Risk Assessment Richard Newman


Page 1: Risk Assessment Richard Newman. Six Phases of Security Process 1. Identify assets 2. Analyze risk of attack 3. Establish security policy 4. Implement

Risk Assessment

Richard Newman


Six Phases of Security Process

1. Identify assets

2. Analyze risk of attack

3. Establish security policy

4. Implement defenses

5. Monitor defenses

6. Recover from attacks

Continuous Improvement Model – use phases 5 and 6 (monitoring and recovery) to update, revise and improve all phases


Systems Engineering Process

1. Planning – requirements, resources, expectations

2. Trade-off analysis
– Solution development
– Solution analysis
– Solution comparisons
– Solution selection

3. Development and implementation – Realize selected solution

4. Verification – Formal verification, validation, testing

5. Iteration – Use feedback from each stage and from deployment to improve


Deming Cycle (PDCA)

1. Plan – Objectives, processes

2. Do – Implement process

3. Check – Measure results vs. expected results

4. Act – Analyze differences, find causes, revise processes

Related cycles and uses:
– ISO 27002, used with ISO 27001, for IT security management
– A.k.a. Shewhart Cycle (Walter Shewhart, father of statistical quality control)
– Motorola “Six Sigma”
– Boyd's OODA Cycle (Observe, Orient, Decide, Act) – military


Threats

Potential source of harm, characterized by
– Knowledge
– Resources
– Motive

Threat classes
– Script kiddies/ankle biters
– Cracker
– Phone phreak
– Hacker – black hat/white hat
– Organized crime
– Corporate crime
– Government group


Risk Level

Risk level changes over time
– Asset visibility
– Asset owner visibility
– Resource availability
– Access to assets
– Motivation changes
– Knowledge of vulnerabilities

Requires continuous re-evaluation

Must also consider consequences of breach


Identifying Assets

1. Hardware
– Off-the-shelf replacement cost/customization

2. Purchased software
– Cost/installation/customization

4. Developed software

5. Statutorily protected data
– Health/Financial/Academic/...

6. Organizational data
– Work products (designs/analyses/reports/...)
– Planning (marketing/engineering/financial/...)
– Contacts (customers/vendors/associates/etc.)

7. Activities
– Production/communication/...


Implementing Protection

Controls
– Hardware
– Software
– Processes

Costs
– Up-front cost to buy/develop/train/install/configure
– On-going operational costs – inconvenience/monitoring/reconfiguration
– Performance costs – CPU slowdown/human delay

Cost vs. Effectiveness


Risk Assessment

Identify Risks
– Identify assets
– Identify threat agents
– Identify attacks

Prioritize Risks
– Estimate likelihood of attacks
– Estimate impact of attacks
– Calculate relative significance of attacks


Threat agents revisited

Outsiders
– Property thieves
– Vandals
– Identity thieves
– Botnet operators
– Con artists
– Competitors

Insiders
– Embezzlers
– Housemates/coworkers
– Malicious acquaintances
– Maintenance crews
– Administrators

“Natural” threats
– Hurricane/tornado/earthquake/hail/rain/flooding/terrorism/war/...


Security Properties/Goals

Confidentiality
– All disclosures only reveal information to authorized recipients in accordance with policy

Integrity
– All changes are performed by authorized entities, and are consistent with integrity policy

Availability
– Assets available to authorized users when needed, with the performance required


Security Services

Confidentiality
– Restrict access to information to authorized recipients in accordance with policy

Integrity
– Only allow changes that are performed by authorized entities and are consistent with integrity policy

Availability
– Ensure assets are available to authorized users when needed, with the performance required

Authentication
– Establish that the entity that sent a message/made an access is correctly identified

Non-repudiation
– Ensure that an entity that performs an action/makes a statement cannot deny it later


Information Attacks

Physical theft
– Computing resource physically removed

Denial of Service
– Use of computing resource is lost

Subversion/Modification
– Asset modified to act on behalf of attacker (trojan horse)
– Authentic artifact modified to suit attacker

Masquerade/spoofing
– Attacker takes on identity of another when accessing resources

Disclosure
– Information revealed contrary to policy (passive attack)

Forgery/Replay
– Attacker produces artifact that appears authentic
– Attacker repeats authentic message


NIST Recommendations (SP 800-30 risk assessment steps)

1. System Characterization

2. Threat Identification

3. Vulnerability Identification

4. Control Analysis

5. Likelihood Determination

6. Impact Analysis

7. Risk Determination

8. Control Recommendations

9. Documentation

http://csrc.nist.gov/publications/drafts/800-30-rev1/SP800-30-Rev1-ipd.pdf
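Added example, not part of the original slides: a small qualitative risk register that carries out the "Prioritize Risks" steps (estimate likelihood, estimate impact, calculate relative significance), the "Cost vs. Effectiveness" comparison of controls, and steps 4 to 8 of the NIST list above (control analysis through control recommendations), plus the re-evaluation that "risk level changes over time" calls for. The assets, threat agents, attacks, scores and control costs are constructed for illustration; the 1..5 scales, the likelihood x impact product and the reduction-per-dollar ranking are one common scheme and are assumptions, not something the slides prescribe.

```python
# Added example (not from the slides): qualitative risk register with
# control cost/effectiveness ranking. All figures below are constructed.
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Risk:
    asset: str          # identify assets
    threat_agent: str   # identify threat agents
    attack: str         # identify attacks
    likelihood: int     # 1 (rare) .. 5 (expected); driven by agent knowledge/resources/motive
    impact: int         # 1 (negligible) .. 5 (catastrophic); consequences of breach

    def score(self) -> int:
        """Relative significance of the attack: likelihood x impact (1..25). Assumed scheme."""
        return self.likelihood * self.impact


@dataclass(frozen=True)
class Control:
    name: str
    attack: str                 # which attack in the register it mitigates
    likelihood_reduction: int   # points knocked off likelihood (e.g. removes a vulnerability)
    impact_reduction: int       # points knocked off impact (e.g. data is encrypted if stolen)
    upfront: float              # buy/develop/train/install/configure
    annual: float               # on-going operational + performance cost, per year

    def total_cost(self, years: int) -> float:
        return self.upfront + self.annual * years


def rank_risks(risks):
    """Highest significance first; ties broken toward the higher-impact risk."""
    return sorted(risks, key=lambda r: (-r.score(), -r.impact))


def residual(risk: Risk, control: Control) -> Risk:
    """Risk remaining after a control; neither axis drops below 1 (no control is perfect)."""
    return replace(
        risk,
        likelihood=max(1, risk.likelihood - control.likelihood_reduction),
        impact=max(1, risk.impact - control.impact_reduction),
    )


def rank_controls(risks, controls, years: int = 3):
    """Cost vs. effectiveness: score reduction per $1k spent over the planning horizon."""
    by_attack = {r.attack: r for r in risks}
    rows = []
    for c in controls:
        before = by_attack[c.attack]
        reduction = before.score() - residual(before, c).score()
        cost = c.total_cost(years)
        rows.append({
            "control": c.name,
            "attack": c.attack,
            "reduction": reduction,
            "cost": cost,
            "reduction_per_k": round(reduction / (cost / 1000), 3),
        })
    return sorted(rows, key=lambda row: -row["reduction_per_k"])


def reassess(risk: Risk, **changes) -> Risk:
    """Risk level changes over time (vulnerability disclosed, motive changes, ...):
    re-evaluate by producing a new Risk with the updated estimates."""
    return replace(risk, **changes)


# Constructed register (illustrative assets, agents, attacks and scores only).
RISKS = [
    Risk("customer database", "identity thieves", "SQL injection via web app", 4, 5),
    Risk("developed software", "competitors", "source theft by insider", 2, 4),
    Risk("office laptops", "property thieves", "physical theft", 3, 3),
    Risk("public web server", "botnet operators", "denial of service", 4, 2),
]

# Constructed controls: (name, attack, likelihood cut, impact cut, upfront $, annual $).
CONTROLS = [
    Control("parameterized queries", "SQL injection via web app", 3, 0, 20_000, 5_000),
    Control("full-disk encryption", "physical theft", 0, 2, 5_000, 1_000),
    Control("DDoS scrubbing", "denial of service", 2, 1, 0, 30_000),
    Control("repo access logging", "source theft by insider", 1, 0, 2_000, 3_000),
]

if __name__ == "__main__":
    for r in rank_risks(RISKS):
        print(f"{r.score():2d}  {r.asset:20s} {r.threat_agent:18s} {r.attack}")
    for row in rank_controls(RISKS, CONTROLS):
        print(f"{row['reduction_per_k']:6.3f}/k$  -{row['reduction']:2d}  ${row['cost']:>8,.0f}  {row['control']}")
    # A vulnerability in the repo tooling becomes public: likelihood rises, so re-rank.
    updated = [reassess(r, likelihood=4) if r.attack == "source theft by insider" else r
               for r in RISKS]
    print([r.attack for r in rank_risks(updated)][:2])
```

Two rankings come out, and they disagree on purpose: by absolute significance the SQL injection risk dominates, but per dollar the cheap disk-encryption control buys more reduction than the web-application fix. A control recommendation should present both views, since the highest-scoring risk may still need its expensive control regardless of ratio. The reassess step shows why the register is not a one-time artifact: once a vulnerability in the source-control tooling becomes public knowledge, the insider theft risk moves from the bottom of the list to second place without any change to the assets themselves.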


SEI OCTAVE Process

Phase 1 – Build Asset-based Threat Profiles
– Identify assets, threats, organizational risks

Phase 2 – Identify Infrastructure Vulnerabilities
– Analyze infrastructure resources for vulnerabilities

Phase 3 – Develop Security Strategy and Plans
– Recommend and implement controls

http://www.cert.org/octave/


OCTAVE Allegro

1. Establish risk measurement criteria

2. Develop information asset profile

3. Identify information asset containers

4. Identify areas of concern

5. Identify threat scenarios

6. Identify risks

7. Analyze risks

8. Select mitigation approach

http://www.cert.org/octave/allegro.html