Information Security Threat Assessment
The C-I-A Triad
• Confidentiality (sensitivity, secrecy)
• Integrity (accuracy, authenticity, etc.)
• Availability (fault tolerance, recovery, etc.)
• Authentication
• Non-Repudiation
Basic Overview
• Value of information
• Threats
• Vulnerabilities
• Risk
• Risk Analysis
The Value of Information
• Information has value
• May be defined or perceived
• Value may change
• Business model (way it's used...)
• Different reasons to target information
  – Value
  – Use
  – Destruction
Threats
• Activity that represents possible danger
• Can come in different forms
• Can come from different places
• Can’t protect from all threats
• Protect against most likely or most worrisome, such as:
  – Business mission
  – Data (integrity, confidentiality, availability)
The Concept of Threats and Threat Agents*
• Threat elements
  – Natural threats and accidents
  – Malicious threats
• Malicious threat agents
  – Capability: ability to mount and sustain an effective attack
  – Motivation: political, secular, personal gain, religious, revenge, power, curiosity, etc.
  – Access: physical or logical access to the target
  – Catalyst: something that causes the threat agent to select the target
  – Inhibitors: events, actions, countermeasures, etc. that prevent the threat agent from mounting an attack
  – Amplifiers: events, actions, etc. that encourage a threat agent to mount an attack
Relationships of Malicious Threats
[Diagram relating threat agent, capability, motivation, access, catalysts, inhibitors, amplifiers and threat]
Threat Agents
• Nation-states
• Terrorists
• Pressure groups
• Commercial organizations
• Criminal groups
• Hacker groups
• Disaffected staff
Vulnerabilities
• A condition, weakness, or absence of security procedures, technical controls, physical controls, or other controls that could be exploited by a threat.
• Often analyzed in terms of missing safeguards
• Contribute to risk because they allow a threat to harm a system
Classes of Vulnerabilities
• Hard vulnerabilities
  – Bugs
  – Misconfigurations, etc.
• Soft vulnerabilities
  – Systems not configured to company policy
  – Lack of underlying policies, procedures or configuration/change management
  – Insufficient logging
  – Company policies go against best practices
Vulnerabilities
• Hardware
• Software
• Infrastructure
• Processes
Known Vulnerabilities
• Design Flaws
• Software Development (SDLC)
• Innovative Misuse
• Incorrect Implementation
• Documentation
• Social Engineering
Risk
• A potential for loss or harm
• An exposure to a threat
• Risk is subjective
• Dependent on situation and circumstances
• Impossible to fully measure
Concepts of Risk
• Generalized risk model – components of risk
  – Assets
  – Threats
  – Vulnerabilities
  – Impacts
  – Countermeasures
• Many types of risk analysis
  – Qualitative
  – Quantitative
  – Hybrid
• Simple risk analysis model
  – ALE = V × L (Annualized Loss Expectancy = Value of the Asset times Likelihood of the Threat)
• Too simplistic for most practical uses
Concepts of Risk - Definitions
• Assets
  – Things to be protected: physical, logical, human
• Threats
  – Events with the potential to cause unauthorized access, modification, disclosure or destruction of an asset
• Vulnerabilities
  – Weaknesses in an asset or associated countermeasure that can be exploited to realize a threat
• Impacts
  – Outcome of a threat acting upon a vulnerability
  – Usually measured as money losses
• Countermeasures (safeguards)
  – Protective measures implemented to counter threats and mitigate vulnerabilities
• Risk
  – The probability that a threat will exploit a particular set of vulnerabilities successfully – Peltier
  – The likelihood that a threat agent will successfully exploit a vulnerability to create an unwanted or adverse impact – Jones
• Exposure Factor (EF)
  – Percentage of loss a successful threat event would have on a single specific asset
• Single Loss Expectancy (SLE)
  – Dollar figure assigned to single event: SLE = AV (Asset Value in $) X EF
• Annualized Rate of Occurrence (ARO)
  – Estimated frequency in which a threat is expected to occur
• Annualized Loss Expectancy (ALE)
  – Total computed estimated loss per year (ALE = AV X ARO)
Handling Risk
• Eliminate it
• Minimize it
• Accept it
• Transfer it
Common Risk Analysis Fallacies
• Vulnerabilities = Risks
  – The Truth: vulnerabilities = vulnerabilities
  – Vulnerability assessment or penetration testing does not, by itself, identify or quantify risk
• Threats are not an element of risk
  – The Truth: threats are (arguably) the most important element of risk
• Tools = Countermeasures
  – The Truth: tools are just tools. Many countermeasures are administrative or a combination of tools and administration
  – The best countermeasures are layered (defense in depth)
• All risks must be mitigated
  – The Truth: don’t waste money protecting garbage. There is a valid concept of “acceptable risk”.
Assessment
• Takes a security “snapshot” of a computing environment at any given time.
• Evaluates the information security policies and procedures
• Establishes a baseline for operations
• Can be “Formal” or “Informal”
• Can be “Quantitative” or “Qualitative” in nature
The Name Game
• Risk Assessments go by many names:
  – Security Baseline Assessment
  – Penetration Study (“Ethical Hacking”)
  – Vulnerability Scan
  – Policy consulting
  – Audits
Why use a Risk Assessment?
• To gauge the security posture of a given resource: Division, Department, or Organization
• Help justify cost of security controls
• To understand shortcomings in current technology environment
• To prepare for doing business on the Internet
Quantitative Characteristics
• Relies on statistical measurement for rationality
• Generally used on mature environments
• Security posture is “rated” based on collection of weighted data findings
Qualitative Characteristics
• Subjective in nature
• Generally used on immature environments
• Interviews and observation key part of assessment
• Recommendations based on “best practices”
Audit vs. Assessment
• An audit is a formal process used to measure the high-level aspects of an infrastructure’s security from an organizational point of view.
• Limited in scope
• No low-level technical details
• Check-list style methodology
Risk Based Audit Approach
• Audit risk can be defined as the risk that the information / financial report may contain material error or that the IS Auditor may not detect an error that has occurred.
  – Inherent Risk
  – Control Risk
  – Detection Risk
  – Overall Audit Risk
Audit vs. Assessment
• Security Assessments are attempts to measure as many technical details of an infrastructure’s security posture as possible.
• Less formal
• More detailed / broader in scope
• Considered an “Art form”
Why use Quantitative?
If your organization has implemented basic security countermeasures, and wants to improve its posture
If upper management responds well to presentations of findings based on numerical representation
If statistically-based facts will help “Sell” security to executives
Why use Qualitative?
• If your security policy is brand new
• If your culture works well with “consulting” type approaches
• If “best practices” can be used to sell upper management on the proper security controls
• If your expectations involve a shorter assessment cycle
Do Not use an Assessment…
If your organization does not have a security policy defined
If your organization is experiencing high turn-over
If upper management does not “sponsor” security expenditures
Network Security Assessment
Expected results:
• Identify security vulnerabilities
• Provide corrective action knowledge base
• Recommend corrective action
• Continuous “realtime” monitoring
• Repeatable and measurable
• Used to justify security controls to upper management
Basic Formula
$$\text{Risk} = \frac{\text{Threat} \times \text{Vulnerability}}{\text{Countermeasures}} \times \text{Value}$$
• Asset Value x exposure factor = Single Loss Expectancy (SLE)
• SLE x annualized rate of occurrence (ARO) = Annualized Loss Expectancy (ALE)
RA methodology Examples
Qualitative:
• CRAMM
• RAM-X
• IAM
• OSG
Quantitative:
• Courtney
• RAM-X
Representative Risk Analysis Methods
• Courtney – quantitative
  $$L = \frac{10^{(i+f-3)}}{3}$$
  – L = annualized loss expectancy
  – i = impact rating
  – f = threat frequency
• CRAMM – qualitative
  – “CCTA Risk Analysis and Management Methodology”
  – Not mathematical – subjective
  – Attempts to take a holistic view
  – Gathers information through structured interviews
  – Stage 1: Establish boundaries of the review (assets)
  – Stage 2: Establish threat context
  – Stage 3: Establish necessary countermeasures
Risk Management Cycle
[Cycle diagram: Assess Risk and Determine Needs; Implement Policies and Controls; Promote Awareness; Monitor and Evaluate; Central Focal Point; Initial Entry Point]
Basic Risk Analysis Steps
• Estimate potential losses to assets by determining their value(s)
• Analyze potential threats to the assets
• Define the Annualized Loss Expectancy (ALE)
10-Step Qualitative Risk Analysis Approach
1. Develop scope
2. Assemble team
3. Identify threats
4. Prioritize threats
5. Estimate impact priority
6. Calculate total threat impact
7. Identify safeguards
8. Cost-benefit analysis
9. Rank safeguards by priority
10. Write the report
The CRAMM Qualitative Method
• CRAMM analysis may be done using a packaged software application
  – Cost is about $4,200 plus about $1,200 per year maintenance
• Interview format tool with large databases of questions, threats, vulnerabilities and impacts
• A qualitative approach that is useful both for risk analysis and risk management
The CRAMM Qualitative Method – Risk Model
• Assets
• Threats
• Vulnerabilities
• Impacts
  – Information disclosure
  – Accidental or intentional destruction of data
  – Data modification
  – Denial of service
• Countermeasures
  – Reduction of threat
  – Reduction of vulnerability
  – Reduction of impact
  – Detection
  – Recovery
• Risks
  – A risk arises when a threat is able to exploit a vulnerability in an important asset to cause an unacceptable impact
The CRAMM Qualitative Method - Stages
• Three stages
  – Establish scope – asset based
  – Establish threat context and vulnerabilities for assets identified in stage 1
    • Identifies security requirements for each relevant group of assets
  – Establish countermeasures
    • Output is a security plan
    • Good idea to perform a cost-benefit analysis in this stage although this is not part of the formal CRAMM method
• Baseline review approach curtails CRAMM activities in unimportant areas
Courtney Quantitative Method
• Asset based
• Uses loss expectancy formula:
  $$L = \frac{10^{(i+f-3)}}{3}$$
• Impact categories
  – Disclosure
  – Modification
  – Destruction
  – Lack of availability
• Impact $ (i) taken from an impact rating table
• Threat frequency (f) taken from a threat frequency table
Courtney Impact Rating Table (i)
Impact ($)     Rating
10             1
100            2
1,000          3
10,000         4
100,000        5
1,000,000      6
Courtney Threat Frequency Table (f)
Frequency              Frequency Rating
Once in 300 years      1
Once in 30 years       2
Once in 3 years        3
Once in 100 days       4
Once in 10 days        5
Once in 1 day          6
10 times per day       7
100 times per day      8
Typical Courtney Collection Form
Asset Under Review:
Columns: i, f, L
• Accidental
  – Disclosure
  – Modification
  – Destruction
• Deliberate
  – Disclosure
  – Modification
  – Destruction
• Exposure if unable to process for:
  – 2 hours
  – 4 hours
  – 8 hours
  – 12 hours
  – 18 hours
Example entry: i = 4, f = 3
$$L = \frac{10^{(4+3-3)}}{3} = \frac{10^{4}}{3} = \frac{10{,}000}{3} = \$3{,}333$$
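The Courtney collection form worked through in code, as an added example that is not part of the original slides: each row's dollar impact and yearly frequency are mapped to the nearest table rating, L = 10^(i+f-3)/3 is computed per row, and the rows are ranked by loss. The sample asset figures, the nearest-rating rounding rule and all function names are assumptions made for illustration.

```python
import math

# Impact rating i stands for a loss of about 10**i dollars ($10 -> 1 ... $1,000,000 -> 6).
# Frequency rating f stands for about 10**(f-3)/3 events per year
# (once in 300 years -> 1 ... 100 times per day -> 8).

def impact_rating(dollars):
    """Nearest table rating for a dollar impact (rounding rule is an assumption)."""
    return min(6, max(1, round(math.log10(dollars))))

def frequency_rating(per_year):
    """Nearest table rating for an annual frequency (rounding rule is an assumption)."""
    return min(8, max(1, round(math.log10(3 * per_year) + 3)))

def courtney_loss(i, f):
    """Courtney annualized loss expectancy: L = 10^(i+f-3) / 3."""
    return 10 ** (i + f - 3) / 3

def assess(form):
    """Rate every row of a collection form and rank the rows by L, highest first."""
    rows = []
    for category, (dollars, per_year) in form.items():
        i, f = impact_rating(dollars), frequency_rating(per_year)
        rows.append((category, i, f, courtney_loss(i, f)))
    return sorted(rows, key=lambda row: row[3], reverse=True)

# Constructed sample form for one hypothetical asset: (estimated impact in $, events per year).
SAMPLE_FORM = {
    "accidental disclosure":   (8_000, 1 / 3),       # about $10,000, once in 3 years
    "accidental modification": (90, 4),              # about $100, once in 100 days
    "deliberate destruction":  (1_000_000, 1 / 30),  # $1,000,000, once in 30 years
    "unable to process 8 h":   (1_200, 1 / 25),      # about $1,000, once in 30 years
}

if __name__ == "__main__":
    for category, i, f, loss in assess(SAMPLE_FORM):
        print(f"{category:26} i={i} f={f} L=${loss:,.0f}")
```

Because both ratings are orders of magnitude, an estimate that is off by less than about a factor of three lands on the same rating, which is why the method tolerates rough inputs.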
NSA IAM
Qualitative project management framework
[Diagram: phases Pre-Assessment, On-Site and Post-Assessment; steps Pre-Assessment Contact, Project Coordination, Data Collection, Analysis, Recommendations, Final Report]
RAM-X
Put together by Sandia Labs, along with the FBI, Military, Corps of Engineers, and others
Designed to be a quantitative measurement of risks associated with Critical Infrastructure
RAM-X Formula
PA * C * (1-PE) = R
PA= Analyze Threat
C = Critical Assets
PE = System Effectiveness
PE < 1
C < 1
OSG
• Developed a way to utilize qualitative and quantitative methods through its “Thessaly” framework
• Current State
• Desired State
• Gap Analysis
• Solution recommendations
• Security Maturity Grid