Risk Management (Stephen S. Yau, CSE465-591, Fall 2006)

Page 1: Risk Management

Page 2: What is a risk?

[Figure: an information system "at risk", with a threat (attacker) on one side and a vulnerability on the other.]

Concepts revisited:
– A threat is a potential occurrence that can have an undesirable effect on the system's assets or resources.
– A vulnerability is a weakness that makes it possible for a threat to occur.
– A risk is a possible future negative event that may affect the successful operation of a system.
– A risk is not necessarily an ongoing problem, but it may become one.

Page 3: Threat Categories

• Unauthorized access threats
• Information compromise threats
• Information corruption threats
• Denial of service threats
• Software corruption threats
• Hardware corruption threats
• Hardware/software distribution threats
• Network-based threats

Page 4: Vulnerability Categories

• Probabilistic vulnerabilities
  – Caused by hardware failures, human actions and information problems in the operational environment
• Algorithmic vulnerabilities
  – Caused by design and implementation errors introduced during system development (both software and hardware)

Page 5: Identify Possible Risks

• What is at risk?
  – Product design documents
  – Customer information
  – Company's future plan
  – …
• What is the threat and where does it come from?
  – Who? (competitors, foreign agents, hackers)
  – Motivation (national security, money, fame, "fun")
  – Target (access confidential data, change data, deface, …)
  – Capabilities (intellect, equipment, money)
• What vulnerabilities can be exploited?
  – Technology
  – Process
  – Network
  – People

Page 6: Cost/Benefit Analysis

After identifying possible risks, a cost/benefit analysis needs to be performed, for the following reasons:
• It is infeasible, and sometimes impossible, to implement a perfectly secure system.
• Cost/benefit analysis helps identify the risks that are most likely to occur and those that would cause severe damage if they did.
• Some risks are always present (residual risk) but are highly unlikely to become a problem; or, even if they do become problems, they can easily be contained and resolved. These risks are treated as acceptable risks in a system.
• The results of cost/benefit analysis help allocate limited system resources to the areas that need them most.

Page 7: Risk Analysis

• A process to systematically identify assets, threats, and (potential) vulnerabilities in a system, and to address the following:
  – What is to be protected
  – What is threatening the system
  – How much time, effort, and money one is willing to spend
• Should be a continuous process over the life cycle of a system (design, implementation, testing, deployment, update and termination)
• Two basic types of risk analysis:
  – Quantitative and qualitative

Page 8: Quantitative Risk Analysis

Attempts to establish and maintain an independent set of risk metrics and statistics, including:
– Annualized loss expectancy (ALE): single loss expectancy multiplied by the annualized rate of occurrence.
– Probability: the chance, in a finite sample, that an event will occur, or that a specific loss value may be attained should the event occur.
– Control: a risk-reducing measure that acts to detect, prevent, or minimize the loss associated with the occurrence of a specified threat or category of threats.
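As an added worked example (not from the slides), the ALE definition above carried into a cost/benefit comparison of candidate controls. The risk, the controls and all dollar figures are constructed, and the "ALE before, minus ALE after, minus annual control cost" net-benefit formula is the standard extension of the slide's definition rather than something the slide states.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    """A quantified risk: single loss expectancy (SLE, dollars per incident)
    and annualized rate of occurrence (ARO, incidents per year)."""
    name: str
    sle: float
    aro: float

    def ale(self) -> float:
        """Annualized loss expectancy as defined on the slide: SLE x ARO."""
        return self.sle * self.aro


@dataclass(frozen=True)
class Control:
    """A risk-reducing measure: its annual cost and the fraction of SLE and
    ARO that remain once it is in place (1.0 = no effect on that factor)."""
    name: str
    annual_cost: float
    sle_factor: float = 1.0
    aro_factor: float = 1.0

    def residual_ale(self, risk: Risk) -> float:
        """ALE still expected with this control applied (the residual risk)."""
        return risk.sle * self.sle_factor * risk.aro * self.aro_factor


def net_annual_benefit(risk: Risk, control: Control) -> float:
    """Standard ALE-based cost/benefit figure (an assumption added here, not
    spelled out on the slide): ALE before the control, minus ALE after it,
    minus the control's annual cost. Positive means the control is worth
    more than it costs."""
    return (risk.ale() - control.residual_ale(risk)) - control.annual_cost


def recommend(risk: Risk, controls: list) -> tuple:
    """Pick the control with the best net benefit; when none pays for itself,
    accepting the risk is the cost-effective choice."""
    best = max(controls, key=lambda c: net_annual_benefit(risk, c))
    benefit = net_annual_benefit(risk, best)
    if benefit <= 0:
        return ("accept risk", 0.0)
    return (best.name, benefit)


# Constructed sample figures (not from the slides).
LAPTOP_THEFT = Risk("theft of an unencrypted laptop", sle=50_000.0, aro=2.0)
CONTROLS = [
    # Encryption does not stop thefts but removes most of the loss per theft.
    Control("full-disk encryption", annual_cost=8_000.0, sle_factor=0.05),
    # Cable locks deter a few opportunistic thefts.
    Control("cable locks only", annual_cost=500.0, aro_factor=0.9),
    # Near-total prevention, but far more expensive than the loss it avoids.
    Control("courier escort for every laptop", annual_cost=200_000.0, aro_factor=0.005),
]
```

With these figures the laptop risk carries an ALE of $100,000; full-disk encryption yields a net annual benefit of $87,000 while the escort option costs more than it saves, and a small, rare risk is left accepted.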

Page 9: Quantitative Risk Analysis (cont.)

Pros:
– Objective, independent process
– Solid basis for cost/benefit analysis
– Credibility for audit and management
– Useful for many kinds of reliability-related design questions (e.g., redundant servers), where threats and the likelihood of "events" can be easily measured

Page 10: Quantitative Risk Analysis (cont.)

Cons:
– Problems associated with unreliability and inaccuracy of data
– Probability can rarely be precise and, in some cases, can promote complacency
– Very time consuming, and costly to do correctly

Page 11: Qualitative Risk Analysis

• Most widely used approach to risk analysis
  – Probability data not required
  – Only the estimated potential loss is used
• Establishing classes of loss values (impact)
  – Insignificant, minor, moderate, major, catastrophic
  – Under $10K; between $10K and $100K; between $100K and $1M; between $1M and $50M; over $50M
  – Type of loss (e.g., compromise of credit card numbers, compromise of SSNs, compromise of highly personal data)

Page 12: Qualitative Risk Analysis (cont.)

• Establishing classes of likelihood of compromise
  – Almost certain, likely, moderate, unlikely, rare
• Levels of risk
  – Extreme
  – High
  – Moderate
  – Low
• Focusing effort on high-loss items

Page 13: Determine Risk Levels

Likelihood \ Impact | Insignificant | Minor    | Moderate | Major   | Catastrophic
Almost Certain      | High          | High     | Extreme  | Extreme | Extreme
Likely              | Moderate      | High     | High     | Extreme | Extreme
Moderate            | Low           | Moderate | High     | Extreme | Extreme
Unlikely            | Low           | Low      | Moderate | High    | Extreme
Rare                | Low           | Low      | Moderate | High    | Extreme
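As an added example (not part of the slides), the qualitative method of pages 11 to 13 in code: estimated losses are mapped to the slide's impact classes by its dollar bands, each likelihood/impact pair is looked up in the matrix above, and a small risk register is ranked so that effort goes to the high-loss items. The register entries and their loss figures are constructed; the band boundaries treat each upper bound as exclusive, which the slide leaves unstated.

```python
from dataclasses import dataclass

# Impact classes with their dollar-loss bands from the slide (upper bound exclusive).
IMPACT_BANDS = [
    (10_000, "Insignificant"),
    (100_000, "Minor"),
    (1_000_000, "Moderate"),
    (50_000_000, "Major"),
    (float("inf"), "Catastrophic"),
]
IMPACTS = [name for _, name in IMPACT_BANDS]

# The "Determine Risk Levels" matrix: row = likelihood class, column = impact class.
RISK_MATRIX = {
    "Almost Certain": ["High", "High", "Extreme", "Extreme", "Extreme"],
    "Likely": ["Moderate", "High", "High", "Extreme", "Extreme"],
    "Moderate": ["Low", "Moderate", "High", "Extreme", "Extreme"],
    "Unlikely": ["Low", "Low", "Moderate", "High", "Extreme"],
    "Rare": ["Low", "Low", "Moderate", "High", "Extreme"],
}
RISK_ORDER = {"Low": 0, "Moderate": 1, "High": 2, "Extreme": 3}


def impact_class(estimated_loss: float) -> str:
    """Map an estimated potential loss in dollars to its impact class."""
    for upper, name in IMPACT_BANDS:
        if estimated_loss < upper:
            return name
    raise ValueError(f"loss out of range: {estimated_loss!r}")


def risk_level(likelihood: str, impact: str) -> str:
    """Look up the risk level for a likelihood/impact pair; reject unknown classes."""
    if likelihood not in RISK_MATRIX:
        raise ValueError(f"unknown likelihood class: {likelihood!r}")
    if impact not in IMPACTS:
        raise ValueError(f"unknown impact class: {impact!r}")
    return RISK_MATRIX[likelihood][IMPACTS.index(impact)]


@dataclass(frozen=True)
class RegisterEntry:
    asset: str
    threat: str
    likelihood: str
    estimated_loss: float


def prioritize(entries):
    """Rate each entry as (asset, threat, impact, level), highest level first; ties keep input order."""
    rated = []
    for e in entries:
        impact = impact_class(e.estimated_loss)
        rated.append((e.asset, e.threat, impact, risk_level(e.likelihood, impact)))
    return sorted(rated, key=lambda r: RISK_ORDER[r[3]], reverse=True)


# Constructed sample register (not from the slides); assets echo the "what is at risk" slide.
SAMPLE_REGISTER = [
    RegisterEntry("customer database", "external break-in", "Likely", 5_000_000),
    RegisterEntry("product design documents", "insider leak", "Unlikely", 250_000),
    RegisterEntry("public web page", "defacement", "Almost Certain", 4_000),
    RegisterEntry("company future plan", "competitor espionage", "Rare", 75_000_000),
]
```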

Page 14: Qualitative Risk Analysis (cont.)

Pros:
– Easy to understand and carry out
– Does not depend on possibly inaccurate data

Cons:
– More subjective: depends on the person defining the classes of impact and likelihood of compromise
– Depends on historical experience and expertise

Page 15: Controls

Countermeasures for vulnerabilities:
– Deterrent controls reduce the likelihood of a deliberate attack
– Preventative controls protect vulnerabilities and make an attack unsuccessful or reduce its impact
– Corrective controls reduce the effect of an attack
– Detective controls discover attacks and trigger preventative or corrective controls
– Recovery controls restore lost computer resources or capabilities after security violations

Page 16: A Model of the Risk Analysis Process

[Diagram: boxes for Threat, Attack, Vulnerability and Impact, and for the Deterrent, Detective, Preventative and Corrective controls, joined by labelled arrows: "reduce likelihood of", "discovers", "triggers", "protects", "reduces", "results in", "decreases", "creates", "exploits". Read with the previous slide: the deterrent control reduces the likelihood of the attack; the detective control discovers the attack and triggers the preventative and corrective controls; the preventative control protects the vulnerability; the corrective control reduces the impact; the attack exploits the vulnerability.]

Page 17: Risk Management

• Concerned with preventing risks from becoming problems
• How to deal with the risks identified in the risk analysis
  – Old philosophy: risk avoidance. Do whatever you can to avoid risks.
  – New philosophy: risk management. Understand the risks and deal with them in an appropriate, cost-effective manner.

Page 18: Risk Management (cont.)

• Choices for each risk
  – Risk acceptance: tolerate risks with low impact or rare occurrence
  – Risk reduction (also called risk mitigation)
  – Risk transfer (to another entity): let others handle the risk
• Typically a combination of acceptance, reduction, and transfer is used for different risks

Page 19: Examples

Choice for risk   | Car theft risk               | Hacker break-in risk
Risk acceptance   | Deductibles on car insurance | Minimal security (delete all the spam emails)
Risk reduction    | Locks, alarms, GPS locator   | Strong security mechanisms (firewall, encryption, etc.)
Risk transfer     | Car insurance covering theft | Rely on the Internet Service Provider (ISP) to provide security guarantees

Page 20: Risk Management Process

• Step 1: System characterization
  – Input: hardware, software, system interfaces, system mission, people, data and information
  – Output: system boundary, system functions, system and data criticality and sensitivity
• Step 2: Threat identification
  – Input: attack history, data from intelligence agencies or mass media
  – Output: threat statement

Page 21: Risk Management Process (cont.)

• Step 3: Vulnerability identification
  – Input: prior risk assessment reports, audit comments, security requirements, security test results
  – Output: list of potential vulnerabilities
• Step 4: Control analysis
  – Input: current controls, planned controls
  – Output: evaluation results of current and planned controls

Page 22: Risk Management Process (cont.)

• Step 5: Likelihood determination
  – Input: threat-source motivation, threat capacity, nature of vulnerability, current controls
  – Output: likelihood rating
• Step 6: Impact analysis
  – Input: mission impact analysis, asset criticality assessment, data criticality and sensitivity
  – Output: impact rating
• Step 7: Risk determination
  – Input: likelihood of threat exploitation, magnitude of impact, adequacy of planned or current controls
  – Output: risks and associated risk levels

Page 23: Risk Management Process (cont.)

• Step 8: Control recommendations
  – Output: recommended controls
• Step 9: Results documentation
  – Output: a set of documents including risk identification, assessment, cost-effectiveness evaluation, suggested control list, etc.
  – A well-documented risk management process at one phase is also the starting point for the analysis at the next phase

Page 24: Risk Management Process (cont.)

• Step 10: System monitoring
  – Whether the system configuration has changed: new hardware installed, software updates, mission goal changed, etc.
  – Performance of controls: how many possible attacks have been prevented by controls; any failures or unwanted outcomes, etc.
• Restart the whole process from Step 1:
  – Periodically, as part of the system maintenance procedure
  – When the system configuration has changed, since the change may introduce new risks not covered during the last risk management process
  – When some controls fail to prevent a risk from turning into an attack

Page 25: Risk Management Process (cont.)

[Diagram: the ten steps arranged as a cycle, with step 10 feeding back into step 1.]
1. System Characterization
2. Threat Identification
3. Vulnerability Identification
4. Control Analysis
5. Likelihood Determination
6. Impact Analysis
7. Risk Determination
8. Control Recommendation
9. Results Documentation
10. System Monitoring
