Security Risk Management - York University

Security Risk Management

Risk Management (overview diagram)

Risk Identification

Identify & Prioritize Assets

Identify & Prioritize Threats

Identify Vulnerabilities between Assets and Threats (Vulnerability Analysis)

Risk Assessment

Calculate Relative Risk of Each Vulnerability

Risk Control

Cost-Benefit Analysis

Control options: Transfer, Avoid, Accept, Mitigate

Security Risk Management

Risk Assessment: ‘spotting’ the most significant vulnerabilities in the sea of potential vulnerabilities, i.e. the vulnerability that carries the most risk

Risk Analysis: Is a sec. risk worth a sec. control?!

Quantitative, Qualitative, Relative Risk Analysis

Qualitative vs. Quantitative Analysis

• Quantitative Risk Analysis – predicts the level of monetary loss for each threat, and the monetary benefit of controlling the threat

each element is quantified and entered into equations, e.g.:

asset value

threat frequency

severity of vulnerability

damage impact

safeguard cost …

• Qualitative Risk Analysis – scenario-based approach - uses labels & relative values (high/low) rather than numbers; blends in experience & personal judgment

Qualitative vs. Quantitative Analysis

Quantitative Analysis – pros:

• Easier to automate and evaluate.

• Very useful in performance tracking - provides credible cost/benefit analysis.

Quantitative Analysis – cons:

• Complex calculations – may not be understood by all.

• Very detailed information about the environment needs to be gathered.

Qualitative Analysis – pros:

• Requires simple (or no) calculations.

• Considers hands-on opinions of individuals who know the process best.

Qualitative Analysis – cons:

• Assessment and results are subjective.

• Does not enable dollar cost/benefit discussion.

• Difficult to track performance.

Qualitative vs. Quantitative Analysis

“Quantitative risk measurement is the standard way of measuring risk in many fields, such as finance and insurance, but it is not commonly used to measure risk in information systems. Two of the reasons claimed for this are: 1) the difficulties in identifying and assigning a value to assets, and 2) the lack of statistical information that would make it possible to determine frequency. Thus, most of the risk assessment tools that are used today for information systems are measurements of qualitative risk.”

http://www.sans.org/reading_room/whitepapers/auditing/introduction-information-system-risk-management_1204

Qualitative Analysis

• Challenges of Qualitative Analysis – define likelihood and impact values in a manner that would allow the same scale to be used across multiple risk assessments

Example: Sample ‘likelihood of threat’ definitions

Other possibilities: 1) uniform distribution – same % at/for all levels; 2) 5 levels of likelihood: very low, low, moderate, high, very high

Qualitative Analysis (cont.)

Example: Sample ‘impact’ definitions

Example: Sample ‘risk determination’ matrix

http://www.sans.org/reading_room/whitepapers/auditing/introduction-information-system-risk-management_1204
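The three sample tables above (likelihood definitions, impact definitions, risk determination matrix) are the pieces of one mechanism, and the challenge the slide names is keeping them identical across assessments. The following is an added example written for this page, not code from the lecture or from the SANS paper it cites: one shared scale definition, a matrix that combines the two scales into a risk level, and a ranking of findings that came from two different assessments. The labels, weights, definition texts and band thresholds are assumptions in the style of a NIST SP 800-30-type matrix, and the findings are constructed.

```python
"""Qualitative risk determination with one shared likelihood/impact scale.
Added example; the scale values and thresholds below are assumed, not taken
from the slides or the cited paper."""
from dataclasses import dataclass

# Shared scale: label -> (weight, meaning). Keeping the meaning next to the
# weight is what lets different assessors apply the same scale consistently.
LIKELIHOOD = {
    "high":   (1.0, "threat is motivated and capable, and controls are ineffective"),
    "medium": (0.5, "threat is motivated and capable, but controls may impede it"),
    "low":    (0.1, "threat lacks motivation or capability, or controls prevent it"),
}
IMPACT = {
    "high":   (100, "major loss of assets or mission capability, or harm to people"),
    "medium": (50,  "costly loss of assets or noticeable harm to the mission"),
    "low":    (10,  "limited loss of assets; mission noticeably affected"),
}
# Risk score = likelihood weight x impact weight, banded into a level.
# A band applies when the score is strictly above its threshold (assumed bands).
RISK_BANDS = (("high", 50), ("medium", 10), ("low", 0))


def _lookup(scale: dict, label: str, name: str) -> float:
    """Resolve a label on the shared scale; anything off-scale is rejected so a
    finding rated 'moderate' in one assessment cannot slip in unnoticed."""
    key = label.strip().lower()
    if key not in scale:
        raise ValueError(f"{name} must be one of {sorted(scale)}, got {label!r}")
    return scale[key][0]


def risk_score(likelihood: str, impact: str) -> float:
    """Matrix cell value for one (likelihood, impact) pair."""
    return _lookup(LIKELIHOOD, likelihood, "likelihood") * _lookup(IMPACT, impact, "impact")


def risk_level(score: float) -> str:
    """Band a matrix score into high / medium / low."""
    for level, threshold in RISK_BANDS:
        if score > threshold:
            return level
    return "low"


@dataclass(frozen=True)
class Finding:
    assessment: str   # which risk assessment produced the finding
    name: str
    likelihood: str
    impact: str


def rank_findings(findings) -> list:
    """Score every finding with the shared matrix and order them highest risk
    first, so findings from separate assessments are compared on one scale."""
    rows = []
    for f in findings:
        score = risk_score(f.likelihood, f.impact)
        rows.append((f.assessment, f.name, risk_level(score), score))
    rows.sort(key=lambda row: row[3], reverse=True)
    return rows


# Constructed findings from two separate assessments of different systems.
FINDINGS = [
    Finding("web app", "missing input validation on search form", "high", "high"),
    Finding("web app", "verbose error pages", "medium", "low"),
    Finding("office LAN", "unpatched file server", "high", "medium"),
    Finding("office LAN", "shared printer on guest VLAN", "low", "low"),
]

if __name__ == "__main__":
    for assessment, name, level, score in rank_findings(FINDINGS):
        print(f"{level:>6} {score:6.1f}  {assessment}: {name}")
```

Because both assessments score against the same `LIKELIHOOD` and `IMPACT` tables, the ranking across them is meaningful; a second team inventing its own "moderate" label fails at `_lookup` instead of silently producing incomparable numbers.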

Quantitative Analysis

• Cost-Benefit Analysis – aka economic feasibility study - quantitative decision-making process that:

determines the loss in value if the asset remained unprotected

determines the cost of protecting an asset

helps prioritize actions and spending on security …

A company should not spend more to protect an asset than the asset is worth!

Quantitative Analysis (cont.)

• Asset Value (AV) – includes the following:

cost of buying/developing hardware, software, service

cost of installing, maintaining, upgrading hardware, software, service

cost to train and re-train personnel

• Exposure Factor (EF) – percentage loss that would occur from a given vulnerability being exploited by a given threat

Quantitative Analysis (cont.)

• Single Loss Expectancy (SLE) – most likely loss (in value) from an attack

SLE = AV * EF

Example: A Web-site’s SLE due to a DDoS Attack

Estimated value of a Web-site: AV = $1,000,000.

A DDoS on the site would result in a 10% loss of the site value (EF = 0.1).

SLE for the site: AV * EF = $100,000. Would it be worth investing in an anti-DDoS system that costs $100,000 a year?

Quantitative Analysis (cont.)

• Annualized Rate of Occurrence (ARO) – indicates how often an attack is expected to successfully occur in a year

if an attack occurs once every 2 years ⇒ ARO = 0.5

• Annualized Loss Expectancy (ALE) – overall loss incurred by an attack (i.e. by exploiting a vulnerability) in each year

ALE = ARO * SLE

Quantitative Analysis (cont.)

Example: Determining ARO, SLE, ALE

http://www.pearsonhighered.com/assets/hip/us/hip_us_pearsonhighered/samplechapter/078973446X.pdf

Example: Determining ALE to Occur from Risks

http://www.windowsecurity.com/articles/Risk_Assessment_and_Threat_Identification.html

A widget manufacturer has installed new network servers, changing its network from P2P to a client/server-based network.

The network consists of 200 users who make an average of $20 an hour, working on 100 workstations.

Previously, none of the workstations in the network had anti-virus software installed. This was because there was no connection to the Internet and the workstations did not have USB/disk drives or Internet connectivity, so the risk of viruses was deemed minimal.

One of the new servers provides a broadband connection to the Internet, which employees can now use to send and receive email, and surf the Internet.

Quantitative Analysis (cont.)

Example: Determining ALE to Occur from Risks (cont.)

One of the managers read in a trade magazine that other widget companies have reported an annual 75% chance of viruses infecting their network after installing T1 lines, and it may take up to 3 hours to restore the system.

A vendor will sell licensed copies of antivirus software for all servers and the 100 workstations at a cost of $4,700 per year. The company has asked you to determine the annual loss that can be expected from viruses, and determine if it is beneficial in terms of cost to purchase licensed copies of anti-virus software.

• 200 employees • 100 workstations • $20/hour

Quantitative Analysis (cont.)

Example: Determining ALE to Occur from Risks (cont.)

Based on the provided data:

ARO = 0.8

SLE = 200 users * ($20 / user-hour) * 3 hours = $12,000

ALE = SLE * ARO = $9,000

Because the ALE is $9,000, and the cost of the software that will minimize this risk is $4,700 per year, this means the company would save $4,300 per year by purchasing the software ($9,000 - $4,700 = $4,300).

Quantitative Analysis (cont.)

• Cost-Benefit Analysis – expresses the cost benefit of a safeguard – i.e., determines whether a particular control is worth its cost

ALE(prior) – ALE before implementing control

ALE(post) – ALE after implementing control

ACS – annual cost of safeguard

Formula

NRRB = [ALE(prior) - ALE(post)] – ACS

[ALE(prior) - ALE(post)] is the GROSS risk reduction benefit (GRRB)

NRRB is the NET risk reduction benefit

Quantitative Analysis (cont.)

Example: Cost-Benefit Analysis (chart of ALE over time: ALE(prior) before safeguards; GRRB – gross risk reduction benefit; ALE(post) after safeguards; ACS – annual cost of safeguards; NRRB – net risk reduction benefit)

Only NRRB > 0 justifies the use of safeguard(s)!

Example: Determining NRRB

Your organization has decided to centralize anti-virus support on a server which automatically updates virus signatures on users’ PCs.

When calculating risk due to viruses, the annualized loss expectancy (ALE) is $145,000. The cost of this anti-virus countermeasure in a year is estimated to be $24,000, but it will lower the ALE to $65,000.

Is this a cost-effective countermeasure? Why or why not?

ALE(prior) = $145k

ALE(post) = $65k

ACS = $24k

NRRB = ALE(prior) – ALE(post) – ACS = $145k - $65k - $24k = $56k, so there are positive benefits of this solution

Quantitative Analysis (cont.)

Example: Cert. Info. Sys. Sec. Prof. (CISSP) Exam

ALE(prior) = AV * EF * ARO = $10^6 * 0.1 * 0.2 = $20,000

ALE(post) = $0 (best case scenario - safeguard 100% eff.)

ACS = ?

For NRRB ≥ 0, a safeguard of up to $20,000 is acceptable.

Example: Cost-benefit analysis in case of 100% effective safeguard (chart of ALE over time: ALE(prior) before safeguards; ALE(post) after safeguards; ACS – annual cost of safeguards; NRRB – net risk reduction benefit)
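The SLE, ARO, ALE and NRRB formulas above form one chain, and the slides run it three times (the widget manufacturer, the centralized anti-virus server, the CISSP question). The following is an added example written for this page, not code from the lecture, that encodes the chain as small functions and re-runs all three cases. One caveat a reader should notice: the widget slide's summary line states ARO = 0.8, while the problem statement says a 75% annual chance; the code uses 0.75, which is the value that actually yields the slide's $9,000 ALE. It also makes explicit the assumption the $9,000 - $4,700 subtraction implies, namely that the antivirus licences reduce the loss to zero (ALE(post) = 0).

```python
"""Quantitative risk arithmetic from the slides, as an added example:
SLE = AV * EF, ALE = ARO * SLE, NRRB = [ALE(prior) - ALE(post)] - ACS."""
from dataclasses import dataclass


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE = AV * EF. EF is the fraction of the asset value lost in one event (0..1)."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be a fraction between 0 and 1")
    return asset_value * exposure_factor


def annualized_loss_expectancy(aro: float, sle: float) -> float:
    """ALE = ARO * SLE. ARO is expected successful occurrences per year
    (once every 2 years -> 0.5); it may exceed 1 for frequent attacks."""
    if aro < 0:
        raise ValueError("ARO cannot be negative")
    return aro * sle


def gross_risk_reduction_benefit(ale_prior: float, ale_post: float) -> float:
    """GRRB = ALE(prior) - ALE(post)."""
    return ale_prior - ale_post


def net_risk_reduction_benefit(ale_prior: float, ale_post: float, acs: float) -> float:
    """NRRB = GRRB - ACS. Only NRRB > 0 justifies the safeguard."""
    return gross_risk_reduction_benefit(ale_prior, ale_post) - acs


def max_justifiable_safeguard_cost(ale_prior: float, ale_post: float) -> float:
    """Largest annual safeguard cost that still gives NRRB >= 0 (break-even ACS)."""
    return gross_risk_reduction_benefit(ale_prior, ale_post)


@dataclass(frozen=True)
class SafeguardDecision:
    ale_prior: float
    ale_post: float
    acs: float

    @property
    def nrrb(self) -> float:
        return net_risk_reduction_benefit(self.ale_prior, self.ale_post, self.acs)

    @property
    def justified(self) -> bool:
        return self.nrrb > 0


# --- the slides' three worked cases, re-run ---

def widget_antivirus_case() -> SafeguardDecision:
    """200 users * $20/user-hour * 3 hours of restore time per infection,
    75% annual chance of infection (ARO = 0.75, from the problem statement),
    antivirus licences $4,700/year. ALE(post) = 0 is the assumption behind the
    slide's $9,000 - $4,700 = $4,300."""
    sle = 200 * 20 * 3                                   # $12,000 per infection
    ale_prior = annualized_loss_expectancy(0.75, sle)    # $9,000 per year
    return SafeguardDecision(ale_prior=ale_prior, ale_post=0.0, acs=4_700)


def centralized_antivirus_case() -> SafeguardDecision:
    """ALE(prior) $145k, safeguard lowers ALE to $65k and costs $24k/year -> NRRB $56k."""
    return SafeguardDecision(ale_prior=145_000, ale_post=65_000, acs=24_000)


def cissp_case() -> float:
    """AV = $10^6, EF = 0.1, ARO = 0.2 -> ALE(prior) = $20,000. With a 100%
    effective safeguard (ALE(post) = 0) any ACS up to $20,000 keeps NRRB >= 0."""
    sle = single_loss_expectancy(1_000_000, 0.1)
    ale_prior = annualized_loss_expectancy(0.2, sle)
    return max_justifiable_safeguard_cost(ale_prior, 0.0)


if __name__ == "__main__":
    for name, case in (("widget antivirus", widget_antivirus_case()),
                       ("centralized antivirus", centralized_antivirus_case())):
        verdict = "justified" if case.justified else "not justified"
        print(f"{name}: NRRB = ${case.nrrb:,.0f} -> {verdict}")
    print(f"CISSP: safeguard acceptable up to ${cissp_case():,.0f}/year")
```

Note that the DDoS question earlier on the slides ($100,000 SLE against a $100,000/year product) cannot be answered with SLE alone: `net_risk_reduction_benefit` needs an ARO to turn the SLE into an ALE, and with ALE(post) = 0 the product is only justified when ARO * $100,000 exceeds $100,000, i.e. when a successful DDoS is expected more than once a year.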

Other Feasibility Measures

• Cost-benefit analysis determines whether a security control measure is feasible economically.

• Other ‘measures of feasibility’, when evaluating a security control, include:

• Organizational Feasibility – examines how well a proposed security control will contribute to the organization’s strategic objectives

e.g. a firewall might be a good security safeguard, but may prevent effective flow of multimedia data

Other Feasibility Measures (cont.)

• Behavioral Feasibility – examines users’ and management’s acceptance and support of a proposed security control

e.g. if users do not accept a new policy / technology / program, it will inevitably fail

most common methods for obtaining user acceptance are:

communication – affected parties must know the purpose and benefits of the proposed change

education – affected parties must be educated on how to work under the new constraints

involvement – affected parties must be given a chance to express what they want and what they will tolerate from the system

Other Feasibility Measures (cont.)

• Technical Feasibility – determines whether the organization has or can acquire the technology and/or necessary technical expertise to implement and support a control

e.g. a firewall may require special software / hardware support / installation on all computers

• Political Feasibility – determines what can and cannot be done based on consensus and relationships between different departments …

IT and Info. Sec. departments might have to compete for the same resources

Relative Analysis

• Rather than using quantitative or qualitative risk analysis measures, an organization may resort to relative risk analysis of a control, including:

• Benchmarking – study practices used in other organizations that obtain results you would like to duplicate

• Due Care or Due Diligence – implement a minimum level of security

failure to maintain a standard of due care can open an organization to legal liability – especially important if dealing with customer data

Relative Assessment (cont.)

• Best Practices – implement entire set of security controls as recommended for your industry / general public

‘best practices’ according to Microsoft:

use antivirus software

use strong passwords

verify your software security setting

update product security

build personal firewalls

back up early and often

protect against power surges and losses

• Gold Standard – implement controls beyond best practices – for those that strive to be ‘the best of the best’

Risk Assessment Methodologies

• Risk Assessment Methodology – set of procedures & activities that structure the risk assessment process

each methodology may be suitable (only) for certain situations and industries

because of various needs and various situations, a variety of risk assessment methodologies (tools) have been developed:

OCTAVE

FAIR

Microsoft Risk Management Approach

ISO Standard for Sec. Risk Management

Risk Assessment Methodologies (cont.)

• OCTAVE – Operationally Critical Threat, Asset, and Vulnerability Evaluation - developed by a research team from Carnegie Mellon

suite of tools, techniques and methods

uses a 3-phase approach to assemble a comprehensive picture of information security needs of an enterprise

Phase 1: Build Asset-Based Threat Profile

Key areas of expertise within the organization are examined, through a set of workshops with staff, to identify:

* important information assets

* threats to those assets

* security requirements of assets

* current protection strategies

* weaknesses in organizational policies and practice

Risk Assessment Methodologies (cont.)

• OCTAVE (cont.)

Phase 2: Identify Infrastructure Vulnerabilities

Key operational components of the IT infrastructure are examined for technical vulnerabilities.

Possible types of vulnerabilities:

* design vulnerabilities

* implementation vulnerability

* configuration vulnerability

Tools that can be used during this phase:

* file integrity checkers

* virus scanners

* system scanners

* network scanners / mappers

The network/system should be assessed from outside the enterprise, from inside the enterprise, and from individual subsystems within the enterprise

Risk Assessment Methodologies (cont.)

• OCTAVE (cont.)

Phase 3: Develop Security Strategy and Plans

Information generated in Phases 1 & 2 is analyzed to:

1) identify and evaluate risks based on their impact

2) develop protection strategy and mitigation plans

OCTAVE uses qualitative approach to evaluate risks as well as to evaluate their impact.

http://www.proceedings2006.imcsit.org/pliks/160.pdf

Risk Assessment Methodologies (cont.)

• OCTAVE (cont.)

Characteristics of OCTAVE:

Self-directed. A small team of the organization’s personnel (the analyst team) manages the process and analyzes all information.

Multidisciplinary Analyst Team. OCTAVE requires that the analyst team comprise representatives from both the mission-related and IT areas of the organization.

Workshop-Based Approach. A workshop-based approach for gathering information and making decisions is used. Analyst team members are the primary workshop facilitators.

Catalogs of Information. In all three phases, OCTAVE benchmarks the organization against catalogs of information: catalog of practices, threat profile, catalog of vulnerabilities.

Risk Assessment Methodologies (cont.)

• FAIR – Factor Analysis of Information Risk, by J. Jones

framework that aims to help organizations understand, analyze & measure information risk (the why and the how)

key components of FAIR framework:

Taxonomy of factors that make up information risk. (provides precise def. of asset, threat, vulnerability, risk)

Methods for measuring factors that derive info. risk. (measures of threat event frequency, vulnerability, loss)

Computational model for math. calculation of risk.

Simulation model that combines the above to build and analyze risk scenarios of any size or complexity.

can be used to strengthen risk analysis processes like OCTAVE

Risk Assessment Methodologies (cont.)

• FAIR Analysis Steps:

Identify Scenario Components

1. identify the asset at risk

2. identify the threat community under consideration

Evaluate Loss Event Frequency (LEF)

3. estimate the probable threat event frequency (TEF)

4. estimate the threat capability (TCap)

5. estimate control strength

6. derive vulnerability (Vuln)

7. derive loss event frequency (LEF)

Evaluate Probable Loss Magnitude (PLM)

8. estimate worst-case loss

9. estimate probable loss

Derive and Articulate Risk

10. derive and articulate risk

Risk Assessment Methodologies (cont.)

• FAIR Analysis Characteristics:

Quantitative – risk expressed in quantitative terms

Probabilistic – accounts for uncertainty

Intuitive – clear and ‘easy to follow’ logic/approach

Flexible – can be applied to any level of abstraction

Compatible with widely used security standards

Agnostic – can be applied to other (non-information) security disciplines

Familiar to Management – communicates in terms that are familiar and meaningful to management

Approved and reviewed by experts

Sophisticated – applies sophisticated scientific principles

Risk Assessment Methodologies (cont.)

Example: FAIR Risk Factoring (diagram)

Threat Event Frequency (TEF): the probable frequency, within a given timeframe, that a threat agent will act against an asset.

= Contact Frequency: the probable frequency, within a given timeframe, that a threat agent will come into contact with an asset.

X Probability of Action: the probability that a threat agent will act against an asset once contact occurs.
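The FAIR analysis steps (3 through 10) and the factoring diagram above describe a calculation chain: TEF = contact frequency x probability of action, vulnerability from threat capability against control strength, LEF = TEF x Vuln, and risk from LEF and loss magnitude. The following is an added example written for this page, not code from the lecture or from the FAIR standard, that runs that chain as a small Monte Carlo, which is how the "probabilistic" and "simulation model" characteristics listed above are realised. Every factor is a min / most-likely / max estimate sampled from a triangular distribution (a deliberate simplification of FAIR's PERT-based sampling), capability and control strength are treated as percentiles of the threat population so that Vuln = P(capability > control strength), and all numbers in the sample scenario are constructed.

```python
"""FAIR-style risk factoring, as an added example: TEF -> Vuln -> LEF -> loss.
Triangular sampling and the percentile model of capability vs. control
strength are simplifications chosen for this example; the scenario is constructed."""
import random
import statistics
from dataclasses import dataclass


@dataclass(frozen=True)
class Estimate:
    """A calibrated range: minimum, most likely, maximum."""
    low: float
    mode: float
    high: float

    def sample(self, rng: random.Random) -> float:
        if self.low == self.high:          # point estimate, nothing to sample
            return self.low
        return rng.triangular(self.low, self.high, self.mode)


def threat_event_frequency(contact_frequency: float, probability_of_action: float) -> float:
    """Step 3 and the factoring diagram: TEF = contacts per year x P(acts | contact)."""
    return contact_frequency * probability_of_action


def vulnerability(threat_capability: float, control_strength: float) -> float:
    """Steps 4-6: Vuln = P(threat capability > control strength). Both are
    percentiles of the threat population (0..1). One draw gives 0 or 1; the
    average over many draws is the probability."""
    return 1.0 if threat_capability > control_strength else 0.0


def loss_event_frequency(tef: float, vuln: float) -> float:
    """Step 7: LEF = TEF x Vuln."""
    return tef * vuln


@dataclass(frozen=True)
class Scenario:
    contact_frequency: Estimate      # contacts per year
    probability_of_action: Estimate  # 0..1
    threat_capability: Estimate      # percentile 0..1
    control_strength: Estimate       # percentile 0..1
    loss_per_event: Estimate         # dollars per loss event (probable loss magnitude)


def derive_risk(scenario: Scenario, trials: int = 10_000, seed: int = 1) -> dict:
    """Steps 8-10: sample every factor, combine, and articulate risk as annualized
    loss (LEF x loss magnitude) with a mean and a 10th/90th percentile band."""
    rng = random.Random(seed)
    vuln_draws, annual_losses = [], []
    for _ in range(trials):
        tef = threat_event_frequency(scenario.contact_frequency.sample(rng),
                                     scenario.probability_of_action.sample(rng))
        vuln = vulnerability(scenario.threat_capability.sample(rng),
                             scenario.control_strength.sample(rng))
        lef = loss_event_frequency(tef, vuln)
        vuln_draws.append(vuln)
        annual_losses.append(lef * scenario.loss_per_event.sample(rng))
    deciles = statistics.quantiles(annual_losses, n=10)
    return {
        "vulnerability": statistics.fmean(vuln_draws),
        "mean_annual_loss": statistics.fmean(annual_losses),
        "p10_annual_loss": deciles[0],
        "p90_annual_loss": deciles[-1],
    }


# Constructed scenario: an internet-facing service contacted often, with controls
# that stop roughly the weaker half of the threat population.
EXAMPLE = Scenario(
    contact_frequency=Estimate(20, 50, 100),
    probability_of_action=Estimate(0.05, 0.10, 0.20),
    threat_capability=Estimate(0.3, 0.6, 0.9),
    control_strength=Estimate(0.5, 0.5, 0.5),
    loss_per_event=Estimate(5_000, 20_000, 80_000),
)

if __name__ == "__main__":
    for key, value in derive_risk(EXAMPLE).items():
        print(f"{key:>18}: {value:,.2f}")
```

The output band rather than a single number is the point: the same inputs as ranges produce a vulnerability near 0.78 (the share of the sampled threat population stronger than the control) and an annual loss distribution whose 10th and 90th percentiles are far apart, which is the uncertainty a point-estimate ALE hides.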

Microsoft’s 10 Immutable Laws of Security

http://technet.microsoft.com/en-us/library/cc722487.aspx

Law #1: If a bad guy can persuade you to run his program on your computer, it's not your computer anymore!

Law #2: If a bad guy can alter the operating system on your computer, it's not your computer anymore!

Law #3: If a bad guy has unrestricted physical access to your computer, it's not your computer anymore!

Law #4: If you allow a bad guy to upload programs to your website, it's not your website any more!

Law #5: Weak passwords trump strong security.

Law #6: A computer is only as secure as the administrator is trustworthy.

Law #7: Encrypted data is only as secure as the decryption key.

Law #8: An out of date virus scanner is only marginally better than no virus scanner at all.

Law #9: Absolute anonymity isn't practical, in real life or on the Web.

Law #10: Technology is not a panacea.