Faculty of Economic Cybernetics, Statistics and Informatics (ECSI), Bucharest Academy of Economic Studies
RISK ANALYSIS IN SECURE SYSTEMS
Associate professor Ph. D. Emil BURTESCU, University of Pitesti, [email protected]
IT&C Security Master

Rass english version



  • Contents
    - Real world
    - Terms and definitions
    - Reference moments that highlight the need of security
    - Attacks and organization losses
    - Risk and company
    - Risk management and risk analysis
    - Threat, vulnerability and risk mitigation
    - Qualitative risk analysis
    - Quantitative risk analysis
    - Vulnerability analysis / workstation risk analysis
    - Countermeasures - decisional process coordination
    - Costs and profitability: economic indicators of the security investment
    - Security outsourcing

  • Question. Q: Why is that happening?

  • Which is the correct position of the switch ?

  • Does your company operate regularly on its data? Does your company have devices that control voltage variations? How long can the company "resist" without (external) power?

    Are there backup computers in your company (cold standby)? How much time is lost bringing them into operation? What are the effects on the business? If an important server is temporarily inoperable, how long until it can be reinstated and fully operational? What are the effects on the business? Does your company evaluate in detail and document the profile of a new employee? Can your company prevent, detect and respond to an attack (from inside or outside)? Other questions ...

  • Security within an organization means (in many cases) managing chaos

  • Tips and more

  • Terms and definitions
    Good/asset
    - Anything that represents a value within an organization. Here we include the buildings, hardware and software components, data, personnel, plans and documentation, etc.
    Threat
    - Potential cause of an undesired impact on a system or organization (ISO 13335-1).
    - An undesired event (intentional or accidental) that can damage the assets of the organization.
    - The potential for a person or thing to exercise (accidentally trigger or intentionally exploit) a specific vulnerability (NIST SP 800-3).
    Vulnerability
    - A weakness in system procedures, system architecture, system implementation, internal control or other causes that can be exploited to bypass the security system and gain unauthorized access to information.
    - Any weakness, administrative process, act or statement that makes a piece of information about an asset likely to be exploited by a threat.
    - A flaw or weakness in system security procedures, design, implementation, or internal controls that could be exercised (accidentally triggered or intentionally exploited) and result in a security breach or a violation of the system's security policy (NIST SP 800-3).

  • Terms and definitions (continuation)
    Impact - the overall expected loss to the business when a threat exploits a vulnerability against an asset.
    Exploit - a means of using a vulnerability to cause a malfunction of the organization's activities or a failure of information security services within the organization.
    Exposure - a threat action through which sensitive information is released directly to an unauthorized entity (RFC 2828).
    Integrity - the property that data has not been altered or destroyed in an unauthorized manner (ISO 7498-2).
    Accessibility (availability) - the property of a system to ensure its accessibility and usability at the request of an authorized user or process within the system.
    Confidentiality - the property that information is not made available or disclosed to unauthorized persons, entities or processes (ISO 7498-2).
    Risk
    - A threat that can exploit eventual system weaknesses.
    - Combination of the probability of an event and its consequences (ISO Guide 73).
    - A vulnerability triggered or exploited by a threat (NIST SP 800-3).

  • Terms and definitions (continuation)
    Sensitive data - any data that cannot be made public.
    Control - an organizational, procedural or technological means of controlling the risk; a synonym for safeguard (warranty) or risk prevention measure.
    Reduction (risk) - a combination of planned measures and actions taken at the level of the organization in order to mitigate or eliminate a risk.
    Reduction solution - the implementation of an organizational, procedural or technological control meant to support security risk management.
    Defense in depth - a solution for ensuring security on multiple levels, meant to protect against the failure of a single safety component.
    Reputation - the opinions that people have about the organization. A value that is difficult to calculate.
    Risk assessment/risk analysis - the process of identifying security risks, determining their magnitude, and identifying areas needing safeguards.
    Risk management - the total process of identifying, controlling, and eliminating or minimizing uncertain events that may affect system resources.
    Qualitative analysis - an approach to risk analysis in which relative values are assigned to goods, assets, risks, controls and impacts.
    Quantitative analysis - a risk analysis approach in which objective (real) numerical values are assigned to goods, assets, risks, controls and impacts.

  • Terms and definitions (continuation)
    Annual Loss Expectancy (ALE) - the total amount of money that an organization will lose in a year if it does not take measures to minimize or eliminate the risk.
    Annual occurrence rate (of an event) - a value which quantifies the number of times an event may occur during one year.
    Cost-benefit analysis - estimation and comparison of the relative value and cost of each proposed control. The efficiency criterion used to choose the control that will be implemented.
    Return on investment (the profit from investing in security) - the total amount of money that an organization expects to save in one year by implementing security measures.
    Annual Loss Expectancy per Asset (ALEa) - the total amount of money, related to one asset, that the organization will lose in a year if it does not take measures to minimize or eliminate the risk that affects that asset.
    Annual Loss Expectancy per Threat (ALEt) - the total amount of money, attributable to one threat, that the organization will lose in a year if it does not take measures to minimize or eliminate the risk that affects the assets.
    User - a person who uses a computer system. User = expert / novice.
    End user - a person/user who runs an application program.
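As an added worked example (not part of the original lecture), the following Python computes the quantities defined above for a constructed risk register: the ALE of each asset/threat pair, ALEa per asset, ALEt per threat, and the cost-benefit of one proposed control. It relies on the standard quantitative formulas SLE = asset value × exposure factor and ALE = SLE × annual rate of occurrence, which the slides do not spell out; every asset name, value, rate and the assumed effect of the control are illustrative assumptions.

```python
"""Quantitative risk analysis helper (added example, not the lecture's code).

Standard quantitative formulas, assumed here:
    SLE = asset_value * exposure_factor     (single loss expectancy)
    ALE = SLE * ARO                         (annual loss expectancy)
All asset values, exposure factors and occurrence rates are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Exposure:
    asset: str              # good/asset being protected
    threat: str             # threat that can exploit a vulnerability of the asset
    asset_value: float      # value of the asset, in currency units
    exposure_factor: float  # fraction of the asset value lost per occurrence (0..1)
    aro: float              # annual rate of occurrence of the event

    def sle(self) -> float:
        """Single loss expectancy: loss caused by one occurrence."""
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annual loss expectancy for this asset/threat pair."""
        return self.sle() * self.aro


def ale_per_asset(exposures):
    """ALEa: expected yearly loss summed per asset."""
    totals = defaultdict(float)
    for e in exposures:
        totals[e.asset] += e.ale()
    return dict(totals)


def ale_per_threat(exposures):
    """ALEt: expected yearly loss summed per threat."""
    totals = defaultdict(float)
    for e in exposures:
        totals[e.threat] += e.ale()
    return dict(totals)


def control_benefit(ale_before, ale_after, annual_control_cost):
    """Cost-benefit of a control: yearly loss avoided minus the yearly cost of the control.
    A negative result means the control costs more than the loss it prevents."""
    return (ale_before - ale_after) - annual_control_cost


# Constructed register (hypothetical values, currency units per year).
REGISTER = [
    Exposure("customer database", "unauthorized access", 500_000, 0.40, 0.5),
    Exposure("customer database", "virus", 500_000, 0.10, 2.0),
    Exposure("laptop fleet", "laptop theft", 80_000, 0.25, 4.0),
    Exposure("web server", "denial of service", 200_000, 0.05, 3.0),
]


def evaluate_encryption_control():
    """Cost-benefit of a hypothetical at-rest encryption control on the customer
    database: assumed to cut the exposure factor of unauthorized access from 0.40
    to 0.05 (attacker gets ciphertext) at an assumed 30,000 per year."""
    before = next(e for e in REGISTER
                  if e.asset == "customer database" and e.threat == "unauthorized access")
    after = Exposure(before.asset, before.threat, before.asset_value, 0.05, before.aro)
    return control_benefit(before.ale(), after.ale(), 30_000)


if __name__ == "__main__":
    for asset, loss in ale_per_asset(REGISTER).items():
        print(f"ALEa {asset:20s} {loss:>12,.0f}")
    for threat, loss in ale_per_threat(REGISTER).items():
        print(f"ALEt {threat:20s} {loss:>12,.0f}")
    print(f"net yearly benefit of encryption control: {evaluate_encryption_control():,.0f}")
```

With these figures the unauthorized-access risk on the database carries an ALE of 100,000; the assumed control lowers it to 12,500, so after its 30,000 yearly cost the net saving is 57,500, which is the "return on investment" figure the definitions above describe. Comparing `control_benefit` across candidate controls is the cost-benefit analysis used as the selection criterion.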

  • Need of security. Stages in electronic information theft (timeline 1970, 1980, 1990): phone line piracy (phreaking/boxing); illegal dial-up connections; unauthorized Internet access.

  • Reference moments that highlight the need of security
    November 2nd, 1988 - Giant Worm. A worm (a virus, according to some) launched on the Internet infects some 60,000 computers all over the United States. It quickly spread from computers in Cambridge, Massachusetts and Berkeley, California, to the computers in Princeton, then to the NASA Ames Research Center in Silicon Valley, California, to the University of Pittsburgh, to Los Alamos National Laboratory and to other universities, military bases and research institutes. The costs of stopping the worm and testing the infected systems were estimated at between 1,000,000 and 100,000,000 dollars. Guilty: Robert T. Morris, student at Cornell University.
    September 11th, 2001 - Attacks on the World Trade Center (WTC) and the Pentagon. The attacks cause damages of over $100 billion. Thanks to the existence of disaster plans, communications are restored quickly and some companies manage to come back online within 48 hours of the attack. After these attacks, the United States and other countries review their security policies.

  • Reference moments that highlight the need of security (continuation)
    1. Cliff Stoll, employee at Lawrence Berkeley Laboratory, during 1988 attacked 450 computers in West Germany, managing to penetrate 30 of them. Initially accused of unauthorized access, after it came out that he had sold secrets to the KGB he was charged with espionage.

    2. In 1990, an Australian student who called himself Phoenix was blamed for causing the 24-hour shutdown of NASA computers in Norfolk, Virginia. He also altered information at Lawrence Livermore National Laboratory in California.

    3. In 1988, at a number of air transport agencies it was discovered that somebody had managed to penetrate the system and print illegal plane ticket reservations. For the first time the question arose of whether terrorist organizations did so in order to gain access to passenger lists. The question reappeared when members of the Kuwaiti royal family were taken hostage on board a plane, and was asked again after the attacks of September 11th, 2001.

    4. In April 1986, an intruder known as Captain Midnight managed to increase the transmission power of an HBO channel, transmitting his own message to millions of viewers. This incident raised the possibility that such actions could be used for terrorist purposes.

    5. The event recorded as the Constitution Loss may be the most serious human error in implementing security. In 1991, before the final vote on the Constitution of Colombia, a user who had to make the last changes to the online version made a mistake that resulted in loss of data. With no backup, the data was restored after laborious work, using the drafts of the Committee members for the new Colombian Constitution.

    6. In January 1988, at the Hebrew University in Jerusalem, hundreds of computers were found to be infected with a virus. The virus was active on every 13th of the month that fell on a Friday; it slowed down processes and erased data on that 13th. The virus was also named Columbus Day or Datacrime.

    7. In 1989, a 14-year-old kid from Kansas managed, using an Apple computer, to penetrate the positioning system of satellites belonging to the Air Force, to make international calls and to access confidential files.

    8. The Flamble virus can be included in a special category of viruses. It also acts on hardware equipment, by increasing the horizontal scanning frequency of the monitor's electron beam beyond the admitted limits. As an effect, the monitor catches fire. In 1988 this virus affected a consulting company in San Jose, California.

  • Reference moments that highlight the need of security (continuation)
    9. In 1988, a researcher working for a commission that investigated the business with Iran discovered, on a computer used by Oliver North, stolen secret data referring to the NSC. These had been transferred to, and then deleted from, a computer belonging to the White House that was considered safe.
    10. In 1984, a company manager managed, by manipulating a computer, to transfer $25 million of funds while trying to fool the audit.
    11. In March 1999, the Melissa virus managed to block e-mail services all over the world. The damages produced were estimated at $80 million. The culprit was found in the person of David Smith, a programmer, who named the virus after a topless dancer. Having been sentenced, he served several years of imprisonment in state and federal prisons in the United States.
    12. The Love Letter worm managed to infect 45 million computers in a single day of the year 2000.
    13. In February 2000, the activity of many e-commerce sites, including Yahoo!, e-Bay and e-Trade, was affected by a new type of DoS attack, called Distributed Denial of Service (DDoS). The attack used client-server technology to focus its attack on certain points. The culprit was found, after months of searching, in the person of a young hacker.
    14. In October of the same year, Microsoft reported that a young hacker had gained access to a portion of its own LAN.
    15. The website of the US State Department was attacked in October 2002 and filled with obscenities; its operation had to be interrupted.
    16. After the attack in Bali in October 2002, when Australia put pressure on the terrorist groups in Indonesia allegedly responsible for the attack, over 200 Australian websites were attacked by Indonesian hackers.
    17. The structure of the Internet itself was attacked in October 2002: 13 root servers were affected by DDoS and many users found themselves unable to make connections.
    18. A conference against theft of information was sabotaged in May 2003. The hackers managed to steal about 1,000 names and e-mail addresses of the persons participating at the conference.

  • Types of attacks or reported abuses (2008: 433 respondents). Source: Computer Security Institute, CSI/FBI 2008 Computer Crime and Security Survey

    Attack                               2004   2005   2006   2007   2008
    Denial of service                     39%    32%    25%    25%    21%
    Laptop theft                          49%    48%    47%    50%    42%
    Telecom fraud                         10%    10%     8%     5%     5%
    Unauthorized access                   37%    32%    32%    25%    29%
    Virus                                 78%    74%    65%    52%    50%
    Financial fraud                        8%     7%     9%    12%    12%
    Insider abuse                         59%    48%    42%    59%    44%
    System penetration                    17%    14%    15%    13%    13%
    Sabotage                               5%     2%     3%     4%     2%
    Theft/loss of proprietary info        10%     9%     9%     8%     9%
      from mobile devices                   -      -      -      -     4%
      from all other sources                -      -      -      -     5%
    Abuse of wireless network             15%    16%    14%    17%    14%
    Web site defacement                    7%     5%     6%    10%     6%
    Misuse of Web application             10%     5%     6%     9%    11%
    Bots                                    -      -      -    21%    20%
    DNS attacks                             -      -      -     6%     8%
    Instant messaging abuse                 -      -      -    25%    21%
    Password sniffing                       -      -      -    10%     9%
    Theft/loss of customer data             -      -      -    17%    17%
      from mobile devices                   -      -      -      -     8%
      from all other sources                -      -      -      -     8%
    (- = no value reported for that year)


  • Losses due to attacks within the organization (2008: 144 respondents). Source: Computer Security Institute, CSI/FBI 2008 Computer Crime and Security Survey

    Average losses per respondent (thousands of $)
    Year    Value
    1999      764
    2000      983
    2001     3149
    2002     2063
    2003      804
    2004      526
    2005      204
    2006      168
    2007      345
    2008      289

  • Security technologies used (year 2008). Source: Computer Security Institute, CSI/FBI 2005 Computer Crime and Security Survey, 521 respondents

    Technology                                     Share of respondents
    Other                                             3%
    Biometrics                                       23%
    Specialized wireless security systems            27%
    Virtualization-specific tools                    29%
    Endpoint security client software / NAC          34%
    Public Key Infrastructure systems                36%
    Smart cards and other one-time tokens            36%
    Data loss prevention / content monitoring        38%
    Forensics tools                                  41%
    Static account / login passwords                 46%
    Server-based access control lists                50%
    Log management software                          51%
    Application-level firewalls                      53%
    Encryption of data at rest (in storage)          53%
    Intrusion prevention systems                     54%
    Web / URL filtering                              61%
    Vulnerability / patch management tools           65%
    Intrusion detection systems                      69%
    Encryption of data in transit                    71%
    Anti-spyware software                            80%
    Virtual Private Network (VPN)                    85%
    Firewalls                                        94%
    Anti-virus software                              97%

  • Main attack sources!!

  • Techniques used for the evaluation of security (2008: 496 respondents). Source: Computer Security Institute, CSI/FBI 2008 Computer Crime and Security Survey

  • Actions taken after an incident (2008: 295 respondents). Source: Computer Security Institute, CSI/FBI 2008 Computer Crime and Security Survey

  • Why aren't the incidents reported? (2008: 233 respondents). Source: Computer Security Institute, CSI/FBI 2008 Computer Crime and Security Survey

  • 2008 CSI Computer Crime and Security Survey: new questions


  • The latest CSI/FBI findings. Source: Computer Security Institute, CSI/FBI 2010 Computer Crime and Security Survey


  • Foundations. What do we want to obtain through risk management and/or risk analysis?

  • What can the company do? What can the company count on? (COMPANY)

  • Risk management cycle (variant): risk analysis -> determination of needs -> policy implementation -> control implementation -> assistance -> awareness -> monitoring -> evaluation -> convergence point

  • Risk management cycle (variant). Source: http://www.noweco.com/ . At http://www.noweco.com/downe.htm one can find material referring to risk management (trial software, brochures, presentations).

  • Risk management cycle (Microsoft variant): 1. Assessing risk / risk evaluation; 2. Conducting decision support; 3. Implementing controls; 4. Measuring program effectiveness. http://technet.microsoft.com/en-us/library/cc163143.aspx

  • Risk management cycle (Microsoft)
    Risk evaluation - identifying and classifying the risks that can affect the business.
    Conducting decision support - identifying and evaluating the control measures and solutions, taking into account the cost-benefit ratio.
    Control implementation - implementing and running control measures meant to reduce or eliminate the risks.
    Measuring the program's efficiency - analyzing the efficiency of the adopted control measures and checking whether the applied controls ensure the established protection level.
    http://technet.microsoft.com/en-us/library/cc163143.aspx

  • Effort level (Microsoft). Figure: Relative Level of Effort During the Microsoft Security Risk Management Process (effort curve over the process stages: data gathering, summary risk analysis, detailed risk analysis, decision support, implement controls, operate controls). http://technet.microsoft.com/en-us/library/cc163143.aspx

  • The levels of security risk management (Microsoft) http://technet.microsoft.com/en-us/library/cc163143.aspx

    Level 0 - Non-existent: The company does not have a well-documented security policy.
    Level 1 - Ad hoc: The company is aware of the risk. Risk management efforts are hurried and chaotic. Policies and processes are not well documented. Risk management projects are chaotic and uncoordinated, and the results cannot be measured and evaluated.
    Level 2 - Repeatable: The company has knowledge about risk management. The risk management process is repeatable but immature. The risk management processes are not sufficiently documented, but the company is taking action in this sense. There is no formal training or communication regarding risk management; responsibility is left to the choice of the employee.
    Level 3 - Defined: The company adopts a formal decision to implement risk management. The objectives and the ways of measuring the results are clearly defined. The employees are formally trained at a basic level.
    Level 4 - Managed: Risk management is well understood in all departments and levels of the company. There are well-defined procedures for control and risk reduction. Efficiency can be measured. The personnel is trained. The allocated resources are sufficient. The benefits are visible. The risk management team works to permanently improve the processes and the instruments they use. A great deal of the risk evaluation, control identification and cost-benefit analysis processes are non-automated (manual).
    Level 5 - Optimized: The organization has committed significant resources to security risk management, and staff members are looking toward the future, trying to ascertain what the issues and solutions will be in the months and years ahead. The risk management process is well understood and significantly automated through the use of tools (either developed in-house or acquired from independent software vendors).

  • Organizational Risk Management Maturity Level Self Assessment (Microsoft): a set of questions, each with a score; the final score (0 ... 85) maps the organization to the stage obtained. http://technet.microsoft.com/en-us/library/cc163143.aspx

  • NIST - National Institute of Standards and Technology, Security Self-Assessment Guide for Information Technology Systems. Other questions that will define the security level of your organization and guide you to the subsequent actions are available at http://csrc.nist.gov/ (Security Guideline 800 series) and at http://csrc.nist.gov/publications/nistpub/index.html, the file Mapping-of-800-53v1.doc.

  • Roles and responsibilities during security risk management (Microsoft)

    Executive director - Manages all activities that represent a risk to the business: development, fund allocation, licensing and support for the risk management team. Responsibility assumed by the chief of security or the chief of information security. The last level at which an acceptable risk for the business is defined.
    Business owner - Responsible for the material (tangible) and non-material (intangible) assets of the business (company). Responsible for establishing which business assets have priority and for defining the level of impact on these assets. Defines the acceptable risk level.
    Information security group - Owns the larger process of risk control. Runs the risk evaluation stages and the risk prioritization for the business. The team is minimally composed of a risk evaluation assistant and a secretary.
    IT group - Responsible for architecture, engineering and operations.

  • Roles and responsibilities during the security risk management process (Microsoft) (continuation)

    Security risk management team - Responsible for leading the risk control program and for the risk evaluation stage. Establishes the priority risks.
    Risk evaluation assistant - Leads the discussions for data collection. Can lead the whole risk management process.
    Secretary - Records detailed information from the data collection discussions.
    Risk reduction team - Responsible for implementing and maintaining control solutions that bring the risk to an acceptable level.
    Security leading committee - Composed of members of the risk control team, IT group representatives and business stakeholders. The executive director chairs the committee. He is responsible for selecting the risk reduction strategies and defining an acceptable risk for the company.
    Stakeholders - The direct or indirect participants in the risk management process. Can include groups and persons from outside IT.

  • Roles and responsibilities during the security risk management process (Microsoft), schematic. Elements: determine acceptable risk; assess risk / risk evaluation; define security requirements; measure security solutions; design and build security solutions; operate & support security solutions. http://technet.microsoft.com/en-us/library/cc163143.aspx

  • Risk management cycle (Microsoft), detailed steps
    1. Assessing risk / risk evaluation
       - Establishing the data collection plan: discussing the solutions for effective data collection.
       - Data collection: collecting, grouping and analyzing data.
       - Prioritizing/ranking risks: establishing solutions for classifying and quantifying risks.
    2. Conducting decision support
       - Defining functional requirements: defining the functional requirements for reducing the risk.
       - Selection of possible control solutions: summary of the possible solutions that will reduce the risk.
       - Solutions review: evaluation of the control solutions against the imposed requirements.
       - Estimation of risk mitigation: estimation of the reduction in exposure or in risk likelihood.
       - Estimation of solution costs: evaluation of the direct and indirect costs of risk mitigation.
       - Selection of the cost reduction strategy: complete cost-benefit analysis for determining the optimum.
    3. Implementing controls
       - Defining the functional requirements: defining the functional requirements for risk reduction.
       - Selecting the possible control solutions: summary of the possible control solutions that will reduce the risk.
       - Looking for an integrated approach: correlation between people, processes and technologies for risk attenuation.
       - Organizing control solutions: organizing the risk reduction solutions according to the company's activities.
    4. Measuring program effectiveness
       - Developing a risk level evolution diagram: understanding the risk level and its evolution.
       - Measuring the effectiveness of the program: periodic evaluation of the risk management program for its improvement.
       - Continuous review of the adopted control measures.

  • Risk management vs risk analysis: comparisons

    Objectives - Risk management: manages risk, in the sense of reducing it to a level acceptable for the needs of the company. Risk analysis/assessment: identifies and prioritizes risks within the company.
    Process type - Risk management: permanent process, across all phases. Risk analysis/assessment: works only in one phase, when risk evaluation is needed.

  • Risk evaluation (phase 1)
    1. Planning: alignment, purpose, acceptance.
    2. Data collection facilitation: determining the company's assets, identifying the threats, identifying the vulnerabilities, exposure estimation, occurrence probability estimation, summary.
    3. Risk prioritizing: coordinating a summary prioritization of the risk level; summary of the risk level prioritization; review together with the owner; detailed analysis of the risk level prioritization; detailing the risk level prioritization.

  • The reasons for which risk analysis is done
    - Identifying the company's goods/assets.
    - Identifying the (security) controls.
    - Warns the company's management about the conditions that can produce risks.
    - Warns about the necessity of adopting control measures.
    - Guides resource allocation.
    - Relates the control program to the company's mission.
    - Offers criteria for designing and evaluating the damage plans.
    - Offers criteria for designing and evaluating the recovery plans.
    - Improves overall awareness.

  • Risk analysis approaches
    Quantitative analysis - works with statistical data in the field.
    Qualitative analysis - works with less complex data.
    Vulnerability analysis / workstation risk analysis - puts the employee in front and quantifies the specific working conditions.

• Risk analysis is the process of identifying security risks, determining their magnitude and identifying the areas with a high degree of risk that need to be secured. Risk analysis is one part of the set of measures called Risk Management. Risk evaluation is the result of a risk analysis process. Risk management can be defined as the whole system of methods for identifying, controlling, eliminating or minimizing the events that can affect the system's resources.

    This includes:
    - risk analysis;
    - cost-benefit analysis;
    - mechanism (control) selection;
    - evaluating the security of the adopted measures;
    - overall risk analysis.

Risk
    - Risk is an event that is waiting to happen.
    - Risk: a threat that can exploit eventual system weaknesses.
    - The combination of the probability of an event and its consequences (ISO Guide 73).
    - A vulnerability accidentally triggered or intentionally exploited by a threat, considered together with the likelihood of that happening and the resulting impact (NIST SP 800-30).

• Defining the risk level (Microsoft)
    http://technet.microsoft.com/en-us/library/cc163143.aspx

    | Element | Question |
    |---|---|
    | Asset | What do we want to protect? |
    | Threat | What are we afraid of happening? |
    | Vulnerability | How could the threat occur? |
    | Mitigation | What is currently reducing the risk? |
    | Impact | What is the impact to the business? |
    | Probability | How likely is the threat, given the controls in place? |

• Risk categories
    The standards in the field offer the following risk categorization:

    | No. | Category | Examples / description |
    |---|---|---|
    | 1 | Diseases | Affect people, animals and plants. |
    | 2 | Economic | Currency fluctuations, interest rate fluctuations, market shares. |
    | 3 | Environment | Noise, pollution, contamination. |
    | 4 | Financial | Contractual risks, insufficient funds, fraud, fines. |
    | 5 | Human | Riots, strikes, sabotage, errors. |
    | 6 | Natural disasters | Climatic conditions, earthquakes, storms, volcanic eruptions. |
    | 7 | Safety measures | Inadequate safety measures, improper safety management. |
    | 8 | Productivity | Design errors, sub-standard quality control, inadequate testing. |
    | 9 | Professional | Poor and insufficient training, negligence, design errors. |
    | 10 | Property damage | Fire, floods, earthquakes, contamination, human errors. |
    | 11 | Public | Public relations. |
    | 12 | Security | Attacks, intrusions, storms, vandalism. |
    | 13 | Technological | New (untested) technologies, old technologies, dependent technologies. |


• Risk categories, summary: natural threats; human threats; environmental threats.

• Applying countermeasures / implementing controls: what can we do to mitigate the risk?
    Really? Is it that easy?
    The basic idea is a risk level of 0 (zero). This is perfect, but in real life the risk level remains > 0 (zero): what remains after the controls are applied is the residual risk.

• Vulnerability - Threat
    Factors that determine vulnerability: physical; natural; hardware; software; hard drives (storage media); radiation; communication; human.

    Intentional threats are the most frequent ones. They can be categorized as internal or external.
    The internal threats come from the company's own employees.
    The external threats come from several categories: foreign espionage agencies; terrorists and terrorist organizations; criminal organizations; raiders; hackers and crackers.

    Vulnerability
    - A weakness in system procedures, system architecture, system implementation, internal controls or other causes that can be exploited to bypass the security system and gain unauthorized access to information.
    - Any weakness, administrative process, act or statement that makes information about an asset likely to be exploited by a threat.
    - A flaw or weakness in system security procedures, design, implementation, or internal controls that could be exercised (accidentally triggered or intentionally exploited) and result in a security breach or a violation of the system's security policy (NIST SP 800-30).

• Threats (types and examples)

    | Type of threat | Examples |
    |---|---|
    | Catastrophic | Fire; flood; earthquake; landslide; avalanche; storm/hurricane; terrorist attack; riots; explosion (industrial) |
    | Accident | Non-standard voltage; hardware flaw; mechanical disconnections; control device flaw; construction accident |
    | Non-intentional acts | Non-informed employee/collaborator; non-trained employee/collaborator; negligent employee/collaborator |
    | Intentional acts | Hacker, cracker; espionage (business partners, competition); espionage (foreign governments); computer criminal; social engineering; disgruntled employee; disgruntled ex-employee; terrorist; blackmailed employee; fake employee |

• Vulnerabilities (types and examples)

    | Vulnerability type | Vulnerability |
    |---|---|
    | Physical | Unlocked/unsecured rooms; unlocked/unsecured windows; building design flaws; building construction flaws; insufficient fire-protection systems; inappropriately stored flammable materials |
    | Natural | Construction in flood-prone areas; construction in unsuitable areas; construction in avalanche-prone areas; construction in areas with unstable ground |
    | Hardware | Inappropriate configuration; physically unsecured computer systems; missing patches; old equipment; inadequate protocols |
    | Software | Non-updated antivirus software; non-updated firewall software; missing patches/fixes; non-professional applications; applications written with backdoors; improper software configuration |
    | Hard drives (storage) | Defective storage enclosures; improper hard drives; vulnerable hard drives |
    | Communications | Radio interference; electrical interference; unencrypted communications; unencrypted protocols within the network; connections between several networks; active protocols that are not needed; no filtering of the communication between subnets |
    | Human | Failure to report attacks; weak response to attacks; lack of disaster recovery plans; insufficient procedure testing |

• Defense in depth model (Microsoft): http://technet.microsoft.com/en-us/library/cc163143.aspx

• Data collection
    - Dividing into groups. Each group has specific attributions (responsibilities).
    - Discussion, not interrogation. The discussions that take place and the questions that are asked must not be annoying or feel like an interrogation.
    - Involving the owner. The owner knows best what the assets of the organization are, what their values are and what impact the undesired events have on them.
    - Communication between departments. The involvement of, and communication with, the IT departments is essential.
    - Responsibility and awareness. Both the responsibility in the data collection process (and afterwards) and the awareness of the importance of every phase will be reflected in the final data.

• Data collection: sampling
    - How certain you can be: the confidence level.
    - Precision: the margin of error.
    - The number of posts/computers that must be tested versus the number of posts/computers actually being tested: the testing sample.
    Testing is done on the sample, but the data must then be extended (extrapolated) to the total number of posts/computers.
    Sample size calculator: http://www.macorr.com/ss_calculator.htm
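As an added example (not part of the original slides), the Python below computes what the sample-size calculator linked above does: the number of workstations to test for a given confidence level and margin of error, using the finite-population correction, then the reverse question of what margin of error the sample actually tested gives, and finally the extrapolation of a sample finding to the whole fleet. The fleet size and the findings are constructed; the z-scores are the usual two-sided normal quantiles.

```python
"""Sample size and extrapolation for a workstation vulnerability survey
(finite-population correction, proportion estimate)."""
import math

# Two-sided standard-normal quantiles for the common confidence levels.
Z_SCORE = {0.90: 1.645, 0.95: 1.96, 0.99: 2.576}


def sample_size(population: int, confidence: float = 0.95,
                margin: float = 0.05, proportion: float = 0.5) -> int:
    """Machines to test so that the estimated proportion of vulnerable machines
    lies within +/- margin at the given confidence. proportion=0.5 is the
    worst case (largest sample) when nothing is known in advance."""
    z = Z_SCORE[confidence]
    n0 = z * z * proportion * (1 - proportion) / (margin * margin)  # infinite population
    n = n0 / (1 + (n0 - 1) / population)                            # finite-population correction
    return min(population, math.ceil(n))


def margin_of_error(population: int, sample: int, confidence: float = 0.95,
                    proportion: float = 0.5) -> float:
    """Precision obtained from the sample actually tested (0.088 = +/- 8.8 points)."""
    z = Z_SCORE[confidence]
    fpc = math.sqrt((population - sample) / (population - 1)) if population > 1 else 0.0
    return z * math.sqrt(proportion * (1 - proportion) / sample) * fpc


def extrapolate(found_vulnerable: int, sample: int, population: int,
                confidence: float = 0.95) -> tuple:
    """Extend a sample finding to the whole fleet: (point estimate, low, high)
    number of affected machines."""
    p = found_vulnerable / sample
    e = margin_of_error(population, sample, confidence, p)
    return (round(p * population),
            round(max(0.0, p - e) * population),
            round(min(1.0, p + e) * population))


if __name__ == "__main__":
    fleet = 500                                   # constructed: 500 workstations
    print("machines to test:", sample_size(fleet))             # 218
    print("precision with 100 tested:", round(margin_of_error(fleet, 100), 3))
    print("30 of 100 vulnerable ->", extrapolate(30, 100, fleet))  # (150, 110, 190)
```

The finite-population correction is what makes a survey of a 50-machine office need 45 samples rather than the 385 an infinite-population formula would demand; the reverse calculation tells you how much to trust a survey that was stopped early.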

• Data collection (Microsoft)
    Identify the assets for which your group is responsible for development, management and maintenance. For each asset the following tables are filled in:
    http://technet.microsoft.com/en-us/library/cc163143.aspx

    | Asset | Asset classification (from the point of view of impact) (H, M, L) |
    |---|---|
    | DB server | H |
    | LAN printer | M |

    For every asset and every level of the defense in depth model (physical, network, host, applications, data):

    | Level (from the defense in depth model) | What are we afraid of? (Threat) | How may it happen? (Vulnerabilities) | Exposure level (H, M, L) | Current control description | Probability (H, M, L) | Potential controls |
    |---|---|---|---|---|---|---|
    | Physical | | | | | | |
    | Network | | | | | | |
    | Host | | | | | | |
    | Applications | | | | | | |
    | Data | | | | | | |

• Data collection (Microsoft): information collected through the data collection process.
    http://technet.microsoft.com/en-us/library/cc163143.aspx

    | Asset | Asset description | Asset class (H, M, L) | Level (layer) | Threat description | Vulnerability description | Exposure rate (H, M, L) | Impact rate (H, M, L) |
    |---|---|---|---|---|---|---|---|
    | Data | Client data | M | Host | Unauthorized access | Theft or password guessing | L | M |
    | Data | Client data | M | Host | Alteration | Viruses; improper configuration | H | M |

• Social approach to risk: the employer, the employees and the security group meet through discussions rather than interrogations.
    http://technet.microsoft.com/en-us/library/cc163143.aspx


• Security risk analysis: qualitative security risk analysis
    This method is used more often than the quantitative method, mainly in small companies.
    This method does not use statistical data. Instead, it uses the loss potential as input.
    The method operates with terms such as:
    - Often/high, medium, seldom/reduced, referring to the possibility of a risk occurring and to its impact.
    - Vital, critical, important, general and informational, referring to the type and classification of information.
    - Numbers: 1, 2, 3.
    The immediate effect is a reduction in the amount of work and of the time consumed.
    This method also has disadvantages:
    - Certain terms are hard to quantify ("important" is a hard term to define in management).
    - The numbers are this time even more subjective. In the quantitative method the data are statistical; here the data are subjective.

• 3. Prioritizing risks (qualitative analysis)
    - coordinating a summary prioritization of the risk level
    - summary of the risk level prioritization
    - review together with the owner
    - detailed analysis of the risk level prioritization
    - detailing the risk level prioritization

    For the summary prioritization of the risk level the following steps are followed:
    1. Determining the impact value for the assets.
    2. Estimating the probability of an event occurring.
    3. Establishing a summary list of risk levels by combining the impact and the occurrence probability for every asset.

    For detailing the risk level:
    1. Determining the impact and exposure for the assets.
    2. Identifying the current controls.
    3. Determining the impact probability.
    4. Detailed determination of the risk level.

• Establishing the level of losses and the class/level of impact (qualitative analysis)
    Class of impact: L - low, M - medium, H - high.
    http://technet.microsoft.com/en-us/library/cc163143.aspx

    | Losses (USD)* | Points | Class/level of impact | Value of the class/level of impact (V) |
    |---|---|---|---|
    | < 2,500 | 1 | L | 2 |
    | 2,501 - 8,000 | 2 | L | 2 |
    | 8,001 - 10,000,000 | 3 | L | 2 |
    | 10,000,001 - 15,000,000 | 4 | M | 5 |
    | 15,000,001 - 20,000,000 | 5 | M | 5 |
    | 20,000,001 - 25,000,000 | 6 | M | 5 |
    | 25,000,001 - 37,500,000 | 7 | H | 10 |
    | 37,500,001 - 50,000,000 | 8 | H | 10 |
    | > 50,000,000 | 9 | H | 10 |

  • Types of companies according to their size Qualitative analysis

• 1. Determining the impact value for the assets (qualitative analysis)
    http://technet.microsoft.com/en-us/library/cc163143.aspx

• 2. Estimating the probability of an event occurring (qualitative analysis)
    http://technet.microsoft.com/en-us/library/cc163143.aspx

    | Probability of occurrence (probability rate) | Description |
    |---|---|
    | High | Certain. Occurs one or more times per year. |
    | Medium | Probable. An event that can occur at least once, or two or three times, in a few years. |
    | Low | Unlikely. An event that is not expected to occur in the following three years. |

• 3. Establishing a summary list of risk levels by combining the impact and the occurrence probability for every asset (qualitative analysis)
    http://technet.microsoft.com/en-us/library/cc163143.aspx

• 3. Prioritizing risks: detailing the risk level (qualitative analysis)
    For detailing the risk level the following steps are followed:
    1. Determining the value of impact and exposure for the assets.
    2. Identifying the current controls.
    3. Determining the impact probability.
    4. Detailed determination of the risk level.

• 1. Determining the value of impact and exposure for the assets: determining the exposure (qualitative analysis)

• Determining the impact
    The value of the impact is obtained by multiplying the impact class value (V) by the corresponding exposure factor (EF):
        Impact rate = V x EF
    The values lie between 0 and 10.
    http://technet.microsoft.com/en-us/library/cc163143.aspx

    | Impact class | Impact class value (V) |
    |---|---|
    | Impact H(igh) | 10 |
    | Impact M(edium) | 5 |
    | Impact L(ow) | 2 |

    | Exposure rate | Exposure factor (EF) |
    |---|---|
    | 5 | 100% |
    | 4 | 80% |
    | 3 | 60% |
    | 2 | 40% |
    | 1 | 20% |

    | Impact rate | Level |
    |---|---|
    | 7 - 10 | High |
    | 4 - 6 | Medium |
    | 0 - 3 | Low |

• 2. Identifying the current controls (qualitative analysis)
    - Inventory of the current controls (physical ones included).
    - Establishing their efficiency (where possible).
    - Identifying inactive controls.

• 3. Determining the impact probability (qualitative analysis)
    Assumes determining whether a certain vulnerability exists and can be exploited, and determining the probability that the vulnerability is diminished by the controls in place.
    The vulnerability level mainly depends on a few attributes:
    1. Number of attackers. Vulnerability grows if the number of persons who can produce an attack increases, and if the training level of the attackers is high.
    2. Local or remote attack. Vulnerability grows if the security flaw can be exploited remotely.
    3. Knowledge. Vulnerability grows if the type of attack is known and documented.
    4. Automation. Vulnerability grows if the attack can be automated in such a way that it finds and exploits the security flaws by itself.

• 3. Determining the impact probability (continuation): vulnerability level (qualitative analysis)

    | Vulnerability level | Conditions (the grade applies if at least one condition is satisfied) | Grade |
    |---|---|---|
    | High | Large number of attackers (script kiddies, hobbyists); remote attack; anonymous privilege; very well known and documented exploitation methods; automation | 5 |
    | Medium | Medium number of specialists (experts); local attack; requires access rights; undocumented attack methods; no automation | 3 |
    | Low | Low number of attackers, with knowledge of the internal architecture; local attack; requires administrator privileges; undocumented attack methods; no automation | 1 |

• 3. Determining the impact probability (continuation): control effectiveness (qualitative analysis)

    | Question | Score (0 - Yes, 1 - No) |
    |---|---|
    | Are the responsibilities defined and effectively applied? | |
    | Are the warnings communicated and their execution supervised? | |
    | Are the processes and procedures well defined and learned? | |
    | Does the existing technology or control reduce the threat? | |
    | Are the current audit practices enough to detect abuse or control deficiencies? | |

• 3. Determining the impact probability (continuation), example: network (LAN) and remote host (qualitative analysis)
    http://technet.microsoft.com/en-us/library/cc163143.aspx

    | Questions referring to the effectiveness of the controls | Score (0 - Yes, 1 - No) |
    |---|---|
    | Are the responsibilities defined and effectively applied? | 0 |
    | Are the warnings communicated and their execution supervised? | 0 |
    | Are the processes and procedures well defined and learned? | 0 |
    | Does the existing technology or control reduce the threat? | 1 |
    | Are the current audit practices enough to detect abuse or control deficiencies? | 1 |
    | Control effectiveness score | 2 |

    Vulnerability level (grade): 5
    Total probability rate for LAN and remote host = 5 + 2 = 7

• 4. Detailed determination of the risk level (qualitative analysis)
    Risk level = Impact rate x Probability rate
    http://technet.microsoft.com/en-us/library/cc163143.aspx

    | Impact rate | Probability rate | Result (product) | Risk level |
    |---|---|---|---|
    | 10 - 7 (High) | 10 - 7 (High) | 41 - 100 | High |
    | 6 - 4 (Medium) | 6 - 4 (Medium) | 20 - 40 | Medium |
    | 3 - 0 (Low) | 3 - 0 (Low) | 0 - 19 | Low |

    [Table: the 11 x 11 product matrix, impact rate 0..10 on the rows against probability rate 0..10 on the columns, shaded into the three bands above]
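The following Python script, added here as an example and not part of the original slides or of Microsoft's guide, carries the qualitative scoring above through in code: impact rate = V x EF, probability rate = vulnerability grade + number of "no" answers to the five control questions, and risk level = impact rate x probability rate with the 0-19 / 20-40 / 41-100 bands. The findings list is constructed; the control answers of the first finding reproduce the LAN/remote host example (score 2, vulnerability level 5, probability rate 7). The precedence rule in vulnerability_level (the highest tier with any satisfied condition wins) is an assumption, since the slide only says "if at least one of the conditions is satisfied" for each tier.

```python
"""Qualitative risk scoring in the style of the Microsoft Security Risk
Management Guide, using the impact, exposure, vulnerability and control
tables from the slides (assumed as shown there)."""
from dataclasses import dataclass

IMPACT_CLASS_VALUE = {"H": 10, "M": 5, "L": 2}             # impact class -> V
EXPOSURE_FACTOR = {1: 0.2, 2: 0.4, 3: 0.6, 4: 0.8, 5: 1.0}  # exposure rate -> EF
VULNERABILITY_GRADE = {"high": 5, "medium": 3, "low": 1}   # vulnerability level -> grade

# The five control-effectiveness questions. A "yes" scores 0 and a "no" scores 1,
# so a weak control environment raises the probability rate.
CONTROL_QUESTIONS = (
    "Are the responsibilities defined and effectively applied?",
    "Are the warnings communicated and their execution supervised?",
    "Are the processes and procedures well defined and learned?",
    "Does the existing technology or control reduce the threat?",
    "Are the current audit practices enough to detect abuse or control deficiencies?",
)


def vulnerability_level(attackers: str, access: str, privilege: str,
                        documented: bool, automated: bool) -> str:
    """Map the attack attributes to a level. Assumption: the highest tier with at
    least one satisfied condition wins. attackers: 'many' | 'some' | 'few';
    access: 'remote' | 'local'; privilege: 'anonymous' | 'user' | 'admin'."""
    if (attackers == "many" or access == "remote" or privilege == "anonymous"
            or documented or automated):
        return "high"
    if attackers == "some" or privilege == "user":
        return "medium"
    return "low"


def impact_rate(impact_class: str, exposure_rate: int) -> float:
    """Impact rate = V x EF, in the range 0..10."""
    return IMPACT_CLASS_VALUE[impact_class] * EXPOSURE_FACTOR[exposure_rate]


def impact_level(rate: float) -> str:
    """7-10 High, 4-6 Medium, 0-3 Low."""
    if rate >= 7:
        return "High"
    return "Medium" if rate >= 4 else "Low"


def probability_rate(vuln_level: str, answers) -> int:
    """Probability rate = vulnerability grade + number of 'no' answers (0..10)."""
    if len(answers) != len(CONTROL_QUESTIONS):
        raise ValueError("one answer per control question is required")
    return VULNERABILITY_GRADE[vuln_level] + sum(1 for yes in answers if not yes)


def risk_level(impact: float, probability: int) -> tuple:
    """Risk level = impact rate x probability rate: 41-100 High, 20-40 Medium, 0-19 Low."""
    product = impact * probability
    if product > 40:
        return product, "High"
    return product, ("Medium" if product >= 20 else "Low")


@dataclass(frozen=True)
class Finding:
    asset: str
    threat: str
    impact_class: str       # H / M / L from the loss table
    exposure_rate: int      # 1..5
    vuln_level: str         # output of vulnerability_level()
    control_answers: tuple  # True = yes, one entry per CONTROL_QUESTIONS item


def assess(f: Finding) -> dict:
    """Detailed risk level for one asset/threat finding."""
    imp = impact_rate(f.impact_class, f.exposure_rate)
    prob = probability_rate(f.vuln_level, f.control_answers)
    product, level = risk_level(imp, prob)
    return {"asset": f.asset, "threat": f.threat, "impact_rate": imp,
            "impact_level": impact_level(imp), "probability_rate": prob,
            "risk": product, "risk_level": level}


def prioritize(findings) -> list:
    """Detailed risk-level prioritization, highest risk first."""
    return sorted((assess(f) for f in findings), key=lambda r: r["risk"], reverse=True)


# Constructed findings. The first one's control answers are the slide's LAN/remote
# host example: three yes, two no -> score 2; vulnerability high -> grade 5.
FINDINGS = [
    Finding("DB server", "unauthorized remote access", "H", 4, "high",
            (True, True, True, False, False)),
    Finding("Client data", "alteration by malware", "M", 4, "high",
            (True, False, True, True, False)),
    Finding("LAN printer", "denial of service", "L", 5, "high",
            (True, True, True, True, True)),
]

if __name__ == "__main__":
    for r in prioritize(FINDINGS):
        print(f"{r['asset']:<12} {r['threat']:<28} impact={r['impact_rate']:>4} "
              f"prob={r['probability_rate']:>2} risk={r['risk']:>5} {r['risk_level']}")
```

Because the probability rate adds the control score to the vulnerability grade, the same "high" vulnerability scores 5 where all five control questions are answered yes and 10 where none are: the control inventory of step 2 is what moves a finding between bands, not the vulnerability alone.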

• Qualitative analysis of the security risk (simplified version)
    We establish the probability of disaster occurrence. We establish the consequences of disasters. We establish the qualitative risk analysis matrix.
    - E - Extreme risk. Immediate action is required to reduce it. A detailed review of the assets and of the risk reduction management plans is required. Strategies must be imposed.
    - H - High risk. The manager must take it into consideration immediately. Management strategies will be identified. As in the previous case, the risk must be minimized.
    - M - Moderate risk. The manager must take it into consideration.
    - L - Low risk. Actions specified in the routine procedures.
    The tables used in the qualitative analysis of risk must be customized for the specific activities and places.

    | Occurrence probability \ Consequences | 1 Insignificant | 2 Minor | 3 Moderate | 4 Major | 5 Catastrophic |
    |---|---|---|---|---|---|
    | A (almost certain) | H | H | E | E | E |
    | B (likely) | M | H | H | E | E |
    | C (moderate) | L | M | H | E | E |
    | D (unlikely) | L | L | M | H | E |
    | E (rare) | L | L | M | H | H |


• Security risk analysis: quantitative analysis of the security risk
    For the quantitative analysis of risk the following steps are to be followed:
    1. Identifying and evaluating the assets (goods)
    2. Determining the vulnerabilities
    3. Estimating the occurrence probability
    4. Computing the estimated annual losses
    5. Control measures analysis
    6. Computing the investment return (IR)

• 1.a. Identifying the assets (quantitative analysis)
    It assumes the identification of the software and hardware components, the data, the personnel involved in the processes, the related documentation, support etc.

• 1.b. Asset evaluation (quantitative analysis)
    When evaluating assets it is preferable to use a scale of asset values.
    Determining the value of impact for the assets: case 1, replacement costs; case 2, recovery costs.

• 1.b. Asset evaluation (quantitative analysis)
    It assumes establishing the replacement costs for the cases when a certain asset is destroyed. To evaluate the assets we have to ask ourselves some questions; some of these are listed below.
    Regarding the hardware components:
    - What is the replacement cost of the asset at present prices?
    - How long does it take until the destroyed asset/component is replaced?
    - If the operation(s) can be done manually, how many people do we need, and how much additional time is needed?
    - What are the losses in customer relations in case of non-functionality?
    Regarding the software components:
    - How long will it take the programmer to find the problem in case of a program malfunction?
    - How long will it take to load and test the debugged program?
    - How long will it take to reinstall the operating system in case of disaster?
    For data:
    - Can the data be restored?
    - How much time is lost while restoring the data in case of loss?
    - Was the disaster caused by a deliberate action or by a random event?
    For personnel:
    - How many people do we need to work on disaster recovery?
    - How much does it cost to train new personnel?
    - What are the psychological effects of disasters?


• Example: estimating the impact value on an area (quantitative analysis)
    Every asset has, in case of its loss or malfunction, an impact on the elements necessary for assuring security: secrecy (confidentiality), integrity, availability and non-repudiation.

    We consider a file which stores the personal data of 200 employees of a company. After an undesired event (intentional, unintentional, accident, natural phenomenon), both the data in the file and its structure are lost. There is no backup copy. Restoring the file's structure can be done by a qualified person working 4 hours during the schedule, paid 2.5 USD/hour. Restoring the data is done outside the schedule by the same or a different person; this takes 5 hours and is paid 3 USD/hour (overtime).
    Restoration costs: 4 (hours) x 2.5 (USD/hour) + 5 (hours) x 3 (USD/hour overtime) = 10 + 15 = 25 USD.
    The loss of secrecy, the nature of the disaster being unknown, causes losses estimated at 5,000 USD, this being the area with the highest impact compared with the restoration costs.
    In this case the asset value is 5,000 (secrecy) + 0 (integrity) + 25 (availability, i.e. restoration) = 5,025 USD.

• 2. Determining the vulnerabilities (quantitative analysis)
    Assumes establishing the threats to the assets and the frequency with which these threats can occur. The possible threats to the company's assets are those exemplified in the threat tables above.

• 3. Estimating the occurrence probability (quantitative analysis)
    The probability that an incident occurs in a given period of time is established, expressed as an incident occurrence frequency. In the following table the incident occurrence frequency is exemplified:
    [Table: the incident occurrence frequency]


• 4. Calculating the estimated annual loss (quantitative analysis)
    Calculate the Annual Loss Expectancy per threat:
        ALE_t = sum over a = 1..n of V_a x O_t
    where ALE_t = Annual Loss Expectancy per threat t, V_a = value of asset a (n assets), O_t = estimated number of occurrences per year of threat t (m threats).

    Calculate the Annual Loss Expectancy per asset:
        ALE_a = sum over t = 1..m of V_a x O_t
    where ALE_a = Annual Loss Expectancy per asset a, V_a and O_t as above.

• Calculate the total Annual Loss Expectancy (quantitative analysis)
    Determine the total ALE by summing over the threat categories:
        ALE = sum over t of ALE_t
    Determine the total ALE by summing over all the assets:
        ALE = sum over a of ALE_a
    ALE = total Annual Loss Expectancy for all asset/threat pairs.
    Check for correctness! Both calculations of ALE must produce the same value.

    Survey new controls: observe which threats produce the greatest ALE_t (the maximum ALE per threat); identify possible controls which may reduce the vulnerability (some may apply to several vulnerabilities).

• 5. Control measures analysis (quantitative analysis)
    The threat that produces the highest estimated annual loss is identified. The measures that can lead to reducing the vulnerability are identified.
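As an added example (not part of the original slides), the Python below implements steps 1.b, 4, 5 and 6: the asset value from the 200-employee file example (5,000 + 0 + 25 = 5,025 USD), ALE per threat, ALE per asset, the total ALE with its correctness check, the threat with the greatest ALE_t, and a return-on-investment figure for a candidate control. It generalizes the O_t of the formulas above to an occurrence rate per asset/threat pair, O_{a,t}, because a threat rarely hits every asset equally (fire concerns the server room, malware the workstations); with one rate per threat the per-pair rate simply repeats. The inventory, occurrence rates and control cost are constructed, and the investment-return formula (ALE reduction minus control cost, divided by control cost) is an assumption, since the slides give no formula for step 6.

```python
"""Quantitative (annual loss expectancy) risk analysis over asset/threat pairs,
following the slides' steps: asset valuation, ALE per threat, ALE per asset,
total ALE with the correctness check, and the investment return of a control."""
import math
from collections import defaultdict
from dataclasses import dataclass


def restoration_cost(regular_hours: float, regular_rate: float,
                     overtime_hours: float, overtime_rate: float) -> float:
    """Labour cost of restoring a lost asset (step 1.b, recovery-cost case)."""
    return regular_hours * regular_rate + overtime_hours * overtime_rate


def asset_value(secrecy_loss: float, integrity_loss: float, availability_loss: float) -> float:
    """V_a as the sum of the loss estimated on each security property."""
    return secrecy_loss + integrity_loss + availability_loss


@dataclass(frozen=True)
class Pair:
    asset: str
    threat: str
    value: float        # V_a, value of the asset
    occurrences: float  # O_{a,t}: expected occurrences per year of threat t against asset a

    @property
    def annual_loss(self) -> float:
        return self.value * self.occurrences


def ale_per_threat(pairs) -> dict:
    """ALE_t = sum over assets of V_a x O_{a,t}."""
    out = defaultdict(float)
    for p in pairs:
        out[p.threat] += p.annual_loss
    return dict(out)


def ale_per_asset(pairs) -> dict:
    """ALE_a = sum over threats of V_a x O_{a,t}."""
    out = defaultdict(float)
    for p in pairs:
        out[p.asset] += p.annual_loss
    return dict(out)


def total_ale(pairs) -> float:
    """Total ALE; both summation orders must agree (the slide's correctness check)."""
    by_threat = sum(ale_per_threat(pairs).values())
    by_asset = sum(ale_per_asset(pairs).values())
    if not math.isclose(by_threat, by_asset):
        raise ArithmeticError(f"ALE mismatch: {by_threat} vs {by_asset}")
    return by_threat


def worst_threat(pairs) -> tuple:
    """Step 5: the threat with the greatest ALE_t is the first control target."""
    return max(ale_per_threat(pairs).items(), key=lambda kv: kv[1])


def apply_control(pairs, threat: str, occurrence_factor: float) -> list:
    """Model a control that scales the occurrence rate of one threat (0.1 = 90% fewer)."""
    return [Pair(p.asset, p.threat, p.value, p.occurrences * occurrence_factor)
            if p.threat == threat else p for p in pairs]


def investment_return(ale_before: float, ale_after: float, annual_control_cost: float) -> float:
    """Step 6 (assumed formula): (ALE reduction - control cost) / control cost."""
    return ((ale_before - ale_after) - annual_control_cost) / annual_control_cost


# The slide's personnel-file example: 5,000 USD secrecy loss, no integrity loss,
# 4 h x 2.5 USD + 5 h x 3 USD of restoration work -> 5,025 USD.
PERSONNEL_FILE_VALUE = asset_value(5000, 0, restoration_cost(4, 2.5, 5, 3))

# Constructed inventory: values in USD, occurrence rates per year.
PAIRS = [
    Pair("personnel file", "accidental deletion", PERSONNEL_FILE_VALUE, 0.5),
    Pair("personnel file", "theft", PERSONNEL_FILE_VALUE, 0.1),
    Pair("DB server", "fire", 40000, 0.02),
    Pair("DB server", "hardware failure", 40000, 0.5),
    Pair("workstation", "malware", 1500, 2.0),
    Pair("workstation", "theft", 1500, 0.2),
]

if __name__ == "__main__":
    print("ALE per threat:", ale_per_threat(PAIRS))
    print("ALE per asset :", ale_per_asset(PAIRS))
    before = total_ale(PAIRS)
    threat, loss = worst_threat(PAIRS)
    after = total_ale(apply_control(PAIRS, threat, 0.1))  # e.g. spare hardware plus monitoring
    print(f"total ALE {before:.2f}; worst threat '{threat}' ({loss:.2f})")
    print(f"after control: ALE {after:.2f}, investment return "
          f"{investment_return(before, after, 3000):.2f}")
```

Note how the ranking by ALE_t hides the distinction the drawbacks slide mentions: a 40,000 USD server failing twice a year and a fire destroying it once in 50 years would be treated alike if their products were equal, so the per-threat table should be read together with the raw occurrence rate before a control is chosen.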

• Security risk analysis: drawbacks of the quantitative method
    The quantitative method of risk analysis is mainly used in medium and/or large companies.
    The quantitative method shown has some drawbacks. Among these we can mention:
    - The difficulty of finding a number that quantifies as exactly as possible the occurrence frequency of an event.
    - The difficulty of quantifying certain values. For example, the availability of information and the resulting losses are very hard to value when that property is missing.
    - The method does not distinguish between rare threats that produce great disasters in value (fire, earthquakes, tornado etc.) and frequent threats that produce small losses (operating errors); the annual loss expectancy can be almost the same in both cases.
    - The choice of the numbers used can be considered subjective; it is laborious work that takes time and resources.

• Comparison between the quantitative and the qualitative security risk analysis

    | | Quantitative analysis | Qualitative analysis |
    |---|---|---|
    | Benefits / advantages | Risks are prioritized by their financial impact; assets are prioritized by their financial value. The results support risk management through security investments. The results take tangible values (financial values, percentages etc.). Accuracy tends to increase over time, because the company builds a database with the history of events while gaining experience. | Allows a better and clearer hierarchy of risk values. Allows a faster consensus because of the values used. Quantifying the threat frequency is not necessary. The financial value of the assets does not need to be determined. |
    | Drawbacks | The impact value of every risk is based on the subjective opinions of those who do the analysis. The processes through which credible results are obtained take a long time. The calculations are very complex and time-consuming. The results are expressed only in monetary terms and are hard to interpret for non-technical personnel. | Does not differentiate the risks enough. It is hard to justify an investment in security measures/controls when it is not based on a cost-benefit analysis. The results are subjective and depend on the quality and composition of the risk analysis team. The process requires experienced personnel who cannot be trained easily. |

• Decisional process coordination: phases (Microsoft)
    - Defining the functional requirements.
    - Identifying the control solutions.
    - Reviewing the proposed control solutions against the functional requirements.
    - Estimating the degree of risk reduction.
    - Estimating the cost of every solution.
    - Selecting the risk mitigation/attenuation strategy.
    http://technet.microsoft.com/en-us/library/cc163143.aspx

• Participants in the decisional process coordination phase

    | Participant | Responsibilities |
    |---|---|
    | Business operators | Identify the available control procedures for risk control. |
    | Business owner | Analyses the cost-benefit report for the risks. |
    | Financial group | Assists the cost-benefit analysis. Defines the resource allocation. |
    | Human resources office (HRO) | Identifies the personnel training demands according to the adopted measures. |
    | IT architecture | Identifies and evaluates the possible control solutions. |
    | IT engineering | Determines the cost of the control solutions and their method of implementation. |
    | IT operations | Effective implementation of the control solutions. |
    | Internal auditor | Identifies the degree of conformity with the demands and evaluates control effectiveness. |
    | Legal | Checks the legality of the controls according to the company's policy and the contractual aspects. |
    | Public relations (PR) | Estimates the impact of the adopted control solutions on the market. |
    | Security coordination committee | Selects the control solutions based on the recommendations of the risk management team. |
    | Risk management team | Defines the functional demands for the control of each category of risk. Informs the stakeholders about the stage of the control application projects and the personnel affected. |

• Necessary information in the decisional process coordination phase

    | Information to be collected | Description |
    |---|---|
    | Decision on how every risk is handled | How each major risk is to be treated. Every major risk must be addressed (controlled or consciously accepted); certain major risks can be avoided. |
    | Functional demands (requirements) | Statements describing the elements necessary for risk attenuation. |
    | Potential control solutions | Lists of possible controls, identified by the risk management team, that can be effective in attenuating every risk. |
    | Degree of risk reduction for every control solution | Evaluation of every proposed control measure to determine how much it reduces the risk level for the assets. |
    | Estimated cost for every control solution | Total costs associated with the purchase, implementation, support and effectiveness measurement for every proposed control. |
    | List of control solutions to be implemented | The choice is made based on a cost-benefit analysis. |

• In the decisional process coordination phase, certain questions must be asked in order to choose the controls meant to reduce the risks:
    - How long will the control be effective?
    - How many person-hours per year will be required to monitor and maintain the control?
    - How much inconvenience will the control impose on users?
    - How much training will be needed for those responsible for implementing, monitoring and maintaining the control?
    - Is the cost of the control reasonable, relative to the value of the asset?

• Defining the functional requirements
    The functional requirements for ensuring security are statements describing the controls necessary for risk attenuation.
    Controls must be expressed as a functional requirement rather than as a functional status.
    Functional requirements must be defined for each of the risks.
    The functional requirements define WHAT must be done to identify and reduce the risk, but do not specify HOW the risk is attenuated and do not indicate specific controls. HOW the risk is attenuated, by identifying the control solutions, is the task of the risk control/mitigation/attenuation group.

• Identifying the control solutions
    Identifying the control measures requires the team with this task to have experience in the field. If the personnel are not specialized for this purpose, specialists or consultants from outside the company can be called in (outsourcing); they can take over all the tasks or provide assistance in the field.
    Methods/approaches for identifying control solutions: informal brainstorming; classifying and organizing controls.
    http://technet.microsoft.com/en-us/library/cc163143.aspx

• Informal brainstorming
    A coordinator puts questions to the risk evaluation team; every answer is a proposed control (for example, a UPS), recorded by a secretary.
    Questions and example answers:
    - What steps must the company go through to prevent a risk or to control it? A: Implementing multi-factor authentication to reduce the risk of password compromise.
    - What can the company do for recovery (disaster recovery) once the event has been triggered? A: Backup, backup, backup. Teams and action procedures in case of disaster. Auxiliary systems.
    - What measures can the company take to detect a risk? A: Video surveillance systems. Intrusion detection systems at host and workstation level.
    - How can the company check that a control is placed where it is supposed to be, that it works and that it can be monitored? A: An expert in the field.
    - How can the company confirm that an adopted control is effective? A: Specialization and periodic training of the internal personnel, or collaboration with a specialized company (person).
    - Are there other measures that can be taken for risk control? A: Insurance (in the case of inventory objects).
    http://technet.microsoft.com/en-us/library/cc163143.aspx

• Classifying and organizing controls
    The method classifies the possible controls in three categories: organizational, operational and technological.
    Each category is split into subcategories with the following purposes: prevention, detection and response (management).
    http://technet.microsoft.com/en-us/library/cc163143.aspx

    | Type of control | Description | Subcategories |
    |---|---|---|
    | Organizational | Procedures and processes that establish how the personnel act in case of events. | Prevention; detection; response (management) |
    | Operational (processes) | Define how the personnel work with the data and with the software and hardware components. The general and specific protection elements are included. | Prevention; detection |
    | Technological | The infrastructure, architecture, engineering, hardware, software and firmware elements are included: all the technological components used to build the company's information system. | Prevention; detection; response (management) |

  • Classifying and organizing controls: organizational controls, prevention
    Clear roles and responsibilities. Defining and documenting them clearly will make the managers and employees understand the responsibilities of each work station.

    Separation of duties and least privilege. This ensures that every work station is permitted only the operations needed to carry out its working tasks.

    Well documented security plans and procedures. These are developed to explain how the control systems were implemented and how they must be maintained.

    Training and information campaigns. Training is necessary so that the personnel is always up to date with the technology; information campaigns are necessary to warn the personnel about the changes that were made.

    Systems and processes for user activation/deactivation. These are necessary so that newly hired personnel becomes productive as fast as possible, and personnel that no longer works in the company immediately loses its rights. The same principles must be applied when personnel is transferred between two departments. A change of classification for a post or department must also be taken into consideration.

    Establishing the processes for providing access to business partners. All business partners are included: suppliers, clients, distributors, subcontractors etc. The principles are similar to the ones mentioned before.

  • Classifying and organizing controls: organizational controls, detection
    Continuous risk control programs for evaluating and controlling the risk in the key departments of the company.

    Recurrent reviews of the control systems to verify their efficiency.

    Periodical system audits for ensuring that the control systems were not compromised or poorly configured.

    Reference and background checks for new employees.

    Establishing a job rotation system. This will allow the discovery of dishonest activities amongst the IT teams and amongst the employees who have access to sensitive data.

  • Classifying and organizing controls: organizational controls, response (management)
    Incident response plans. These plans include fast reaction measures for recovery in case of a security violation and for minimizing the impact, preventing the spread to other systems. The incident response plans must allow the gathering of evidence that would eventually allow the prosecution of the guilty person.

    Business continuity plan. Contains the plans meant to keep the company operating, totally or partially, in the case of catastrophic events that affect the greatest part of the IT infrastructure.

  • Classifying and organizing controls: operational controls, prevention
    System protection through physical means. Protection perimeters, room dividers, electronic locks, biometric identifiers etc. are included.

    Physical protection for end-user systems (workstations). Locking of computers and mobile systems in case of theft and encryption of the files stored on mobile hard drives are included.

    Providing electricity when needed. These systems provide the electricity necessary for the computers to function when the primary energy source is not available. They also ensure the normal shutdown of the applications and operating systems running on the system, thus avoiding data loss.

    Anti-fire systems. Include the automatic fire warning systems, fire fighting systems and also the extinguishers.

    Temperature and humidity control systems. These systems are meant to keep the systems functioning within the parameters indicated by the manufacturer, extending their life.

    Procedures for accessing data stored on external hard drives. These allow only authorized personnel to access these data.

    Backup systems. These allow the immediate recovery of lost data. In some cases the backup files must be kept outside the company, in order to be used in case of major disasters.

  • Classifying and organizing controls: operational controls, detection
    Physical security. Systems that protect the company from persons who want to break into it. Sensors, alarms, surveillance cameras, perimeter and movement sensors are included.

    Security from the environment. Systems that protect the company from threats coming from the environment. Smoke and fire detectors, flood detectors, atmospheric overload detectors, spark gaps (surge arresters) etc. are included.

  • Classifying and organizing controls: technological controls, prevention
    Authentication/identification. The process of validating the identification elements of a person, computer, process or device. Authentication verifies that the entity requesting it is the one it claims to be. The forms of authentication are: username and password, Kerberos, tokens, biometrics, certificates.

    Authorization. The process of granting access to certain information, services or functions to a person, computer or device. Authorization is obtained after authentication has been granted.

    Access (access control). The process of limiting access to certain information, based on the user's identity and on membership of certain groups.

    Non-repudiation. A technique used to make sure that a person who has performed an action on a computer cannot deny that action.

    Communication protection. For protecting communication at the network level, encryption is used to ensure the integrity and confidentiality of the transmitted data.

  • Classifying and organizing controls: technological controls, detection
    Audit systems. These systems make it possible to monitor and follow the evolution of a system in order to see whether it works within the configured parameters. The audit systems are a basic instrument for detecting, understanding and recovering from events.

    Antivirus programs. Antivirus programs are built to detect and respond to a series of malicious programs (viruses, worms, trojan horses etc.). The response consists in blocking the user's access to the infected files, cleaning the infected files and systems, and informing the user about the infected components.

    Instruments for maintaining system integrity. These instruments help the IT personnel responsible for security determine where an unauthorized modification has been made (e.g. file checksums).

  • Classifying and organizing controls: technological controls, response (management)
    Tools for security administration. These instruments are included in the operating systems, programs and devices meant to ensure security on a certain segment.

    Cryptography. Creating, storing and distributing cryptographic keys in safe conditions gave birth to technologies such as Virtual Private Networks (VPN), authentication in safe conditions and also data encryption on certain hard drives.

    Identification. Allows the facility to identify a certain entity in a unique way. With the help of this facility others can be built: accounting, discretionary access control, role-based access control and mandatory access control.

    Protections inherent in the system. These are facilities implemented in systems that ensure the security of the information being processed or stored in that system. Amongst these we have: object reuse, the use of NX (Non-Execute) memory zones and process separation.

  • Reviewing the proposed solutions according to the demands
    The security risk management team must approve the proposed control solutions taking into account the definition of the functional demands.

    Estimating the degree of risk reduction. Questions that must be asked:
    Does the proposed control prevent a specific attack or a specific category of attacks?
    Does the proposed control reduce/minimize the risk for a certain class of attacks?
    Is the proposed control capable of recognizing an attack/exploit while it is happening?
    If the proposed control recognizes an attack/exploit while it is happening, is it capable of resisting it and tracking the attack?
    Can the proposed control help with the recovery of goods (data) after an attack?
    Can the proposed control help restore data?
    Does the proposed control offer any other benefits?
    What is the value of the proposed control relative to the value of the good?

  • Estimating the cost for each solution
    Acquisition costs | Contain the software and hardware costs, or the services, necessary for acquiring a control. Also contain the costs necessary for development and for updating the existing ones.
    Implementation costs | Contain the costs necessary for the own teams or for consultants to install and configure the proposed controls.
    Subsequent costs | These are costs difficult to estimate. We include here the costs associated with the new controls over a certain period of time: management, monitoring and maintenance costs. Sometimes they are 24/7 (24/7/365) costs.
    Communication costs | Contain the costs necessary for informing the personnel about the new policies and procedures for ensuring the security implemented within the company.
    IT personnel training costs | Contain the costs necessary for training the IT personnel to implement, manage, monitor and maintain the new controls.
    User training costs | Contain the costs necessary for training the personnel to incorporate the new controls in the usual procedures.
    Productivity costs | Actually contain the (initial) productivity losses until the use of the new controls becomes routine. In many cases these losses are due to the lack of communication and personnel training.
    Audit and verification costs | Contain the costs the company will periodically bear for auditing and verifying the effectiveness of the adopted controls. In some cases these costs go to specialized companies.

  • Selecting the risk reduction solutionIn this stage the risk level achieved after adopting the new controls will be compared with the control solution costs.Both the risks (risk level) and the costs of adopted solution contain subjective values that make a financial quantification rather difficult.

  • Policies and security models
    The following items are aimed to be protected: memory; files or data that are stored on an auxiliary hard drive; the executable program in memory; the structure of directories/folders; an electronic device; data structures; the operating system; instructions; passwords; the protection system itself.

    A security policy is made from a set of measures accepted by the management, which provides clear but flexible rules for determining the standard operations and technologies necessary for ensuring security. A security policy is a document that emphasizes the main demands or rules that must be known and applied for ensuring security. A security policy captures the security demands of a company and describes the steps for ensuring security.

    A standard is formed from a set of system or procedural demands that must be known and implemented. A standard will describe, for example, how the security of a Windows Server 2003 placed in an unsecured area can be increased.

    A guideline is a set of specific system or procedural suggestions necessary for the best practical implementation. These are not compulsory, but are highly recommended.

  • Controls implementation
    Searching for an integrated approach
    Organizing the control solutions
    http://technet.microsoft.com/en-us/library/cc163143.aspx

  • Participants in the phase of Controls implementation

    Participant | Responsibilities
    IT engineers | Determine the way of implementing the control solutions
    IT architecture designers | Define the way of implementing the control solutions so that they are compatible with the existing systems
    IT operators | Implement the technical control solutions
    Personnel responsible for information security | Help in solving the problems that appeared in the testing and development phases
    Financial personnel | Make sure that the level of expenses regarding implementation is at the established level

  • Measuring the effectiveness of the program
    1. Developing the security risk evolution diagram
    2. Measuring the effectiveness of controls
    3. Reevaluation (continuous evaluation) of the control measures and of the changes occurred in the goods and risks
    http://technet.microsoft.com/en-us/library/cc163143.aspx

  • Participants in the phase of Measuring the effectiveness of the program

    Participant | Responsibilities
    Personnel responsible for information security | Creates a report for the Committee of Security Coordination regarding the effectiveness of the adopted controls and the changes occurred in the risk level. In addition, it creates and maintains a risk level evolution diagram.
    Internal auditor | Validates the effectiveness of the implemented control solutions.
    IT engineers | Inform the security risk management team about the imminent changes.
    IT architecture designers | Inform the security risk management team about the planned changes.
    IT operators | Inform the security risk management team about the details referring to the security events.

  • Risk evolution diagram (figure): risk level per layer (Network, Host, Applications, Data, Physical); legend: high risk, medium risk, low risk.

  • Data Mining

  • Way of response to incidents (Microsoft)
    Protecting people's lives. This has to be the first priority. In certain situations the systems have an important role in protecting people's lives; their malfunction or non-function can lead to human losses. The systems that have a direct incidence on people's lives must be considered carefully.

    Limiting the damage. This assumes taking measures to limit the aftermath of an attack or an event. In many situations it must be decided very quickly between taking the infected server down and staying up and present on the market. In the case of an attack, the actions of the attacker must be monitored while the damage is limited. Evidence of the malicious action is kept in order to find the culprit. The damage provoked by physical events is limited as well.

    Evaluating the damage. After the damage limitation has been done, a damage evaluation is required. The damage evaluation gives a measure of the attack's success and also of its virulence. In the case of natural disasters, a measure of their intensity is given by the value of the damage created.

    Determining the causes. This mainly concerns establishing the source of the disaster. A disaster can be provoked by an accident or can be a wilful act. Disasters provoked by natural phenomena or accidents are easy to determine. Difficulties arise at determining the causes when these are provoked by the attack of a malicious person (cracker, hacker). Reviewing all the configurations is absolutely necessary.

    Repairing the damage. It is absolutely necessary that the damage is repaired as fast as possible, so that the company resumes its activity and comes back on the market. The plans and procedures at the level of the company must contain restoration strategies. The teams specialized for this purpose must provide assistance and guidance. In some cases repairing the damage must be done with great attention (e.g. the risk of reinfection with viruses from another system).

    Reviewing and updating. It is established which stages and actions were successful in the previous stages and which were not. The approach and action mistakes are established. The processes are modified, where needed, so that in the future they offer a higher effectiveness. Improvements and updates are done. The news/publications in the field are reviewed.
    http://technet.microsoft.com/en-us/library/cc163143.aspx

  • Methods of approach for risk analysis
    Quantitative analysis: works with statistical data in the field.
    Qualitative analysis: works with less complex data.
    Vulnerability analysis/workstation risk analysis: puts the employee in the foreground and quantifies the specific working conditions.

  • Security risk analysis: vulnerability/post analysis (vulnerability/workstation analysis)
    This method analyses risks starting from the work station and its characteristics. It follows the analysis of vulnerabilities in a department, prioritizing the human element as the main factor of vulnerability.

    The following facts are analyzed:
    The working conditions specific to each group of posts.
    The level of professional training of the occupant of the post.
    The access level for the post.
    The features specific to each post in the group of posts.
    The asset/goods (or category of assets/goods) the post/person is in contact with.

  • Vulnerability/workstation analysis
    The method implies following these steps:
    1. Identifying the goods and the threats to which they are exposed.
    2. Estimating the probability and the impact on vulnerability.
    3. Emphasizing the vulnerable points.
    4. Identifying the control methods.

  • Vulnerability/workstation analysis

    Risk level matrix (probability x exposure):
    Probability \ Exposure | Low | Medium | High
    Low | 1 | 3 | 6
    Medium | 2 | 5 | 8
    High | 4 | 7 | 9

    Threat (per working station/good) | Risk level
    Voltage drop | 9
    Shocks/voltage disturbances | 8
    Personnel errors | 7
    ... | ...
    Unauthorized use | 2
    Floods | 1

  • Vulnerability/workstation analysis: the impact of the informatic system components on security

  • Vulnerability/workstation analysis: impact on data security and losses caused by employee training

  • Vulnerability/workstation analysis: social engineering attack types aimed at the company employee: phone, e-mail, IM/IRC, hoax applications.

  • Another category of actions that have as effect productivity losses is represented by unsolicited e-mails, the so-called spam e-mails. According to Yankee Group (www.yankeegroup.com), spam messages create annually productivity losses estimated at 4 billion USD.
    In 2003 (Feb.) 42% of the e-mails were spam.
    In 2004 (Feb.) 62% of the e-mails were spam.
    ? What can be done in this case?

    A study made in 1999 by Net-Partners Internet Solutions showed that, at the level of the United States, the employers have had productivity losses estimated at 500,000,000 USD due to the fact that almost 13,500,000 employees have read or downloaded the Starr report at work. The Starr report contains data referring to the scandal in which the US President Bill Clinton and the White House employee Monica Lewinsky were involved.
    ? How can this type of losses be eliminated?

  • Vulnerability/workstation analysis: workstation customization diagram (figure). Inputs: professional training, IT training, conduct, references. Workstation customization detailing: the general goods and the specific goods the occupant is in contact with. Quantification "(+/- 05/010)", processing and data collection lead to the risk level (high, medium, low); software quality is also shown.

  • Other methods: risk analysis at the level of the network (M. Kaeo, Designing Network Security, Cisco Press, Indianapolis, Indiana 46290 USA, 1999)

    Occurrence rate (value | explanation):
    1 | Unlikely
    2 | Likely
    3 | Most likely

    Volume of losses (value | explanation):
    1 | Low losses
    2 | Moderate losses
    3 | Critical losses

    Occurrence rate | Volume of losses | Risk value | Explanation
    1 | 1 | 1 | Low risk
    1 | 2 | 2 | Low risk
    1 | 3 | 3 | Medium risk
    2 | 1 | 2 | Low risk
    2 | 2 | 4 | Medium risk
    2 | 3 | 6 | High risk
    3 | 1 | 3 | Low risk
    3 | 2 | 6 | High risk
    3 | 3 | 9 | High risk

    Risk level (values | explanation):
    1, 2 | Low risk
    3, 4 | Medium risk
    6, 9 | High risk

  • Other methods: risk analysis at the level of the network (continuation)

    IR = D * I * C
    RR = IR * [(1 - PI) * (1 - PD)]

    RR Administrative = 6 * [(1 - 0,1) * (1 - 0,3)] = 6 * 0,9 * 0,7 = 3,78
    RR Technical = 12 * [(1 - 0,5) * (1 - 0,5)] = 12 * 0,5 * 0,5 = 3,00
    RR Financial = 18 * [(1 - 0,3) * (1 - 0,3)] = 18 * 0,7 * 0,7 = 8,82

    LAN | Availability [D] | Integrity [I] | Confidentiality [C] | Network importance [NI] (= IR) | Incident prevention [IP] (= PI) | Damage prevention [DP] (= PD) | Relative risk [RR]
    Administrative | 2 | 3 | 1 | 6 | 0,1 | 0,3 | 3,78
    Technical | 2 | 3 | 2 | 12 | 0,5 | 0,5 | 3,00
    Financial | 2 | 3 | 3 | 18 | 0,3 | 0,3 | 8,82

    PI / PD scale: Very low 0,1; Low 0,3; Moderate 0,5; High 0,7; Very high 0,9
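    The Kaeo scoring above, as an added example that is not part of the original slides or of Kaeo's book: the scale values and the three LAN rows are taken from the tables on the page, while the names (NetworkSegment, residual_after, rank_by_relative_risk) and the what-if helper are my own. It reproduces the IR and RR figures and then shows how raising a prevention level lowers the residual risk, which the static table cannot show.

```python
"""Network-level risk scoring (Kaeo method). Added example, not code from the
course or from Kaeo's book: it turns the page's rating tables and the IR / RR
formulas into functions, reproduces the three LAN rows and shows how a stronger
prevention control changes the relative risk."""
from dataclasses import dataclass, replace

RATINGS = (1, 2, 3)  # occurrence rate, volume of losses, D, I and C are all rated 1..3
# Prevention levels shared by PI (incident prevention) and PD (damage prevention).
PREVENTION = {"Very low": 0.1, "Low": 0.3, "Moderate": 0.5, "High": 0.7, "Very high": 0.9}


def risk_value(occurrence_rate: int, volume_of_losses: int) -> int:
    """Risk value = occurrence rate x volume of losses (third table)."""
    if occurrence_rate not in RATINGS or volume_of_losses not in RATINGS:
        raise ValueError("both ratings must be 1, 2 or 3")
    return occurrence_rate * volume_of_losses


def risk_level(value: int) -> str:
    """Map a risk value to the page's three classes (risk level table)."""
    if value in (1, 2):
        return "Low risk"
    if value in (3, 4):
        return "Medium risk"
    if value in (6, 9):
        return "High risk"
    raise ValueError(f"{value} is not a product of two 1..3 ratings")


@dataclass(frozen=True)
class NetworkSegment:
    """One LAN with its D, I, C ratings (1..3) and its prevention levels."""
    name: str
    availability: int         # D
    integrity: int            # I
    confidentiality: int      # C
    incident_prevention: str  # PI label from PREVENTION
    damage_prevention: str    # PD label from PREVENTION

    def importance(self) -> int:
        """IR = D * I * C, the network importance."""
        d, i, c = self.availability, self.integrity, self.confidentiality
        if any(r not in RATINGS for r in (d, i, c)):
            raise ValueError("D, I and C must be rated 1, 2 or 3")
        return d * i * c

    def relative_risk(self) -> float:
        """RR = IR * (1 - PI) * (1 - PD): the risk remaining after both controls."""
        pi = PREVENTION[self.incident_prevention]
        pd = PREVENTION[self.damage_prevention]
        return round(self.importance() * (1 - pi) * (1 - pd), 2)


def residual_after(segment: NetworkSegment, incident_prevention: str,
                   damage_prevention: str) -> float:
    """What-if: the relative risk if the segment's prevention levels were changed."""
    changed = replace(segment, incident_prevention=incident_prevention,
                      damage_prevention=damage_prevention)
    return changed.relative_risk()


def rank_by_relative_risk(segments):
    """Highest residual risk first: the order in which controls should be funded."""
    return sorted(segments, key=lambda s: s.relative_risk(), reverse=True)


# Constructed sample: the three LANs from the page's table.
SEGMENTS = [
    NetworkSegment("Administrative", 2, 3, 1, "Very low", "Low"),
    NetworkSegment("Technical", 2, 3, 2, "Moderate", "Moderate"),
    NetworkSegment("Financial", 2, 3, 3, "Low", "Low"),
]

if __name__ == "__main__":
    for seg in rank_by_relative_risk(SEGMENTS):
        print(f"{seg.name:<14} IR={seg.importance():>2}  RR={seg.relative_risk():.2f}")
    # Raising damage prevention on the Financial LAN from Low to High: 18 * 0.7 * 0.3
    print("Financial with PD=High:", residual_after(SEGMENTS[2], "Low", "High"))
```

    Note that the page's own risk value table classes (3, 1) as low risk while the risk level table puts the value 3 in medium risk; risk_level follows the risk level table.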

  • Questions referring to security investments (chart: costs versus risks)
    What is the acceptable level of risk?
    How much shall be invested in security?

  • Cost-benefit ratio in ensuring security. How much shall be invested in security?

  • Imposed security (financial)
    This risk analysis is done especially within large companies and eventually within medium companies. Small companies have no specialised personnel and no money to pay for such an evaluation. Nevertheless, a minimum of security measures must be taken. It is very well known that company managers are hard to convince to invest in something that doesn't bring immediate profit. And when they are convinced about the necessity of the sums for ensuring security, the allotted sums are below the required ones. In these conditions, security must be ensured with expenses that do not exceed a certain limit. We can speak of a financially imposed security. There are two alternatives for solving this situation:

    covering the most probable threats by keeping the initial control methods; covering all threats and reducing the costs of the control measures.

    The first measure will allow a maximum of security for certain threats but will leave other threats partially or totally uncovered. The second measure is preferable to the first, because it does not leave vulnerabilities uncovered by control measures. The second measure will impose reducing the expenses necessary for ensuring the controls in order to cover all the possible threats. This could be reflected in the modification and configuration of the control measures. For example, two APC UPS uninterruptible sources of 350 VA will not be bought at 95$ a piece for two computers, but a single APC UPS source of 650 VA at 140$ a piece. The saving is 50$ (95 x 2 - 140 = 50). In this case though, the two computers will have to be powered from the same uninterruptible source, by extending the power cables or by placing them very close to each other.

  • Security risk analysis: decision diagram (figure). Calculated sum (Cs) versus allocated sum (As): is Cs > As? NO / YES. Covering the most probable threats while keeping the initial control methods s.t. Cc
  • Security is hard to quantify. We will never be able to say within the company that we have security of a certain grade. We can only estimate it as being at a certain level: high, medium, low or non-existent. Nevertheless we can do a quantifica