CSE 4482 Computer Security Management:
Assessment and Forensics
Instructor: N. Vlajic, Fall 2013
Security Risk Management
Required reading: Management of Information Security (MIS), by Whitman & Mattord, Chapter 8 and Chapter 9
Learning Objectives Upon completion of this material, you should be able to:
• Define risk management and its role in an organization.
• Use risk management techniques to identify and prioritize risk factors for information assets.
• Assess risk based on the likelihood of adverse events and the effect on information assets when events occur.
• Document the results of risk identification.
A company suffered a catastrophic loss one night when its office burned to the ground.
As the employees gathered around the charred remains the next morning, the president asked the secretary if she had been performing the daily computer backups. To his relief she replied that yes, each day before she went home she backed up all of the financial information, invoices, orders ...
The president then asked the secretary to retrieve the backup so they could begin to determine their current financial status.
“Well”, the secretary said, “I guess I cannot do that. You see, I put those backups in the desk drawer next to the computer in the office.”
M. Ciampa, “Security+ Guide to Network Sec. Fundamentals”, 3rd Edition, p. 303
A true story …
Introduction
“Investing in stocks carries a risk …”
“Bad hand hygiene carries a risk …”
“Car speeding carries a risk …”
“Outdated anti-virus software carries a risk …”
• Risk Management – identification, assessment, and prioritization of risks followed by coordinated use of resources to monitor, control or minimize the impact of risk-related events or to maximize the gains.
examples: finances, industrial processes, public health and safety, insurance, etc.
one of the key responsibilities of every manager within an organization
http://en.wikipedia.org/wiki/Risk_management
• Risk – likelihood that a chosen action or activity (including the choice of inaction) will lead to a loss (an undesired outcome)
Introduction (cont.)
Risk in Information Security
• Risks in Info. Security – risks which arise from an organization’s use of info. technology (IT)
related concepts: asset, vulnerability, threat
http://csrc.nist.gov/publications/nistpubs/800-12/800-12-html/chapter7.html
• Asset – anything that needs to be protected because it has value and contributes to the successful achievement of the organization’s objectives
• Threat – any circumstance or event with the potential to cause harm to an asset and result in harm to the organization
• Risk – probability of a threat acting upon a vulnerability causing harm to an asset
• Vulnerability – the weakness in an asset that can be exploited by a threat
Risk in Information Security (cont.)
• Asset, Threat, Vulnerability & Risk in Info. Sec. http://en.wikipedia.org/wiki/File:2010-T10-ArchitectureDiagram.png
• Interplay between Risk & other Info. Sec. Concepts
Risk in Information Security (cont.)
http://blog.patriot-tech.com/
Security Risk Management
• Security Risk Management – process of identifying vulnerabilities in an organization’s info. system and taking steps to protect the CIA of all of its components.
two major sub-processes:
Risk Identification & Assessment
Risk Control (Mitigation)
Figure: Risk Management Cycle – Identify the Risk Areas → Assess the Risks → Develop Risk Management Plan → Implement Risk Management Actions → Re-evaluate the Risks
Security Risk Management
Figure: overview of Risk Management
∗ Risk Identification: Identify & Prioritize Assets; Identify & Prioritize Threats; Identify Vulnerabilities between Assets and Threats (Vulnerability Analysis)
∗ Risk Assessment: Calculate Relative Risk of Each Vulnerability
∗ Risk Control: Cost-Benefit Analysis; Control, Transfer, Avoid, Accept, Mitigate
Risk Identification
• Components of Risk Identification (figure: Whitman, Principles of Information Security, p. 122)
Risk Identification: Asset Inventory
• Risk identification begins with identification of information assets, including: people, procedures, data, software, hardware and networking.
No prejudging of asset values should be done at this stage – values are assigned later!
Risk Identification: Asset Inventory (cont.)
• Identifying Hardware, Software and Networking Assets
Can be done automatically (using specialized software) or manually.
Requires some planning – e.g. which attributes of each asset should be tracked, such as:
name – tip: naming should not convey critical info to potential attackers
asset tag – unique number assigned during acquisition process
IP address
MAC address
software version
serial number
manufacturer name
manufacturer model or part number
Risk Identification: Asset Inventory (cont.)
Example: Network Asset Tracker
http://www.misutilities.com/
http://www.misutilities.com/network-asset-tracker/howtouse.html
Risk Identification: Asset Inventory (cont.)
• Identifying People, Procedures and Data Assets
Not as readily identifiable as other assets – require that experience and judgment be used.
Possible attributes:
people – avoid personal names, as they may change; use:
∗ position name
∗ position number/ID
∗ computer/network access privileges
procedures:
∗ description
∗ intended purpose
∗ software/hardware/networking elements to which it is tied
∗ location of reference document, …
data:
∗ owner
∗ creator
∗ manager
∗ location, …
Risk Identification: Asset Ranking / Prioritization
Risk Identification: Asset Ranking
• Assets should be ranked so that the most valuable assets get the highest priority when managing risks
Questions to consider when determining asset value / rank:
1) Which info. asset is most critical to overall success of organization?
Example: Amazon’s asset ranking – Amazon’s network consists of regular desktops and web servers.
Web servers that advertise the company’s products and receive orders 24/7 – critical.
Desktops used by the customer service department – not so critical.
Risk Identification: Asset Ranking (cont.)
2) Which info. asset generates most revenue?
3) Which info. asset generates highest profitability?
Example: Amazon’s asset ranking – At Amazon.com, some servers support book sales (resulting in the highest revenue), while others support sales of beauty products (resulting in the highest profit).
4) Which info. asset is most expensive to replace?
5) Which info. asset’s loss or compromise would be most embarrassing or cause greatest liability?
Risk Identification: Asset Ranking (cont.)
Example: Weighted asset ranking (NIST SP 800-30)
Not all asset ranking questions/categories may be equally important to the company. A weighting scheme could be used to account for this …
Example worksheet (figure) – rows: data asset / information transmitted.
Each criterion is assigned a weight (0 – 100); the weights must total 100!
Each asset is assigned a score (0.1 – 1.0) for each critical factor.
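An added example (my code, not the slides’ or NIST SP 800-30’s) that applies the weighting scheme just described: weights must total 100, each asset scores 0.1–1.0 per criterion, and the weighted score ranks the assets. The criteria follow the slides’ ranking questions; the weights, asset names and scores are constructed.

```python
"""Added example, not from the slides or from NIST SP 800-30: weighted factor
analysis for asset ranking. The criteria follow the ranking questions on these
slides; the weights, asset names and scores are constructed."""

# criterion -> weight (0-100); the weights must total 100
WEIGHTS = {
    "critical to overall success": 30,
    "revenue generated": 25,
    "profitability": 20,
    "cost to replace": 10,
    "embarrassment / liability if lost": 15,
}

# asset -> {criterion: score}; each score must lie in [0.1, 1.0] (constructed values)
ASSETS = {
    "Web/order servers": {"critical to overall success": 1.0, "revenue generated": 1.0,
                          "profitability": 0.9, "cost to replace": 0.6,
                          "embarrassment / liability if lost": 0.8},
    "Customer service desktops": {"critical to overall success": 0.3, "revenue generated": 0.2,
                                  "profitability": 0.2, "cost to replace": 0.2,
                                  "embarrassment / liability if lost": 0.4},
    "Customer database": {"critical to overall success": 0.9, "revenue generated": 0.6,
                          "profitability": 0.7, "cost to replace": 0.8,
                          "embarrassment / liability if lost": 1.0},
}


def validate_weights(weights: dict) -> None:
    """Enforce the worksheet rules: each weight in 0-100 and all weights sum to 100."""
    for name, w in weights.items():
        if not 0 <= w <= 100:
            raise ValueError(f"weight for {name!r} must be in 0-100, got {w}")
    if sum(weights.values()) != 100:
        raise ValueError(f"weights must total 100, got {sum(weights.values())}")


def weighted_score(weights: dict, scores: dict) -> float:
    """Weighted asset value: sum of weight x score over all criteria (0-100 scale)."""
    validate_weights(weights)
    if set(scores) != set(weights):
        raise ValueError("every criterion needs exactly one score")
    total = 0.0
    for name, w in weights.items():
        s = scores[name]
        if not 0.1 <= s <= 1.0:
            raise ValueError(f"score for {name!r} must be in 0.1-1.0, got {s}")
        total += w * s
    return round(total, 1)


def rank_assets(weights: dict, assets: dict) -> list:
    """Return [(asset, weighted score), ...] with the most valuable asset first."""
    scored = [(name, weighted_score(weights, scores)) for name, scores in assets.items()]
    return sorted(scored, key=lambda item: item[1], reverse=True)


if __name__ == "__main__":
    for name, score in rank_assets(WEIGHTS, ASSETS):
        print(f"{score:5.1f}  {name}")
```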
Risk Identification: Threat Identification & Prioritization
Risk Identification: Threat Identification
• Any organization faces a wide variety of threats.
• To keep risk management ‘manageable’ … realistic threats must be identified and further investigated, while unimportant threats should be set aside
Example: CSI/FBI survey of types of threats/attacks
Risk Identification: Threat Identification (cont.)
• Threat Modeling/Assessment – practice of building an abstract model of how an attack may proceed and cause damage
Attacker-centric – starts from the attackers, evaluates their motivations and goals, and how they might achieve them through an attack tree.
System-centric – starts from a model of the system, and attempts to follow the model’s dynamics and logic, looking for types of attacks against each element of the model.
Asset-centric – starts from the assets entrusted to a system, such as a collection of sensitive personal information, and attempts to identify how CIA security breaches can happen.
http://www.uio.no/studier/emner/matnat/ifi/INF3510/v12/learningdocs/INF3510-2012-L03.pdf
Risk Identification: Threat Identification (cont.)
• Questions used to prioritize threats:
Which threats present a danger to organization’s assets in its current environment? ( ‘pre-step’ )
Goal: reduce the risk management’s scope and cost.
Examine each category from CSI/FBI list, or as identified through threat assessment process, and eliminate any that do not apply to your organization.
Which threats represent the most danger … ?
Goal: provide a rough assessment of each threat’s potential impact given current level of organization’s preparedness.
‘Danger’ might be a measure of: 1) severity, i.e. the overall damage that the threat could create; 2) probability of the threat attacking this particular organization
Risk Identification: Threat Prioritization
• Other questions used to assess/prioritize threats:
How much would it cost to recover from a successful attack?
Which threats would require greatest expenditure to prevent?
Risk Identification: Threat Prioritization (cont.)
• Once threats are prioritized, each asset should be reviewed against each threat to create a specific list of vulnerabilities.
• Threat ranking can be quantitative or qualitative.
Risk Identification: Vulnerability Analysis
Vulnerability Analysis
• Vulnerability – flaw or weakness in an info. asset, its design, control or security procedure that can be exploited accidentally or deliberately
sheer existence of a vulnerability does not mean harm WILL be caused – a threat agent is required
vulnerabilities are characterized by the level of tech. skill required to exploit them
vulnerability that is easy to exploit is often a high-danger vulnerability
Vulnerability Analysis (cont.)
Example: Vulnerability assessment of critical files
Asset: desktop (files)
Threat: Deliberate Software Attack – Virus Attack
Vulnerabilities:
∗ people open suspicious e-mail attachments [procedural / control weakness]
∗ antivirus software not up-to-date & file copying off USBs allowed [procedural / control weakness]
Vulnerability Analysis (cont.)
Example: Vulnerability assessment of critical files
Asset: server
Threat: DDoS Attack
Vulnerabilities:
∗ NIC can support data rates of up to 50 Mbps [design weakness]
∗ CPU ‘freezes’ at 10,000 packets/sec [design/implementation flaw]
Vulnerability Analysis (cont.)
Example: Vulnerability assessment of a router
Asset: router
Threat: Act of Human Error or Failure
Vulnerabilities:
∗ temperature control in router/server room is not adequate ⇒ router overheats and shuts down [control weakness, design flaw]
∗ net. administrator allows access to an unauthorized user ⇒ unauthorized user uploads a virus, router crashes [control / procedural weakness]
Vulnerability Analysis (cont.)
Example: Vulnerability assessment of a DMZ router (figure; the DMZ router is the asset)
http://technet.microsoft.com/en-us/library/cc723507.aspx#XSLTsection123121120120
• TVA Worksheet – at the end of the risk identification procedure, the organization should derive a threats-vulnerabilities-assets (TVA) worksheet
this worksheet is a starting point for risk assessment phase
TVA worksheet combines prioritized lists of assets and threats
prioritized list of assets is placed along x-axis, with most important assets on the left
prioritized list of threats is placed along y-axis, with most dangerous threats at the top
resulting grid enables a simplistic vulnerability assessment
Vulnerability Analysis (cont.)
If one or more vulnerabilities exist between T1 and A1, they can be categorized as:
T1V1A1 – Vulnerability 1 that exists between Threat 1 and Asset 1
T1V2A1 – Vulnerability 2 that exists between Threat 1 and Asset 1, …
If the intersection between T2 and A2 has no vulnerability, the risk assessment team simply crosses out that box.
Vulnerability Analysis (cont.)
• Summary of Vulnerability Analysis (figure):
Threat (act of human error or failure, deliberate act of trespass, deliberate act of extortion, deliberate act of sabotage, deliberate software attacks, technical software failures, technical hardware failures, forces of nature, etc.)
→ exploits → Vulnerability (flaw or weakness in an asset’s design, implementation, control or security procedure)
→ causes damage (loss) to → Asset (people, procedures, data, software, hardware, networking)
Risk Assessment
• (Security) Risk – quantifies: 1) the possibility that a threat successfully acts upon a vulnerability and 2) how severe the consequences would be
R = P ⋅ V
P = probability of risk-event occurrence
V = value lost / cost to organization
• Risk Assessment – provides relative numerical risk ratings (scores) to each specific vulnerability
in risk management, it is not the presence of a vulnerability that really matters, but the associated risk!
Risk Assessment (cont.)
V may be a weighted score indicating the relative importance (associated loss) of the given asset – this should be used if concrete $ amounts are not available.
Risk Assessment (cont.)
• Extended Risk Formula v.1
R = Pa ⋅ Ps ⋅ V
Pa = probability that an attack/threat (against a vulnerability) takes place
Ps = probability that the attack successfully exploits the vulnerability
V = value lost by exploiting the vulnerability
Risk Assessment (cont.)
• Extended Risk Formula v.2
R = Pa ⋅ (1 – Pe) ⋅ V
Pe = probability that the system’s security measures effectively protect against the attack (a reflection of the system’s security effectiveness), i.e. the probability that the attack is NOT successfully executed because the system defences are effective
Ps = probability that the attack is successfully executed = 1 – Pe
Risk Assessment (cont.)
• Extended Whitman’s Risk Formula *
R = P ⋅ V – CC [%] + UK [%]
P = probability that a certain vulnerability (affecting a particular asset) gets successfully exploited
V = value of information asset ∈ [1, 100]
P ⋅ V = LE = Loss Expectancy (i.e. Potential Loss)
CC = current control = percentage of risk already mitigated by current control
UK = uncertainty of knowledge = uncertainty of current knowledge of the vulnerability (i.e. overall risk)
* One of many risk models. http://citeseerx.ist.psu.edu/viewdoc/summary?doi=10.1.1.211.7952
Risk Assessment (cont.)
• Extended Whitman’s Risk Formula (cont.)
CC = current control = fraction of risk already mitigated by current control
UK = uncertainty of knowledge = fraction of risk that is not fully known
R = P ⋅ V – CC ⋅ (P ⋅ V) + UK ⋅ (P ⋅ V) = P ⋅ V ⋅ [ 1 – CC + UK ]
Mathematically more sound expression!
Risk Assessment (cont.)
• Extended Whitman’s Risk Formula (cont.)
R = P ⋅ V – CC [%] + UK [%]
CC: If a vulnerability is fully managed by an existing control, it can be set aside. (In this case, R ≤ 0.)
UK: It is not possible to know everything about a vulnerability, the respective threat, or how great an impact a successful attack would have. A factor that accounts for the uncertainty of estimating the given risk should always be added to the equation.
P: For many vulnerabilities the respective probabilities are known, e.g. the likelihood that any given e-mail will contain a virus or worm and that it gets ‘activated’ by the user.
Risk Assessment (cont.)
Example: Risk determination
Asset A: Has a value of 50. Has one vulnerability (vulnerability #1), with a likelihood of 1.0. No current control for this vulnerability. Your assumptions and data are 90% accurate.
Asset B: Has a value of 100. Has two vulnerabilities:
∗ vulnerability #2 with a likelihood of 0.5, and a current control that addresses 50% of its risk;
∗ vulnerability #3 with a likelihood of 0.1 and no current controls.
Your assumptions and data are 80% accurate.
Which asset/vulnerability should be dealt with first?!
Risk Assessment (cont.)
Example: Risk determination (cont.)
The resulting ranked list of risk ratings for the three vulnerabilities is as follows:
Asset A: Vulnerability 1 rated as 55 = (50 × 1.0) – 50 × 0 + 50 × 0.1
Asset B: Vulnerability 2 rated as 35 = (100 × 0.5) – 50 × 0.5 + 50 × 0.2
Asset B: Vulnerability 3 rated as 12 = (100 × 0.1) – 10 × 0 + 10 × 0.2
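An added example, not from the slides or from Whitman & Mattord, that ties the TVA worksheet labelling (T1V1A1, …) to the risk-rating formula and reproduces the ranked list above; the threat assignments and vulnerability #4 (fully controlled, hence set aside) are constructed.

```python
"""Added example, not from the slides or from Whitman & Mattord: builds TVA
worksheet labels (T{i}V{k}A{j}) and the ranked vulnerability risk worksheet using
R = P*V - CC*(P*V) + UK*(P*V). The data reproduces the slides' worked example
(assets A and B, vulnerabilities 1-3); the threat assignments and vulnerability
#4 are constructed to show the 'fully controlled -> set aside' case."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Vulnerability:
    asset: str          # asset name as it appears in the prioritized asset list
    threat: str         # threat name as it appears in the prioritized threat list
    description: str
    likelihood: float   # P: probability of successful exploitation, 0..1
    control: float      # CC: fraction of risk already mitigated by a current control
    uncertainty: float  # UK: fraction of the risk that is not fully known


def risk_rating(value: float, p: float, cc: float, uk: float) -> float:
    """Whitman-style rating: R = P*V - CC*(P*V) + UK*(P*V) = P*V*(1 - CC + UK)."""
    if not (0.0 <= p <= 1.0 and 0.0 <= cc <= 1.0 and 0.0 <= uk <= 1.0):
        raise ValueError("P, CC and UK must be fractions in [0, 1]")
    if not 1 <= value <= 100:
        raise ValueError("asset value V must lie in [1, 100]")
    loss_expectancy = p * value                  # LE = P*V
    return round(loss_expectancy * (1.0 - cc + uk), 2)


def tva_labels(assets: list, threats: list, vulns: list) -> list:
    """Label vulns[i] as T{t}V{k}A{a}: t = threat rank (1 = most dangerous),
    a = asset rank (1 = most valuable), k = running number at that intersection."""
    seen, labels = {}, []
    for v in vulns:
        cell = (threats.index(v.threat) + 1, assets.index(v.asset) + 1)
        seen[cell] = seen.get(cell, 0) + 1
        labels.append(f"T{cell[0]}V{seen[cell]}A{cell[1]}")
    return labels


def ranked_worksheet(values: dict, assets: list, threats: list, vulns: list) -> list:
    """Ranked vulnerability risk worksheet: (label, asset, description, rating),
    highest rating first. Pairs fully managed by a control (R <= 0) are set aside."""
    rows = []
    for label, v in zip(tva_labels(assets, threats, vulns), vulns):
        r = risk_rating(values[v.asset], v.likelihood, v.control, v.uncertainty)
        if r > 0:
            rows.append((label, v.asset, v.description, r))
    return sorted(rows, key=lambda row: row[3], reverse=True)


# Constructed data: asset B (value 100) ranks above A (value 50); the threat
# categories are taken from the slides' threat list.
ASSET_VALUES = {"A": 50, "B": 100}
ASSETS = ["B", "A"]
THREATS = ["Deliberate software attacks", "Act of human error or failure"]
VULNS = [
    Vulnerability("A", "Deliberate software attacks", "vulnerability #1", 1.0, 0.0, 0.1),
    Vulnerability("B", "Deliberate software attacks", "vulnerability #2", 0.5, 0.5, 0.2),
    Vulnerability("B", "Act of human error or failure", "vulnerability #3", 0.1, 0.0, 0.2),
    Vulnerability("B", "Deliberate software attacks", "vulnerability #4 (fully controlled)",
                  0.4, 1.0, 0.0),
]

if __name__ == "__main__":
    for label, asset, desc, rating in ranked_worksheet(ASSET_VALUES, ASSETS, THREATS, VULNS):
        print(f"{label:8s} asset {asset}: {desc:36s} R = {rating}")
```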
Risk Assessment (cont.)
• Documenting Results of Risk Assessment – 5 types of documents ideally created
1) Information asset classification worksheet
2) Weighted asset worksheet
3) Weighted threat worksheet
4) TVA worksheet
5) Ranked vulnerability risk worksheet
extension of TVA worksheet, showing only the assets and relevant vulnerabilities
assigns a risk-rating ranked value for each uncontrolled asset-vulnerability pair
Risk Assessment (cont.)
Example: Ranked vulnerability risk worksheet (figure). Columns: A: vulnerable assets; AI: weighted asset value; V: each asset’s vulnerability; VL: likelihood of vulnerability realization; AI × VL.
Customer service e-mail has relatively low value but represents the most pressing issue due to its high vulnerability likelihood.
Risk Assessment (cont.)
• At the end of risk assessment process, the TVA and/or ranked-vulnerability worksheets should be used to develop a prioritized list of tasks.
Risk Assessment (cont.)
• Automated Risk Assessment Tools: SKYBOX
http://www.skyboxsecurity.com/resources/product-demos/product-demo-skybox-risk-control-vulnerability-management
Risk Control
Risk Control Strategies
Computer Security, Stallings, pp. 487
Once all vulnerabilities/risks are evaluated, the company has to decide on the ‘course of action’ – often influenced by $$$ … (figure contrasts risk low / cost high with risk high / cost low)
• Basic Strategies to Control Risks
Avoidance
do not proceed with the activity or system that creates this risk
Reduced Likelihood (Control)
by implementing suitable controls, lower the chances of the vulnerability being exploited
Transference
share responsibility for the risk with a third party
Mitigation
reduce impact should an attack still exploit the vulnerability
Acceptance
understand consequences and acknowledge risks without any attempt to control or mitigate
Risk Control Strategies (cont.)
• Avoidance – strategy that results in complete abandonment of activities or systems due to excessive risk
usually results in loss of convenience or ability to perform some function that is useful to the organization
the loss of this capacity is traded off against the reduced risk profile
Recommended for vulnerabilities with a very high risk factor that are very costly to fix.
Risk Control Strategies (cont.)
• Reduced Likelihood – risk control strategy that attempts to prevent exploitation of a vulnerability by means of the following techniques:
application of technology
implementation of security controls and safeguards, such as: anti-virus software, firewall, secure HTTP and FTP servers, etc.
policy
e.g. insisting on safe procedures
training and education
change in technology and policy must be coupled with employee training and education
Recommended for vulnerabilities with a high risk factor that are moderately costly to fix.
Risk Control Strategies (cont.)
• Transference – risk control strategy that attempts to shift risk to other assets, other processes or other organizations
if organization does not have adequate security experience, hire individuals or firms that provide expertise
‘stick to your knitting’!
e.g., by hiring a Web consulting firm, the risks associated with domain name registration, Web presence, Web service, … are passed on to an organization with more experience
Recommended for vulnerabilities with a high risk factor that are moderately costly to fix when outside expertise has to be employed.
Risk Control Strategies (cont.)
• Mitigation – risk control strategy that attempts to reduce the likelihood or impact caused by a vulnerability – includes 3 plans: (1) … (2) … (3) …
Risk Control Strategies (cont.)
• Acceptance – strategy that assumes NO action towards protecting an information asset – instead, accept outcome …
should be used only after doing all of the following
assess the probability of attack and likelihood of successful exploitation of a vulnerability
approximate annual occurrence of such an attack
estimate potential loss that could result from attacks
perform a thorough cost-benefit analysis assuming various protection techniques
determine that particular asset did not justify the cost of protection!
(steps to be discussed)
How do we know whether risk control techniques have worked / are sufficient?!
Risk Control Strategies (cont.)
Example: Risk tolerance vs. residual risk (figure: risk plotted against time – vulnerability risk before controls, vulnerability risk after controls, the company’s risk tolerance, and the residual risk)
• Residual Risk – risk that has not been completely removed, reduced or planned for, after (initial) risk-mitigation controls have been employed
goal of information security is not to bring residual risk to 0, but to bring it in line with the company’s risk tolerance
risk-mitigation controls may (have to) be reinforced until residual risk falls within tolerance
• Risk Tolerance – risk that organization is willing to accept after implementing risk-mitigation controls
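An added example (not from the slides) of reinforcing controls until the residual risk falls within the risk tolerance, using the slides’ R = P ⋅ V ⋅ (1 – CC + UK) for Asset A from the earlier risk-determination example; the rule for combining several controls and the candidate controls with their costs are constructed assumptions.

```python
"""Added example, not from the slides: reinforce risk-mitigation controls until
the residual risk of a vulnerability falls within the company's risk tolerance.
Uses the slides' rating R = P*V*(1 - CC + UK). The rule for combining several
controls (CC_total = 1 - prod(1 - CC_i), i.e. independent controls) and the
candidate controls with their costs are constructed assumptions."""


def combined_control(controls: list) -> float:
    """Assumed combination rule: each control removes its fraction CC of what is left."""
    remaining = 1.0
    for cc in controls:
        if not 0.0 <= cc <= 1.0:
            raise ValueError("CC must be a fraction in [0, 1]")
        remaining *= 1.0 - cc
    return 1.0 - remaining


def residual_risk(loss_expectancy: float, controls: list, uk: float) -> float:
    """Residual rating after the given controls: P*V*(1 - CC_total + UK)."""
    return round(loss_expectancy * (1.0 - combined_control(controls) + uk), 2)


def reinforce_until_tolerated(loss_expectancy: float, uk: float,
                              tolerance: float, candidates: list) -> tuple:
    """Add candidate controls cheapest-first until residual risk <= tolerance.

    candidates: list of (name, CC, cost). Returns (chosen names, residual risk,
    total cost, within_tolerance). If even all candidates leave the residual
    above tolerance, within_tolerance is False and a different strategy
    (transfer, avoid, or explicit acceptance) has to be decided on."""
    chosen, applied, total_cost = [], [], 0.0
    for name, cc, cost in sorted(candidates, key=lambda c: c[2]):
        if residual_risk(loss_expectancy, applied, uk) <= tolerance:
            break
        chosen.append(name)
        applied.append(cc)
        total_cost += cost
    residual = residual_risk(loss_expectancy, applied, uk)
    return chosen, residual, total_cost, residual <= tolerance


# Constructed scenario: the slides' Asset A (V = 50, P = 1.0, UK = 0.1 -> R = 55)
LOSS_EXPECTANCY = 50.0
UK = 0.1
CANDIDATE_CONTROLS = [   # (name, fraction of risk mitigated, cost) -- made-up values
    ("user awareness training", 0.3, 2000.0),
    ("patch management", 0.5, 5000.0),
    ("e-mail attachment filtering", 0.6, 8000.0),
]

if __name__ == "__main__":
    for tolerance in (45.0, 20.0, 5.0):
        print(tolerance, reinforce_until_tolerated(LOSS_EXPECTANCY, UK, tolerance,
                                                   CANDIDATE_CONTROLS))
```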
Risk Control Strategies (cont.)
• Risk Handling Decision Process – helps choose one among the four risk control strategies (figure: decision flowchart comparing the estimated risk against the risk tolerance; e.g. acceptance is chosen when the attacker is not likely to attack, or when the initial estimated risk is below the risk tolerance)
Risk Control Strategies (cont.)
• Risk Control Cycle – after a control has been selected & implemented, the control should be monitored and (if needed) adjusted on an on-going basis
Risk Control Strategies (cont.)
• Four groups that bear responsibility for effective management of security risks, each with unique roles:
Information Security Management – group with leadership role – most knowledgeable about causes of security risks (security threats and attacks)
IT Community / Management – group that helps build secure systems and ensure their safe operation
General Management – must ensure that sufficient resources (money & personnel) are allocated to IT and info. security groups to meet organizational security needs
Users – (when properly trained) group that plays critical part in prevention, detection and defence against security threats/attacks