Security Threats Severity Analysis
January 20, 2016
© Abdou Illia – Spring 2016

Slide 2: What is Severity Analysis?
- Assessing the likelihood that security threats occur
- Assessing threats' potential damage

Slide 3: Key Questions to be asked
- What resources do I need to protect?
- What is the risk associated with potential threats?
- How do I protect valuable resources? At what cost?

Slide 4: What resources do I need to protect?
- Do an inventory:
  - External server using an internal SQL database to provide sales over the internet
  - Internal email server
  - Remote Access server for dial-up
  - Backup/File server
  - Internal eCommerce Web server
  - Domain controller
  - Sales, customer, inventory, HR data
  - Company's network, including routers, firewalls, etc.
  - …
- Do a risk assessment:
  - Quantitative risk assessment
    - NIST Guide: http://www.nist.gov/itl/csd/risk-092011.cfm
    - Assessment Template: http://www.eiu.edu/~a_illia/MIS4850/RiskAssmt_Template_07112007.doc
  - Qualitative risk assessment

Slide 5: Assessing potential damage
Determining the extent to which a threat could:
- Modify critical corporate data
- Delete critical corporate data
- Allow unauthorized access to confidential info.
- Allow misdirection of confidential info.
- Allow message alteration
- Slow down network services
- Jeopardize network service availability
- Lead to loss of customers' faith and trust
- Lead to loss of employees' or customers' privacy

Slide 6: Example: Risk assessment
| Threat                   | Vulnerability | Damage                                          |
|--------------------------|---------------|-------------------------------------------------|
| Loss of power            | High          | Loss of data access; possible data loss         |
| Computer virus           | High          | Loss of access to system; possible data loss    |
| Natural disaster         | Low           | Loss of access to system; loss of data, hardware |
| Denial of service attack | High          | Loss of access to system                        |
| Eavesdropping            | Medium        | Access to customers' info                       |
| ………                      | ………           |                                                 |
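The risk assessment table on slide 6 rates each threat's vulnerability and names its damage, but leaves the step of combining likelihood with damage into a rating to the reader. As an added example that is not part of the slides, the Python below scores that register with a qualitative likelihood-by-impact matrix in the style of the NIST guide linked on slide 4 and ranks the result. The 3x3 matrix, the impact level assigned to each damage description, and the tie-breaking rule are assumptions constructed for this example; the threat rows themselves are the slide 6 table.

```python
"""Qualitative risk assessment of the slide 6 threat register.

Added example, not from the slides. The likelihood-by-impact matrix,
the impact level assigned to each damage description, and the ranking
rule are assumptions constructed for this example.
"""
from dataclasses import dataclass, field

LEVELS = {"Low": 1, "Medium": 2, "High": 3}

# Assumed impact level for each damage description on slide 6 (not on the page).
DAMAGE_IMPACT = {
    "Loss of data access": "Medium",
    "Possible data loss": "High",
    "Loss of access to system": "Medium",
    "Loss of data, hardware": "High",
    "Access to customers info": "High",
}

# Assumed 3x3 rating matrix, RISK_MATRIX[likelihood][impact], in the style of
# the NIST risk guide linked on slide 4 (constructed for this example).
RISK_MATRIX = {
    "Low":    {"Low": "Low",    "Medium": "Low",    "High": "Medium"},
    "Medium": {"Low": "Low",    "Medium": "Medium", "High": "High"},
    "High":   {"Low": "Medium", "Medium": "High",   "High": "High"},
}


@dataclass
class Threat:
    name: str
    vulnerability: str              # slide 6 uses High/Medium/Low as the likelihood proxy
    damages: list = field(default_factory=list)

    def impact(self) -> str:
        """Worst-case impact across every damage the threat can cause."""
        return max((DAMAGE_IMPACT[d] for d in self.damages), key=LEVELS.__getitem__)

    def rating(self) -> str:
        return RISK_MATRIX[self.vulnerability][self.impact()]


def rank(threats):
    """Highest rating first; ties broken by likelihood, then by input order."""
    return sorted(
        threats,
        key=lambda t: (LEVELS[t.rating()], LEVELS[t.vulnerability]),
        reverse=True,
    )


def summary(threats):
    """Number of threats at each rating level."""
    counts = {level: 0 for level in LEVELS}
    for t in threats:
        counts[t.rating()] += 1
    return counts


# The threat register from slide 6 (damage text as on the slide).
REGISTER = [
    Threat("Loss of power", "High", ["Loss of data access", "Possible data loss"]),
    Threat("Computer virus", "High", ["Loss of access to system", "Possible data loss"]),
    Threat("Natural disaster", "Low", ["Loss of access to system", "Loss of data, hardware"]),
    Threat("Denial of service attack", "High", ["Loss of access to system"]),
    Threat("Eavesdropping", "Medium", ["Access to customers info"]),
]

if __name__ == "__main__":
    for t in rank(REGISTER):
        print(f"{t.rating():6}  {t.name:25} likelihood={t.vulnerability:6} impact={t.impact()}")
    print(summary(REGISTER))
```

Taking the worst impact across a threat's damage list is what keeps "natural disaster" from being dismissed on its low likelihood alone: it still lands at Medium because hardware loss is rated High impact. The matrix is the place to encode the organization's own appetite; changing one cell changes the ranking without touching the register.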
Slide 7: How do I protect valuable resources?
- Policies:
  - Acceptable use policy
  - Firewall policies
  - Confidential info policy
  - Password policy
  - Remote Access policy
  - Security Awareness policy
  - …
- Methods of protection:
  - Antivirus
  - 128-key encryption
  - Two-factor authentication
  - …

Slide 8: Threat Severity Analysis
| Step | Threat                    | A        | B        | C        | D         |
|------|---------------------------|----------|----------|----------|-----------|
| 1    | Cost if attack succeeds   | $500,000 | $10,000  | $100,000 | $10,000   |
| 2    | Probability of occurrence | 80%      | 20%      | 5%       | 70%       |
| 3    | Threat severity           | $400,000 | $2,000   | $5,000   | $7,000    |
| 4    | Countermeasure cost       | $100,000 | $3,000   | $2,000   | $20,000   |
| 5    | Value of protection       | $300,000 | ($1,000) | $3,000   | ($13,000) |
| 6    | Apply countermeasure?     | Yes      | No       | Yes      | No        |
| 7    | Priority                  | 1        | NA       | 2        | NA        |

Slide 9: Exercise
Visit the www.sophos.com web site to gather information about a worm called W32/SillyFDC-FA and answer the following two questions.
1) Using bullets, list specific malicious actions that W32/SillyFDC-FA could take to potentially damage or disturb a computer system.
2) Use the questionnaire provided by the instructor to assess the potential risk posed by W32/SillyFDC-FA.
A complete In-class Exercise will be given in class with more details.

Slide 10: Realities
- Can never eliminate risk
- "Information assurance" is impossible
Risk Analysis
- Goal is reasonable risk
- Risk analysis weighs the probable cost of compromises against the costs of countermeasures
- Also, security has negative side effects that must be weighed

Slide 11
Asset Value (AV) x Exposure Factor (EF) = Single Loss Expectancy (SLE)
- Exposure Factor (EF): percentage loss in asset value if a compromise occurs
- Single Loss Expectancy (SLE): expected loss in case of a compromise
SLE x Annualized Rate of Occurrence (ARO) = Annualized Loss Expectancy (ALE)
- Annualized Rate of Occurrence (ARO): annual probability of a compromise
- Annualized Loss Expectancy (ALE): expected loss per year from this type of compromise
Copyright Pearson Prentice Hall 2013

Slide 12: 2.4: Classic Risk Analysis Calculation (Figure 2-14)
| Item                                 | Base Case | Countermeasure A |
|--------------------------------------|-----------|------------------|
| Asset Value (AV)                     | $100,000  | $100,000         |
| Exposure Factor (EF)                 | 80%       | 20%              |
| Single Loss Expectancy (SLE) = AV*EF | $80,000   | $20,000          |
| Annualized Rate of Occurrence (ARO)  | 50%       | 50%              |
| Annualized Loss Expectancy (ALE) = SLE*ARO | $40,000 | $10,000     |
| ALE Reduction for Countermeasure     | NA        | $30,000          |
| Annualized Countermeasure Cost       | NA        | $17,000          |
| Annualized Net Countermeasure Value  | NA        | $13,000          |
Countermeasure A should reduce the exposure factor by 75%.

Slide 13: 2.4: Classic Risk Analysis Calculation (Figure 2-14) (continued)
| Item                                 | Base Case | Countermeasure B |
|--------------------------------------|-----------|------------------|
| Asset Value (AV)                     | $100,000  | $100,000         |
| Exposure Factor (EF)                 | 80%       | 80%              |
| Single Loss Expectancy (SLE) = AV*EF | $80,000   | $80,000          |
| Annualized Rate of Occurrence (ARO)  | 50%       | 25%              |
| Annualized Loss Expectancy (ALE) = SLE*ARO | $40,000 | $20,000     |
| ALE Reduction for Countermeasure     | NA        | $20,000          |
| Annualized Countermeasure Cost       | NA        | $4,000           |
| Annualized Net Countermeasure Value  | NA        | $16,000          |
Countermeasure B should cut the frequency of compromises in half.

Slide 14: 2.4: Classic Risk Analysis Calculation (Figure 2-14) (continued)
| Item                                 | Base Case | Countermeasure A | Countermeasure B |
|--------------------------------------|-----------|------------------|------------------|
| Asset Value (AV)                     | $100,000  | $100,000         | $100,000         |
| Exposure Factor (EF)                 | 80%       | 20%              | 80%              |
| Single Loss Expectancy (SLE) = AV*EF | $80,000   | $20,000          | $80,000          |
| Annualized Rate of Occurrence (ARO)  | 50%       | 50%              | 25%              |
| Annualized Loss Expectancy (ALE) = SLE*ARO | $40,000 | $10,000     | $20,000          |
| ALE Reduction for Countermeasure     | NA        | $30,000          | $20,000          |
| Annualized Countermeasure Cost       | NA        | $17,000          | $4,000           |
| Annualized Net Countermeasure Value  | NA        | $13,000          | $16,000          |
Although Countermeasure A reduces the ALE more, Countermeasure B is much less expensive. The annualized net countermeasure value for B is larger. The company should select Countermeasure B.

Slide 15: 2.4: Problems with Classic Risk Analysis Calculations
Uneven Multiyear Cash Flows
- For both attack costs and defense costs
- Must compute the return on investment (ROI) using discounted cash flows
- Net present value (NPV) or internal rate of return (IRR)

Slide 16: Total Cost of Incident (TCI)
- The exposure factor in classic risk analysis assumes that a percentage of the asset is lost
- In most cases, damage does not come from asset loss
- For instance, if personally identifiable information is stolen, the cost is enormous but the asset remains
- Must compute the total cost of incident (TCI)
- Include the cost of repairs, lawsuits, and many other factors

Slide 17: 2.4: Problems with Classic Risk Analysis Calculations
Many-to-Many Relationships between Countermeasures and Resources
- Classic risk analysis assumes that one countermeasure protects one resource
- Single countermeasures, such as a firewall, often protect many resources
- Single resources, such as data on a server, are often protected by multiple countermeasures
- Extending classic risk analysis is difficult

Slide 18: 2.4: Problems with Classic Risk Analysis Calculations
Impossibility of Knowing the Annualized Rate of Occurrence
- There simply is no way to estimate this
- This is the worst problem with classic risk analysis
- As a consequence, firms often merely rate their resources by risk level

Slide 19: 2.4: Problems with Classic Risk Analysis Calculations
Problems with "Hard-Headed Thinking"
- Security benefits are difficult to quantify
- A firm that only supports "hard numbers" may underinvest in security
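The threat severity table on slide 8 and the classic risk analysis figures on slides 11 to 14 are the same calculation: the expected annual loss (SLE × ARO) set against what a countermeasure costs to buy that loss back. The Python below is an added example, not code from the slides or from the textbook they cite; it reproduces both sets of figures with one net-value function and, for the uneven multiyear cash-flow problem raised on slide 15, discounts several years of countermeasure value to a net present value. Two things in it are assumptions rather than statements on the slides: the slide 8 "value of protection" is reproduced by treating each countermeasure as eliminating the loss entirely, and the discount rate, three-year horizon and up-front cost passed to the NPV call are constructed for illustration.

```python
"""Classic risk analysis (SLE/ALE) and multiyear NPV.

Added example, not the textbook's or the instructor's code. Reproduces the
slide 8 and slide 12-14 figures; the discount rate, horizon and up-front
cost used for the NPV call are constructed and do not appear on the slides.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    asset_value: float       # AV
    exposure_factor: float   # EF: fraction of asset value lost per compromise
    aro: float               # ARO: annual probability of a compromise

    @property
    def sle(self) -> float:  # Single Loss Expectancy = AV * EF
        return self.asset_value * self.exposure_factor

    @property
    def ale(self) -> float:  # Annualized Loss Expectancy = SLE * ARO
        return self.sle * self.aro


@dataclass(frozen=True)
class Countermeasure:
    name: str
    annual_cost: float
    protected: Scenario      # the scenario once the countermeasure is in place


def ale_reduction(base: Scenario, cm: Countermeasure) -> float:
    return base.ale - cm.protected.ale


def net_value(base: Scenario, cm: Countermeasure) -> float:
    """Annualized net countermeasure value = ALE reduction - annual cost."""
    return ale_reduction(base, cm) - cm.annual_cost


def choose(base: Scenario, options):
    """Pick the countermeasure with the largest net value, or None if none pays off."""
    best = max(options, key=lambda cm: net_value(base, cm))
    return best if net_value(base, best) > 0 else None


# Slides 12-14: A cuts the exposure factor by 75%, B halves the frequency.
BASE = Scenario(asset_value=100_000, exposure_factor=0.80, aro=0.50)
CM_A = Countermeasure("A", 17_000, Scenario(100_000, 0.20, 0.50))
CM_B = Countermeasure("B", 4_000, Scenario(100_000, 0.80, 0.25))


def threat_severity_table(threats: dict) -> dict:
    """Slide 8 table. threats maps name -> (cost if attack succeeds,
    probability of occurrence, countermeasure cost). The slide's severity is
    cost * probability, i.e. ALE with EF = 1; its value of protection is
    reproduced by assuming the countermeasure removes the loss entirely."""
    rows = {}
    for name, (cost, prob, cm_cost) in threats.items():
        base = Scenario(cost, 1.0, prob)
        cm = Countermeasure(name, cm_cost, Scenario(cost, 0.0, prob))
        value = net_value(base, cm)
        rows[name] = {"severity": base.ale, "value": value,
                      "apply": value > 0, "priority": None}
    worth_it = sorted((n for n in rows if rows[n]["apply"]),
                      key=lambda n: rows[n]["value"], reverse=True)
    for position, name in enumerate(worth_it, start=1):
        rows[name]["priority"] = position
    return rows


SLIDE8 = {"A": (500_000, 0.80, 100_000), "B": (10_000, 0.20, 3_000),
          "C": (100_000, 0.05, 2_000), "D": (10_000, 0.70, 20_000)}


def npv(rate: float, cash_flows) -> float:
    """Net present value; cash_flows[t] is the net flow at the end of year t."""
    return sum(cf / (1 + rate) ** t for t, cf in enumerate(cash_flows))


def multiyear_net_value(base, cm, rate, years, upfront_cost=0.0) -> float:
    """Slide 15: discount an uneven cash flow (one up-front outlay at t=0, then
    the same annual net value each year) instead of reading a single year."""
    flows = [-upfront_cost] + [net_value(base, cm)] * years
    return npv(rate, flows)


if __name__ == "__main__":
    for cm in (CM_A, CM_B):
        print(f"Countermeasure {cm.name}: ALE reduction {ale_reduction(BASE, cm):,.0f}, "
              f"net value {net_value(BASE, cm):,.0f}")
    print("Select:", choose(BASE, [CM_A, CM_B]).name)
    for name, row in threat_severity_table(SLIDE8).items():
        print(name, row)
    # Constructed inputs: 10% discount rate, 3-year horizon, $10,000 up-front for B
    print(f"NPV of B over 3 years: {multiyear_net_value(BASE, CM_B, 0.10, 3, 10_000):,.0f}")
```

The selection rule is deliberately the slide's: largest annualized net value wins, so B beats A even though A removes more expected loss. The NPV function is where the slide 15 objection bites: an up-front outlay or a benefit that only materializes in later years changes the answer, and the ARO that both calculations depend on is, as slide 18 says, the number nobody can actually estimate.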
Slide 20: 2.4: Problems with Classic Risk Analysis Calculations
Perspective
- Impossible to do perfectly
- Must be done as well as possible
- Identifies key considerations
- Works if countermeasure value is very large or very negative
- But never take classic risk analysis seriously

Slide 21: 2.4: Responding to Risk
Risk Reduction
- The approach most people consider
- Install countermeasures to reduce harm
- Makes sense only if risk analysis justifies the countermeasure
Risk Acceptance
- If protecting against a loss would be too expensive, accept losses when they occur
- Good for small, unlikely losses
- Good for large but rare losses

Slide 22: 2.4: Responding to Risk
Risk Transference
- Buy insurance against security-related losses
- Especially good for rare but extremely damaging attacks
- Does not mean a company can avoid working on IT security
  - If security is bad, the company will not be insurable
  - With better security, it will pay lower premiums

Slide 23: 2.4: Responding to Risk
Risk Avoidance
- Not to take a risky action
- Lose the benefits of the action
- May cause anger against IT security
Recap: Four Choices when You Face Risk
- Risk reduction
- Risk acceptance
- Risk transference
- Risk avoidance