Risk Assessment for Security Economics

Similar documents
Joint Universities Computer Centre Limited ( JUCC ) Information Security Awareness Training- Session Two

RISK ASSESSMENT GUIDELINES

Security+ Guide to Network Security Fundamentals, Third Edition Chapter 9 Performing Vulnerability Assessments

A Practical Approach to Threat Modeling

security policy Purpose The purpose of this paper is to outline the steps required for developing and maintaining a corporate security policy.

Project Risk Management

Guide to Vulnerability Management for Small Companies

Chapter 6: Fundamental Cloud Security

PASTA Abstract. Process for Attack S imulation & Threat Assessment Abstract. VerSprite, LLC Copyright 2013

STANDARD. Risk Assessment. Supply Chain Risk Management: A Compilation of Best Practices

IT - General Controls Questionnaire

S 2 ERC Project: A Review of Return on Investment for Cybersecurity. Author: Joe Stuntz, MBA EP 14, McDonough School of Business.

Information Security Training for SysAdmins. Center for Education and Research in Information Assurance and Security, Purdue University

Penetration Testing Service. By Comsec Information Security Consulting

HIPAA Security. 6 Basics of Risk Analysis and Risk Management. Security Topics

Cybersecurity and internal audit. August 15, 2014

A Risk Assessment Methodology (RAM) for Physical Security

UF IT Risk Assessment Standard

Joint Universities Computer Centre Limited ( JUCC ) Information Security Awareness Training- Session Two Information Security in Universities

Cisco Advanced Services for Network Security

Threat Modeling. Categorizing the nature and severity of system vulnerabilities. John B. Dickson, CISSP

Security Controls for the Autodesk 360 Managed Services

System Security Plan University of Texas Health Science Center School of Public Health

The Second National HIPAA Summit

SECURITY RISK MANAGEMENT

QUANTITATIVE MODEL FOR INFORMATION SECURITY RISK MANAGEMENT

INTRUSION DETECTION SYSTEMS and Network Security

Measuring the Return on IT Security Investments. White Paper Intel Information Technology Computer Manufacturing Information Security

Regulations on Information Systems Security. I. General Provisions

Information Technology Security Training Requirements APPENDIX A. Appendix A Learning Continuum A-1

Domain 5 Information Security Governance and Risk Management

Network Security and the Small Business

Supplier Security Assessment Questionnaire

Nuclear Security Requires Cyber Security

Microsoft Services Premier Support. Security Services Catalogue

Fear Not What Security Can Do to Your Firm; Instead, Imagine What Your Firm Can Do When Secured!

APPLICATION THREAT MODELING

Top Three POS System Vulnerabilities Identified to Promote Data Security Awareness

HIPAA Security. assistance with implementation of the. security standards. This series aims to

An Information Security and Privacy Perspective for Procurement Services Projects

IBM Managed Security Services Vulnerability Scanning:

Security Risk Assessment

Security Solutions to Meet NERC-CIP Requirements. Kevin Staggs, Honeywell Process Solutions

Managed Security Services

HIPAA Security Alert

Information Technology Branch Access Control Technical Standard

SCP - Strategic Infrastructure Security

Advanced Endpoint Protection Overview

2. From a control perspective, the PRIMARY objective of classifying information assets is to:

Information Security for Modern Enterprises

Security Standards Workshop: An Overview From Risk Assessment to Proposed Policies

CRISC Glossary. Scope Note: Risk: Can also refer to the verification of the correctness of a piece of data

Security Defense Strategy Basics

Server Protection Policy 1 1. Rationale 1.1. Compliance with this policy will help protect the privacy and integrity of data created by and relating

Attack Graph Techniques

Negative Risk. Risk Can Be Positive. The Importance of Project Risk Management

Achieving Truly Secure Cloud Communications. How to navigate evolving security threats

Information Technology Engineers Examination. Information Security Specialist Examination. (Level 4) Syllabus

Lab 1: Security Audit

A REVIEW OF METHODS FOR SECURING LINUX OPERATING SYSTEM

COMMONWEALTH OF PENNSYLVANIA DEPARTMENT S OF PUBLIC WELFARE, INSURANCE AND AGING

Developing the Corporate Security Architecture. Alex Woda July 22, 2009

Four Top Emagined Security Services

The Business Case for Security Information Management

Risk Management Handbook

Oil and Gas Industry A Comprehensive Security Risk Management Approach.

defending against advanced persistent threats: strategies for a new era of attacks agility made possible

THE TOP 4 CONTROLS.

