Add to collection(s) Add to saved
  1. Engineering & Technology
  2. Computer Science

Security Risk Analysis & Management Security Risk Analysis & Requirements Engineering 1

advertisement 
Security Risk Analysis & Management
Security Risk Analysis & Requirements Engineering
1
Security in System Development
z
z
Risk Analysis & Management needs to be a part of
system development, not tacked on afterwards
Baskerville's three generations of methods
1st Generation: Checklists
Example: BS 7799 Part 1
2nd Generation: Mechanistic engineering methods
Example: this risk analysis method
3rd Generation: Integrated design
Not yet achieved
[Baskerville, R. (1993). Information Systems Security Design Methods:
Implications for Information Systems Development. ACM Computing
Surveys 25(4): 375-414.]
Security Risk Analysis & Management
2
Introduction
Risk Analysis and Management Framework
Assets
Threats
Vulnerabilities
Risks
Security Measures
}
}
Analysis
Management
Security Risk Analysis & Management
3
Definitions 1
The meanings of terms in this area is not universally
agreed. We will use the following
z Threat: Harm that can happen to an asset
z Impact: A measure of the seriousness of a threat
z Attack: A threatening event
z Attacker: The agent causing an attack (not necessarily
human)
z Vulnerability: a weakness in the system that makes an
attack more likely to succeed
z Risk: a quantified measure of the likelihood of a threat
being realised
Security Risk Analysis & Management
4
Definitions 2
z
Risk Analysis involves the identification and
assessment of the levels of risk, calculated from the
z
z
z
z
Values of assets
Threats to the assets
Their vulnerabilities and likelihood of exploitation
Risk Management involves the identification, selection
and adoption of security measures justified by
z
z
The identified risks to assets
The reduction of these risks to acceptable levels
Security Risk Analysis & Management
5
Goals of Risk Analysis
z
z
All assets have been identified
All threats have been identified
z
z
Their impact on assets has been valued
All vulnerabilities have been identified and assessed
Security Risk Analysis & Management
6
Problems of Measuring Risk
Businesses normally wish to measure in money, but
z Many of the entities do not allow this
z
z
z
Valuation of assets
– Value of data and in-house software - no market value
– Value of goodwill and customer confidence
Likelihood of threats
– How relevant is past data to the calculation of future probabilities?
z The nature of future attacks is unpredictable
z The actions of future attackers are unpredictable
Measurement of benefit from security measures
– Problems with the difference of two approximate quantities
-5 probability
z How does an extra security measure affect a ~10
of attack?
Security Risk Analysis & Management
7
Risk Levels
z
z
Precise monetary values give a false precision
Better to use levels, e.g.
z
z
z
High, Medium, Low
– High: major impact on the organisation
– Medium: noticeable impact (“material” in auditing terms)
– Low: can be absorbed without difficulty
1 - 10
Express money values in levels, e.g.
z
For a large University Department a possibility is
– High
£1,000,000+
– Medium
£1,000+
– Low
< £1,000
Security Risk Analysis & Management
8
Risk Analysis Steps
z
Decide on scope of analysis
z
z
z
z
z
Set the system boundary
Identification of assets & business processes
Identification of threats and valuation of their impact on
assets (impact valuation)
Identification and assessment of vulnerabilities to
threats
Risk assessment
Security Risk Analysis & Management
9
Risk Analysis – Defining the Scope
z
z
Draw a context diagram
Decide on the boundary
z
z
It will rarely be the computer!
Make explicit assumptions about the security of
neighbouring domains
z
Verify them!
Security Risk Analysis & Management
10
Risk Analysis - Identification of
Assets
z
Types of asset
z
z
z
z
z
z
z
z
Hardware
Software: purchased or developed programs
Data
People: who run the system
Documentation: manuals, administrative procedures, etc
Supplies: paper forms, magnetic media, printer liquid, etc
Money
Intangibles
– Goodwill
– Organisation confidence
– Organisation image
Security Risk Analysis & Management
11
Risk Analysis – Impact
Valuation
Identification and valuation of threats - for each group
of assets
z Identify threats, e.g. for stored data
z
z
z
z
z
z
Loss of confidentiality
Loss of integrity
Loss of completeness
Loss of availability (Denial of Service)
For many asset types the only threat is loss of
availability
Assess impact of threat
z
z
Assess in levels, e.g H-M-L or 1 - 10
This gives the valuation of the asset in the face of the threat
Security Risk Analysis & Management
12
Risk Analysis – Process
Analysis
Every company or organisation has some processes
that are critical to its operation
z The criticality of a process may increase the impact
valuation of one or more assets identified
So
z Identify critical processes
z Review assets needed for critical processes
z Revise impact valuation of these assets
z
Security Risk Analysis & Management
13
Risk Analysis – Vulnerabilities 1
z
Identify vulnerabilities against a baseline system
z
z
For risk analysis of an existing system
– Existing system with its known security measures and weaknesses
For development of a new system
– Security facilities of the envisaged software, e.g. Windows NT
– Standard good practice, e.g. BS 7799 recommendations of good
practice
Security Risk Analysis & Management
14
Risk Analysis – Vulnerabilities 2
For each threat
z Identify vulnerabilities
z
z
Assess levels of likelihood - High, Medium, Low
z
z
z
How to exploit a threat successfully;
Of attempt
– Expensive attacks are less likely (e.g. brute-force attacks on encryption
keys)
Successful exploitation of vulnerability;
Combine them
Likelihood of Attempt
Vuln
erabi
lity Low Med High
Likelihood
of Success
Low Low Low Med
Med Low Med High
High Low Med High
Security Risk Analysis & Management
15
Risk Assessment
Assess risk
z If we had accurate probabilities and values, risk would
be
z
z
z
Impact valuation x probability of threat x probability of exploitation
Plus a correction factor for risk aversion
Since we haven't, we construct matrices such as
Risk
Impact valuation
Low Med High
Low Low Low Med
Vulnerability
Med Low Med High
High Low Med High
Security Risk Analysis & Management
16
Responses to Risk
Responses to risk
z Avoid it completely by withdrawing from an activity
z Accept it and do nothing
z Reduce it with security measures
Security Risk Analysis & Management
17
Security Measures
Possible security measures
z Transfer the risk, e.g. insurance
z Reduce vulnerability
z
z
z
z
Reduce likelihood of attempt
– e.g. publicise security measures in order to deter attackers
– e.g. competitive approach - the lion-hunter’s approach to security
Reduce likelihood of success by preventive measures
– e.g. access control, encryption, firewall
Reduce impact, e.g. use fire extinguisher / firewall
Recovery measures, e.g. restoration from backup
Security Risk Analysis & Management
18
Risk Management
z
z
Identify possible security measures
Decide which to choose
z
Ensure complete coverage with confidence that:
– The selected security measures address all threats
– The results are consistent
– The expenditure and its benefits are commensurate with the risks
z Consider doing less than the BS7799 recommendations?
