Information Security Threat

Assessment

The C-I-A Triad

Confidentiality (sensitivity, secrecy)Integrity (accuracy, authenticity, etc)Availability (fault tolerance, recovery, etc)

AuthenticationNon-Repudiation

Basic Overview

Value of information Threats Vulnerabilities Risk Risk Analysis

The Value of Information

Information has value May be defined or perceived Value may change Business model (way its used..) Different reasons to target information

– Value– Use– Destruction

Threats

Activity that represents possible danger Can come in different forms Can come from different places Can’t protect from all threats Protect against most likely or most worrisome

such as:– Business mission– Data (integrity, confidentiality, availability)

The Concept of Threats and Threat Agents* Threat elements

– Natural threats and accidents– Malicious threats

Malicious threat agents– Capability

Ability to mount and sustain an effective attack– Motivation

Political, secular, personal gain, religious, revenge, power, curiosity, etc.– Access

Physical or logical access to the target– Catalyst

Something that causes the threat agent to select the target– Inhibitors

Events, actions, countermeasures, etc. that prevent the threat agent from mounting an attack

– Amplifiers– Events, actions, etc. that encourage a threat agent to mount an attack

Relationships of Malicious Threats

threat agent capability

motivation

access

inhibitors amplifiers

catalysts

threat

Threat Agents

Nation-states Terrorists Pressure groups Commercial organizations Criminal groups Hacker groups Disaffected staff

Vulnerabilities

A condition, weakness, or absence of security procedures, technical controls, physical controls, or other controls that could be exploited by a threat.

Often analyzed in terms of missing safeguards Contribute to risk because they allow a threat

to harm a system

Classes of Vulnerabilities

Hard vulnerabilities - – bugs,

– misconfigurations, etc.

Soft vulnerabilities - – Systems not configured to company policy

– Lack of underlying policies, procedures or configuration/change management

– Insufficient logging

– Company policies go against best practices

Vulnerabilities

Hardware Software Infrastructure Processes

Known Vulnerabilities

Design Flaws Software Development (SDLC) Innovative Misuse Incorrect Implementation Documentation Social Engineering

Risk

A potential for loss or harm An exposure to a threat Risk is Subjective Dependent on situation and circumstances Impossible to fully measure

Concepts of Risk Generalized risk model – components of risk

– Assets– Threats– Vulnerabilities– Impacts– Countermeasures

Many types of risk analysis– Qualitative– Quantitative– Hybrid

Simple risk analysis model– ALE = VL

Annualized Loss Expectancy = Value of the Asset times Likelihood of the Threat

Too simplistic for most practical uses

Concepts of Risk - Definitions Assets –

– Things to be protected Physical, logical, human

Threats – – Events with the potential to cause unauthorized access, modification, disclosure or destruction of

an asset Vulnerabilities –

– Weaknesses in an asset or associated countermeasure that can be exploited to realize upon a threat Impacts –

– Outcome of a threat acting upon a vulnerability– Usually measured as money losses

Countermeasure (safeguards) –– Protective measures implemented to counter threats and mitigate vulnerabilities

Risk –– The probability that a threat will exploit a particular set of vulnerabilities successfully – Peltier– The likelihood that a threat agent will successfully exploit a vulnerability to create and unwanted

or adverse impact – Jones Exposure Factor (EF)

– Percentage of loss a successful threat event would have on a single specific asset Single Loss Expectancy (SLE)

– Dollar figure assigned to single event: SLE = AV ( Asset Value in $) X EF Annualized Rate of Occurrence (ARO)

– Estimated frequency in which a threat is expected to occur Annualized Loss Expectancy (ALE)

– Total computed estimated loss per year (ALE=AV X ARO)

Handling Risk

Eliminate it Minimize It Accept it Transfer it

Common Risk Analysis Fallacies Vulnerabilities = Risks

– The Truth: vulnerabilities = vulnerabilities– Vulnerability assessment or penetration testing does not, by

itself, identify or quantify risk Threats are not an element of risk

– The Truth: threats are (arguably) the most important element of risk

Tools = Countermeasures– The Truth: tools are just tools. Many countermeasures are

administrative or a combination of tools and administration– The best countermeasures are layered (defense in depth)

All risks must be mitigated– The Truth: don’t waste money protecting garbage. There is a

valid concept of “acceptable risk”.

Assessment

Takes a security “snapshot” of a computing environment at any given time.

Evaluates the information security policies and procedures

Establishes a baseline for operations Can be “Formal” or Informal” Can be “Quantitative” or “Qualitative” in

nature

The Name Game

Risk Assessments go by many names:– Security Baseline Assessment– Penetration Study (“Ethical Hacking)– Vulnerability Scan– Policy consulting– Audits

Why use a Risk Assessment?

To gauge the security posture of a given resource- Division, Department, or Organization

Help Justify cost of security controls To understand shortcomings in current

technology environment To prepare for doing business on the Internet

Quantitative Characteristics

Relies on statistical measurement for rationality

Generally used on mature environments Security posture is “rated” based on

collection of weighted data findings

Qualitative Characteristics

Subjective in Nature Generally used on Immature environments Interviews and observation key part of

assessment Recommendations based on “best practices”

Audit vs. Assessment

An audit is a formal process used to measure the high-level aspects of an infrastructure’s security from an organizational point of view.