Network Detective. HIPAA Compliance Module RapidFire Tools, Inc. All rights reserved V

Cyber Security Risk Mitigation Checklist

VMware vcloud Air HIPAA Matrix

Database Security Guideline. Version 2.0 February 1, 2009 Database Security Consortium Security Guideline WG

Procedure Title: TennDent HIPAA Security Awareness and Training

CONTENTS. PCI DSS Compliance Guide

NETWORK AND CERTIFICATE SYSTEM SECURITY REQUIREMENTS

Threat Modeling. Frank Piessens ) KATHOLIEKE UNIVERSITEIT LEUVEN

State of Vermont. Physical Security for Computer Protection Policy

How to Build a Security Dashboard

Database Auditing: Best Practices. Rob Barnes, CISA Director of Security, Risk and Compliance Operations

Appalachian Regional Commission Evaluation Report. Table of Contents. Results of Evaluation Areas for Improvement... 2

Enterprise Cybersecurity Best Practices Part Number MAN Revision 006

Computer Security: Principles and Practice

Quick Reference Guide Interactive PDF Project Management Processes for a Project

This means that any user from the testing domain can now logon to Cognos 8 (and therefore Controller 8 etc.).

Transcription:

Daniele Spagnulo Risk Assessment for Security Economics Workshop on Security Frameworks "Security Assurance 16th December 2005 Dipartimento di Matematica ed Informatica Università di Catania

What is IT? IT : Short for Information Technology, and pronounced as separate letters,, the broad subject concerned with all aspects of managing and processing information, especially within a large organization or company. Because computers are central to information management, computer departments within companies and universities are often called IT departments. Business requirements: preserve IT Systems Data from damages involved in 1. Integrity = Unauthorized People cannot modifiy System s Information; 2. Availability = System is always operative and functional; 3. Privacy = Unauthorized People cannot approach System s Information; Security Frameworks 2005 2

We could reach this aim through Security Risk Analysis: a process to ensure that the security controls for an IT system are fully commensurate with its risks. Security Risk Analysis Risk Management (Business) Information Security Risk Management Security Frameworks 2005 3

Today s Main Topics Information Security Risk Management; Risk Management Methodologies; Attack Trees, Vulnerability Trees,, Fault Trees and Event Trees; Attack Scenery Analysis through Attack Trees ; Security Frameworks 2005 4

Information Security Risk Management Aim: watching over business in order to identify IT risks and trying to managing them in order to cut down impact s consequences. Risk Assessment Information Security Risk Management Risk Mitigation Evaluation and Assessment Security Frameworks 2005 5

Risk Assessment Asset (def.): Any real or personal property, tangible or intangible, that a company or individual owns that can be given or assigned a monetary value. Intangible property includes things such as goodwill, proprietary information, and related property. Security Frameworks 2005 6

Risk Assessment Phase 1 System Features Analysis Phase 2 Phase 3 Threats Vulnerabilities Identification Identification Phase 6 Phase 5 Impact Threat Impact Analysis Analysis Phase 4 Controls Analysis Phase 7 Risks Determination Phase 8 Phase 9 Controls Final Recommendation Documentation Security Frameworks 2005 7

Risk Assessment: Sources of Threats Security Frameworks 2005 8

Risk Mitigation (def.): the process of evaluating and implementing recommended controls as a result of the previuous phase of Risk Assessment, giving necessary support to Management planning the budget and executing controls Risk mitigation possible strategies: 1. Risk Assumption; 2. Risk Elimination; 3. Risk Restriction; 4. Risk Planning; 5. Research And Comprehension; 6. Risk Transfer; Security Frameworks 2005 9

Risk Mitigation Phase 1 Actions Prioriting Phase 2 Phase 3 Recommended Controls Evaluation CBA Analysis Phase 6 Phase 5 Safeguard Plan Responsibilities Developing Assignment Phase 4 Controls Selection Phase 7 Selected Controls Implementation Security Frameworks 2005 10

Risk Mitigation: Most used Countermeasures Security Frameworks 2005 11

Risk Evaluation and Assessment IT Systems are often modified; System Conditions are changed; We need another Risk Assessment Process?... NO! We have just to evaluate periodically system risks in order to adapt necessary changes to applied countermeasures Security Frameworks 2005 12

Risk Management Methodologies Three kind of approach: Qualitative ; Quantitative; Hybrid; Security Frameworks 2005 13

Qualitative Approach Simple and Flexible; No Technical Knowledge required; Use of Interviews to define value and risk run for each asset; Risk/Value High,Medium,Low ; Useful tools: Risks Matrix Final aim? Outline possible attack sceneries Security Frameworks 2005 14

Quantitative Approach Numeric evaluation of assets; Technical Knowledge required; Use of indexes to define correct forecast inherent the system; Risk/Value EF,SLE,ARO,ALE,ROSI,ROA, Cost/Benefits Analysis; Final aim? Outline possible attack sceneries Security Frameworks 2005 15

