The BUDDY SYSTEM® Security Risk Analysis
A World-class Product!
Copyright 1998, Countermeasures, Inc.

The Concerns
Loss of confidentiality
Loss of trust
Loss of availability
Total loss of asset
Compliance

Security Program Profile
Phase 1: Risk Analysis
The process of determining current loss potential
Phase 2: Risk Management
The process of improving and monitoring loss potential

Risk Analysis
First diagnose... then prescribe (you must know your risks before you can manage them)
Disciplined approach to a management problem
Proactive
A procedure for assessing the risk to important assets

Why do a Risk Analysis?
Provide management with critical information
Prerequisite for risk management
Satisfy requirements
Reduce losses due to threat activity
Policy or regulatory compliance
YOU do several every day!

A Risk Analysis will:
Discover which assets are critical
Discover in-place countermeasures
Identify applicable threats
Calculate vulnerabilities
Calculate anticipated losses
Recommend corrective actions

Risk Analysis & Management

Definition phase
Scope: define what the task will encompass
Participants: identify what/who will be surveyed and who will be otherwise involved
Procedure: define the procedure for data collection and risk analysis

Analysis phase
Collect data: collect data on items included in scope; set time frame for completion
Analysis: analyze completed surveys; "what-if" modeling; compliance measurements
Reporting: create and edit reports; submit same to management; revise as necessary

Decision phase
Submit risk analysis report: advise management of analysis results and recommendations
Management decision: obtain concurrence with analyst recommendations and trade-offs

Risk management phase
Assign/track actions: cause the approved actions to be implemented
Report when actions are complete: a final report to management shows the updated security posture
Continuously monitor: once a desirable security posture is attained, it must be monitored

Risk Analysis Task Definition
What will be included?
How will the data be collected?
Who will participate?
What reports will be required?
Who will receive the report?
Schedule for data collection
Schedule for analysis and reporting

Step 1: Identify Assets
Assets are anything with value and worth protecting or preserving.

Asset Details
Determine value
If shared with other resources
If critical to the organization or function
Ownership
Physical location
Part of inventory?

Step 2: Identify Threats
Identify applicable threats and their frequency of occurrence.
Threats are events or actions with the potential to cause an impact upon assets.

Threat Examples
Natural hazards
Human error
Fire
Theft
Unstable power
Hardware failure
Software failure
Masquerading as authorized employee

Threat Details
Frequency of occurrence: historical records, empirical knowledge
Justification: why applicable, why the frequency

Step 3: In-place Countermeasures
Identify in-place countermeasures.
Countermeasures are devices, processes, actions and/or procedures which have the propensity to reduce vulnerability.
They only count if they're in-place!

Countermeasure Examples
Procedures
Management support
Contingency plan
Metal detector
Virus software
Perimeter fences
Training
Power conditioning
Backup procedures
Access controls
CCTV
Guards

Step 4: Vulnerabilities
Determine vulnerabilities.
Vulnerabilities are a condition of weakness. A weakness might allow threats to have an impact on assets.

Vulnerability Examples
Susceptibility to:
Unauthorized access
Natural hazards
Unstable power
Terrorist activity
Key person dependency
User or operator errors
Fire
Theft of resources

Quantify Vulnerabilities
A risk analysis process must identify areas of vulnerability and their levels.
Vulnerability levels are calculated based on in-place countermeasures.

Step 5: Calculate Loss
Calculate estimated loss:
  SLE = VL * Asset Cost * TV
  ALE = SLE * Threat Multiplier
Where:
  VL = Vulnerability level
  TV = Threat value
  SLE = Single loss expectancy
  ALE = Annual loss expectancy
  Threat Multiplier = the threat's frequency of occurrence identified in Step 2, annualized
Loss is a measure of the impact upon assets by one or more manifested threats.
Impact is a calculated value.
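The Step 5 formulas worked through numerically, as an added example that is not part of the original deck and not the BUDDY SYSTEM's own code. The deck does not give scales for VL, TV or for the weight of a countermeasure, so the example assumes the following: VL and TV are fractions between 0 and 1; each in-place countermeasure removes a stated fraction of whatever vulnerability remains against the threats it covers (Axiom 3); VL never drops below a small floor, here 0.05 (Axiom 4); and the threat multiplier is the threat's expected annual frequency of occurrence from Step 2. Countermeasures that are planned but not in place are ignored (Step 3), and the what-if run puts one of them in place without touching any frequency (Axiom 2). The asset cost, threats and countermeasures are constructed sample survey data, not figures from any real analysis.

```python
"""Step 5 of the risk analysis worked numerically: vulnerability level from
in-place countermeasures, SLE = VL * asset cost * TV, ALE = SLE * threat
multiplier, and a "what-if" run for one corrective action (Step 6)."""
from dataclasses import dataclass, replace
from typing import Dict, Iterable, List, Tuple

VL_FLOOR = 0.05  # Axiom 4: vulnerability never reaches zero (assumed floor value)


@dataclass(frozen=True)
class Threat:
    name: str
    value: float             # TV: fraction of the asset lost per manifestation (assumed 0..1 scale)
    annual_frequency: float  # threat multiplier: expected manifestations per year (assumed)


@dataclass(frozen=True)
class Countermeasure:
    name: str
    counters: frozenset      # names of the threats this countermeasure offsets
    weight: float            # fraction of remaining vulnerability it removes (assumed 0..1 scale)
    in_place: bool = True    # Step 3: a countermeasure only counts if it is in place


def vulnerability_level(threat: Threat, countermeasures: Iterable[Countermeasure]) -> float:
    """Axiom 3: each in-place countermeasure that applies to the threat removes its
    weight fraction of the vulnerability that remains; Axiom 4 keeps VL above zero."""
    vl = 1.0
    for cm in countermeasures:
        if cm.in_place and threat.name in cm.counters:
            vl *= 1.0 - cm.weight
    return max(vl, VL_FLOOR)


def single_loss_expectancy(vl: float, asset_cost: float, tv: float) -> float:
    """SLE = VL * Asset Cost * TV (the deck's formula)."""
    return vl * asset_cost * tv


def annual_loss_expectancy(sle: float, threat_multiplier: float) -> float:
    """ALE = SLE * Threat Multiplier (the deck's formula)."""
    return sle * threat_multiplier


def analyze(asset_cost: float, countermeasures: List[Countermeasure],
            threats: List[Threat]) -> Dict:
    """Per-threat VL, SLE and ALE for one asset, plus the total ALE across threats."""
    rows = {}
    for t in threats:
        vl = vulnerability_level(t, countermeasures)
        sle = single_loss_expectancy(vl, asset_cost, t.value)
        rows[t.name] = {"vl": vl, "sle": sle,
                        "ale": annual_loss_expectancy(sle, t.annual_frequency)}
    return {"threats": rows, "total_ale": sum(r["ale"] for r in rows.values())}


def what_if(asset_cost: float, countermeasures: List[Countermeasure],
            threats: List[Threat], action_name: str) -> Tuple[float, float]:
    """Model a corrective action: the named countermeasure is put in place.
    Axiom 2: threat frequencies are untouched; only the vulnerability level moves.
    Returns (total ALE before, total ALE after)."""
    modified = [replace(cm, in_place=True) if cm.name == action_name else cm
                for cm in countermeasures]
    before = analyze(asset_cost, countermeasures, threats)["total_ale"]
    after = analyze(asset_cost, modified, threats)["total_ale"]
    return before, after


# Constructed sample survey data (not taken from any real analysis).
ASSET_COST = 250_000.0  # replacement cost of a file server, in dollars
THREATS = [
    Threat("Fire", value=0.9, annual_frequency=0.02),
    Threat("Theft", value=0.3, annual_frequency=0.5),
    Threat("Unstable power", value=0.1, annual_frequency=4.0),
]
COUNTERMEASURES = [
    Countermeasure("Backup procedures", frozenset({"Fire", "Theft"}), weight=0.4),
    Countermeasure("Access controls", frozenset({"Theft"}), weight=0.5),
    # planned but not installed, so it contributes nothing until the what-if run
    Countermeasure("Power conditioning", frozenset({"Unstable power"}), weight=0.6,
                   in_place=False),
]

if __name__ == "__main__":
    result = analyze(ASSET_COST, COUNTERMEASURES, THREATS)
    for name, r in result["threats"].items():
        print(f"{name:15s} VL={r['vl']:.2f}  SLE=${r['sle']:>10,.0f}  ALE=${r['ale']:>10,.0f}")
    before, after = what_if(ASSET_COST, COUNTERMEASURES, THREATS, "Power conditioning")
    print(f"Total ALE ${before:,.0f}; with power conditioning in place ${after:,.0f}")
```

With the constructed figures the uncovered threat (unstable power) dominates the total ALE even though a single manifestation costs little, which is the kind of result a "what-if" run is meant to surface: the analyst compares the ALE reduction of a candidate countermeasure against its cost and puts that trade-off in front of management.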

Impact?
Manifested threats + vulnerability = IMPACT
This is called risk.

Impact Categories
Disclosure (confidentiality lost)
Destruction (complete loss)
Distrust (available but questionable)
Denial of service (not available)
Which category(ies) should be avoided?

How Does it all Fit Together?
[Diagram: threats act on an asset through its vulnerability; countermeasures reduce that vulnerability; the resulting impact is labelled modification, distrust, denial of service or destruction.]

Step 6: Recommendations
Recommend corrective action.
There are many ways to reduce expected loss from threat activity.
Each corrective action is a countermeasure.

Types of Action
Operational trade-off
Some countermeasures required by regulation (contingency plan, security training)
Discretionary countermeasures

Reports Should...
Show procedures used
Be management oriented
Be concise
Contain no jargon
Show conclusions
Include recommendations
Show appropriate references
Provide trade-off justification

The Risk Management Process
Risk management is the process of establishing and maintaining an appropriate security posture.
Understand current risk posture
Determine actions needed to adjust
Assign and track actions
Monitor
Maintain

Common Processes
Whether manual or automated, the same steps must be accomplished in risk analysis and risk management...
Resources must be applied
Time must be spent
And, with either process, management must decide...

The Automated Paradigm
Lets you accomplish all of the steps with:
Fewer in-house resources
A more consistent procedure
Repeatable results
More acceptable results
Fewer resources and less time
Lower cost

About the BUDDY SYSTEM®
A fully automated risk analysis and management tool for:
Data collection
Vulnerability analysis
"What-if" modeling
Risk analysis and reporting
Risk management
Special functions

The Methodology
Based on years of actual risk analysis experience
Proven through 10 years of use
Tested and accepted world-wide
Fully documented in our Technical Manual
Based on 5 published axioms

Axiom 1
The same population of threats exists for all.
Postulation: The population of threats is infinite in number and variety. Any given threat in the population will manifest itself at an undetermined and uncontrolled frequency. The same threat population exists for all systems and all locations. Only the likelihood of threat occurrence varies.

Axiom 2
The frequency of occurrence of a threat cannot be altered.
Postulation: Apparent alterations to the frequency of occurrence of threats are, in reality, countermeasures. These countermeasures reduce the level of vulnerability to the manifested threat, not how often the threat occurs.

Axiom 3 (Primary)
As the level of in-place countermeasures increases, vulnerability decreases.
Postulation: The level of vulnerability to threats is reduced by the implementation of countermeasures. Some countermeasures have a greater propensity to offset vulnerability than others. The level of vulnerability and the relative value of each countermeasure said to reduce it can be expressed numerically.
[Chart: as countermeasures increase (vertical axis), vulnerability level decreases (horizontal axis).]

Axiom 4
All countermeasures have vulnerabilities.
Postulation: A vulnerability level of ZERO can never be obtained, since all countermeasures have vulnerabilities themselves. One or more vulnerabilities can be identified for any given countermeasure.

Axiom 5
An acceptable level of vulnerability can be obtained by the implementation of countermeasures.
Postulation: There exists a mix of countermeasures that can achieve any arbitrary level of vulnerability. By adding countermeasures, the vulnerability level can be adjusted to a level commensurate with the importance, sensitivity or classification level of the information being processed.

Three Main Modules
Survey: used for data collection; fully automatic
Analysis: vulnerability analysis; risk analysis and management
Maintenance: dataset engine

Installation
Registered version
Trial version
Stand-alone (survey only)
Install on a network or standalone computer
Windows 95, 98, or NT

Implementation Process
Configure dataset(s)
Distribute datasets/surveys
Interface with users
Collect completed surveys
Analyze completed surveys
Prepare and submit reports
Manage approved actions

Data Collection Methods
Over the network (best)
Distribution on floppy disks or CD
Install on a notebook
Interviews by an expert

Survey Execution
On a network workstation: multi-user; no distribution/recovery
From CD or disks
On a notebook

The Automated Survey
The survey does the first 4 steps in the analysis process:
Assets
Environment definition
In-place countermeasures (effectiveness can also be measured)
Applicable threats and their frequency

Data Collection
Interface with users
Collect and document details
The best way

Example survey screen
User follows the tree, top to bottom

The Survey is Unique
Pre-loading of common information
User selections are immediately analyzed
Re-configures to fit the environment
30 minutes to complete
No data volume limitations
Automatic help screens
Drop-down selection lists

Analysis and Reporting
The next 3 steps in the risk analysis process:
Determine vulnerabilities
Calculate estimated loss
Recommend corrective actions

Analyst Actions
Analyst recommends corrective actions
What level of impact is acceptable? (residual risk)
Management decides

Automatic Analysis
Vulnerability summary
"What-if" vulnerability modeling

Special Functions
Instant compliance measurement
"Closed-loop" risk management
Access control, with audit logs
Automatic countermeasure effectiveness measurement
Built-in awareness training for end users

Adaptability
Custom datasets:
Information security
Physical security
Manufacturing
Medical
User can customize for ANY use environment or application

Database Engine (Maintenance)
Add, edit, delete without limitation
Establish data item relations

Just Some of the Reports...
Survey information
Data set configuration
Compliance information
Security test & evaluation
Risk analysis report - output to MS Word
Risk management

Standard Features
Windows platforms: NT, 95, and 98
Network or stand alone
Unlimited data sets and surveys
Access control, user control, audit logs
User's group annual meetings
Newsletter

Coming Soon
WEB-based execution of the survey
Internet access to upgrades and new data sets
Multi-language capability
Cascading effect analysis
Additional report templates

Our Offerings...
Countermeasures, Inc. and its distributors offer...
One year of free support
One year of free upgrades
2 days of training
Multiple copy discounts
Dataset customization services
Specialized consulting services