The CORAS method for security risk analysis

Similar documents
The CORAS Model-based Method for Security Risk Analysis

Risk-driven Security Testing versus Test-driven Security Risk Analysis

Security Analysis Part I: Basics

Effort-dependent technologies for multi-domain risk-based security testing (DIAMONDS 1 )

BCS IT User Syllabus IT Security for Users Level 2. Version 1.0

Computer Security Maintenance Information and Self-Check Activities

NIST National Institute of Standards and Technology

The Influence of Software Vulnerabilities on Business Risks 1

INFORMATION SECURITY RISK ANALYSIS A MATRIX-BASED APPROACH

OCT Training & Technology Solutions Training@qc.cuny.edu (718)

Working Practices for Protecting Electronic Information

THE OPEN UNIVERSITY OF TANZANIA

System Administrator Guide

DOMAIN SPECIFIC SIMULATION LANGUAGE FOR IT RISK ASSESSMENT

Personal Information Protection Act Information Sheet 11

Entire contents 2011 Praetorian. All rights reserved. Information Security Provider and Research Center

Threat Modeling: The Art of Identifying, Assessing, and Mitigating security threats

Endpoint Protection Small Business Edition 2013?

How to Justify Your Security Assessment Budget

ITS425: Ethical Hacking and Penetration Testing

ITS425: Ethical Hacking and Penetration Testing

Belmont Savings Bank. Are there Hackers at the gate? 2013 Wolf & Company, P.C.

Information Security Team

A PRACTICAL APPROACH TO INCLUDE SECURITY IN SOFTWARE DEVELOPMENT

Cyber Security Metrics Dashboards & Analytics

Quick Start. Installing the software. for Webroot Internet Security Complete, Version 7.0

Network Segmentation

Network Test Labs Inc Security Assessment Service Description Complementary Service Offering for New Clients

44-76 mix 2. Exam Code:MB Exam Name: Managing Microsoft Dynamics Implementations Exam

CHAPTER 1 INTRODUCTION

Malware, Spyware, Adware, Viruses. Gracie White, Scott Black Information Technology Services

Course: Information Security Management in e-governance

Towards Definition of Secure Business Processes

ARCHITECTURE DESIGN OF SECURITY SYSTEM

HoneyBOT User Guide A Windows based honeypot solution

MEASURES TO ENHANCE MARITIME SECURITY. Industry guidelines on cyber security on board ships. Submitted by ICS, BIMCO, INTERTANKO and INTERCARGO

Workstation Management

Contents. McAfee Internet Security 3

BUILDING A SECURITY OPERATION CENTER (SOC) ACI-BIT Vancouver, BC. Los Angeles World Airports

Windows 7. Qing Liu Michael Stevens

Computer Maintenance Guide

Faculty/Fellows Computer Orientation at DCRI FREQUENTLY ASKED QUESTIONS

10- Assume you open your credit card bill and see several large unauthorized charges unfortunately you may have been the victim of (identity theft)

VULNERABILITY MANAGEMENT AND RESEARCH PENETRATION TESTING OVERVIEW

Connect Smart for Business SME TOOLKIT

Risk Management: Coordinated activities to direct and control an organisation with regard to risk.

Penetration Testing. Presented by

National Cyber Security Month 2015: Daily Security Awareness Tips

Combining Security Risk Assessment and Security Testing Based on Standards

Temple university. Auditing a business continuity management BCM. November, 2015

What you need to know to keep your computer safe on the Internet

Design Authorization Systems Using SecureUML

Welcome to Part 2 of the online course, Spyware and Adware What s in Your Computer?

An approach for evaluating methods for risk and vulnerability assessments

The Importance of Cybersecurity Monitoring for Utilities

Security Alarm Systems

A Modeling Ontology for Integrating Vulnerabilities into Security Requirements Conceptual Foundations

How-To Guide: Cyber Security. Content Provided by

Stellenbosch University. Information Security Regulations

Ricoh HotSpot Printer/MFP Whitepaper Version 4_r4

Hackers: Detection and Prevention

Maintaining, Updating, and Protecting Windows 7

Dealing with risk. Why is risk management important?

Oracle Service Bus Examples and Tutorials

Librarian. Integrating Secure Workflow and Revision Control into Your Production Environment WHITE PAPER

Joint Universities Computer Centre Limited ( JUCC ) Information Security Awareness Training- Session Four

for Critical Infrastructure Protection Supervisory Control and Data Acquisition SCADA SECURITY ADVICE FOR CEOs

MEDICAL DEVICE Cybersecurity.