Quantitative Approach Exposure Factor (EF): (EF): The proportion of an asset's valuethatislikelytobedestroyedbya particularrisk, expressed as a percentage. Single Loss Expectancy (SLE): (SLE): The Single Loss Expectancy (SLE) is the expected monetary loss every time a risk occurs. The Single Loss Expectancy, Asset Value (AV), and exposure factor (EF) are related by the formula: SLE = AV * EF Security Frameworks 2005 16

Quantitative Approach Annualized Rate of Occurence (ARO): The probability that a risk will occur in a particular year. Annualized Loss Expectancy (ALE): (ALE): The Annualized Loss Expectancy (ALE) is the expected monetary loss that can be expected for an asset due to a risk over a one year period. It is defined as: ALE = SLE * ARO where SLE is the Single Loss Expectancy and ARO is the Annualized Rate of Occurrence. Security Frameworks 2005 17

Quantitative Approach Security Frameworks 2005 18

Quantitative Approach Costs/Benefits Analysis: It could be executed using three indexes 1. ALE (prior) : ALE before applying countermeasures; 2. ALE (post) : ALE with in force countermeasures; 3. Annualized Cost of Safeguard (ACS) : countermeasures total cost; CBA = ALE (prior) ALE (post) - ACS Security Frameworks 2005 19

Quantitative Approach Return on Security Investment (ROI/ROSI): It s a gauge used to evaluate investment rendering and to compare other alternatives ROI = CBA/ACS ROSI = (Risk Exposure * % Risk Mitigated) SC/SC Return on Attack (ROA): It s a gauge used from attackers to evaluate attacks profit ROA= gain from successful attack / cost before S + loss caused by S Security Frameworks 2005 20

Fault Tree Analysis fault tree analysis (a.k.a. fault analysis) offers the ability to focus on an event of importance, such as a highly critical safety issue, and work to minimize its occurrence or consequence. Fault tree analyses are performed using a top-down approach. The resulting fault tree diagram is a graphical representation of the chain of events in your system or process, built using events and logical gate configurations. Aid Squad Failed Workers Cannot Escape Workers Trapped Into flames Flames near workers Alarm Failed Security Frameworks 2005 21

Event Trees An event tree is a visual representation of all the events which can occur in a system. Event trees can be used to analyze systems in which all components are continuously operating, or for systems in which some or all of the components are in standby mode. The starting point (referred to as the initiating event) disrupts normal system operation. The event tree displays the sequences of events involving success and/or failure of the system components. Security Frameworks 2005 22

Vulnerability Trees Vulnerability trees are hierarchy trees constructed as a result of the relationship between one vulnerability and other vulnerabilities and/or steps; A threat agent has to carry out in order to reach the top of the tree; The top of the tree is known as the top vulnerability and we will symbolise it with a capital V. Thereare a largenumberof ways that such a top vulnerability can be exploited. Each of these ways will constitute a branch of the tree. The branches will be constructed by child vulnerabilities. A zone B zone G C F Security Frameworks 2005 23 H D A B E

Attack Trees Structured attack scenarios against a system organized in a tree structure; Root node represents a main goal, child nodes are subgoals that must be achieved to accomplish higher level goals; A given system is likely to have many attack trees associated with its operation; A set of attack trees is referred to as an attack forest; And/Or structure;

Attack Trees Open Safe Break lock Know code Hole in The wall Steal safe Written in A note Given by a Person Menace Blackmail Eavesdrop Corrupt Extort code Snooping talks Security Frameworks 2005 25

Attack Trees Open Safe 10.000 Break lock 30.000 Know code 20.000 Hole in The wall 10.000 Steal safe 100.000 Written in A note 75.000 Given by a Person 20.000 Menace 60.000 Blackmai 100.000 l Eavesdrop 60.000 Corrupt 20.000 Extort Code 20.000 Snooping Talks 40.000 Security Frameworks 2005 26

Attack Scenery Analysis Analysing Sceneries Attack we ll follow these simple steps 1. Attack Strategies Recognizing; 2. Countermeasures Recognizing; While to examine various points of view analysing Attack Sceneries we ll folow these steps: 1. Attack Tree Labelling; 2. Countermeasures Labelling; Security Frameworks 2005 27

Attack Strategies Recognizing Attacker s Aim: Steal data from a server Steal Data Steal Saved Data Steal Server Phisically Let s develop separately these childs Security Frameworks 2005 28

Attack Strategies Recognizing Steal Saved Data Obtain a Login Have a Login Attack Remotely Steal to an User Corrupt an User Exploit DB Vulnerability Exploit Mail Vulnerability Steal Server Phisically Break into building Break through Door Escape unobserved Break into building Obtain keys Escape unobserved Security Frameworks 2005 29

