved, no one may proceed alone with the next assessment step. Each assessor's entry to and exit from the assessment site should be recorded, with the specific times of entry and exit. Each assessor should wear a work identification badge on a visible part of his or her body. Each assessor should use only the specified assessment tools and should not bring unspecified tools to the assessment site. The scope of authority and physical location of each assessor shall be clearly defined, and no assessor shall exceed them.

With a systematic understanding of the basics of information system security risk assessment above, we know how to carry out a security risk assessment effectively. The next task is to master how to actually perform the security risk assessment of an information system.