1
Risk Analysis (RA) and Security Planning
The slides are derived from John Carpenter’s notes
2
Risk Analysis (RA) and Security Planning
Risk Analysis (RA)
Benefits of Risk Analysis
Some Homely Examples
Steps to Complete a RA
Security Planning
Content of a Security Plan
Pfleeger (2ed) Ch 10.4, 10.5, 10.6; Pfleeger (3ed) Ch 8.1, 8.2, 8.3
3
Computer Security and Industries
Company's computer systems
Business partners (customers, competitors, suppliers, etc.)
Hackers, investigators, reporters, etc.
Government and private intelligence communities
Internal threats (dishonest employees, software failures, etc.)
4
Security facts – believe it or not!
Bank robbery through computers
Industrial espionage on corporate information
Loss of individual privacy (files, emails, chats, video conferencing, ...)
Information vandalism (destroy backups, delete files, vandalise web pages, ...)
Computer viruses
(more can be found in "comp.risks" and other websites)
5
Is the Computer Threat Real?
1997 survey of 61 large companies that had firewalls (each site had > 1000 PCs and Internet servers):
44% reported probes by outsiders
23% IP spoofing (used to break into hosts on the Internet)
10% email bombs
8% denial of service attacks
8% sendmail probes
89% reported that the firewall responded adequately
Internet sources
6
Computer Threat
Computer Security Institute/FBI Survey
35% annual increase in data sabotage incidents from 1997 to 1999
25% annual increase in financial fraud perpetrated on-line
Abuse of network access increased over 20%, resulting in losses of $8 million
Security breaches caused US$15 billion in losses in 2000
Internet sources
7
Other Surveys
Poll of 1,400 companies with > 100 employees:
About 90% are confident in their firm's network security
But 50% failed to report break-ins
58% increased their spending on security
1997–2001, Fortune firms lost US$45 billion; high-tech firms were the most vulnerable
Internet sources
8
Risk Analysis
(diagram: Assets, Threats and Vulnerabilities feed the Analysis of Risks, which drives Management of Counter Measures)
9
Risk Analysis (RA-1)
A study of the risk that a business or system is subject to.
A process to determine exposure and potential loss.
RISK: the probability that a specific threat will successfully exploit a vulnerability, causing a loss.
10
Risk Analysis (RA-2)
Suppose an event is associated with a loss; this loss is the risk impact (sometimes simply called risk), measured in $.
There is a probability (risk probability) of occurrence, a number in the range 0 (if not possible) to 1 (if certain).
Risk exposure is the $ amount: Risk exposure = Risk impact x Risk probability
As things change, so can these values (!)
11
Risk Analysis (RA-3)
For risk analysis: RISK = LOSS ($) x PROBABILITY
Usually measured as $ per annum, and expressed as Annual Loss Expectancy (ALE), in $ per annum.
By quantifying the risk, we can justify the benefit of spending money to implement controls.
12
Benefits of Risk Analysis
Improved awareness by users and management
Documentation of assets, their vulnerabilities and possible controls
Provides an accountable basis for decision making
Provides accountable justification for expenditure on counter measures
13
Example (1)
Hard Disk Failure on your PC
Hard disks fail about every three years; probability of failure is 1/3 per year
Intrinsic cost, say $600, to buy a new disk
But also, say 10 hours of your effort to reload O/S and software, and say 4 hours to re-key assignments from the last backup.
Assume $10.00 per hour for your effort
Total loss = $600 + 10 x (10 + 4) = $740
Annual loss expectancy = (740 x 1/3) $pa = $246.66 pa
14
Example (2)Example (2)
What about a virus attack on the same system?
You frequently swap stuff with other people, but have no anti-virus software running.
Assume an attack every 6 months; Probability is 2 per annum
No need to buy a new disk. Assume the same rebuild effort = (10 + 4) hours.
Total loss = 10 x(10+4) = $140
ALE = ( 140 x 2 ) $pa = $280 pa
15
Steps to Complete a RA
List the Assets
Determine their value, including costs of recreating data files
Vulnerabilities
Probability of Loss
Computation
Possible Controls
Cost of Applied Controls
Cost/Benefit
16
Assets and their value
Asset Valuation Worksheet
Asset: (name, serial number)
Asset Intrinsic value: $ (Which value is the intrinsic value? physical, insured, depreciated, replacement value, or ...)
Asset Acquired value: which includes the cost of the loss of: Integrity $, Availability $, Confidentiality $
17
Valuations
Work quickly, using scale values (1, 10, 100, 100 or 1, 2, 5, 10, 20, 50, 100, 200, 500, 1000 etc.) or use a scale (1 to 5) or low, medium or high scales.
Completeness is most important: ALL the assets and ALL the acquired values, and the cost of loss of acquired values.
Let others argue over the detail and accuracy.
18
DSTO Model
This DSTO paper provides guidelines for assessing information security risk within a computer system. This risk is primarily a function of:
the sensitivity of the information to be processed;
the architecture of the computer system; and
the clearance levels of the system's users.
19
DSTO Model
The DSTO Risk Analysis model is primarily directed at accidental and deliberate actions by authorised users. It is also possible to include deliberate acts by unauthorised users; however, in a number of Defence installations, physical and administrative security safeguards are used to counter these threats.
20
Vulnerabilities
A vulnerability is a weakness. The way things work indicates the ways they are likely to fail.
Computers need electricity, so they are vulnerable to power failures.
Hard disks are easy to overwrite, so they are vulnerable to being inappropriately overwritten.
21
Probability of Loss
Not directly computable, but either:
apply frequency probability, using observed data for a specific system, or
estimate (by an expert, based on his knowledge) the number of occurrences of each security breach in a given time period.
22
Compute the expected loss
For each asset, (total) risk = Sum(risks) = Sum(Loss x Probability per annum) $pa
For ALL assets we can derive a total sum, the Annual Loss Expectancy, $ per annum
Price-Waterhouse study: For Australian organisations with no security plan in place, 8% of turnover is lost each year (!)
23
Making sense?
REALITY CHECK: If a company is still in business, the Annual Loss Expectancy (ALE) has to be a lot less than the annual turnover.
24
Possible Controls
Match each vulnerability with at least one appropriate security technique.
Use the expected loss estimate to decide which controls, alone or in concert with others, are the most effective for a given situation.
Example: Risk of losing data. Several controls apply, such as periodic backups, redundant data storage, access control to prevent unauthorised deletion, physical security against stealing disks, and program development standards to limit the effect of programs on the data.
Probably periodic backup may override redundant data storage on cost and operational considerations.
25
Cost of Applying Controls
Actual cost of a control includes: software purchase price, installation cost, training cost.
Effective cost of a control = actual cost – any expected loss from using the control (such as admin or maintenance costs)
e.g.: Cost to reconstruct data: $1M at 10% probability of loss = $100K
Effectiveness of access control software: (say) 60% = $60K
Cost of the access control software = $25K
Expected annual cost due to loss and controls = (40 + 25) = $65K
Effective cost of the control = (100 – 65) = -$35K
Note that the effective cost of a control can be positive (when the control is expensive to administer or introduces new risks in another area) or negative (when the reduction in risk is greater than the cost of the control).
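The ALE arithmetic of Examples (1) and (2) and the access-control cost/benefit figures above, carried through in code. This is an added example, not from the original slides; the names HOURLY_RATE, Risk, rebuild_loss, total_ale and effective_cost are chosen here, and effectiveness is modelled as the fraction of the expected loss the control removes, as the slide's 60% = $60K step implies.

```python
"""Annual Loss Expectancy (ALE) and the effective cost of a control.

Added example, not part of the original slides. It reproduces the slides'
own figures: the two homely PC examples (hard disk failure, virus attack)
and the access-control example from 'Cost of Applying Controls'.
"""
from dataclasses import dataclass

HOURLY_RATE = 10.0  # $ per hour of your own effort, as assumed on the slides


@dataclass
class Risk:
    name: str
    loss: float        # risk impact: $ lost per occurrence
    per_annum: float   # risk probability: expected occurrences per year

    def ale(self) -> float:
        """Risk exposure per annum = risk impact x risk probability."""
        return self.loss * self.per_annum


def rebuild_loss(intrinsic_cost: float, effort_hours: float) -> float:
    """One-off loss = replacement hardware + your effort at HOURLY_RATE."""
    return intrinsic_cost + HOURLY_RATE * effort_hours


def total_ale(risks) -> float:
    """Sum(Loss x Probability per annum) over all risks to an asset."""
    return sum(r.ale() for r in risks)


def effective_cost(risk: Risk, effectiveness: float, control_cost: float) -> float:
    """Effective cost of a control (assumed model of the slide's arithmetic).

    effectiveness is the fraction of the expected loss the control removes.
    Expected annual cost with the control = residual loss + control cost;
    the effective cost is that figure minus the uncontrolled ALE, so a
    negative result means the control saves more than it costs.
    """
    residual_loss = risk.ale() * (1.0 - effectiveness)
    return (residual_loss + control_cost) - risk.ale()


# Examples (1) and (2): a disk fails every 3 years, a virus hits every 6 months
disk_failure = Risk("hard disk failure", rebuild_loss(600.0, 10 + 4), 1 / 3)
virus_attack = Risk("virus attack", rebuild_loss(0.0, 10 + 4), 2.0)
# Cost of controls: $1M to reconstruct data at 10% probability of loss
data_loss = Risk("data reconstruction", 1_000_000.0, 0.10)

if __name__ == "__main__":
    for r in (disk_failure, virus_attack):
        print(f"{r.name}: loss ${r.loss:.2f}, ALE ${r.ale():.2f} pa")
    print(f"PC total ALE: ${total_ale([disk_failure, virus_attack]):.2f} pa")
    print(f"access control: effective cost ${effective_cost(data_loss, 0.60, 25_000):,.0f}")
```

Try a control with effectiveness 0.0 to see the positive case the note above describes: the effective cost then equals the control's own price.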
26
But
Convenience (services) = 1 / Security controls
Controls are not inherently desirable; most of them either cost money, impair function, reduce performance, degrade usability or maintainability, or some combination of these.
27
Some Criticisms of Risk Analysis
Although many large organisations use RA, there are some criticisms of both the idea and the methods of RA.
It may not appear sensible to talk of a probable loss of a specific number of dollars; only when the loss occurs will we know how much it costs to fix, and bringing that cost to a one-year base is artificial.
There is so much uncertainty in the method of calculation that any numerical figure is meaningless.
However, Risk Management is seen as a valid undertaking, and using figures to attempt to quantify risk does give us an accountable basis for spending resources on controls.
28
Security Planning
29
Security Plan
A document that describes how an organisation will address its security needs.
As the needs of the organisation evolve, ongoing review and revision of the security plan is important.
Everything we see is transient (Buddha)
Mission, Strategy, Tactics, Personnel, Environment can all change
An effective security plan is a living document.
30
Content of a Security Plan (1)
Policy
Current Situation
Requirements
Recommendations
Accountable Personnel
Plans and Schedules
Evaluation and Review
31
Policy
Policy (what are we on about)
State goals
State responsibilities: who is responsible for what
State resources to be committed
To answer the question "Who can access What resources in What manner"
32
Current Situation
Present the Risk Analysis and assumptions
May need the 'latest' status, including who is responsible for what
Comment on the status of current controls
33
Requirements
What should be accomplished, not how to do it
We seek: Completeness, Consistency, Correctness (as for all types of Requirements analysis)
34
Recommendations
From the Risk Analysis, at least consider: greatest risk, largest potential loss, loss of greatest frequency
Identify controls
Comment on status of existing controls: which to maintain? which to enhance?