Protecting personally identifiable information: What data is at risk and what you can do about it

Computer Security: Principles and Practice

Preparing Your Personal Computer to Connect to the VPN

TDDC88 Lab 2 Unified Modeling Language (UML)

THREAT MODELLING FOR WEB SERVICES BASED WEB APPLICATIONS

PROTECTING YOUR DIGITAL LIFE

The Importance of a Data Backup and Disaster Recovery Plan

Capstone Project Putting It All Together

WHITE PAPER AUTOMATED, REAL-TIME RISK ANALYSIS AND REMEDIATION

white SECURITY TESTING WHITE PAPER

Transcription:

The CORAS method for security risk analysis ESSCaSS 2008 NODES Tutorial 28/8-08 Heidi E. I. Dahl SINTEF

Norwegian research group with 2000 employees from 55 different countries More than 90 percent of our earnings come from contracts for industry and the public sector, and from project grants from the Research Council of Norway Research divisions Health Research Technology and Society Materials and Chemistry Building and Infrastructure Marine Petroleum and Energy SINTEF Foundation Limited companies 2

SINTEF > Cooperative and Trusted Systems > Quality and Security Technology Model based security analysis Model driven security architecture Trust management Tools for analysis and documentation Empirical research on methods and tools to build secure systems Security risk analysis CORAS Method Language (textual syntax, semantics, calculus) Usability and Security 3

Outline Security risk analysis An example driven introduction to the CORAS method CORAS resources 4

The example A PhD student is worried about losing the work she has done on her thesis The Big Corporation funding her work is worried that sensitive business information will reach its competitors They decide to do a security risk analysis to determine whether the risk level is acceptable 5

Why do we analyse security risks? asset, something of value vulnerability reduced risk level threat constitutes a security risk we need to introduce security mechanisms 6

75 % of all sensitive data losses are caused by human error Taking Action to Protect Sensitive Data, IT Policy Compliance Group, 2007 7

SINTEF researcher Analyst BC thesis advisor Ann Decision maker System user Security expert BC security expert System developer 8

The CORAS method Model based method for security risk analysis that provides a customized graphical language for threat and risk modelling a diagram editor detailed guidelines explaining how the language should be used to capture and model relevant information during the various stages of the security analysis CORAS has been developed through both empirical investigations and a series of industrial field studies (projects financed by the Norwegian Research Council and the EU) is based on international standards for risk management (e.g. AS/NZS 4360:2004) 9

The standard analysis process Establish the context Identify risks Analyse risks Evaluate risks Treat risks from the Australian Risk Management Standard AS/NZS 4360:2004 10

Elements of the analysis Vulnerability Analysis context Treatment Threat Target Asset Risk Unwanted incident Likelihood Consequence 11

The CORAS method 12

Introductory meeting Introduce the analysis method Gather information from the client about the target of analysis and the desired focus and scope. Decision makers Technical expertise (optional) 13

Introductory meeting Agenda A short introduction to CORAS The client presents the target of analysis A discussion of the focus and scope of the analysis 14

Client s presentation of target Ann Onymous PhD student in Computer Science Uses data from Big Corporation (BC) Works in her office at the university and at home At the university Shares an office with another PhD student Works on laptop in docking station Wired internet At home Lives with her boyfriend Brings her laptop home with her or uses shared computer Wireless internet 15

Focus and scope The focus of the analysis is data security, in terms of business sensitive data from BC and the PhD thesis itself. The scope is data security at home and at work. We do not consider risks involved in transporting the data. 16

Output from the introductory meeting Informal description of the target Necessary system documentation Contract between Ann and BC IT security guidelines at the university Security measures in place at home and at the university A sketch of Ann s work habits A short statement of the focus and scope of the analysis 17

High-level analysis Ensure that the analysts and the client have a common understanding of the target of analysis Determine the assets that will focus the analysis Get an overview of the client s initial concerns Decision makers Technical expertise 18

High-level analysis Agenda The analysts presents a description of the target of analysis The client corrects errors and misunderstandings Asset identification High-level analysis 19

System description Home computer Check email Internet browsing Trying new software File sharing Boyfriend Ann Writing PhD thesis 20

Asset identification We use an asset diagram to model the parties involved in the analysis, which assets they want to protect, and whether harm to one asset may cause harm to any of the others. 21

Asset diagram 22

High-level analysis Who/what is the cause? Ann Laptop Hacker How? What may happen? What does it harm? Deletes the thesis by mistake Crashes and the last hours work is lost Gains access to business sensitive information and sells it to competitor What makes this possible? No backup Old laptop Lack of security at home 23

Output from the high-level analysis meeting Asset diagram Preliminary list of unwanted incidents 24

Approval Arrive at an approved target description Decide which risk levels are acceptable for each asset Decision makers (important) Technical expertise 25

Approval Agenda The target description and assets are approved by the client Consequence scales Likelihood scale Risk evaluation criteria 26

Likelihood scale Likelihood 1 rarely 2 sometimes 3 regularly 4 often 27

Consequence scale Consequence (PhD thesis and Business sensitive information) 1 harmless 2 moderate 3 serious 4 catastrophic 28

Risk matrix Risk matrix (PhD thesis and Business sensitive information) c \ l rarely sometimes regularly often harmless moderate serious catastrophic 29

Output from the approval meeting Approved target description Likelihood and consequence scales Risk matrices 30

Risk identification Create an overview of the risk picture, i.e. how threats may exploit vulnerabilities to cause unwanted incidents that cause damage to the assets. Technical expertise Users 31