Security Risk Analysis & Management
19
Iterate
z
Adding security measures changes the system
z
z
Vulnerabilities may have been introduced
After deciding on security measures, revisit the risk
analysis and management processes
z
e.g. introduction of encryption of stored files may remove the threat to
Confidentiality but introduce a threat to Availability
– What happens if the secret key is lost?
Security Risk Analysis & Management
20
Conclusion: Problems of Risk
Analysis and Management
z
z
z
Lack of precision
Volume of work and volume of output
Integrating them into a ”normal” development process
Security Risk Analysis & Management
21
Current Risk Management
Techniques
Security Risk Analysis & Requirements Engineering
22
Risk Management Techniques 1
Commercial tools
z
z
CRAMM (CCTA Risk Assessment and Management Methodology):
z
z
z
Mostly rely on check lists
UK Government approach
Supported by software
PROTEUS (BSI) software:
z
z
z
z
Gap analysis to identify necessary actions and existing strengths
Comprehensive practical guidance and the text of BS 7799
Reporting, for easy monitoring and maintenance
Evidence to customers and auditors
Security Risk Analysis & Management
23
Risk Management Techniques 2
Generic processes
z Threat trees (see below):
z
z
z
z
Threat analysis
Based on fault trees
Only addresses the threat identification stage
Attack trees (see below)
z
Vulnerability analysis
Security Risk Analysis & Management
24
Threat Trees 1
AT&T Bell Laboratories
z Categorisation of threats
z
z
Disclosure / Integrity / Denial of service
Categorisation of vulnerabilities by view
z
z
z
z
z
z
z
Personnel view
Physical view
Operational view
Communications view
Network view
Computing view
Information view
[Amoroso, E., W.E. Kleppinger, and D. Majette, An Engineering
Approach to Secure System Analysis, Design and Integration.
AT&T Technical Journal, 1994. 73(5): p. 40-51.]
Security Risk Analysis & Management
25
Threat Trees 2
z
z
Model of system
Calculate risks from
z
z
Impact
Vulnerability
Originator
O
Message
Handling
M
Threats to
Electronic Mail
Recipient
R
Disclosure
Denial of
Service
Integrity
Other
Subscribers
S
Electronic
Mail System
External
E
O R M S E
O R M S E
O R M S E
Security Risk Analysis & Management
26
Attack Trees
z
Tree Structure
z
z
z
Goal is root node
Ways of achieving goals are leaf nodes
Costs can be associated with nodes
[Schneier, B, Secrets and Lies. 2000: John Wiley and Sons.]
Security Risk Analysis & Management
27
Attack Tree Example
Goal: Read a specific message …
1. Convince sender to reveal message (OR)
1.1. Bribe user
1.2. Blackmail user
1.3 Threaten user
1.4. Fool user
2. Read message when it is being entered into the computer (OR)
2.1. Monitor electromagnetic emanations from computer screen (Countermeasure:
use a TEMPEST computer)
2.2. Visually monitor computer screen
2.3. Monitor video memory
2.4. Monitor video cables
3. Read message when it is being stored on sender's disk
(Countermeasure: use SFS to encrypt hard drive) (AND)
3.1 Get access to hard drive (Countermeasure: Put physical locks on all doors and
windows)
3.2. Read a file protected with SFS.
4. …..
Security Risk Analysis & Management
28
Related documents
A. Explain the nature of marketing plans. B. Explain the role of
A. Explain the nature of marketing plans. B. Explain the role of
Risk Analysis - Information Systems and Internet Security
Risk Analysis - Information Systems and Internet Security
ex_buisness_expansion
ex_buisness_expansion
Energy Sector Jiang Chen Chad Edward Kirksey Francisco Jose Kollmann
Energy Sector Jiang Chen Chad Edward Kirksey Francisco Jose Kollmann
The foremost goal of the information security function should be to
The foremost goal of the information security function should be to
Download
advertisement