Limited in scope No low-level technical details Check-list style methodology

Risk Based Audit Approach

Audit risk can be defined as the risk that the information / financial report may contain material error or that the IS Auditor may not detect an error that has occurred.– Inherent Risk– Control Risk– Detection Risk– Overall Audit Risk

Audit vs. Assessment

Security Assessments are attempts to measure as many technical details of an infrastructure’s security posture as possible.

Less formal More detailed / broader in scope Considered an “Art form”

Why use Quantitative?

If your organization has implemented basic security countermeasures, and wants to improve its posture

If upper management respond well to presentations of findings based on numerical representation

If statistically-based facts will help “Sell” security to executives

Why use Qualitative?

If your security policy is brand new If your culture works well with “consulting”

type approaches If “best practices” can be used to sell upper

management on the proper security controls If your expectations involve a shorter

assessment cycle

Do Not use an Assessment…

If your organization does not have a security policy defined

If your organization is experiencing high turn-over

If upper management does not “sponsor” security expenditures

Network Security Assessment

Expected results: Identify security vulnerabilities Provide corrective action knowledge base Recommend corrective action Continuous “realtime” monitoring Repeatable and measurable Used to justify security controls to upper

management

Basic Formula

Threat x VulnerabilityRisk = -------------------------------- x Value Countermeasures  Asset Value x exposure factor = Single Loss Expectancy (SLE) SLE x annualized rate of occurrence (ARO) = Annualized Loss Expectancy (ALE)

RA methodology Examples

Qualitative: CRAMM RAM-X IAM OSG

Quantitative:

• Courtney

• RAM-X

Representative Risk Analysis Methods

Courtney – quantitative– L=annualized loss expectancy– i= impact rating– f= Threat frequency

CRAMM – qualitative– “CCTA Risk Analysis and

Management Methodology”– Not mathematical – subjective– Attempts to take a holistic view– Gathers information through

structured interviews

L = 10(i+f-3)

3

Stage 1: Establish boundaries of the review (assets)

Stage 2: Establish threat context

Stage 3: Establish necessary countermeasures

Risk Management Cycle

Assess Riskand Determine Needs

Monitorand

Evaluate

PromoteAwareness

Implement Policiesand Controls

CentralFocalPoint

InitialEntry Point

Basic Risk Analysis Steps

Estimate potential losses to assets by determining their value(s)

Analyze potential threats to the assets Define the Annualized Loss Expectancy

(ALE)

10-Step Qualitative Risk Analysis Approach

Develop scope Assemble team Identify threats Prioritize threats Estimate impact priority Calculate total threat impact Identify safeguards Cost-benefit analysis Rank safeguards by priority Write the report

The CRAMM Qualitative Method

CRAMM analysis may be done using a packaged software application

cost is about $4,200 plus about $1,200 per year maintenance

Interview format tool with large databases of questions, threats, vulnerabilities and impacts

A qualitative approach that is useful both for risk analysis and risk management

The CRAMM Qualitative Method – Risk Model

Assets Threats Vulnerabilities Impacts

– Information disclosure– Accidental or intentional destruction of data– Data modification– Denial of service

Countermeasures– Reduction of threat– Reduction of vulnerability– Reduction of impact– Detection– Recovery

Risks– A risk arises when a threat is able to exploit a vulnerability in an

important asset to cause an unacceptable impact

The CRAMM Qualitative Method - Stages

Three stages– Establish scope – asset based– Establish threat context and vulnerabilities for

assets identified in stage 1 Identifies security requirements for each relevant group of

assets

– Establish countermeasures Output is a security plan Good idea to perform a cost-benefit analysis in this stage

although this is not part of the formal CRAMM method

Baseline review approach curtails CRAMM activities in unimportant areas

Courtney Quantitative Method

Asset based Uses loss expectancy formula: Impact categories

– Disclosure– Modification– Destruction– Lack of availability

Impact $ (i) taken from an impact rating table Threat frequency (f) taken from a threat frequency

table

L = 10(i+f-3)

3

Courtney Impact Rating Table (i)

Impact ($) Rating

10100

1,00010,000

100,0001,000,000

123456

Courtney Threat Frequency Table (f)

Frequency Frequency RatingOnce in:

300 years 30 years 3 years 100 days 10 days 1 day10 times per day100 times per day

12345678

Typical Courtney Collection Form

Accidental Disclosure Modification DestructionDeliberate Disclosure Modification DestructionExposure if unable toProcess for: 2 hours 4 hours 8 hours 12 hours 18 hours

Asset Under Review: i f L

4 3 L = 10(4+3-3)

3

L = 104

3

L = 10,0003

L = $3,333

$3,333

NSA IAM

Qualitative project management framework

PreAssessment

Contact

Project Coordination

DataCollection

AnalysisRecommendations

Final Report

Post-AssessmentOn-SitePre-Assessment

RAM-X

Put together by Sandia Labs, along with the FBI, Military, Corps of Engineers, and others

Designed to be a quantitative measurement of risks associated with Critical Infrastructure

RAM-X Formula

PA * C * (1-PE) = R

PA= Analyze Threat

C = Critical Assets

PE = System Effectiveness

PE < 1

C < 1

OSG

Developed a way to utilize Qualitative and quantitative methods through its “Thessaly” framework

Current State Desired State Gap Analysis Solution recommendations Security Maturity Grid