Risk Analysis
University at Albany, SUNY
Spring 2004
Sanjay Goel
1
Administrivia
• The schedule for the remaining sessions
– Thursday, March 18th, 1-4 PM
– Tuesday, March 23rd, 8:30 - 11:30
• Both meetings will be in BA-349.
Information Security
Protection of Information Assets
• Information security is the
– concepts,
– techniques,
– technical measures, and
– administrative measures
used to protect information assets from
– deliberate or inadvertent unauthorized acquisition,
– damage,
– disclosure,
– manipulation,
– modification,
– loss, or
– use.
Information Security
Protection of Information Assets
• There are three elements of information
security
– Confidentiality
• Information is only available to authorized individuals
– Integrity
• Information can only be entered, changed or destroyed by
authorized individuals.
– Availability
• Information is provided to authorized users when it is
requested or needed.
Threats & Vulnerabilities
Definitions
• Vulnerability: A characteristic (including a weakness)
of an information asset or group of information assets
which can be exploited by a threat.
– A weakness in a system that can potentially be exploited.
• Threat: The potential cause of an unwanted event that
may result in harm to the agency and its assets.
– An actual way of exploiting a vulnerability.
Source: (http://www.oit.nsw.gov.au/pdf/4.4.16.IS1.pdf)
Threats & Vulnerabilities
Interdependence
• Threats exploit vulnerabilities in order to cause damage
– a threat is the manifestation of vulnerabilities;
– vulnerabilities are consequences of weaknesses in controls
over assets and data.
Threats & Vulnerabilities
Impact
• Destruction (facilities, data, equipment,
communications, personnel);
• Corruption or modification (data, applications);
• Theft, removal or loss (equipment, data, applications);
• Unwanted Disclosure (data);
• Inappropriate use or acceptance (unlicensed software,
repudiated or false data);
• Interruption of services.
Threats & Vulnerabilities
Segregated Based on Impact
• Threats to data
– Breach of confidentiality
– Loss of data integrity
– Denial of service
• Threats to the organization
– Loss of trust
– Embarrassment
– Management failure
• Threats to infrastructure
– Tampering with computer controls can physically
damage infrastructure (e.g. power plants, electric
grid, chemical leaks)
Sources of Threats
Not all threats are malicious
• External hackers with malicious intent
– (e.g. espionage, intent to cause damage, terrorism)
• External hackers seeking thrill
• Insiders with malicious intent
– e.g. anger at company, competition with co-worker etc.
• Accidental deletion of files and data
– User errors
• Environmental damage
– e.g. floods, earthquakes
• Equipment and Hardware failure
– e.g. Hard Disk crashes
Risk Enablers
Human Errors Behind most Risk Enablers
• Software Design Flaws
• Software Implementation Errors
• System Mis-configuration
– In many companies firewalls are mis-configured
resulting in poor protection
• Inadequate Security Policies
• Poor System Management
• Lack of Physical Protections
• Lack of employee training
– employees still write all passwords on a sheet of paper and stick it in a drawer
Security Risk
A measure of failure to counter a threat
• Risks of an organization are evaluated by
three distinguishing characteristics:
– A loss associated with an event, e.g.,
disclosure of confidential data, lost time, lost
revenues.
– The likelihood that the event will occur, i.e.
probability of occurrence of event
– The degree to which the risk outcome can be
influenced, i.e. controls that will influence the
event.
Security Risk
A measure of failure to counter a threat
• Various forms of threats exist.
• Different stakeholders have different
perception of risk.
• Several sources of threats exist
simultaneously.
Risk Analysis
Analyzing the potential loss due to events
• Risk Analysis is the process of examining
a system and its operational context to
determine possible exposures and the
possible harm they can cause.
– A study of risk that a business or system is
subject to.
– A process to determine exposure and
potential loss.
Risk Analysis
Analyzing the potential loss due to events
• Risk is the probability that a specific threat will
successfully exploit a vulnerability causing a
loss.
• By quantifying the risk, we can justify the
benefit of spending money to implement
controls
• For risk analysis:
– RISK = LOSS ($) x PROBABILITY
Risk Exposure
Risk Exposure
• Risk usually measured as dollars per annum.
– ALE: Annual Loss Expectancy, expressed as $/year.
• Suppose an event is associated with a loss.
– This loss is the risk impact, measured in dollars.
• There is a probability of occurrence, a number in the range 0 (if not possible) to 1 (if certain).
– Essentially a probability.
Risk Exposure
Risk Exposure
• Quantifying the effects of a risk by multiplying
the risk impact by the risk probability yields risk
exposure.
– i.e. Risk-exposure = Risk-impact x Risk-probability
– e.g., if the likelihood of virus attack is 0.3 and the
cost to clean up the affected systems and files is
$10,000, then the risk exposure is $3,000.
• $3,000 = $10,000 x 0.3
Risk Analysis
Example
• A Hard Disk Failure on your PC.
– Hard Disks fail about every three years.
• So, the Likelihood/Probability is 1/3 per year.
– The hardware cost is $300 to buy a new disk.
– But also, add 10 hours of effort to reload the OS, software, and restore from the last backup.
• And 4 more hours to recreate things since the backup.
– Assume $10.00 per hour for your effort.
– Total loss = $300 + 10 x (10 + 4) = $440
• Annual loss expectancy = (440 x 1/3) $pa = $147 pa
Risk Analysis
Example
• A virus attack on the same system
– You frequently swap files with other people, but have no anti-virus software running.
– Assume an attack every 6 months
• That’s a Probability of 2 per annum
– No need to buy a new disk
– Rebuild effort (10 + 4) hours
– Total loss = 10 x (10 + 4) = $140
– ALE = (140 x 2) $pa = $280 pa
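The two calculations above (hard disk failure and virus attack), as an added worked example that is not code from the original slides: the per-event loss is assembled from the same components the slides use (replacement hardware, hours to rebuild, hours to recreate work since the last backup, at the assumed $10.00/hour) and multiplied by the yearly frequency to give the ALE. The RiskEvent class and the rank_by_exposure helper are my own names, not anything from the deck.

```python
"""Annual loss expectancy (ALE) for single events, worked through with the
two examples on the slides: a hard disk failure and a virus attack.
Added example; it is not code from the original deck."""
from dataclasses import dataclass


@dataclass
class RiskEvent:
    name: str
    hardware_cost: float       # dollars for replacement parts ($300 disk, $0 for the virus)
    rebuild_hours: float       # reload OS and software, restore the last backup
    recreate_hours: float      # recreate work done since that backup
    events_per_year: float     # likelihood: 1/3 (disk fails every three years), 2 (virus twice a year)
    hourly_rate: float = 10.0  # the slides assume $10.00 per hour of your effort

    def loss_per_event(self) -> float:
        """Risk impact in dollars: parts plus labour for the whole rebuild."""
        return self.hardware_cost + self.hourly_rate * (self.rebuild_hours + self.recreate_hours)

    def annual_loss_expectancy(self) -> float:
        """Risk exposure = risk impact x risk probability, in dollars per year."""
        return self.loss_per_event() * self.events_per_year


# The two events from the slides.
DISK_FAILURE = RiskEvent("hard disk failure", hardware_cost=300, rebuild_hours=10,
                         recreate_hours=4, events_per_year=1 / 3)
VIRUS_ATTACK = RiskEvent("virus attack", hardware_cost=0, rebuild_hours=10,
                         recreate_hours=4, events_per_year=2)


def rank_by_exposure(events):
    """Return (name, ALE rounded to whole dollars) pairs, largest exposure first,
    which is the order in which controls are worth considering."""
    ranked = sorted(events, key=lambda e: e.annual_loss_expectancy(), reverse=True)
    return [(e.name, round(e.annual_loss_expectancy())) for e in ranked]


if __name__ == "__main__":
    for name, ale in rank_by_exposure([DISK_FAILURE, VIRUS_ATTACK]):
        print(f"{name:20s} ALE = ${ale}/year")
```

The ranking makes the point of the two slides explicit: the virus attack has the smaller loss per event ($140 against $440) but the larger exposure ($280/year against $147/year), because it is expected six times as often.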
Risk Mitigation
Strategies for Reduction
• There are three strategies for risk reduction:
– Avoiding the risk, by changing requirements for
security or other system characteristics.
– Transferring the risk, by allocating the risk to other systems, people, organizations or assets, or by buying insurance.
– Assuming the risk, by accepting it and controlling it with available resources.
Risk Analysis
Risk Leverage
• Costs are associated with not only the risk’s
potential impact but also with reducing it.
• Risk leverage is the difference in risk
exposure divided by the cost of reducing
the risk.
Leverage = [(risk exposure before reduction) – (risk exposure after reduction)] / (cost of risk reduction)
Risk Analysis
Steps
• The security risks in a computing system can be analyzed by the following well-defined steps:
– Identify assets.
– Determine their value, including costs of recreating any data.
– Determine the vulnerabilities.
– Estimate the likelihood of exploitation.
– Compute expected annual losses.
– Survey applicable controls and their costs.
– Perform cost/benefit analysis.
A Generic Example
Risk Analysis
Example: Gym Locker
• Consider a Gym Locker that is used by its members to
store clothes and other valuables.
• The lockers themselves cannot be locked; however
locks can be purchased for the lockers.
• You need to determine the risk exposure for the
members of the gym and then use certain controls to
reduce the risks.
Risk Analysis
Example: Gym Locker
• Identify the assets and determine their value
– clothes: $50
– wallet: $200
– glasses: $100
– sports equipment: $30
– drivers license: $5
– car keys: $20
– house keys: $25
– tapes and walkman: $70
• Find vulnerabilities
– theft
– accidental loss
– disclosure of information (e.g. read contents of wallet)
– vandalism
Risk Analysis
Example: Gym Locker
• Find a way to estimate the likelihood of
exploitation.
• This can be the hardest part of the analysis.
• A lot of the information may not be available, or
not lend itself to making ready estimates.
Risk Analysis
Example: Gym Locker
• For the gym locker example, one possibility is to use a
scale.
– Find a measure that people can estimate.
• Estimate how often a threat will occur:
– 10: More than once a day
– 9: Once a day
– 8: Once every three days
– 7: Once a week
– 6: Once every two weeks
– 5: Once a month
– 4: Once every four months
– 3: Once a year
– 2: Once every three years
– 1: Less than once every three years
Risk Analysis
Example: Gym Locker
• For example, the loss associated with a locker theft.
• On the scale, theft might have an estimated likelihood of 7.
– That is, on average, about once per week.
• Figure the annual loss:
– Assume the entire contents of the locker get cleaned out.
– ~$500 worth of expected loss each time (once a week).
– ~$26,000 per year = $500 x 52 times/year.
Risk Analysis
Example: Gym Locker
• Determine the cost of added security
– To get a new lock would cost 5 dollars.
– It would cost another 10 dollars to break the lock whenever a
key is lost.
– Assume that on average a member loses a key twice a month
• Estimate likelihood of exploitation under added security
– The new likelihood of theft could be estimated at a 4.
• Once every four months.
• Cost Benefit Analysis
– Revised Losses (including cost of controls) = $500 x 3 thefts/year + ($5 lock + $10 to break it) x 24 lost keys/year = 1,500 + 360 = $1,860
– Net savings = 26,000 – 1,860 = $24,140
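The gym locker analysis, carried through the seven steps listed earlier and finishing with the risk leverage formula from the "Risk Leverage" slide, as an added example that is not code from the original deck. The asset values, the 1-10 likelihood scale, the ratings 7 and 4, and the $5 lock, $10 lock-breaking and 24 lost keys a year are the slides' numbers; the events-per-year values for the open-ended ratings 10 and 1 are my assumptions, and the Control class and function names are mine.

```python
"""Gym-locker risk analysis from the slides, carried through the seven
steps (assets and values, vulnerabilities, likelihood, expected annual loss,
controls and their cost, cost/benefit) with risk leverage added at the end.
Added example; not code from the original deck."""
from dataclasses import dataclass

# Steps 1-2: assets and values as given on the slides (total $500).
LOCKER_CONTENTS = {
    "clothes": 50, "wallet": 200, "glasses": 100, "sports equipment": 30,
    "drivers license": 5, "car keys": 20, "house keys": 25, "tapes and walkman": 70,
}

# Step 4: the slides' 1-10 likelihood scale, expressed as events per year.
# Ratings 10 and 1 are open-ended on the slides; the values for them are assumed.
RATING_TO_EVENTS_PER_YEAR = {
    10: 730,        # "more than once a day" (assumed: twice a day)
    9: 365,         # once a day
    8: 365 / 3,     # once every three days
    7: 52,          # once a week
    6: 26,          # once every two weeks
    5: 12,          # once a month
    4: 3,           # once every four months
    3: 1,           # once a year
    2: 1 / 3,       # once every three years
    1: 1 / 6,       # "less than once every three years" (assumed: once in six years)
}


@dataclass
class Control:
    """A control with a recurring cost each time it has to be applied again
    (here: a lost key means breaking the lock and buying a new one)."""
    name: str
    cost_per_incident: float
    incidents_per_year: float

    def annual_cost(self) -> float:
        return self.cost_per_incident * self.incidents_per_year


def annual_loss(loss_per_event: float, rating: int) -> float:
    """Step 5: expected annual loss = loss per event x events per year."""
    return loss_per_event * RATING_TO_EVENTS_PER_YEAR[rating]


def cost_benefit(assets, rating_before, rating_after, control):
    """Steps 6-7: compare exposure with and without the control.
    Risk leverage = (exposure before - exposure after) / cost of the control."""
    loss_per_theft = sum(assets.values())        # the locker is cleaned out each time
    before = annual_loss(loss_per_theft, rating_before)
    after = annual_loss(loss_per_theft, rating_after)
    control_cost = control.annual_cost()
    return {
        "loss_per_event": loss_per_theft,
        "exposure_before": before,
        "exposure_after": after,
        "control_cost": control_cost,
        "revised_losses": after + control_cost,   # the slides' "including cost of controls"
        "net_savings": before - (after + control_cost),
        "leverage": (before - after) / control_cost,
    }


# The slides' numbers: theft weekly (7) without a lock, once every four
# months (4) with one; a $5 lock plus $10 to break it, 24 lost keys a year.
LOCK = Control("padlock", cost_per_incident=5 + 10, incidents_per_year=24)
GYM_LOCKER = cost_benefit(LOCKER_CONTENTS, rating_before=7, rating_after=4, control=LOCK)

if __name__ == "__main__":
    for key, value in GYM_LOCKER.items():
        print(f"{key:16s} {value:,.2f}")
```

The result reproduces the slides' $26,000 before, $1,860 revised losses and $24,140 net savings, and adds a leverage of about 68: every dollar spent on locks removes roughly $68 of annual exposure. A leverage below 1 would mean the control costs more than the exposure it removes, which is the signal to look at transferring or accepting the risk instead.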
A Security Example
Identification of Assets
Tangible
• Hardware
– Processors, boards, monitors, keyboards, terminals, drives, cables, connections, controllers, communications media, etc.
Identification of Assets
Tangible
• Software
– Source programs, executable programs, purchased programs, operating systems, systems programs, diagnostic programs, etc.
Identification of Assets
Tangible
• Data
– Data used during execution, stored data on various media, archival records, audit data, etc.
Identification of Assets
Tangible
• Documentation
– On programs, hardware, systems and administrative procedures, and documentation spanning the entire system, etc.
Identification of Assets
Non-Tangible
• People
– Skills needed to run the computing systems, etc.
• Supplies
– e.g. paper, forms, laser cartridges, magnetic media
• Reputation
• Trust
• Political Fallout
– In case of government agencies, contractors, etc.
Identification of Assets
VAM Methodology (RAND Corp.)
• VAM – Vulnerability Assessment and Mitigation
– It is a process supported by a tool that helps in identification of
assets, vulnerabilities and countermeasures.
• VAM methodology includes additional assets, such as
– The enabling infrastructure.
– The building or vehicle in which the systems will reside.
– The power, water, air, and other environmental conditions
necessary for proper functioning.
– Human and social assets, such as policies, procedures, &
training.
Determine Vulnerabilities
Specific to Organizations
• Predict the damage that might occur and its source.
• Vulnerabilities are derived to ensure the three goals of
information security
– Confidentiality, Integrity and Availability
• To organize threats & assets use the following matrix (rows: assets; columns: the three goals):

Asset         | Confidentiality | Integrity | Availability
Hardware      |                 |           |
Software      |                 |           |
Data          |                 |           |
People        |                 |           |
Documentation |                 |           |
Supplies      |                 |           |
Determine Vulnerabilities
Guiding Questions
• Each vulnerability may affect more than one asset or cause more than one type of loss
• While completing the matrix answer the following
questions:
– What are the effects of unintentional errors?
e.g. accidental deletion, use of incorrect data
– What are the effects of willfully malicious insiders?
e.g. disgruntled employees, bribery, espionage
– What are the effects of outsiders?
e.g. hackers, dial-in access, people sifting through trash
– What are the effects of natural and physical disasters?
e.g. fire, storms, floods, power outage, component failures
Determine vulnerabilities
Impact to Assets
• The table lists some impacts to tangible assets
– It is harder to determine the impact to non-tangible assets
Asset         | Confidentiality                           | Integrity                                            | Availability
Hardware      |                                           | Overloaded, destroyed, tampered with                 | Failed, stolen, destroyed, unavailable
Software      | Stolen, copied, pirated                   | Impaired by Trojan horse, modified, tampered with    | Deleted, misplaced, usage expired
Data          | Disclosed, accessed by outsider, inferred | Damaged (software error, hardware error, user error) | Deleted, misplaced, destroyed
People        |                                           |                                                      | Terminated, quit, retired, vacation
Documentation |                                           |                                                      | Lost, stolen, destroyed
Supplies      |                                           |                                                      | Lost, stolen, damaged
Determine Vulnerabilities
Key Attributes
• No simple checklist to list all vulnerabilities
• Assets have properties that make them vulnerable
– Properties exist in three categories (i.e. Architecture, Behavioral,
General)
Design/Architecture
• Singularity
– Uniqueness
– Centrality
– Homogeneity
• Separability
• Logic/implementation errors; fallibility
• Design sensitivity, fragility, limits, finiteness
• Unrecoverability
Behavioral
• Behavioral sensitivity/fragility
• Malevolence
• Rigidity
• Malleability
• Gullibility, deceivability, naïveté
• Complacency
• Corruptibility, controllability
General
• Accessible, detectable, identifiable, transparent, interceptable
• Hard to manage or control
• Self-unawareness and unpredictability
• Predictability
Likelihood of Exploitation
Frequency of event
• Likelihood relates to the stringency of existing controls
– i.e. likelihood that someone or something will evade controls
• Several approaches to computing the probability that an
event will occur
– classical, frequency and subjective
• Not easy to determine an event’s probabilities using classical methods
– Frequency probability can be computed by tracking failures that result in security breaches, or by recording the events that create new vulnerabilities
– e.g. operating systems can track hardware failures, failed login attempts, changes in the sizes of data files, etc.
• In case automatic tracking is not feasible, expert judgment is used to determine the frequency
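The frequency approach from the slide above, as an added example that is not code from the original deck: observed events are counted from system records, scaled to events per year, and mapped onto the 1-10 scale that the following slide tabulates. The log lines are constructed for illustration, the 90-day observation window is assumed, and the mapping rule (a rating means "at least this often", with 10 and 1 as the open-ended ends) is my reading of the scale rather than anything the slides state.

```python
"""Frequency-based likelihood estimation from audit records, mapped onto
the slides' 1-10 rating scale. Added example; the log lines below are
constructed for illustration and are not from the slides."""
import re

# Constructed sample of an authentication/system log over a 90-day window.
# Bursts of failures on the same day are counted as one incident.
SAMPLE_LOG = """\
2004-01-03T02:14:07 host1 sshd: authentication failure for root from 10.0.0.7
2004-01-03T02:14:09 host1 sshd: authentication failure for root from 10.0.0.7
2004-01-19T11:02:33 host1 sshd: authentication failure for admin from 10.0.0.9
2004-02-02T09:45:01 host1 sshd: accepted password for alice
2004-02-11T23:59:58 host1 sshd: authentication failure for root from 10.0.0.7
2004-03-15T08:00:00 host1 kernel: I/O error on device sda
"""
OBSERVATION_DAYS = 90   # length of the window the sample covers (assumed)

# Rating thresholds in events per year, from the slides' scale; 10 and 1 are
# the open-ended ends ("more than once a day", "less than once in three years").
SCALE_EVENTS_PER_YEAR = {9: 365, 8: 365 / 3, 7: 52, 6: 26, 5: 12, 4: 3, 3: 1, 2: 1 / 3}

DATE_PREFIX = re.compile(r"^(\d{4}-\d{2}-\d{2})")


def count_incidents(log_text: str, pattern: str) -> int:
    """Number of distinct days on which a line matching `pattern` appears."""
    matcher = re.compile(pattern)
    days = set()
    for line in log_text.splitlines():
        m = DATE_PREFIX.match(line)
        if m and matcher.search(line):
            days.add(m.group(1))
    return len(days)


def events_per_year(incidents: int, window_days: int) -> float:
    """Scale the observed count up to an annual frequency."""
    return incidents * 365 / window_days


def rating_for(rate: float) -> int:
    """Highest rating whose 'at least this often' threshold the rate meets."""
    if rate > SCALE_EVENTS_PER_YEAR[9]:
        return 10
    for rating in sorted(SCALE_EVENTS_PER_YEAR, reverse=True):
        if rate >= SCALE_EVENTS_PER_YEAR[rating]:
            return rating
    return 1


def likelihood_from_log(log_text: str, pattern: str, window_days: int) -> dict:
    """Incident count, annualised rate and scale rating for one event type."""
    incidents = count_incidents(log_text, pattern)
    rate = events_per_year(incidents, window_days)
    return {"incidents": incidents, "events_per_year": round(rate, 2), "rating": rating_for(rate)}


if __name__ == "__main__":
    print(likelihood_from_log(SAMPLE_LOG, "authentication failure", OBSERVATION_DAYS))
    print(likelihood_from_log(SAMPLE_LOG, "I/O error", OBSERVATION_DAYS))
```

Counting distinct days rather than lines keeps a burst of retries from inflating the estimate; the choice of what counts as one incident is the part of the frequency method that deserves the most thought, since the scale and everything downstream of it depend on it.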
Likelihood of Exploitation
Delphi Approach
• Subjective probability technique originally devised to deal with public policy decisions
• Assumes experts can make informed decisions
• Results from several experts are analyzed
• Estimates are revised until consensus is reached among experts

Frequency                     | Rating
More than once a day          | 10
Once a day                    | 9
Once every three days         | 8
Once a week                   | 7
Once in two weeks             | 6
Once a month                  | 5
Once every four months        | 4
Once a year                   | 3
Once every three years        | 2
Less than once in three years | 1
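The revise-until-consensus loop of the Delphi approach, as an added example that is not the slides' own procedure: a simplified simulation in which each round the facilitator reports the group median and each expert moves part of the way from their own estimate toward it. The panel's initial ratings, the per-expert step fractions and the tolerance are constructed; a real exercise exchanges written rationale, which the step fraction stands in for. The rating labels are the slides' scale.

```python
"""Delphi-style consensus on a likelihood rating. Added example: a
simplified simulation, not the slides' own procedure, in which each round
the facilitator reports the group median and each expert moves part of the
way from their own estimate toward it."""
from statistics import median

# The slides' rating scale, used to label the result.
RATING_LABELS = {
    10: "more than once a day", 9: "once a day", 8: "once every three days",
    7: "once a week", 6: "once in two weeks", 5: "once a month",
    4: "once every four months", 3: "once a year", 2: "once every three years",
    1: "less than once in three years",
}


def delphi(initial_ratings, steps=None, tolerance=1.0, max_rounds=10):
    """Iterate until the spread (max - min) of the ratings is within
    `tolerance`. Returns the consensus rating (rounded to the scale), the
    number of revision rounds used, whether consensus was actually reached
    and the full history of estimates."""
    ratings = [float(r) for r in initial_ratings]
    steps = steps or [0.5] * len(ratings)          # 0.0 = an expert who will not move
    history = [list(ratings)]
    rounds = 0
    while max(ratings) - min(ratings) > tolerance and rounds < max_rounds:
        centre = median(ratings)                   # what the facilitator reports back
        ratings = [r + s * (centre - r) for r, s in zip(ratings, steps)]
        history.append(list(ratings))
        rounds += 1
    consensus = max(ratings) - min(ratings) <= tolerance
    rating = int(round(median(ratings)))
    return {"rating": rating, "label": RATING_LABELS[rating], "rounds": rounds,
            "consensus": consensus, "history": history}


# Constructed panel: five experts' first-round estimates for locker theft.
PANEL = [3, 7, 8, 6, 9]

if __name__ == "__main__":
    result = delphi(PANEL)
    print(result["rating"], result["label"], "after", result["rounds"], "rounds")
    # With one expert who will not move, the spread never closes:
    print(delphi(PANEL, steps=[0.0, 0.5, 0.5, 0.5, 0.5])["consensus"])
```

The second call shows the failure mode worth planning for: an expert who never revises keeps the panel from converging, and the round limit is what stops the exercise. Reporting `consensus` separately from the rating means the analyst sees a rating of 7 with a flag, rather than a rating of 7 that looks agreed.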
Compute Expected Loss
Tangible & Non-tangible assets
• In this step ramifications of a computer security failure
on the organization are determined.
• Often inaccurate
– Costs of human capital required to recover from failure
undervalued e.g. cost of restoring data
– Indirect consequences of an event unknown until the event
actually happens
– Catastrophic events that cause heavy damage are so
infrequent that correct data is unavailable
– Non-tangible assets are hard to quantify
• The questions, on the next slide, can prompt us to think
about issues of explicit and hidden cost related to
security.
– The answers may not produce precise cost figures, but can
help identify the sources of various types of costs.
Compute Expected Loss
Guiding Questions
• What are the legal obligations in preserving the
confidentiality or integrity of the data?
• What business requirements and agreements cover the
situation?
• Could release of data item cause harm to person or
organization?
• Could unauthorized access to data cause the loss of
future business opportunity?
• What is the psychological effect of lack of computer
service?
• What is the value of access to data or programs?
• What is the value of having access to data or programs
to someone else?
• What other problems would arise from loss of data?
Controls
Surveying and Implementing
(Figure: a matrix of vulnerabilities A, B, C, D, E, F, G and T (rows) against security techniques 1, 2, 3 and 4 (columns); each filled cell marks the technique as the primary or a secondary control for that vulnerability. Only the cells discussed on the next slide are recoverable from the extracted text: Vulnerability E – Technique 2 (primary); Vulnerability F – Technique 4 (primary), Techniques 2 and 3 (secondary); Vulnerability T – no control, marked "Caution".)
Controls
Surveying and Implementing Cont’d.
• The previous slide shows matching of vulnerabilities
with appropriate security techniques (controls).
• Note
– Vulnerabilities E and F are countered by primary techniques 2
and 4, respectively.
– The secondary control techniques 2 and 3 for vulnerability F
are good defense in depth.
– The fact that there is no secondary control for vulnerability E is
a minor concern.
– Vulnerability T is a serious caution, because it has no control
whatsoever.
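The matching of vulnerabilities to controls described above, as an added example that is not code from the original deck: the matrix is checked mechanically for the three situations the slide calls out (no control at all, a primary control with no secondary, and primary plus secondary as defense in depth), plus one the slide does not list, a vulnerability covered only by secondary controls. The cells for E, F and T are the slides'; the entries for A, B, C, D and G are constructed placeholders, and the function names are mine.

```python
"""Coverage check for a vulnerability/control matrix like the one on the
slides. Added example, not code from the deck. The only cells the slides
state are: E has technique 2 as primary; F has technique 4 as primary and
techniques 2 and 3 as secondary; T has no control at all. The entries for
A, B, C, D and G below are constructed placeholders."""

# vulnerability -> {"primary": [techniques], "secondary": [techniques]}
CONTROL_MATRIX = {
    "A": {"primary": ["1"], "secondary": ["3"]},       # constructed
    "B": {"primary": ["1"], "secondary": []},          # constructed
    "C": {"primary": ["3"], "secondary": ["1"]},       # constructed
    "D": {"primary": [], "secondary": ["2"]},          # constructed: secondary only
    "E": {"primary": ["2"], "secondary": []},          # from the slides
    "F": {"primary": ["4"], "secondary": ["2", "3"]},  # from the slides
    "G": {"primary": ["4"], "secondary": ["1"]},       # constructed
    "T": {"primary": [], "secondary": []},             # from the slides: no control
}


def assess_coverage(matrix):
    """Classify every vulnerability by the controls that address it."""
    report = {}
    for vuln, controls in matrix.items():
        primary, secondary = controls["primary"], controls["secondary"]
        if not primary and not secondary:
            report[vuln] = "caution: no control whatsoever"
        elif not primary:
            report[vuln] = "concern: secondary controls only, no primary control"
        elif not secondary:
            report[vuln] = "minor concern: primary control but no defense in depth"
        else:
            report[vuln] = "defense in depth: primary plus secondary control"
    return report


def sole_controls(matrix):
    """Techniques that are the only control for at least one vulnerability;
    if such a technique fails, those vulnerabilities are left uncovered."""
    result = {}
    for vuln, controls in matrix.items():
        all_controls = controls["primary"] + controls["secondary"]
        if len(all_controls) == 1:
            result.setdefault(all_controls[0], []).append(vuln)
    return result


def technique_load(matrix):
    """How many vulnerabilities each technique helps to counter."""
    load = {}
    for controls in matrix.values():
        for technique in controls["primary"] + controls["secondary"]:
            load[technique] = load.get(technique, 0) + 1
    return load


if __name__ == "__main__":
    for vuln, verdict in assess_coverage(CONTROL_MATRIX).items():
        print(f"Vulnerability {vuln}: {verdict}")
    print("single points of dependence:", sole_controls(CONTROL_MATRIX))
    print("technique load:", technique_load(CONTROL_MATRIX))
```

The two extra views answer the questions the matrix invites once it is larger than a slide: sole_controls lists the techniques whose failure would leave a vulnerability with nothing (the same reason the slide values a secondary control), and technique_load shows which techniques most of the coverage rests on, which is where the cost/benefit step should concentrate.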