Risk Analysis Class Four University at Albany, SUNY Spring 2004

Controls
VAM Approach
• VAM (RAND's Vulnerability Assessment and Mitigation methodology) reflects a systems
  approach developed for the military defense environment.
• The VAM matrix compares security vulnerabilities to controls.
• VAM characterizes controls in terms of four high-level aspects:
  – Resilience and robustness
  – Intelligence, Surveillance, Reconnaissance (ISR) and self-awareness
  – Counter-intelligence, denial of ISR, and target acquisition
  – Deterrence and punishment
• Many of the controls embrace the entire system architecture, e.g.,
  – heterogeneity is only possible if several different operating systems and hardware
    platforms are incorporated in the architecture.
• VAM provides a matrix that links the attributes leading to vulnerabilities to
  controls.
INF 766 Risk Analysis
2
Controls
VAM Matrix
• VAM recognizes that controls can have both positive
and negative effects simultaneously, e.g.,
– Encryption enhances confidentiality, but creates key
management issues
– Heterogeneity improves the robustness of the system, but adds complexity
that makes the system harder to maintain.
Controls
VAM Matrix
• Rating Scheme
• Each cell relating a security technique to a vulnerability attribute contains a
  number from -2 to 2, according to this scheme:
  – 2 means that the control mitigates the vulnerability significantly
    • A primary candidate for addressing it.
  – 1 means that the control mitigates the vulnerability somewhat, but not as well
    as one labeled 2
    • A secondary candidate for addressing it.
  – 0 means that the vulnerability attribute itself facilitates the control, i.e.,
    the attribute has a beneficial side effect that enhances some aspect of security.
  – -1 means that the control worsens the vulnerability somewhat or incurs new
    vulnerabilities (a secondary concern).
  – -2 means that the control worsens the vulnerability significantly or incurs new
    vulnerabilities (a primary concern).
Risk Analysis
VAM Example
[Figure: excerpt of the VAM matrix, "Valuation of Security Techniques". Columns are
security techniques under the group heading "Trust, Authentication, and Access"
(Resilience/Robustness). Rows are vulnerability attributes: Singularity, Uniqueness,
Centrality, Homogeneity, Separability, Logic/Implementation Errors and Fallibility,
Design Sensitivity/Fragility/Limits/Finiteness, Unrecoverability. Cell legend:
   2: technique mitigates the vulnerability (primary)
   1: technique mitigates the vulnerability (secondary)
   0: technique is facilitated by the vulnerability
  -1: technique incurs the vulnerability (secondary)
  -2: technique incurs the vulnerability (primary)
Individual cell values are not reproduced here.]
Controls
Which Controls are Best?
• The VAM process requires refinement of controls based on the
role:
– Operational: System management perspective
– Design: Developers’ perspective
– Policy: Organizational perspective
• VAM Refinement matrix simplifies control selection
– Rows represent security controls
– Columns serve two functions
• The first three columns represent the perspectives for the relevance of the
control
• The next five columns represent the stage of attack when the control is
useful
Controls
Relevance Matrix
[Figure: VAM relevance (refinement) matrix. Rows are security controls, e.g.,
Intelligence Operations, Self-Awareness, Attack Detection & Forensics,
Counter-intelligence, Unpredictability, Deception to ISR, Denial of ISR, Deterrence,
Preventative and Retribution Offense, Criminal and Legal, Civil Proceedings, grouped
under the aspects Intelligence, Surveillance, Reconnaissance (ISR) and Self-Awareness;
Counter-Intelligence, Denial of ISR & Target Acquisition; and Offense and Retribution.
Columns: "Useful to Users" (Policy, Developer, Operational) and "Helps Protect These
Attack Stages" (Knowledge, Access, Target, Non-Retribution, Assess). Cells hold 1 or 2;
individual values are not reproduced here.]
• Apply to physical, cyber, human/social, and infrastructure components.
• Rating Scheme
  – 1: the control is weakly relevant to the perspective or attack stage
  – 2: the control is strongly relevant
• The content of the relevance matrix, including the columns and rows, should be
  customized to individual organizations.
• The VAM approach is sophisticated and deals with elaborate systems
  – A simpler approach that lists the controls and weaknesses may be appropriate.
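As an added example (not part of the lecture and not RAND's own VAM tooling), the
following shows how the two matrices above combine when shortlisting controls: a
vulnerability-to-technique matrix rated on the -2..2 scheme, and a relevance matrix
rated 1/2 by role and attack stage. Every attribute, technique and rating value below
is constructed for illustration and is not a published VAM rating; the point is that
a technique's negative ratings (vulnerabilities it incurs) are kept visible rather than
being hidden inside a sum.

```python
# Added example, not from the lecture or from RAND's VAM materials.
# All attribute names, technique names and ratings are constructed.

# vulnerability attribute -> {security technique: rating in -2..2}
VULN_TO_TECHNIQUE = {
    "Homogeneity":      {"Heterogeneity": 2, "Redundancy": 1, "Centralization": -1},
    "Centrality":       {"Decentralization": 2, "Redundancy": 1, "Heterogeneity": 0},
    "Unrecoverability": {"Redundancy": 2, "Backups": 2, "Encryption": -1},
    "Accessibility":    {"Encryption": 2, "Centralization": 1},
}
# technique -> {perspective or attack stage: 1 (weak) or 2 (strong)}; absent = not relevant
RELEVANCE = {
    "Heterogeneity":    {"Design": 2, "Operational": 1, "Access": 2, "Target": 2},
    "Redundancy":       {"Design": 2, "Operational": 2, "Target": 2, "Assess": 1},
    "Decentralization": {"Design": 2, "Policy": 1, "Target": 2},
    "Backups":          {"Operational": 2, "Target": 2},
    "Centralization":   {"Operational": 1},
    "Encryption":       {"Design": 2, "Operational": 1, "Knowledge": 2, "Access": 2},
}


def score_techniques(present_attrs, matrix=VULN_TO_TECHNIQUE):
    """Aggregate ratings over the vulnerability attributes present in a system.

    Returns (mitigation, incurred): mitigation sums the positive ratings per
    technique; incurred lists (attribute, rating) for every negative rating,
    so a technique that fixes one attribute but creates another is not masked.
    A 0 rating (technique facilitated by the attribute) adds nothing either way.
    """
    mitigation, incurred = {}, {}
    for attr in present_attrs:
        for tech, rating in matrix.get(attr, {}).items():
            if rating > 0:
                mitigation[tech] = mitigation.get(tech, 0) + rating
            elif rating < 0:
                incurred.setdefault(tech, []).append((attr, rating))
    return mitigation, incurred


def shortlist(present_attrs, role, stage, matrix=VULN_TO_TECHNIQUE, relevance=RELEVANCE):
    """Techniques relevant to this role AND protective at this attack stage,
    best first. Each entry is (technique, net score, incurred vulnerabilities),
    where net score = mitigation minus the magnitude of incurred ratings."""
    mitigation, incurred = score_techniques(present_attrs, matrix)
    result = []
    for tech, score in mitigation.items():
        rel = relevance.get(tech, {})
        if rel.get(role, 0) == 0 or rel.get(stage, 0) == 0:
            continue  # filtered out by the relevance matrix
        penalty = sum(-r for _, r in incurred.get(tech, []))
        result.append((tech, score - penalty, incurred.get(tech, [])))
    result.sort(key=lambda entry: (-entry[1], entry[0]))
    return result


if __name__ == "__main__":
    for entry in shortlist(["Homogeneity", "Centrality", "Unrecoverability"],
                           role="Operational", stage="Target"):
        print(entry)
```

Techniques that only incur vulnerabilities for the present attributes (here
Centralization) never reach the shortlist, and a technique such as Encryption appears
with its incurred Unrecoverability rating attached, which is the "both positive and
negative effects" point of the VAM matrix slide.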
Risk Analysis
Project Savings
• We now determine whether the benefits of preventing or mitigating the risks
  outweigh the costs of the controls.
• The effective cost of a given control is its direct cost plus the costs and losses
  incurred by using it:
  – Direct cost examples: purchase price, installation costs, and training costs.
  – Cost-of-use examples: administrative or maintenance costs, and any new exposure
    the control introduces elsewhere in the system.
  – Thus a control can be a net loss if it is expensive to administer or introduces
    new risk in another area of the system: its effective cost then exceeds the
    expected loss it prevents.
Risk Analysis
Example
• Simple Case:
A company uses a common carrier to link to a network for certain
computing applications.
The company has identified the risks of unauthorized access to data and
computing facilities through the network.
These risks can be eliminated by replacement of remote network access
with the requirement to access the system only from a machine operated
on the company premises.
The machine is not owned; a new one would have to be acquired.
• The economics of this example, which are not very
promising, are as shown in the following slide.
Risk Analysis
Cost/Benefit Analysis
Cost/Benefit Analysis for Replacing Network Access

  Item                                                           Amount
  Risk: unauthorized access and use
    Access to unauthorized data and programs
      $100,000 @ 2% likelihood per year                          $2,000
    Unauthorized use of computing facilities
      $10,000 @ 40% likelihood per year                          $4,000
    Expected annual loss (2,000 + 4,000)                         $6,000
  Effectiveness of network control: 100%                        -$6,000
  Control cost:
    Hardware ($50,000 amortized over 5 years)                  +$10,000
    Software ($20,000 amortized over 5 years)                   +$4,000
    Support personnel (each year)                              +$40,000
    Annual cost                                                 $54,000
  Expected annual loss with control (6,000 - 6,000 + 54,000)    $54,000
  Savings (6,000 - 54,000)                                     -$48,000
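The arithmetic of the table, as an added example that is not part of the lecture: the
expected annual loss is the sum of single-loss value times yearly likelihood, capital
purchases are amortized straight-line, and the net savings is the loss reduction minus
the annual control cost. The slide's figures are reproduced as the default inputs; the
partially effective control and the "new risk introduced by the control" term at the
end are constructed variants to show the general form.

```python
# Added example, not from the lecture. Figures in SLIDE_* are the slide's own;
# the cheaper-control and new-risk variants in __main__ are constructed.


def annual_loss_expectancy(risks):
    """Sum of (single-loss value x yearly likelihood) over all identified risks."""
    return sum(value * likelihood for value, likelihood in risks)


def annual_control_cost(capital_items, yearly_costs):
    """Capital items (cost, useful life in years) amortized straight-line,
    plus recurring yearly costs such as support personnel."""
    amortized = sum(cost / years for cost, years in capital_items)
    return amortized + sum(yearly_costs)


def net_annual_savings(risks, effectiveness, capital_items, yearly_costs, new_risks=()):
    """Positive means the control pays for itself over a year.

    effectiveness: fraction of the original expected loss the control removes.
    new_risks:     (value, likelihood) pairs for exposure the control itself
                   introduces (e.g. a new single point of failure).
    """
    loss_before = annual_loss_expectancy(risks)
    loss_after = loss_before * (1.0 - effectiveness) + annual_loss_expectancy(new_risks)
    return (loss_before - loss_after) - annual_control_cost(capital_items, yearly_costs)


# The slide's case: replace remote network access with an on-premises machine.
SLIDE_RISKS = [(100_000, 0.02),   # access to unauthorized data and programs
               (10_000, 0.40)]    # unauthorized use of computing facilities
SLIDE_CAPITAL = [(50_000, 5),     # hardware, amortized over 5 years
                 (20_000, 5)]     # software, amortized over 5 years
SLIDE_YEARLY = [40_000]           # support personnel, each year

if __name__ == "__main__":
    print("slide's control:", net_annual_savings(SLIDE_RISKS, 1.0, SLIDE_CAPITAL, SLIDE_YEARLY))
    # constructed alternative: 80% effective, $2,000/year, no capital outlay
    print("cheaper control:", net_annual_savings(SLIDE_RISKS, 0.8, [], [2_000]))
    # constructed: the slide's control, but it adds a $5,000 loss at 50%/year
    print("with new risk:  ", net_annual_savings(SLIDE_RISKS, 1.0, SLIDE_CAPITAL,
                                                 SLIDE_YEARLY, new_risks=[(5_000, 0.5)]))
```

The comparison the slide draws implicitly is made explicit by the second call: a control
that removes only 80% of a $6,000 expected loss but costs $2,000 a year is a net gain,
while the 100% effective control is a net loss because its cost dwarfs the exposure.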
Risk Analysis
Cost/Benefit – Graphical Technique
• Case: we are considering making use of regression testing after making an upgrade
  to fix a security flaw.
  – Regression testing means applying tests to verify that all remaining functions
    are unaffected by the change.
• Using the diagram on the following slide, compare the risk impact of doing
  regression testing with not doing it.
• The upper part of the diagram shows the risk of conducting regression testing, and
  the lower part shows the risk of not doing regression testing.
• In each of the two cases, one of three things can happen:
  – We find a critical fault
  – We miss finding the critical fault
  – There are no critical faults to be found.
Risk Analysis
Cost Savings
• For each possibility
  – Calculate the probability of an unwanted outcome (UO), P(UO).
  – Associate a loss with that unwanted outcome, L(UO).
• Thus, in our example,
  – If we do regression testing and miss a critical fault in the system (a
    probability of 0.05), the loss could be $30 million.
  – Multiplying the two, we find the risk exposure for that outcome to be $1.5
    million.
  – As the calculations in the following figure show, it is much safer to do the
    regression testing than to skip it.
Risk Analysis
Calculation for Regression Testing

  Do regression   Outcome                     P(UO)   L(UO)    Risk        Combined
  testing?                                                     Exposure    Risk Exposure
  yes             Find critical fault          0.75   $0.5M     $0.375M
                  Don't find critical fault    0.05   $30M      $1.500M
                  No critical fault            0.20   $0.5M     $0.100M     $1.975M
  no              Find critical fault          0.25   $0.5M     $0.125M
                  Don't find critical fault    0.55   $30M     $16.500M
                  No critical fault            0.20   $0.5M     $0.100M    $16.725M

Risk exposure of an outcome = P(UO) × L(UO); the combined risk exposure of a
strategy is the sum over its three outcomes.
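The decision-tree computation in the figure, as an added example that is not part of
the lecture: each strategy is a list of (outcome, P(UO), L(UO)) triples, the exposure of
a strategy is the sum of P(UO) × L(UO), and the strategy with the lowest exposure wins.
The inputs are the figure's own values; the probability-sum check and the
exposure_reduction helper (how much one could spend on testing before the choice
flips) are additions.

```python
# Added example, not from the lecture. Input values are the figure's.

M = 1_000_000


def risk_exposure(outcomes):
    """Sum of P(UO) * L(UO) over the unwanted outcomes of one strategy.
    The outcome probabilities of a branch must be exhaustive, so they sum to 1."""
    total_p = sum(p for _, p, _ in outcomes)
    if abs(total_p - 1.0) > 1e-9:
        raise ValueError(f"outcome probabilities sum to {total_p}, not 1")
    return sum(p * loss for _, p, loss in outcomes)


def choose(strategies):
    """Return (name of the lowest-exposure strategy, {name: exposure})."""
    exposures = {name: risk_exposure(outs) for name, outs in strategies.items()}
    return min(exposures, key=exposures.get), exposures


def exposure_reduction(strategies, chosen, alternative):
    """Exposure avoided by taking `chosen` instead of `alternative`; this is the
    most it would be worth spending on `chosen` before the decision flips."""
    return risk_exposure(strategies[alternative]) - risk_exposure(strategies[chosen])


STRATEGIES = {
    "regression testing": [
        ("find critical fault",       0.75, 0.5 * M),
        ("don't find critical fault", 0.05, 30 * M),
        ("no critical fault",         0.20, 0.5 * M),
    ],
    "no regression testing": [
        ("find critical fault",       0.25, 0.5 * M),
        ("don't find critical fault", 0.55, 30 * M),
        ("no critical fault",         0.20, 0.5 * M),
    ],
}

if __name__ == "__main__":
    best, exposures = choose(STRATEGIES)
    for name, value in exposures.items():
        print(f"{name:24s} ${value / M:.3f}M")
    print("choose:", best)
    print("worth up to $%.2fM on testing" %
          (exposure_reduction(STRATEGIES, "regression testing", "no regression testing") / M))
```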
Risk Analysis
Pros & Cons
• Pros
  – Improve awareness.
  – Relate the security mission to management objectives.
  – Identify assets, vulnerabilities, and controls.
  – Improve the basis for decisions.
  – Justify expenditures for security.
• Cons
  – False sense of precision and confidence.
  – Hard to perform.
  – Immutability (once done, the analysis tends to be filed away and not updated).
  – Lack of accuracy.
Matrix Based Approach
Risk Analysis
Aggregation
• Individual risks aggregated to get the total risk posture
– True comparison of relative risks of different organizations
• A mathematical approach to correlate risks with assets of the
organization is provided
– Methodology is standardized.
– Data needs to be customized for the organization.
• Controls can reduce the cost of the exposure
– Need to determine the optimum controls for the organization.
– Methodology for determining controls (shown later).
• Analysis should be undertaken to see the impact of new
projects on security.
Risk Analysis
Assets and Vulnerabilities
[Figure: assets × vulnerabilities matrix. Columns (Assets & Costs): Client Secrets,
Lost Sales/Revenue, Reputation (Trust), Cleanup Costs, Info/Integrity, Hardware,
Software, Services, Trade Secrets (IP), Critical Infrastructure, followed by a
Relative Impact column. Rows (Vulnerabilities): Web Servers, Compute Servers,
Firewalls, Routers, Client Nodes, Databases. Value scale: Not Relevant 0, Low 1,
Medium 3, High 9.]
• Customize the matrix to the assets & vulnerabilities applicable to your case:
  – Compute the cost of each asset and put it in the value row
  – Determine the correlation between each vulnerability and asset
    (L(ow)/M(edium)/H(igh))
  – Compute the sum of the products of vulnerability ratings and asset values; add
    it to the Impact column
Risk Analysis
Vulnerabilities and Threats
[Figure: vulnerabilities × threats matrix. Columns (Vulnerabilities): Web Servers,
Compute Servers, Firewalls, Routers, Client Nodes, Databases, …, with a Value row
carrying the Impact column of the previous matrix, followed by a Relative Threat
Importance column. Rows (Threats): Denial of Service, Spoofing/Masquerading,
Malicious Code, Human Errors, Insider Attacks, Intrusion, …. Scale: Not Relevant 0,
Low 1, Medium 3, High 9.]
• Complete the matrix based on the specific case
  – Add the values from the Impact column of the previous matrix
  – Determine the association between each threat and vulnerability
  – Compute aggregate exposure values by multiplying the impacts by the
    associations and summing across the row
Risk Analysis
Threats and Controls
[Figure: threats × controls matrix. Columns (Threats): Malicious Code, Spoofing,
Human Errors, Insider Attacks, Intrusion, Physical Damage, Spam, DoS, …, with a Value
row carrying the exposure values of the previous matrix, followed by a Value of
Control column. Rows (Controls): Firewalls, IDS, Single Sign-On, DMZ, Training,
Security Policy, Network Configuration, Hardening Environment. Scale: Not Relevant 0,
Low 1, Medium 3, High 9.]
• Customize the matrix based on the specific case:
  – Add the values from the relative exposure column of the previous matrix.
  – Determine the impact of each control on each threat.
  – Compute the aggregate value of the benefit of each control.
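The three chained matrices above carried through in code, as an added example that is
not part of the lecture: asset values weight the vulnerability rows into an Impact
column, the Impact column weights the threat rows into exposure values, and the
exposure values weight the control rows into a Value of Control column. The asset,
vulnerability, threat and control names, the asset values and every L/M/H rating are
constructed for illustration and carry no claim about any real system.

```python
# Added example, not from the lecture. All names, values and ratings are constructed.

SCALE = {"-": 0, "L": 1, "M": 3, "H": 9}   # Not Relevant / Low / Medium / High

# asset -> value (in $k, constructed); this is the "value row" of the first matrix
ASSET_VALUE = {"web servers": 200, "databases": 900, "client nodes": 50}

# vulnerability -> {asset: rating}: how strongly the vulnerability bears on the asset
VULN_VS_ASSET = {
    "unpatched service":   {"web servers": "H", "databases": "M", "client nodes": "L"},
    "weak authentication": {"web servers": "M", "databases": "H", "client nodes": "M"},
    "no backups":          {"web servers": "L", "databases": "H", "client nodes": "-"},
}
# threat -> {vulnerability: rating}: how strongly the threat exploits the vulnerability
THREAT_VS_VULN = {
    "intrusion":      {"unpatched service": "H", "weak authentication": "H", "no backups": "-"},
    "malicious code": {"unpatched service": "H", "weak authentication": "L", "no backups": "M"},
    "insider attack": {"unpatched service": "-", "weak authentication": "M", "no backups": "M"},
}
# control -> {threat: rating}: how much the control reduces the threat
CONTROL_VS_THREAT = {
    "firewall":  {"intrusion": "M", "malicious code": "L", "insider attack": "-"},
    "hardening": {"intrusion": "H", "malicious code": "H", "insider attack": "L"},
    "training":  {"intrusion": "L", "malicious code": "M", "insider attack": "H"},
}


def weighted_sum(row, weights):
    """Sum of rating x weight across one matrix row (the 'sum of products' step)."""
    return sum(SCALE[rating] * weights[column] for column, rating in row.items())


def vulnerability_impact(assets=ASSET_VALUE, matrix=VULN_VS_ASSET):
    """Impact column of the assets x vulnerabilities matrix."""
    return {vuln: weighted_sum(row, assets) for vuln, row in matrix.items()}


def threat_exposure(impact, matrix=THREAT_VS_VULN):
    """Relative exposure column of the vulnerabilities x threats matrix."""
    return {threat: weighted_sum(row, impact) for threat, row in matrix.items()}


def control_benefit(exposure, matrix=CONTROL_VS_THREAT):
    """Value of Control column of the threats x controls matrix."""
    return {control: weighted_sum(row, exposure) for control, row in matrix.items()}


def rank_controls():
    """Run the three stages end to end; controls with the largest benefit first."""
    benefit = control_benefit(threat_exposure(vulnerability_impact()))
    return sorted(benefit.items(), key=lambda item: -item[1])


if __name__ == "__main__":
    for control, value in rank_controls():
        print(f"{control:10s} {value:>10,d}")
```

Because the 0/1/3/9 scale is ordinal rather than a measurement, the resulting
"value of control" numbers only order the controls; the next slide is where actual
attack frequencies turn them into exposure in dollars.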
Risk Analysis
Total Exposure
• Determine the frequency of each attack using statistical data
  – with controls,
  – without controls.
• Compute the exposure of each asset given the frequency of attacks.
• Compare the exposure with controls, plus the cost of the controls, against the
  exposure without controls, to determine the optimum control.
• The hardest part of the exercise is getting the frequency of attacks from
  statistical data, since
  – data is difficult to obtain,
  – data is often inaccurate.
• Use your best judgment when obtaining frequency data.
Quantitative Analysis
Risk Aggregation
Risk Aggregation
Model Cont’d.
Risk Aggregation
Modeling Uncertainties
• Some uncertainty exists regarding the value that should be
assumed by one or more independent variables in the Risk
model.
• This lack of knowledge about particular values or the
knowledge that some values might always vary contributes
to the model’s uncertainty.
• If it cannot be determined with certainty what value one or
more input variables in a model will assume, this
uncertainty is naturally reflected on the outcome of the
dependent variable(s).
• The risk metric is therefore not determined by point values of its
  independent variables alone (asset values and vulnerabilities, frequency and
  impact of threats); it is also a function of the probability distribution of
  each of these random variables.
• A good approach to dealing with uncertainty is simulation
Monte Carlo Simulation
Approach
• The simulation approach uses the following steps:
– Develop the risk model.
– Define the shape and parameters of the probability
distributions of each input variable.
– Run the Monte Carlo simulation.
– Build a histogram for each of the dependent variables
in the model (risk and updated risk).
– Compute summary statistics for each dependent
variable in the model.
– Perform sensitivity analysis to detect variability
sources.
– Analyze potential dependency relationships among
variables in the model.
Monte Carlo Simulation
Value of Assets
Monte Carlo Simulation
Annualized Frequency of Threats
Truncated Normal (mean, std. dev, min=0)
Monte Carlo Simulation
Impact of Threats
Monte Carlo Simulation
Controls
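The simulation steps listed above, carried out end to end as an added example that is
not the lecture's model and uses only the Python standard library: asset values and
threat impacts are drawn from uniform distributions, annualized threat frequency from a
normal truncated at zero (as on the preceding slide), and control effectiveness from a
uniform range; each run yields an exposure and a reduced (with-controls) exposure, from
which the histogram, summary statistics and a correlation-based sensitivity analysis
are built. The risk model itself (exposure = Σ frequency × impact × total asset value)
and every parameter value are constructed for illustration.

```python
import random
import statistics

# Added example, not from the lecture: Monte Carlo estimate of annual risk
# exposure with and without controls. The model, the asset/threat/control
# parameters and the distribution shapes are all constructed for illustration.


def truncated_normal(rng, mean, sd, minimum=0.0):
    """Normal sample, redrawn until it is >= minimum (rejection sampling)."""
    while True:
        x = rng.gauss(mean, sd)
        if x >= minimum:
            return x


# asset -> (low, high) of a uniform value distribution, in $ (constructed)
ASSETS = {"web servers": (150_000, 250_000), "databases": (800_000, 1_000_000)}
# threat -> ((annual frequency mean, sd), (impact low, high)); impact is the
# fraction of total asset value lost per occurrence (constructed)
THREATS = {
    "intrusion":      ((2.0, 1.5), (0.05, 0.30)),
    "malicious code": ((6.0, 3.0), (0.01, 0.10)),
}
# control -> (threat it addresses, (low, high) of the fraction of loss it removes)
CONTROLS = {
    "hardening": ("intrusion", (0.5, 0.9)),
    "antivirus": ("malicious code", (0.6, 0.95)),
}


def one_run(rng):
    """Sample every input once; return (inputs, exposure, reduced exposure)."""
    total_value = sum(rng.uniform(lo, hi) for lo, hi in ASSETS.values())
    # several controls on one threat compound multiplicatively
    residual = {threat: 1.0 for threat in THREATS}
    for threat, (lo, hi) in CONTROLS.values():
        residual[threat] *= 1.0 - rng.uniform(lo, hi)
    inputs, exposure, reduced = {}, 0.0, 0.0
    for threat, ((f_mean, f_sd), (i_lo, i_hi)) in THREATS.items():
        freq = truncated_normal(rng, f_mean, f_sd)   # frequency cannot be negative
        impact = rng.uniform(i_lo, i_hi)
        inputs[f"freq:{threat}"] = freq
        inputs[f"impact:{threat}"] = impact
        loss = freq * impact * total_value
        exposure += loss
        reduced += loss * residual[threat]
    return inputs, exposure, reduced


def simulate(runs=1000, seed=1):
    """Seeded so a run is reproducible; returns (inputs, exposures, reduced)."""
    rng = random.Random(seed)
    rows = [one_run(rng) for _ in range(runs)]
    return [r[0] for r in rows], [r[1] for r in rows], [r[2] for r in rows]


def summary(xs):
    s = sorted(xs)
    return {"mean": statistics.fmean(s), "median": statistics.median(s),
            "p90": s[int(0.9 * (len(s) - 1))], "max": s[-1]}


def histogram(xs, bins=5):
    """Equal-width bins over [min, max]; returns (edges, counts)."""
    lo, hi = min(xs), max(xs)
    width = (hi - lo) / bins or 1.0
    counts = [0] * bins
    for x in xs:
        counts[min(int((x - lo) / width), bins - 1)] += 1
    return [lo + i * width for i in range(bins + 1)], counts


def pearson(xs, ys):
    mx, my = statistics.fmean(xs), statistics.fmean(ys)
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    vx = sum((x - mx) ** 2 for x in xs)
    vy = sum((y - my) ** 2 for y in ys)
    return cov / (vx * vy) ** 0.5 if vx and vy else 0.0


def sensitivity(inputs, outputs):
    """Correlation of each sampled input with the output, strongest first
    (the tornado chart on the sensitivity-analysis slide)."""
    corr = {name: pearson([row[name] for row in inputs], outputs) for name in inputs[0]}
    return sorted(corr.items(), key=lambda item: -abs(item[1]))


if __name__ == "__main__":
    inp, exp, red = simulate()
    print("exposure   ", summary(exp))
    print("reduced    ", summary(red))
    print("histogram  ", histogram(exp))
    print("sensitivity", sensitivity(inp, exp))
```

Reading the output the way the following slides do: the gap between the exposure and
reduced-exposure summaries is what the controls buy, and the sensitivity list says
which input distribution most deserves better data before trusting the result.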
Monte Carlo Simulation
Distribution of Risk Exposure
[Figure: Histogram of Exposure Risk (1000 runs), frequency vs. risk in $, with bin
labels 5610, 10627, 15643, 20660, 25677; alongside it the Cumulative Distribution of
Exposure Risk (1000 runs), cumulative frequency from 0 to 1000 over the same bins.]
Monte Carlo Simulation
Distribution of Reduced Risk Exposure
[Figure: Histogram of Reduced Exposure Risk (1000 runs), frequency vs. risk in $, with
bin labels 47, 271, 496, 720, 945; alongside it the Cumulative Distribution of Reduced
Exposure Risk (1000 runs), cumulative frequency from 0 to 1000 over the same bins.]
Monte Carlo Simulation
Sensitivity Analysis of Exposure Risk
[Figure: tornado chart of the sensitivity of exposure risk to the annualized
frequency of each threat, x-axis from -100% to 100%; threats shown: Worms, Password
Based Attacks, Viruses, Intrusion, Overflow Attacks.]
Risk Management in
Other Fields
Operational Risk Management
Objectives?
• Internal Control to Manage Financial Exposure,
Profitability.
• Enhancing Quality as a Competitive Business Strategy.
• Maintaining the Firm’s Reputation for Integrity.
• Managing Strategic/Business Risk.
Operational Risk Management
Key Aspects
• A Deep Understanding of the Business
• Its key risks and its major exposures
• Careful Thought About “What If”
• Awareness that Most Problems Involve Weak
Management Supervision and Multiple Breakdowns in
Controls
• Realization that the basis of any measure is inherently
subjective.
Security for Business Process
Internal Revenue Service
• The example process is a taxpayer requesting information on
status of refund via the Internet.
• The components of this process are: the taxpayer, the Internet,
the central entry point on the Internet for IRS (the portal), the
Internet Refund Fact of Filing application that processes the
request (IRFOF), and the databases containing information
on the taxpayer and his tax information.
[Diagram: Taxpayer (T) → Internet → PORTAL → IRFOF → Refund Data]
Security for Business Process
IRS
• Security (confidentiality, integrity, and availability) must be
considered in multiple dimensions and layers
• The databases and applications are evaluated in terms of who
or what other applications should have access (confidentiality)
to the data and what can be done to the data (integrity).
• The actual computer the application runs upon, along with its
operating system, is evaluated against who or what
application needs access (confidentiality), the priority of that
need (availability), and what operations can occur on that
computer by that person or application (integrity).
• The network is evaluated for availability and confidentiality.
In this example, the network is not only the internal IRS
network but also includes the Internet.
• And lastly, one needs to look at the physical protections
surrounding the employees and the information technology
(equipment and communication lines).
Security for Business Process
IRS
• To begin discussing security considerations, we use the
following diagram.
• The taxpayer provides name and tax information which
authenticates the taxpayer for this application.
[Diagram: the same flow, Taxpayer (T) → PORTAL → IRFOF → Refund Data, annotated with
authentication credentials and access control decisions (A) at the PORTAL and at
IRFOF. Legend as printed: "T: Refund Info", "3: Taxpayer", "E: IRFOF". The
authentication decision is driven by data sensitivity and user type.]
Security for Business Process
IRS
• In the preceding example, confidentiality was addressed
through the various authentication and identification checks
• Data integrity was addressed during the identification checks.
These checks would determine the operations in which an
authorized user could engage, as in being able to read the tax
information
• Availability was not addressed in the example, but could be
addressed by adding in redundant access points, as in adding a
second portal for users to access
[Diagram: Taxpayer (T) → PORTAL → IRFOF → Refund Data]
Security for Business Process
Conclusions
• Not all business processes will have multiple layers of defense.
Some may be missing security features, such as access
controls or audit trails, at the application or database level.
• The type and number of security features will be driven by the
level of risk an organization is willing to accept.
• Because of the interconnectivity of the Internet and internal
networks, no one process owner can accept a higher level of
risk than the organization has stated it is willing to accept.
• As new security defenses are added to an infrastructure,
existing vulnerabilities in business processes need to be
reviewed to determine whether the level of risk is still at an
acceptable level.
• When a business process changes, the security features should
always be reviewed to determine any impacts and to ensure
no new risks have been introduced into the process.
Risk Management in Manufacturing
Strong Financial Pressures
• We need to redefine roles and ownership structures to manage
contracting & ownership risks.
• Risk management has to be used as strategic lever to create
customer and shareholder value.
• A customized delivery system has to be developed to
minimize working capital risks.
Manufacturing Sector
Many sources of risk, some endangering the enterprise
• Financial Valuation & Economic Factors
• Volumetric (Forecasting)
• Pricing and Upstream Cost (Economic)
• Strategic Behavior (Supply Chain Partners, Competitors,
Customers)
• Political and Regulatory Factors
• Disruptions (Accidents, Sabotage, Strikes)
Manufacturing Sector
Strategies
• Discovery and Valuation
  – Scenario and Vulnerability Analysis
  – Exchanges and Benchmarks
  – Enterprise Risks and Product Line Risks
• Risk Transfer Tools, including Insurance
  – New tools, from weather derivatives to securitization
  – New assessment methodologies
• Disruption Risks: The New Kid on the Block
  – Supply Chain Changes Resulting from Unbundling
  – Security and Major Accidents/Incidents
  – Operational Risks, from Fraud to Governance
Health Care Industry
Unique Attributes
• Most hazardous industry.
• Light regulation.
• Paucity of data.
• Primitive use of IT.
• Primitive standards of performance.
• Safety is not a major priority.
Health Care Industry
Annual Statistics
• 1.3 million injuries
• 180,000 deaths
• $50 billion total costs (1989 $)
• $14 billion uncompensated costs
• Most dangerous industry
[Figure: bar chart of annual deaths (scale 0 to 100,000) for Medical, Auto,
Workplace, and Air.]
Health Care Industry
Risk Management
• Approach:
– Traditional “Damage control” – Liability management
– Recently: Error prevention
• Barriers
– Accountability - A blaming culture
– Lack of leadership
– Limited physician engagement
Summary
1. Risk assessment is a technique supporting
security planning.
2. Inherent in several sectors of business (nuclear,
financial, chemical industry)
3. Lack of data is key issue in information security
risk analysis
Decision Making Framework
Supply Chain Variables Impact on ROA

  ROA = (Revenues - Costs) × (1 - TaxRate) / (Current Assets + Physical Assets)

[Figure: supply chain variables acting on the formula: Material and MOH
(manufacturing overhead), Freight and Duties, and Inventory-driven Costs on the cost
side; Site Location(s) and Inventory Levels on the asset side.]
Corporate Business Continuity Functions (from J. Harrald, GWU)
[Figure: functions arranged around a CRISIS EVENT: Vulnerability/risk assessment;
Business area analysis; Business area impact analysis; Risk management and loss
control; Contingency planning; Exercises/drills; Crisis management; Crisis
communications; Incident management; Incident response; Restoration; Disaster
recovery; Business recovery; Business resumption.]
Decision Making Framework
[Figure: CRITICALITY (vertical axis) against VULNERABILITY (horizontal axis). Regions:
Unacceptable Consequences (eliminate unacceptable risk factors); Risk Reduction; Risk
Acceptance (baseline protection). Source: ManTech, Inc.]
Try to operate in the green area.