Security Risk Management

CSE 4482
Computer Security Management:
Assessment and Forensics
Security
Risk Management
Instructor: N. Vlajic,
Fall 2013
Required reading:
Management of Information Security (MIS), by Whitman & Mattord
Chapter 8
Chapter 9
Learning Objectives
Upon completion of this material, you should be able to:
• Define risk management and its role in an organization.
• Use risk management techniques to identify and prioritize risk factors for information assets.
• Assess risk based on the likelihood of adverse events and the effect on information assets when events occur.
• Document the results of risk identification.
A true story …
A company suffered a catastrophic
loss one night when its office burned
to the ground.
As the employees gathered around
the charred remains the next morning,
the president asked the secretary if
she had been performing the daily computer backups. To his
relief she replied that yes, each day before she went home she
backed up all of the financial information, invoices, orders ...
The president then asked the secretary to retrieve the backup
so they could begin to determine their current financial status.
“Well”, the secretary said, “I guess I cannot do that. You see, I
put those backups in the desk drawer next to the computer in
the office.”
M. Ciampa, “Security+ Guide to Network Sec. Fundamentals”, 3rd Edition, pp. 303
Introduction
“Investing in stocks carries a risk …”
“Bad hand hygiene carries a risk …”
“Car speeding carries a risk …”
“Outdated anti-virus software carries a risk …”
Introduction (cont.)
• Risk – likelihood that a chosen action or activity (including the choice of inaction) will lead to a loss (an undesired outcome)
• Risk Management – identification, assessment, and prioritization of risks followed by coordinated use of resources to monitor, control or minimize the impact of risk-related events or to maximize the gains.
  – examples: finances, industrial processes, public health and safety, insurance, etc.
  – one of the key responsibilities of every manager within an organization
http://en.wikipedia.org/wiki/Risk_management
Risk in Information Security
• Risks in Info. Security – risks which arise from an organization’s use of info. technology (IT)
  – related concepts: asset, vulnerability, threat
http://csrc.nist.gov/publications/nistpubs/800-12/800-12-html/chapter7.html
Risk in Information Security (cont.)
• Asset – anything that needs to be protected because it has value and contributes to the successful achievement of the organization’s objectives
• Threat – any circumstance or event with the potential to cause harm to an asset and result in harm to the organization
• Vulnerability – the weakness in an asset that can be exploited by a threat
• Risk – probability of a threat acting upon a vulnerability causing harm to an asset
Risk in Information Security (cont.)
• Asset, Threat, Vulnerability & Risk in Info. Sec.
http://en.wikipedia.org/wiki/File:2010-T10-ArchitectureDiagram.png
Risk in Information Security (cont.)
• Interplay between Risk & other Info. Sec. Concepts
http://blog.patriot-tech.com/
Security Risk Management
• Security Risk Management – process of identifying vulnerabilities in an organization’s info. system and taking steps to protect the CIA of all of its components.
  – two major sub-processes: Risk Identification & Assessment; Risk Control (Mitigation)
[Figure: Risk Management Cycle – stages: Identify the Risk Areas, Assess the Risks, Develop Risk Management Plan, Implement Risk Management Actions, Re-evaluate the Risks]
Security Risk Management
Risk Management
  Risk Identification
    – Identify & Prioritize Assets
    – Identify & Prioritize Threats
    – Identify Vulnerabilities between Assets and Threats (Vulnerability Analysis)
  Risk Assessment
    – Calculate Relative Risk of Each Vulnerability
  Risk Control
    – Cost-Benefit Analysis
    – Strategies: Avoid, Control, Transfer, Mitigate, Accept
Risk Identification
Risk Identification
• Components of Risk Identification
Whitman, Principles of Information Security, pp. 122
Risk Identification (cont.)
Risk Identification:
Asset Inventory
Risk Identification: Asset Inventory
• Risk identification begins with identification of information assets, including: people, procedures, data, software, hardware and networking assets
  – No prejudging of asset values should be done at this stage – values are assigned later!
Risk Identification: Asset Inventory (cont.)
• Identifying Hardware, Software and Networking Assets
  – Can be done automatically (using specialized software) or manually.
  – Needs certain planning – e.g. which attributes of each asset should be tracked, such as:
    ∗ name – tip: naming should not convey critical info to potential attackers
    ∗ asset tag – unique number assigned during acquisition process
    ∗ IP address
    ∗ MAC address
    ∗ software version
    ∗ serial number
    ∗ manufacturer name
    ∗ manufacturer model or part number
Risk Identification: Asset Inventory (cont.)
Example: Network Asset Tracker
http://www.misutilities.com/
http://www.misutilities.com/network-asset-tracker/howtouse.html
Risk Identification: Asset Inventory (cont.)
• Identifying People, Procedures and Data Assets
  – Not as readily identifiable as other assets – require that experience and judgment be used.
  – Possible attributes:
    ∗ people – avoid personal names, as they may change, use:
      · position name
      · position number/ID
      · computer/network access privileges
    ∗ procedures
      · description
      · intended purpose
      · software/hardware/networking elements to which it is tied
      · location of reference-document, …
    ∗ data
      · owner
      · creator
      · manager
      · location, …
Risk Identification:
Asset Ranking / Prioritization
Risk Identification: Asset Ranking
• Assets should be ranked so that most valuable assets get highest priority when managing risks
  – Questions to consider when determining asset value / rank:
    1) Which info. asset is most critical to overall success of organization?
Example: Amazon’s ranking assets
Amazon’s network consists of regular desktops and web servers.
Web servers that advertise company’s products and receive orders
24/7 - critical.
Desktops used by customer service department – not so critical.
Risk Identification: Asset Ranking (cont.)
2) Which info. asset generates most revenue?
3) Which info. asset generates highest profitability?
Example: Amazon’s ranking assets
At Amazon.com, some servers support book sales (resulting
in highest revenue), while others support sales of beauty
products (resulting in highest profit).
4) Which info. asset is most expensive to replace?
5) Which info. asset’s loss or compromise would be
most embarrassing or cause greatest liability?
Risk Identification: Asset Ranking (cont.)
Example: Weighted asset ranking (NIST SP 800-30)
Not all asset ranking questions/categories may be equally important to the company. A weighting scheme could be used to account for this …
[Table: weighted ranking of data assets / information transmitted – each criterion is assigned a weight (0 – 100); the weights must total 100! Each asset is assigned a score (0.1 – 1.0) for each critical factor.]
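As an added Python illustration (not part of the original slides), the weighting scheme described above: criteria weights must total 100, each asset receives a score in [0.1, 1.0] per criterion, and the weighted asset value is taken as the sum of weight × score, the usual reading of such a table. Criteria names, weights and the sample assets are constructed.

```python
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class Criterion:
    """One asset-ranking question (e.g. impact on revenue) and its weight, 0..100."""
    name: str
    weight: int


def criteria_valid(criteria: list[Criterion]) -> bool:
    """Weights are shares of importance: each in 0..100 and totalling exactly 100."""
    return (all(0 <= c.weight <= 100 for c in criteria)
            and sum(c.weight for c in criteria) == 100)


def weighted_score(scores: dict[str, float], criteria: list[Criterion]) -> float:
    """Weighted asset value = sum of weight * score over all criteria.
    Every score must be in [0.1, 1.0], so the result lies in [10, 100]."""
    total = 0.0
    for c in criteria:
        s = scores[c.name]          # KeyError: asset was not scored on every criterion
        if not 0.1 <= s <= 1.0:
            raise ValueError(f"score {s} for {c.name!r} outside [0.1, 1.0]")
        total += c.weight * s
    return total


def rank_assets(assets: dict[str, dict[str, float]],
                criteria: list[Criterion]) -> list[tuple[str, float]]:
    """Most valuable asset first; equal scores keep their listing order."""
    if not criteria_valid(criteria):
        raise ValueError("criteria weights must each be 0..100 and total 100")
    scored = [(name, weighted_score(s, criteria)) for name, s in assets.items()]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


# Constructed sample data (not from the slides), using three of the ranking questions.
CRITERIA = [
    Criterion("impact on revenue", 30),
    Criterion("impact on profitability", 40),
    Criterion("impact on public image", 30),
]
ASSETS = {
    "customer order database": {"impact on revenue": 0.8,
                                "impact on profitability": 1.0,
                                "impact on public image": 0.9},
    "public web server": {"impact on revenue": 1.0,
                          "impact on profitability": 0.6,
                          "impact on public image": 1.0},
    "staff desktops": {"impact on revenue": 0.2,
                       "impact on profitability": 0.2,
                       "impact on public image": 0.1},
}

if __name__ == "__main__":
    for name, score in rank_assets(ASSETS, CRITERIA):
        print(f"{score:6.1f}  {name}")
```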
Risk Identification:
Threat Identification
& Prioritization
Risk Identification: Threat Identification
• Any organization faces a wide variety of threats.
• To keep risk management ‘manageable’ …
  – realistic threats must be identified and further investigated, while unimportant threats should be set aside
Example: CSI/FBI survey of types of threats/attacks
Risk Identification: Threat Identification (cont.)
• Threat Modeling/Assessment – practice of building an abstract model of how an attack may proceed and cause damage
  – Attacker-centric – starts from attackers, evaluates their motivations and goals, and how they might achieve them through attack tree.
http://www.uio.no/studier/emner/matnat/ifi/INF3510/v12/learningdocs/INF3510-2012-L03.pdf
Risk Identification: Threat Identification (cont.)
• Threat Modeling/Assessment
  – System-centric – starts from model of system, and attempts to follow model dynamics and logic, looking for types of attacks against each element of the model.
http://www.uio.no/studier/emner/matnat/ifi/INF3510/v12/learningdocs/INF3510-2012-L03.pdf
Risk Identification: Threat Identification (cont.)
• Threat Modeling/Assessment
  – Asset-centric – starts from assets entrusted to a system, such as a collection of sensitive personal information, and attempts to identify how CIA security breaches can happen.
http://www.uio.no/studier/emner/matnat/ifi/INF3510/v12/learningdocs/INF3510-2012-L03.pdf
Risk Identification: Threat Prioritization
• Questions used to prioritize threats:
  – Which threats present a danger to organization’s assets in its current environment? ( ‘pre-step’ )
    ∗ Goal: reduce the risk management’s scope and cost.
    ∗ Examine each category from CSI/FBI list, or as identified through threat assessment process, and eliminate any that do not apply to your organization.
  – Which threats represent the most danger … ?
    ∗ Goal: provide a rough assessment of each threat’s potential impact given current level of organization’s preparedness.
    ∗ ‘Danger’ might be a measure of:
      1) severity, i.e. overall damage that the threat could create
      2) probability of the threat attacking this particular organization
Risk Identification: Threat Prioritization (cont.)
• Other questions used to assess/prioritize threats:
  – How much would it cost to recover from a successful attack?
  – Which threats would require greatest expenditure to prevent?
• Threat ranking can be quantitative or qualitative.
• Once threats are prioritized, each asset should be
reviewed against each threat to create a specific
list of vulnerabilities.
Risk Identification:
Vulnerability Analysis
Vulnerability Analysis
• Vulnerability – flaw or weakness in an info. asset, its design, control or security procedure that can be exploited accidentally or deliberately
  – sheer existence of a vulnerability does not mean harm WILL be caused – threat agent is required
  – vulnerabilities are characterized by the level of tech. skill required to exploit them
    ∗ vulnerability that is easy to exploit is often a high-danger vulnerability
[Figure: Asset – Vulnerability – Threat relationship]
Vulnerability Analysis (cont.)
Example: Vulnerability assessment of critical files
  Asset: desktop (files)
  Threat: Deliberate Software Attack – Virus Attack
  Vulnerabilities:
    – people open suspicious e-mail attachments [procedural / control weakness]
    – antivirus software not up-to-date & file copying off USBs allowed [procedural / control weakness]
Vulnerability Analysis (cont.)
Example: Vulnerability assessment of critical files
  Asset: server
  Threat: DDoS Attack
  Vulnerabilities:
    – NIC can support datarates of up to 50 Mbps [design weakness]
    – CPU ‘freezes’ at 10,000 packets/sec [design/implementation flaw]
Vulnerability Analysis (cont.)
Example: Vulnerability assessment of a router
  Asset: router
  Threat: Act of Human Error or Failure
  Vulnerabilities:
    – temperature control in router/server room is not adequate ⇒ router overheats and shuts down [control weakness, design flaw]
    – net. administrator allows access to unauthor. user ⇒ unauthor. user uploads a virus, router crashes [control / procedural weakness]
Vulnerability Analysis (cont.)
Example: Vulnerability assessment of a DMZ router
[Figure: DMZ network diagram – the DMZ router is the Asset !!!]
http://technet.microsoft.com/enus/library/cc723507.aspx#XSLTsection123121120120
Vulnerability Analysis (cont.)
• TVA Worksheet – at the end of risk identification procedure, organization should derive threats-vulnerabilities-assets (TVA) worksheet
  – this worksheet is a starting point for risk assessment phase
  – TVA worksheet combines prioritized lists of assets and threats
    ∗ prioritized list of assets is placed along x-axis, with most important assets on the left
    ∗ prioritized list of threats is placed along y-axis, with most dangerous threats at the top
    ∗ resulting grid enables a simplistic vulnerability assessment
Vulnerability Analysis (cont.)
If one or more vulnerabilities exist between T1 and A1, they can be categorized as:
  T1V1A1 – Vulnerability 1 that exists between Threat 1 and Asset 1
  T1V2A1 – Vulnerability 2 that exists between Threat 1 and Asset 1, …
If intersection between T2 and A2 has no vulnerability, the risk assessment team simply crosses out that box.
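An added example (not from the slides) that builds the TVA worksheet described above as a data structure: TiVnAj labels follow from the two prioritized lists, empty intersections are crossed out explicitly, and the worksheet reports intersections that nobody has reviewed yet, which is the check that tells you the grid is complete. The asset and threat names and the findings are constructed sample data.

```python
from __future__ import annotations


class TVAWorksheet:
    """Threats-Vulnerabilities-Assets grid: assets along x (most important first),
    threats along y (most dangerous first), one cell per (threat, asset) pair."""

    def __init__(self, assets: list[str], threats: list[str]) -> None:
        self.assets = list(assets)
        self.threats = list(threats)
        # Each cell collects the vulnerabilities found between that threat and asset.
        self._cells: dict[tuple[str, str], list[str]] = {
            (t, a): [] for t in self.threats for a in self.assets}
        self._crossed_out: set[tuple[str, str]] = set()

    def label(self, threat: str, asset: str, n: int) -> str:
        """TiVnAj: vulnerability n between threat i and asset j (1-based, by priority)."""
        return f"T{self.threats.index(threat) + 1}V{n}A{self.assets.index(asset) + 1}"

    def add_vulnerability(self, threat: str, asset: str, description: str) -> str:
        """Record a vulnerability in its cell and return its TiVnAj label."""
        cell = self._cells[(threat, asset)]         # KeyError for an unlisted threat/asset
        self._crossed_out.discard((threat, asset))  # a new finding reopens a crossed-out box
        cell.append(description)
        return self.label(threat, asset, len(cell))

    def cross_out(self, threat: str, asset: str) -> None:
        """Mark an intersection as reviewed with no vulnerability found."""
        if self._cells[(threat, asset)]:
            raise ValueError("cell holds vulnerabilities; it cannot be crossed out")
        self._crossed_out.add((threat, asset))

    def unreviewed(self) -> list[tuple[str, str]]:
        """Intersections neither populated nor crossed out: the worksheet is not finished."""
        return [k for k, v in self._cells.items() if not v and k not in self._crossed_out]

    def labels(self) -> list[str]:
        """All labels, top-left to bottom-right: the order risk assessment takes them up."""
        return [self.label(t, a, n + 1) for t in self.threats for a in self.assets
                for n in range(len(self._cells[(t, a)]))]

    def render(self) -> str:
        """Plain-text grid: labels in populated cells, X if crossed out, ? if unreviewed."""
        rows = ["    " + " ".join(f"{f'A{j + 1}':<14}" for j in range(len(self.assets)))]
        for i, t in enumerate(self.threats):
            cells = []
            for a in self.assets:
                n = len(self._cells[(t, a)])
                text = ",".join(self.label(t, a, k + 1) for k in range(n))
                cells.append(text or ("X" if (t, a) in self._crossed_out else "?"))
            rows.append(f"T{i + 1:<3}" + " ".join(f"{c:<14}" for c in cells))
        return "\n".join(rows)


# Constructed sample (not from the slides): prioritized lists, most important/dangerous first.
ASSETS = ["customer DB server", "public web server", "staff desktops"]
THREATS = ["deliberate software attack", "act of human error or failure", "forces of nature"]


def build_sample() -> TVAWorksheet:
    ws = TVAWorksheet(ASSETS, THREATS)
    ws.add_vulnerability(THREATS[0], ASSETS[2], "users open suspicious e-mail attachments")  # T1V1A3
    ws.add_vulnerability(THREATS[0], ASSETS[2], "anti-virus signatures not up to date")      # T1V2A3
    ws.add_vulnerability(THREATS[1], ASSETS[0], "admin grants access to unauthorized user")  # T2V1A1
    ws.cross_out(THREATS[2], ASSETS[1])   # T3/A2 reviewed, nothing found
    return ws


if __name__ == "__main__":
    print(build_sample().render())
```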
Risk Assessment
Risk Assessment
• Summary of Vulnerability Analysis
[Figure: Threat → exploits → Vulnerability (flaw or weakness in asset’s design, implementation, control or security procedure) → causes damage (loss) to → Asset]
  Threat categories: Act of human error or failure; Deliberate act of trespass; Deliberate act of extortion; Deliberate act of sabotage; Deliberate software attacks; Technical software failures; Technical hardware failures; Forces of nature; Etc.
  Asset categories: People, Procedure, Data, Software, Hardware, Networking
Risk Assessment (cont.)
• Risk Assessment – provides relative numerical risk ratings (scores) to each specific vulnerability
  – in risk management, it is not the presence of a vulnerability that really matters, but the associated risk!
• (Security) Risk – quantifies: 1) possibility that a threat successfully acts upon a vulnerability and 2) how severe the consequences would be
  R = P ⋅ V
  – P = probability of risk-event occurrence
  – V = value lost / cost to organization
Risk Assessment (cont.)
Note on V (value): a weighted score indicating the relative importance (associated loss) of the given asset. Should be used if concrete $ amounts are not available.
Risk Assessment (cont.)
• Extended Risk Formula v.1.
  R = Pa ⋅ Ps ⋅ V, with P = Pa ⋅ Ps
  – Pa = probability that an attack/threat (against a vulnerability) takes place
  – Ps = probability that the attack successfully exploits the vulnerability
  – V = value lost by exploiting the vulnerability
[Figure: Asset – Vulnerability – Threat]
Risk Assessment (cont.)
• Extended Risk Formula v.2.
  R = Pa ⋅ (1 – Pe) ⋅ V, with Ps = 1 – Pe
  – Pe = probability that the system’s security measures effectively protect against the attack (reflection of system’s security effectiveness)
  – Ps = probability that the attack is successfully executed
  – Pe = probability that the attack is NOT successfully executed, i.e. system defences are effective
Risk Assessment (cont.)
• Extended Whitman’s Risk Formula *
  R = P ⋅ V – CC [%] + UK [%], where P ⋅ V = LE = Loss Expectancy (i.e. Potential Loss)
  – P = probability that certain vulnerability (affecting a particular asset) gets successfully exploited
  – V = value of information asset ∈ [1, 100]
  – CC = current control = percentage of risk already mitigated by current control
  – UK = uncertainty of knowledge = uncertainty of current knowledge of the vulnerability (i.e. overall risk)
* One of many risk models. http://citeseerx.ist.psu.edu/viewdoc/summary?doi=10.1.1.211.7952
Risk Assessment (cont.)
• Extended Whitman’s Risk Formula (cont.)
  R = P ⋅ V – CC ⋅ (P ⋅ V) + UK ⋅ (P ⋅ V) = P ⋅ V ⋅ [ 1 – CC + UK ]
  Mathematically more sound expression!
  – CC = current control = fraction of risk already mitigated by current control
  – UK = uncertainty of knowledge = fraction of risk that is not fully known
Risk Assessment (cont.)
• Extended Whitman’s Risk Formula (cont.)
  R = P ⋅ V – CC [%] + UK [%]
  – P: for many vulnerabilities respective probabilities are known. E.g. the likelihood that any given email will contain a virus or worm and those get ‘activated’ by the user.
  – CC: if a vulnerability is fully managed by an existing control, it can be set aside. (In this case, R ≤ 0.)
  – UK: it is not possible to know everything about a vulnerability, respective threat, or how great an impact a successful attack would have. A factor that accounts for uncertainty of estimating the given risk should always be added to the equation.
Risk Assessment (cont.)
Example: Risk determination
  Asset A
    – Has a value of 50 (V = 50).
    – Has one vulnerability, with a likelihood of 1.0 (P = 1).
    – No current control for this vulnerability.
    – Your assumptions and data are 90% accurate.
  Asset B
    – Has a value of 100 (V = 100).
    – Has two vulnerabilities:
      ∗ vulnerability #2 with a likelihood of 0.5 (P = 0.5), and a current control that addresses 50% of its risk;
      ∗ vulnerability #3 with a likelihood of 0.1 (P = 0.1) and no current controls.
    – Your assumptions and data are 80% accurate.
Which asset/vulnerability should be dealt with first ?!
Risk Assessment (cont.)
Example: Risk determination (cont.)
The resulting ranked list of risk ratings for the three vulnerabilities is as follows:
  Asset A: Vulnerability 1 rated as 55 = (50 × 1.0) – 50 × 0 + 50 × 0.1
  Asset B: Vulnerability 2 rated as 35 = (100 × 0.5) – 50 × 0.5 + 50 × 0.2
  Asset B: Vulnerability 3 rated as 12 = (100 × 0.1) – 10 × 0 + 10 × 0.2
Risk Assessment (cont.)
• Documenting Results of Risk Assessment – 5 types of documents ideally created
  1) Information asset classification worksheet
  2) Weighted asset worksheet
  3) Weighted threat worksheet
  4) TVA worksheet
  5) Ranked vulnerability risk worksheet
    ∗ extension of TVA worksheet, showing only the assets and relevant vulnerabilities
    ∗ assigns a risk-rating ranked value for each uncontrolled asset-vulnerability pair
Risk Assessment (cont.)
[Table: Ranked vulnerability risk worksheet – columns: A: vulnerable assets; AI: weighted asset value; V: each asset’s vulnerability; VL: likelihood of vulnerability realization; AI × VL (risk rating)]
Customer service email has relatively low value but represents most pressing issue due to high vulnerability likelihood.
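An added Python implementation (not the slides’ or Whitman’s own code) of the risk rating used in the Asset A / Asset B example and in the ranked vulnerability risk worksheet above. It applies CC and UK as fractions of the loss expectancy, the form the slides call mathematically more sound, reproduces the ratings 55, 35 and 12, and includes the slides’ Extended Risk Formula v.2 as `rating_v2` for comparison; the input validation is my addition.

```python
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class VulnerabilityRisk:
    """One asset-vulnerability pair with the inputs of the extended Whitman formula."""
    asset: str
    vulnerability: str
    value: float              # V : weighted asset value, 1..100
    likelihood: float         # P : probability the vulnerability is successfully exploited
    control: float = 0.0      # CC: fraction of the risk already mitigated by current controls
    uncertainty: float = 0.0  # UK: fraction of the estimate that is uncertain (1 - accuracy)

    def __post_init__(self) -> None:
        for name in ("likelihood", "control", "uncertainty"):
            if not 0.0 <= getattr(self, name) <= 1.0:
                raise ValueError(f"{name} must be a fraction in [0, 1]")

    def loss_expectancy(self) -> float:
        """LE = P * V: the loss expected before controls and uncertainty are applied."""
        return self.likelihood * self.value

    def rating(self) -> float:
        """R = P*V - CC*(P*V) + UK*(P*V) = P*V*(1 - CC + UK).
        CC and UK act on the loss expectancy, so a fully controlled vulnerability
        (CC = 1) is left with only its uncertainty term UK * P * V."""
        le = self.loss_expectancy()
        return le - self.control * le + self.uncertainty * le


def rank_risks(risks: list[VulnerabilityRisk]) -> list[tuple[str, float]]:
    """Ranked vulnerability risk worksheet: (asset: vulnerability, rating), highest first."""
    scored = [(f"{r.asset}: {r.vulnerability}", r.rating()) for r in risks]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


def rating_v2(p_attack: float, p_defence_effective: float, value: float) -> float:
    """Extended Risk Formula v.2 from the slides: R = Pa * (1 - Pe) * V, with Ps = 1 - Pe."""
    return p_attack * (1.0 - p_defence_effective) * value


# The slides' worked example: 90% accurate data means UK = 0.1, 80% means UK = 0.2.
SLIDE_EXAMPLE = [
    VulnerabilityRisk("Asset A", "vulnerability 1", value=50, likelihood=1.0, uncertainty=0.1),
    VulnerabilityRisk("Asset B", "vulnerability 2", value=100, likelihood=0.5,
                      control=0.5, uncertainty=0.2),
    VulnerabilityRisk("Asset B", "vulnerability 3", value=100, likelihood=0.1, uncertainty=0.2),
]

if __name__ == "__main__":
    for label, rating in rank_risks(SLIDE_EXAMPLE):
        print(f"{rating:5.1f}  {label}")   # 55.0 for Asset A, then 35.0 and 12.0 for Asset B
```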
Risk Assessment (cont.)
• At the end of risk assessment process, the TVA
and/or ranked-vulnerability worksheets should
be used to develop a prioritized list of tasks.
Risk Assessment (cont.)
• Automated Risk Assessment Tools: SKYBOX
http://www.skyboxsecurity.com/resources/product-demos/product-demo-skyboxrisk-control-vulnerability-management
Risk Control
Risk Control Strategies
Once all vulnerabilities/risks are evaluated, the company has to decide on the ‘course of action’ – often influenced by $$$ …
[Figure: risk vs. cost of control – regions ‘risk high, cost low’ and ‘risk low, cost high’]
Computer Security, Stallings, pp. 487
Risk Control Strategies (cont.)
• Basic Strategies to Control Risks
  – Avoidance
    ∗ do not proceed with the activity or system that creates this risk
  – Reduced Likelihood (Control)
    ∗ by implementing suitable controls, lower the chances of the vulnerability being exploited
  – Transference
    ∗ share responsibility for the risk with a third party
  – Mitigation
    ∗ reduce impact should an attack still exploit the vulnerability
  – Acceptance
    ∗ understand consequences and acknowledge risks without any attempt to control or mitigate
Risk Control Strategies (cont.)
• Avoidance – strategy that results in complete abandonment of activities or systems due to overly excessive risk
  – usually results in loss of convenience or ability to perform some function that is useful to the organization
  – the loss of this capacity is traded off against the reduced risk profile
  Recommended for vulnerabilities with very high risk factor that are very costly to fix.
Risk Control Strategies (cont.)
• Reduced Likelihood – risk control strategy that attempts to prevent exploitation of vulnerability by means of following techniques:
  – application of technology
    ∗ implementation of security controls and safeguards, such as: anti-virus software, firewall, secure HTTP and FTP servers, etc.
  – policy
    ∗ e.g. insisting on safe procedures
  – training and education
    ∗ change in technology and policy must be coupled with employee’s training and education
  Recommended for vulnerabilities with high risk factor that are moderately costly to fix.
Risk Control Strategies (cont.)
• Transference – risk control strategy that attempts to shift risk to other assets, other processes or other organizations
  – if organization does not have adequate security experience, hire individuals or firms that provide expertise
    ∗ ‘stick to your knitting’!
    ∗ e.g., by hiring a Web consulting firm, risk associated with domain name registration, Web presence, Web service, … are passed onto organization with more experience
  Recommended for vulnerabilities with high risk factor that are moderately costly to fix but require outside expertise.
Risk Control Strategies (cont.)
• Mitigation – risk control strategy that attempts to reduce the likelihood or impact caused by a vulnerability – includes 3 plans:
  (1)
  (2)
  (3)
Risk Control Strategies (cont.)
• Acceptance – strategy that assumes NO action towards protecting an information asset – instead, accept outcome …
  – should be used only after doing all of the following (steps to be discussed):
    ∗ assess the probability of attack and likelihood of successful exploitation of a vulnerability
    ∗ approximate annual occurrence of such an attack
    ∗ estimate potential loss that could result from attacks
    ∗ perform a thorough cost-benefit analysis assuming various protection techniques
    ∗ determine that particular asset did not justify the cost of protection!
Risk Control Strategies (cont.)
How do we know whether risk control techniques have worked / are sufficient?!
Example: Risk tolerance vs. residual risk
[Figure: risk vs. time – vulnerability risk before controls, vulnerability risk after controls (residual risk), and the company’s risk tolerance level]
Risk Control Strategies (cont.)
• Risk Tolerance – risk that organization is willing to accept after implementing risk-mitigation controls
• Residual Risk – risk that has not been completely removed, reduced or planned for, after (initial) risk-mitigation controls have been employed
  – goal of information security is not to bring residual risk to 0, but to bring it in line with company’s risk tolerance
  – risk-mitigation controls may (have to) be reinforced until residual risk falls within tolerance
Risk Control Strategies (cont.)
• Risk Handling Decision Process – helps choose one among four risk control strategies
[Figure: decision flowchart – e.g. attacker not likely to attack and initial estimated risk below risk tolerance ⇒ acceptance]
Risk Control Strategies (cont.)
• Risk Control Cycle – after control has been selected & implemented, control should be monitored and (if needed) adjusted on an on-going basis
Risk Control Strategies (cont.)
• Four groups that bear responsibility for effective management of security risks, each with unique roles:
  – Information Security Management – group with leadership role – most knowledgeable about causes of security risks (security threats and attacks)
  – IT Community / Management – group that helps build secure systems and ensure their safe operation
  – General Management – must ensure that sufficient resources (money & personnel) are allocated to IT and info. security groups to meet organizational security needs
  – Users – (when properly trained) group that plays critical part in prevention, detection and defence against security threats/attacks