Countermeasures Recognizing Steal Saved Data Obtain a Login Have a Login Attack Remotely Steal to an User Corrupt an User Resp. Redistr. Exploit DB Vulnerability Exploit Mail Vulnerability Change Password Change Password Motivate Workers System Update Antivirus Shutdown Pc After use Add Auth Mechanism Check Script Validation Block Susp. Attachments Add Auth Mechanism Resp. Redistr. Content Separation Resp. Redistr. Motivate workers Security Frameworks 2005 30

Countermeasures Recognizing Steal Server Phisically Break into building Break through Door Escape unobserved Break into building Obtain keys Escape unobserved Install Cameras Install Armoured door Install Cameras Install Cameras Magnetic lock Install cameras policeman policeman policeman policeman Security Frameworks 2005 31

Business Point of View Attack Tree Labelling: 1. Study tree in order to define best investments and to preserve assets; 2. Use of labels in order to evaluate tree in a quantitative way (AV,EF,ARO) nodes: SLE and ALE calculations depends only on EF and ARO values involved in the node itself; Attacks described by AND nodes: SLE and ALE calculations depends on EF and ARO values involved with the actions under the AND node; 3. Attacks described by OR nodes 4. Attacks

Business Point of View A AV EFb AROb B SLEb ALEb EFc AROc C SLEc ALEc D E Security Frameworks 2005 33

Business Point of View Attack EF ARO SLE ALE Steal Data + Steal Root Perm. 100% 0,09 100.000 9.000 Steal Saved Data + Corrupt to gain Root Perm. Steal Saved Data + Root Perm. Steal Saved Data + Remote Attack (DB) Steal Saved Data + Remote Attack (DB) 100% 0,09 100.000 9.000 100% 0,40 100.000 40.000 90% 0,08 90.000 7.200 85% 0,68 85.000 57.800 Security Frameworks 2005 34

Business Point of View Countermeasures Labelling: 1. Study tree in order to define best defense sceneries; 2. Use of labels in order to evaluate best countermeasures (% Risk Mitigated, Cost of Investment,ROSI); 3. Countermeasures described by OR nodes: ROSI calculated for each countermeasure; ROSI is 4. Countermeasures described by AND nodes: ROSI calculated for each countermeasure s combination; ROSI is Security Frameworks 2005 35

Business Point of View A B C %RM1 Cost1 %RM2 Cost2 1 2 ROSI1 ROSI2 %RM3 Cost3 D 3 E %RM4 Cost4 4 ROSI 3,4 ROSI 3,5 %RM5 Cost5 5 Security Frameworks 2005 36

Business Point of View Countermeasure ALE %RM Cost ROSI Change Password 9.000 60% 500 9,80 Shutdown Pc after use 9.000 10% 100 8,00 Responsibility Redistribution 40.000 50% 15.000-0,70 System Update 7.200 90% 2.500 1,59 Antivirus 57.800 80% 2.000 22,10 Security Frameworks 2005 37

Attacker Point of View Attack Tree Labelling: 1. Study tree in order to define the expect profit gained from successful attacks; 2. Use of labels in order to evaluate Attack s cost (Gain,Cost Cost) 3. Attacks described by OR nodes: Cost Cost calculation depends only on Cost values involved in the node itself; 4. Attacks described by AND nodes: Cost Cost calculation depends on Cost values involved with the composing nodes; Security Frameworks 2005 38

Attacker Point of View A AV B CostB C CostC = CostD + CostE CostD D E CostE Security Frameworks 2005 39

Attacker Point of View Attack Cost Steal Data + Steal Root Perm. 3.000 Steal Saved Data + Corrupt to gain Root Perm. 10.000 Steal Saved Data + Root Perm. 0 Steal Saved Data + Remote Attack (DB) 2.000 Steal Saved Data + Remote Attack (DB) 1.000 Security Frameworks 2005 40

Attacker Point of View Countermeasures Labelling: 1. Study tree in order to define best attack strategies; 2. Use of labels in order to evaluate gain expected from a successful attack (loss,roa); 3. Countermeasures described by OR nodes: ROA calculated for each countermeasure; ROA is 4. Countermeasures described by AND nodes: ROA calculated for each countermeasure s combination; ROA is Security Frameworks 2005 41

Attacker Point of View A B C loss1 loss2 1 2 ROA1 ROA2 loss3 D 3 E loss4 4 ROA 3,4 ROA 3,5 loss5 5 Security Frameworks 2005 42

Attacker Point of View Countermeasure Cost Loss ROA Change Password 3.000 1.000 7,50 Add Authentication Mechanism 10.000 1.500 2,60 Responsibility Redistribution 0 700 42,85 System Update 2.000 2.500 6,67 Antivirus 1.000 1.500 12,00 Security Frameworks 2005 43

Conclusions Possible future works: 1. Developing a new method involved with ARO evaluation; 2. Add a new index to ROA regarding a possible Attack Opposite Exposition; 3. Developing economical studies to underline the most exploited vulnerabilities;

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information