Risk identification Agenda Model risks in threat diagrams 32

Modelling risks in threat diagrams We use threat diagrams to model threats, what we fear they may do to our assets, how it happens and which vulnerabilities makes this possible. Threat (deliberate) Threat scenario [likelihood] Threat (accidental) Threat (non-human) Unwanted incident [likelihood] Vulnerability Asset 33

What are the threats? Hacker Business sensitive information Ann PhD thesis Home computer 34

What do we fear will happen? Competitor uses business sensitive information strategically Hacker Business sensitive information is published in national newspaper Business sensitive information Ann Home computer All work on thesis is lost A day s worth of work on the thesis is lost PhD thesis 35

How does it happen? Ann s boyfriend Hacker Ann Home computer Boyfriend runs file sharing application on home computer Ann installs software that contains spyware on her laptop Boyfriend shares folder with business sensitive information Hacker gains access to Ann s laptop Computer components fails Spyware crashes computer Hacker copies all data from laptop Hacker deletes all files in My documents Competitor uses business sensitive information strategically Business sensitive information is published in national newspaper All work on thesis is lost A day s worth of work on the thesis is lost Business sensitive information PhD thesis 36

Which vulnerabilities makes this possible? 37

Risk estimation Estimate the current risk level Decision makers Technical expertise Users 38

Risk estimation Agenda Assign likelihoods to each unwanted incident Assign consequences to each impact relation 39

Assigning likelihoods and consequences Ann s boyfriend Hacker Ann Home computer Boyfriend runs file sharing application on home computer Unaware of spyware No firewall Old components Complicated file sharing preferences Ann installs software that contains spyware on her laptop Boyfriend shares folder with business sensitive information Hacker gains access to Ann s laptop Computer components fails Spyware crashes computer Hacker copies all data from laptop Hacker deletes all files in My documents No backup of thesis files Competitor uses business sensitive information strategically Business sensitive information is published in national newspaper All work on thesis is lost A day s worth of work on the thesis is lost Business sensitive information PhD thesis 40

Assigning likelihoods and consequences Hacker deletes all files in My documents [rarely] All work on thesis is lost [sometimes] 4 Spyware crashes computer [sometimes] No backup of thesis files A day s worth of work on the thesis is lost [sometimes] 2 PhD thesis Computer components fails [rarely] 41

Completed threat diagram 42

Risk evaluation Evaluating which risks are acceptable and which are not. Give an overview of the risks. Decision makers 43

Risk evaluation Agenda Enter the risks in the risk matrix Summarize the risk picture in risk diagrams 44

Are the risks acceptable? Risk matrix (PhD thesis and Business sensitive information) harmless c \ l rarely sometimes regularly often moderate serious BS info is published in national newspaper catastrophic Competitor uses BS info strategically A day s worth of work on the thesis is lost All work on thesis is lost 45

Summarizing the risk picture We use risk diagrams to show how threats pose risks to the assets. 46

Risk diagrams 47

Risk treatment Getting an overview of potential treatments of the unacceptable risks. Decision makers Technical expertise Users 48

Risk treatment Agenda Add treatments to the threat diagrams Add treatments to risk diagrams 49

Adding treatments to the threat diagrams Threat (deliberate) Threat (accidental) Threat (non-human) Vulnerability Asset Threat scenario [likelihood] Unwanted incident [likelihood] Risk Treatment scenario 50

What can we do to reduce the risks to an acceptable level? 51

Treatment overview diagram Install firewall Ann s boyfriend Hacker R1: Competitor uses business sensitive information strategically Business sensitive information Restrict sharing on home computer Ann Home computer Spyware awareness course R3: All work on thesis is lost PhD thesis Do regular backups of thesis files 52

Executive summary The focus of the security risk analysis is data security, in terms of business sensitive data from BC and the PhD thesis itself. The scope is data security at home and at work. We do not consider risks involved in transporting the data. The unacceptable risks that were uncovered were R1: Competitor uses business sensitive information strategically R3: All work on thesis is lost In order to reduce the risks to an acceptable level, the following treatments were suggested: Restrict sharing on home computer Install firewall Spyware awareness course Do regular backups of thesis files 53

Resources: http://coras.sourceforge.net/ Downloads The CORAS diagram editor The CORAS icons (Visio stencil, PNG, SVG) Publications: Folker den Braber, Ida Hogganvik, Mass Soldal Lund, Ketil Stølen, and Fredrik Vraalsen. Model-based security analysis in seven steps a guided tour to the CORAS method. BT Technology Journal, 25(1): 101 117, 2007. Ida Hogganvik. A graphical approach to security risk analysis. PhD thesis, Faculty of Mathematics and Natural Sciences, University of Oslo, 2007. Heidi E. I. Dahl and Ida Hogganvik and Ketil Stølen. Structured semantics for the CORAS security risk modelling language. Technical report STF07 A970, SINTEF Information and Communication Technology, 2007. 54

Questions? Heidi E. I. Dahl heidi.dahl@sintef.no

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information