Risk Analysis
University at Albany, SUNY
Spring 2004
Sanjay Goel

Slide 2. Administrivia
• The schedule for the remaining sessions
  – Thursday, March 18th, 1-4 PM
  – Tuesday, March 23rd, 8:30 - 11:30
• Both meetings will be in BA-349.

Slide 3. Information Security: Protection of Information Assets
• Information security is the
  – concepts,
  – techniques,
  – technical measures, and
  – administrative measures
  used to protect information assets from
  – deliberate or inadvertent unauthorized acquisition,
  – damage,
  – disclosure,
  – manipulation,
  – modification,
  – loss, or
  – use.

Slide 4. Information Security: Protection of Information Assets
• There are three elements of information security
  – Confidentiality
    • Information is only available to authorized individuals.
  – Integrity
    • Information can only be entered, changed or destroyed by authorized individuals.
  – Availability
    • Information is provided to authorized users when it is requested or needed.

Slide 5. Threats & Vulnerabilities: Definitions
• Vulnerability: A characteristic (including a weakness) of an information asset or group of information assets which can be exploited by a threat.
  – A weakness in a system that can potentially be exploited.
• Threat: The potential cause of an unwanted event that may result in harm to the agency and its assets.
  – An actual way of exploiting a vulnerability.
Source: http://www.oit.nsw.gov.au/pdf/4.4.16.IS1.pdf

Slide 6. Threats & Vulnerabilities: Interdependence
• Threats exploit vulnerabilities in order to cause damage
  – a threat is the manifestation of vulnerabilities;
  – vulnerabilities are consequences of weaknesses in controls over assets and data.
Slide 7. Threats & Vulnerabilities: Impact
• Destruction (facilities, data, equipment, communications, personnel);
• Corruption or modification (data, applications);
• Theft, removal or loss (equipment, data, applications);
• Unwanted disclosure (data);
• Inappropriate use or acceptance (unlicensed software, repudiated or false data);
• Interruption of services.

Slide 8. Threats & Vulnerabilities: Segregated Based on Impact
• Threats to data
  – Breach of confidentiality
  – Loss of data integrity
  – Denial of service
• Threats to the organization
  – Loss of trust
  – Embarrassment
  – Management failure
• Threats to infrastructure
  – Tampering with computer controls can physically damage infrastructure (e.g. power plants, electric grid, chemical leaks)

Slide 9. Sources of Threats: Not all threats are malicious
• External hackers with malicious intent
  – e.g. espionage, intent to cause damage, terrorism
• External hackers seeking thrills
• Insiders with malicious intent
  – e.g. anger at the company, competition with a co-worker, etc.
• Accidental deletion of files and data
  – User errors
• Environmental damage
  – e.g. floods, earthquakes
• Equipment and hardware failure
  – e.g. hard disk crashes

Slide 10. Risk Enablers: Human Errors Behind Most Risk Enablers
• Software design flaws
• Software implementation errors
• System mis-configuration
  – In many companies firewalls are mis-configured, resulting in poor protection
• Inadequate security policies
• Poor system management
• Lack of physical protections
• Lack of employee training
  – Employees still write all their passwords on a sheet of paper and stick it in a drawer

Slide 11. Security Risk: A measure of failure to counter a threat
• Risks of an organization are evaluated by three distinguishing characteristics:
  – A loss associated with an event, e.g., disclosure of confidential data, lost time, lost revenues.
  – The likelihood that the event will occur, i.e.
  the probability of occurrence of the event.
  – The degree to which the risk outcome can be influenced, i.e. the controls that will influence the event.

Slide 12. Security Risk: A measure of failure to counter a threat
• Various forms of threats exist.
• Different stakeholders have different perceptions of risk.
• Several sources of threats exist simultaneously.

Slide 13. Risk Analysis: Analyzing the potential loss due to events
• Risk Analysis is the process of examining a system and its operational context to determine possible exposures and the possible harm they can cause.
  – A study of the risk that a business or system is subject to.
  – A process to determine exposure and potential loss.

Slide 14. Risk Analysis: Analyzing the potential loss due to events
• Risk is the probability that a specific threat will successfully exploit a vulnerability, causing a loss.
• By quantifying the risk, we can justify the benefit of spending money to implement controls.
• For risk analysis:
  – RISK = LOSS ($) x PROBABILITY

Slide 15. Risk Exposure
• Risk is usually measured as dollars per annum.
  – ALE: Annual Loss Expectancy, expressed as $/year.
• Suppose an event is associated with a loss.
  – This loss is the risk impact, measured in dollars.
• There is a probability of occurrence, a number in the range 0 (if not possible) to 1 (if certain).
  – Essentially a probability.

Slide 16. Risk Exposure
• Quantifying the effects of a risk by multiplying the risk impact by the risk probability yields the risk exposure.
  – i.e. Risk-exposure = Risk-impact x Risk-probability
  – e.g., if the likelihood of a virus attack is 0.3 and the cost to clean up the affected systems and files is $10,000, then the risk exposure is $3,000.
    • $3,000 = $10,000 x 0.3

Slide 17. Risk Analysis Example
• A hard disk failure on your PC.
  – Hard disks fail about every three years.
    • So, the likelihood/probability is 1/3 per year.
  – The hardware cost is $300 to buy a new disk.
  – But also add 10 hours of effort to reload the OS and software and restore from the last backup.
    • And 4 more hours to recreate things done since the backup.
  – Assume $10.00 per hour for your effort.
  – Total loss = $300 + 10 x (10 + 4) = $440
    • Annual loss expectancy = (440 x 1/3) $pa = $147 pa

Slide 18. Risk Analysis Example
• A virus attack on the same system
  – You frequently swap files with other people, but have no anti-virus software running.
  – Assume an attack every 6 months.
    • That is a probability of 2 per annum.
  – No need to buy a new disk.
  – Rebuild effort (10 + 4) hours.
  – Total loss = 10 x (10 + 4) = $140
  – ALE = (140 x 2) $pa = $280 pa

Slide 19. Risk Mitigation: Strategies for Reduction
• There are three strategies for risk reduction:
  – Avoiding the risk, by changing requirements for security or other system characteristics.
  – Transferring the risk, by allocating the risk to other systems, people, organizations or assets, or by buying insurance.
  – Assuming the risk, by accepting it and controlling it with available resources.

Slide 20. Risk Analysis: Risk Leverage
• Costs are associated not only with the risk's potential impact but also with reducing it.
• Risk leverage is the difference in risk exposure divided by the cost of reducing the risk.

  Leverage = [(risk exposure before reduction) – (risk exposure after reduction)] / (cost of risk reduction)

Slide 21. Risk Analysis Steps
• The security risks in a computing system can be analyzed by the following well-defined steps:
  – Identify assets.
  – Determine their value, including the costs of recreating any data.
  – Determine the vulnerabilities.
  – Estimate the likelihood of exploitation.
  – Compute expected annual losses.
  – Survey applicable controls and their costs.
  – Perform cost/benefit analysis.

Slide 22. A Generic Example

Slide 23. Risk Analysis Example: Gym Locker
• Consider a gym locker that is used by its members to store clothes and other valuables.
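The ALE arithmetic of the hard disk and virus examples, together with the risk leverage formula, carried through in Python. This is an added example, not code from the slides or the course; the Scenario fields, the function names and the hypothetical anti-virus control used to illustrate leverage are my own assumptions. The virus case's "2 per annum" is an annual rate of occurrence rather than a probability bounded by 1, so the code treats the multiplier as expected events per year throughout, which is what the ALE formula actually needs.

```python
"""Annual loss expectancy (ALE) and risk leverage for the PC scenarios.

ALE = loss per event (dollars) x expected events per year.
Added example; the scenario figures are the ones given on the slides, the
anti-virus control used to illustrate leverage is a constructed assumption.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    name: str
    hardware_cost: float    # dollars spent on replacement parts per event
    rebuild_hours: float    # reload OS and software, restore last backup
    recreate_hours: float   # recreate work done since that backup
    hourly_rate: float      # dollar value placed on the owner's time
    events_per_year: float  # expected occurrences per year (may exceed 1)

    def loss_per_event(self) -> float:
        """Risk impact: hardware plus the dollar value of the effort."""
        return self.hardware_cost + self.hourly_rate * (
            self.rebuild_hours + self.recreate_hours
        )

    def ale(self) -> float:
        """Risk exposure per year: impact x expected events per year."""
        return self.loss_per_event() * self.events_per_year


def portfolio_ale(scenarios) -> float:
    """Total annual exposure when several independent events threaten one system."""
    return sum(s.ale() for s in scenarios)


def risk_leverage(exposure_before: float, exposure_after: float,
                  control_cost: float) -> float:
    """(exposure before - exposure after) / annual cost of the control.

    Leverage above 1 means the control removes more annual loss than it
    costs; below 1 the organisation pays more than the risk it retires.
    """
    if control_cost <= 0:
        raise ValueError("control cost must be positive")
    return (exposure_before - exposure_after) / control_cost


# Slide figures: disk fails every three years, $300 part, 10 + 4 hours at $10/h.
DISK_FAILURE = Scenario("hard disk failure", 300, 10, 4, 10.0, 1 / 3)
# Slide figures: attack every six months, no hardware, same 10 + 4 rebuild hours.
VIRUS_ATTACK = Scenario("virus attack", 0, 10, 4, 10.0, 2.0)


def antivirus_leverage(annual_cost: float = 40.0,
                       residual_events_per_year: float = 0.25) -> float:
    """Constructed illustration (not from the slides): an anti-virus
    subscription costing `annual_cost` dollars a year is assumed to cut
    attacks from 2 per year to `residual_events_per_year`."""
    after = Scenario(VIRUS_ATTACK.name, 0, 10, 4, 10.0, residual_events_per_year)
    return risk_leverage(VIRUS_ATTACK.ale(), after.ale(), annual_cost)


if __name__ == "__main__":
    for s in (DISK_FAILURE, VIRUS_ATTACK):
        print(f"{s.name}: ${s.loss_per_event():.0f} per event, ALE ${s.ale():.2f}/yr")
    print(f"combined ALE ${portfolio_ale([DISK_FAILURE, VIRUS_ATTACK]):.2f}/yr")
    print(f"anti-virus leverage {antivirus_leverage():.3f}")
```

The disk case reproduces the slide's $440 per event and $146.67 a year (the slide rounds to $147); the virus case gives $280. Under the assumed $40 a year control, the leverage of (280 - 35) / 40 is 6.125, meaning each dollar spent on the control retires about six dollars of annual expected loss.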
• The lockers themselves cannot be locked; however, locks can be purchased for the lockers.
• You need to determine the risk exposure for the members of the gym and then use certain controls to reduce the risks.

Slide 24. Risk Analysis Example: Gym Locker
• Identify the assets and determine their value
  – clothes             $50
  – wallet              $200
  – glasses             $100
  – sports equipment    $30
  – drivers license     $5
  – car keys            $20
  – house keys          $25
  – tapes and walkman   $70
• Find vulnerabilities
  – theft
  – accidental loss
  – disclosure of information (e.g. reading the contents of the wallet)
  – vandalism

Slide 25. Risk Analysis Example: Gym Locker
• Find a way to estimate the likelihood of exploitation.
• This can be the hardest part of the analysis.
• A lot of the information may not be available, or may not lend itself to making ready estimates.

Slide 26. Risk Analysis Example: Gym Locker
• For the gym locker example, one possibility is to use a scale.
  – Find a measure that people can estimate.
• Estimate how often a threat will occur:
  – 10: More than once a day
  – 9: Once a day
  – 8: Once every three days
  – 7: Once a week
  – 6: Once every two weeks
  – 5: Once a month
  – 4: Once every four months
  – 3: Once a year
  – 2: Once every three years
  – 1: Less than once every three years

Slide 27. Risk Analysis Example: Gym Locker
• For example, consider the loss associated with a locker theft.
• On the scale, theft might have an estimated likelihood of 7.
  – That is, on average, about once per week.
• Figure the annual loss
  – Assume the entire contents of the locker get cleaned out.
    • ~$500 worth of expected loss each time (once a week).
  – ~$26,000 per year
    • = $500 x 52 times/year.

Slide 28. Risk Analysis Example: Gym Locker
• Determine the cost of added security
  – Getting a new lock would cost 5 dollars.
  – It would cost another 10 dollars to break the lock whenever a key is lost.
  – Assume that on average a member loses a key twice a month.
• Estimate the likelihood of exploitation under added security
  – The new likelihood of theft could be estimated at a 4.
    • Once every four months.
• Cost Benefit Analysis
  – Revised losses (including the cost of controls) = 500 x 3 + 15 x 24 = $1,860
    • i.e. three thefts a year at $500 each, plus 24 lost keys a year at $15 each (a $10 break-in plus a $5 replacement lock)
  – Net savings = 26,000 – 1,860 = $24,140

Slide 29. A Security Example

Slide 30. Identification of Assets: Tangible
• Hardware
  – Processors,
  – boards,
  – monitors,
  – keyboards,
  – terminals,
  – drives,
  – cables,
  – connections,
  – controllers,
  – communications media,
  – etc.

Slide 31. Identification of Assets: Tangible
• Software
  – Source programs,
  – Executable programs,
  – purchased programs,
  – operating systems,
  – systems programs,
  – diagnostic programs,
  – etc.

Slide 32. Identification of Assets: Tangible
• Data
  – Data used during execution,
  – Stored data on various media,
  – Archival records,
  – Audit data,
  – Etc.

Slide 33. Identification of Assets: Tangible
• Documentation
  – On programs,
  – hardware,
  – systems,
  – Administrative procedures and
  – Spanning the entire system,
  – Etc.

Slide 34. Identification of Assets: Non-Tangible
• People
  – Skills needed to run the computing systems, etc.
• Supplies
  – e.g. paper, forms, laser cartridges, magnetic media
• Reputation
• Trust
• Political fallout
  – In the case of government agencies, contractors, etc.

Slide 35. Identification of Assets: VAM Methodology (RAND Corp.)
• VAM – Vulnerability Assessment and Mitigation
  – It is a process, supported by a tool, that helps in the identification of assets, vulnerabilities and countermeasures.
• The VAM methodology includes additional assets, such as
  – The enabling infrastructure.
  – The building or vehicle in which the systems will reside.
  – The power, water, air, and other environmental conditions necessary for proper functioning.
  – Human and social assets, such as policies, procedures, & training.
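The frequency scale of slide 26 and the gym locker cost/benefit analysis of slides 27 and 28, worked through as an added Python example (not course code). The ratings and their meanings are the slides'; the events-per-year figures attached to ratings 10 and 1 are my assumptions, since the slides only bound those two ("more than once a day", "less than once every three years"), and the function names are mine.

```python
"""Frequency scale and gym locker cost/benefit analysis from the slides.

Added example, not course code. The rating-to-frequency mapping for
ratings 10 and 1 is assumed; every other figure comes from the slides.
"""

# Rating on the slides' 1..10 scale -> expected events per year.
EVENTS_PER_YEAR = {
    10: 730,        # more than once a day: assumed twice a day
    9: 365,         # once a day
    8: 365 / 3,     # once every three days
    7: 52,          # once a week (the slides use 52 for theft)
    6: 26,          # once every two weeks
    5: 12,          # once a month
    4: 3,           # once every four months (the slides use 3 after the lock)
    3: 1,           # once a year
    2: 1 / 3,       # once every three years
    1: 0.1,         # less than once every three years: assumed once a decade
}

# Locker contents and values from slide 24.
LOCKER_CONTENTS = {
    "clothes": 50, "wallet": 200, "glasses": 100, "sports equipment": 30,
    "drivers license": 5, "car keys": 20, "house keys": 25,
    "tapes and walkman": 70,
}


def asset_value(contents: dict) -> int:
    """Loss per event if the whole locker is cleaned out."""
    return sum(contents.values())


def annual_loss(loss_per_event: float, rating: int) -> float:
    """ALE for a threat whose likelihood was estimated on the 1..10 scale."""
    if rating not in EVENTS_PER_YEAR:
        raise ValueError(f"rating {rating} is not on the 1..10 scale")
    return loss_per_event * EVENTS_PER_YEAR[rating]


def lock_control_cost(lock_price: float, break_in_cost: float,
                      key_losses_per_year: int) -> float:
    """Annual cost of the padlock control: every lost key means breaking the
    old lock and buying a new one."""
    return (lock_price + break_in_cost) * key_losses_per_year


def cost_benefit(loss_per_event, rating_before, rating_after, control_cost):
    """Compare exposure without the control against exposure with it,
    counting the control's own annual cost as part of the revised losses."""
    before = annual_loss(loss_per_event, rating_before)
    after = annual_loss(loss_per_event, rating_after) + control_cost
    return {"before": before, "after": after, "net_savings": before - after}


def gym_locker_analysis() -> dict:
    """The slides' numbers: theft at rating 7, rating 4 once locks are used,
    a $5 lock, $10 to break it, and keys lost twice a month."""
    value = asset_value(LOCKER_CONTENTS)
    control = lock_control_cost(lock_price=5, break_in_cost=10,
                                key_losses_per_year=24)
    return cost_benefit(value, rating_before=7, rating_after=4,
                        control_cost=control)


if __name__ == "__main__":
    print(gym_locker_analysis())
```

Running it reproduces the slides' figures: $500 of contents, $26,000 a year before the lock, $1,860 a year with it (including the $360 a year spent on replacing broken locks), and net savings of $24,140. Keeping the scale as an explicit table makes the assumption behind each rating visible, which matters because the whole result swings on the 7-to-4 estimate rather than on any of the dollar amounts.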
Slide 36. Determine Vulnerabilities: Specific to Organizations
• Predict the damage that might occur and its source.
• Vulnerabilities are derived to ensure the three goals of information security
  – Confidentiality, Integrity and Availability
• To organize threats & assets, use the following matrix (one row per asset, one column per security property; the cells are filled in for the organization being analyzed):

  Asset          Confidentiality   Integrity   Availability
  Hardware
  Software
  Data
  People
  Documentation
  Supplies

Slide 37. Determine Vulnerabilities: Guiding Questions
• Each vulnerability may affect more than one asset or cause more than one type of loss.
• While completing the matrix, answer the following questions:
  – What are the effects of unintentional errors? e.g. accidental deletion, use of incorrect data
  – What are the effects of willfully malicious insiders? e.g. disgruntled employees, bribery, espionage
  – What are the effects of outsiders? e.g. hackers, dial-in access, people sifting through trash
  – What are the effects of natural and physical disasters? e.g. fire, storms, floods, power outage, component failures

Slide 38. Determine Vulnerabilities: Impact to Assets
• The table lists some impacts to tangible assets (rows are assets, columns are the confidentiality, integrity and availability properties; empty cells are omitted)
  – Harder to determine the impact to non-tangible assets
  – Hardware
    • Integrity: overloaded, destroyed, tampered with
    • Availability: failed, stolen, destroyed, unavailable
  – Software
    • Confidentiality: stolen, copied, pirated
    • Integrity: impaired by Trojan horse, modified, tampered with
    • Availability: deleted, misplaced, usage expired
  – Data
    • Confidentiality: disclosed, accessed by outsider, inferred
    • Integrity: damaged (software error, hardware error, user error)
    • Availability: deleted, misplaced, destroyed
  – People
    • Availability: terminated, quit, retired, vacation
  – Documentation
    • Availability: lost, stolen, destroyed
  – Supplies
    • Availability: lost, stolen, damaged

Slide 39. Determine Vulnerabilities: Key Attributes
• No simple checklist can list all vulnerabilities.
• Assets have properties that make them vulnerable.
  – Properties exist in three categories (i.e.
  Architecture, Behavioral, General)

  Design/Architecture
  • Singularity
    – Uniqueness
    – Centrality
    – Homogeneity
  • Separability
  • Logic/implementation errors; fallibility
  • Design sensitivity, fragility, limits, finiteness
  • Unrecoverability

  Behavioral
  • Behavioral sensitivity/fragility
  • Malevolence
  • Rigidity
  • Malleability
  • Gullibility, deceivability, naïveté
  • Complacency
  • Corruptibility, controllability

  General
  • Accessible, detectable, identifiable, transparent, interceptable
  • Hard to manage or control
  • Self-unawareness and unpredictability
  • Predictability

Slide 40. Likelihood of Exploitation: Frequency of event
• Likelihood relates to the stringency of existing controls
  – i.e. the likelihood that someone or something will evade the controls
• There are several approaches to computing the probability that an event will occur
  – classical, frequency and subjective
• It is not easy to determine an event's probability using classical methods
  – Frequency probability can be computed by tracking failures that result in security breaches or that create new vulnerabilities
  – e.g. operating systems can track hardware failures, failed login attempts, changes in the sizes of data files, etc.
• In case automatic tracking is not feasible, expert judgment is used to determine the frequency

Slide 41. Likelihood of Exploitation: Delphi Approach
• Frequency ratings
  – More than once a day: 10
  – Once a day: 9
  – Once every three days: 8
  – Once a week: 7
  – Once in two weeks: 6
  – Once a month: 5
  – Once every four months: 4
  – Once a year: 3
  – Once every three years: 2
  – Less than once in three years: 1
• Subjective probability technique originally devised to deal with public policy decisions
• Assumes experts can make informed decisions
• Results from several experts are analyzed
• Estimates are revised until consensus is reached among the experts

Slide 42. Compute Expected Loss: Tangible & Non-tangible assets
• In this step the ramifications of a computer security failure on the organization are determined.
• Often inaccurate
  – The cost of the human capital required to recover from a failure is undervalued, e.g. the cost of restoring data
  – Indirect consequences of an event are unknown until the event actually happens
  – Catastrophic events that cause heavy damage are so infrequent that correct data is unavailable
  – Non-tangible assets are hard to quantify
• The questions on the next slide can prompt us to think about issues of explicit and hidden cost related to security.
  – The answers may not produce precise cost figures, but can help identify the sources of various types of costs.

Slide 43. Compute Expected Loss: Guiding Questions
• What are the legal obligations in preserving the confidentiality or integrity of the data?
• What business requirements and agreements cover the situation?
• Could release of a data item cause harm to a person or organization?
• Could unauthorized access to data cause the loss of a future business opportunity?
• What is the psychological effect of a lack of computer service?
• What is the value of access to data or programs?
• What is the value of having access to data or programs to someone else?
• What other problems would arise from loss of data?

Slide 44. Controls: Surveying and Implementing
[Figure: a matrix of Vulnerabilities A through G and T (rows) against Techniques 1 through 4 (columns); each marked cell labels the technique as a Primary or Secondary control for that vulnerability, and Vulnerability T is flagged "Caution".]

Slide 45. Controls: Surveying and Implementing, Cont'd.
• The previous slide shows the matching of vulnerabilities with appropriate security techniques (controls).
• Note
  – Vulnerabilities E and F are countered by primary techniques 2 and 4, respectively.
  – The secondary control techniques 2 and 3 for vulnerability F are good defense in depth.
  – The fact that there is no secondary control for vulnerability E is a minor concern.
  – Vulnerability T is a serious caution, because it has no control whatsoever.
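The two likelihood-estimation approaches from slides 40 and 41, the frequency method (count tracked events and scale to a year) and the subjective Delphi method (revise expert ratings until they agree), as an added Python example that is not course code. The failed-login records are constructed, and the consensus rule (every expert within one scale point of the round's median) is my assumption; the slides only say that estimates are revised until consensus is reached.

```python
"""Two ways of arriving at a likelihood figure (slides 40 and 41).

Added example, not course code. The event records are constructed and the
consensus rule is an assumption.
"""
from datetime import date
from statistics import median


def events_per_year(event_dates, window_start: date, window_end: date) -> float:
    """Frequency approach: count tracked events inside an observation window
    and scale the count to a year."""
    days = (window_end - window_start).days
    if days <= 0:
        raise ValueError("window must span at least one day")
    in_window = sum(1 for d in event_dates if window_start <= d <= window_end)
    return in_window * 365 / days


def delphi_consensus(rounds, tolerance: float = 1.0):
    """Subjective (Delphi) approach.

    `rounds` is a list of per-round lists of expert ratings on the 1..10
    scale; each round holds the experts' revised estimates after seeing
    the previous round's spread. Returns (consensus rating, round number)
    for the first round in which every estimate lies within `tolerance`
    of the median, or None if no round converged.
    """
    for round_no, estimates in enumerate(rounds, start=1):
        if not estimates:
            raise ValueError(f"round {round_no} has no estimates")
        centre = median(estimates)
        spread = max(abs(e - centre) for e in estimates)
        if spread <= tolerance:
            return int(centre + 0.5), round_no   # round half up onto the scale
    return None


# Constructed records: dates on which the OS logged a burst of failed logins.
FAILED_LOGIN_BURSTS = [
    date(2004, 1, 3), date(2004, 1, 15), date(2004, 2, 2),
    date(2004, 2, 20), date(2004, 3, 8), date(2004, 3, 25),
]
WINDOW = (date(2004, 1, 1), date(2004, 3, 31))   # 90 days in 2004

# Constructed Delphi rounds: four experts rating "theft from an unlocked
# locker"; estimates tighten as they see each other's reasoning.
DELPHI_ROUNDS = [
    [3, 7, 5, 9],
    [5, 6, 5, 7],
    [5, 6, 5, 6],
]

if __name__ == "__main__":
    print(f"{events_per_year(FAILED_LOGIN_BURSTS, *WINDOW):.1f} bursts/year")
    print(delphi_consensus(DELPHI_ROUNDS))
```

With the constructed data, six bursts in a 90-day window scale to about 24.3 a year, which on the slides' scale sits between "once every two weeks" and "once a month"; the Delphi rounds converge in the third round on a rating of 6. Returning the round number alongside the rating lets an analyst report how much revision was needed, which is itself a signal of how uncertain the estimate is.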
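The coverage check that slide 45 performs by eye on the slide 44 matrix, as an added Python example (not course code): given which techniques are marked primary or secondary for each vulnerability, report the vulnerabilities with no control at all, those with a primary but no secondary, and those relying on secondary controls only. Only the cells for vulnerabilities E, F and T are legible on the slide; the rows for A and B below are constructed so that every finding is exercised, and the status strings and function names are mine.

```python
"""Checking control coverage of a vulnerability/technique matrix.

Added example, not course code. Rows E, F and T follow slide 45; rows A
and B are constructed.
"""
from collections import Counter

CAUTION = "CAUTION: no control at all"
SECONDARY_ONLY = "WARNING: secondary controls only, no primary technique"
NO_DEPTH = "MINOR: primary control but no secondary (no defense in depth)"
OK = "OK: primary plus secondary control"

# vulnerability -> techniques marked Primary / Secondary in the matrix
COVERAGE = {
    "Vulnerability E": {"primary": {"Technique 2"}, "secondary": set()},
    "Vulnerability F": {"primary": {"Technique 4"},
                        "secondary": {"Technique 2", "Technique 3"}},
    "Vulnerability T": {"primary": set(), "secondary": set()},
    # constructed rows (cells not legible on the slide)
    "Vulnerability A": {"primary": {"Technique 1"}, "secondary": {"Technique 2"}},
    "Vulnerability B": {"primary": set(), "secondary": {"Technique 3"}},
}


def assess_coverage(coverage: dict) -> dict:
    """Classify each vulnerability by how well the matrix covers it."""
    findings = {}
    for vuln, cells in coverage.items():
        primary, secondary = cells["primary"], cells["secondary"]
        if not primary and not secondary:
            findings[vuln] = CAUTION
        elif not primary:
            findings[vuln] = SECONDARY_ONLY
        elif not secondary:
            findings[vuln] = NO_DEPTH
        else:
            findings[vuln] = OK
    return findings


def uncovered(coverage: dict) -> list:
    """Vulnerabilities with no control whatsoever, sorted for reporting."""
    return sorted(v for v, f in assess_coverage(coverage).items() if f == CAUTION)


def technique_load(coverage: dict) -> Counter:
    """How many vulnerabilities each technique serves as the primary control.
    A technique carrying many primaries is a single point of failure for the
    control set, so it deserves a secondary of its own."""
    return Counter(t for cells in coverage.values() for t in cells["primary"])


if __name__ == "__main__":
    for vuln, finding in sorted(assess_coverage(COVERAGE).items()):
        print(f"{vuln}: {finding}")
    print("uncovered:", uncovered(COVERAGE))
    print("primary load:", dict(technique_load(COVERAGE)))
```

Run against the page's rows it reproduces slide 45's reading: F is fully covered, E lacks defense in depth, and T is the serious caution. The technique_load count is the extra check a reviewer would add, since a matrix can look complete while a single technique quietly carries most of the primary coverage.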