Download qualitative.ppt

advertisement
Qualitative
Risk Analysis
Sanjay Goel
University at Albany, SUNY
Fall 2004
Sanjay Goel, School of Business/Center for Information Forensics and Assurance
University at Albany Proprietary Information
1
Course Outline
> Unit 1: What is a Security Assessment?
– Definitions and Nomenclature
Unit 2: What kinds of threats exist?
– Malicious Threats (Viruses & Worms) and Unintentional Threats
Unit 3: What kinds of threats exist? (cont’d)
– Malicious Threats (Spoofing, Session Hijacking, Miscellaneous)
Unit 4: How to perform security assessment?
– Risk Analysis: Qualitative Risk Analysis
Unit 5: Remediation of risks?
– Risk Analysis: Quantitative Risk Analysis
Sanjay Goel, School of Business/Center for Information Forensics and Assurance
University at Albany Proprietary Information
2
Qualitative Risk Analysis
Outline for this unit
Module 1: Qualitative Risk Analysis
Module 2: Matrix Based Approach
Module 3: Determine Assets and Vulnerabilities
Module 4: Determine Threats and Controls
Module 5: Case Study
Sanjay Goel, School of Business/Center for Information Forensics and Assurance
University at Albany Proprietary Information
3
Module 1
Risk Analysis:
Qualitative Risk Analysis
Risk Analysis
Outline
•
What are the difficulties with risk analysis?
•
What are the two different approaches?
•
What is the methodology for qualitative risk
analysis?
Sanjay Goel, School of Business/Center for Information Forensics and Assurance
University at Albany Proprietary Information
5
Risk Analysis
Risk Analysis Definition
• Risk analysis involves the identification and
assessment of the levels of risks calculated from the
known values of assets and the levels of threats to,
and vulnerabilities of, those assets.
• It involves the interaction of the following elements:
–
–
–
–
–
–
Assets
Vulnerabilities
Threats
Impacts
Likelihoods
Controls
Sanjay Goel, School of Business/Center for Information Forensics and Assurance
University at Albany Proprietary Information
6
Risk Analysis
Concept Map
• Threats exploit system vulnerabilities which expose system assets.
• Security controls protect against threats by meeting security
requirements established on the basis of asset values.
Source: Australian Standard Handbook of Information Security Risk Management – HB231-2000
Sanjay Goel, School of Business/Center for Information Forensics and Assurance
University at Albany Proprietary Information
7
Risk Analysis
Difficulties with Information Security Risk Analysis
•
•
•
•
•
Relatively new field
Lack of formal models
Lack of data
Evolving threats
Constantly changing information systems and
vulnerabilities
• Human factors related to security
• No standard of practice
Sanjay Goel, School of Business/Center for Information Forensics and Assurance
University at Albany Proprietary Information
8
Risk Analysis
Approaches
• Two Risk Analysis Approaches
– Qualitative:
Based on literal description of risk factors and risk is
expressed in terms of its potential. Threats and
vulnerabilities are identified and analyzed using subjective
judgment. Uses checklists to determine if recommended
controls are implemented and if different information
systems or organizations are secure.
– Quantitative:
Relating to, concerning, or based on the amount or number
of something, capable of being measured or expressed in
numerical terms.
Sanjay Goel, School of Business/Center for Information Forensics and Assurance
University at Albany Proprietary Information
9
Risk Analysis: Qualitative
Methodology
• Qualitative risk analysis methodologies involve relative
comparison of risks and prioritization of controls
• Usually associate relationships between interrelated factors
– Things of value for the organization
– Threats: things that can go wrong
– Vulnerabilities: Weaknesses that make a system more prone to attack or
make an attack more likely to succeed
– Controls: These are the countermeasures for vulnerabilities
• More practical since it is based on user inference and follows
current processes better. It capitalizes on user experience and
doesn’t resort to extensive data gathering.
• Probability data is not required and only estimated potential
loss may be used
Sanjay Goel, School of Business/Center for Information Forensics and Assurance
University at Albany Proprietary Information
10
Risk Analysis: Qualitative
Questions 1, 2, and 3
1)
What is the difference between quantitative and qualitative risk
analysis?
2)
Why would one be performed instead of another?
3)
What are the benefits to using a matrix based methodology for
qualitative risk analysis?
Sanjay Goel, School of Business/Center for Information Forensics and Assurance
University at Albany Proprietary Information
11
Module 2
Determine Assets
and Vulnerabilities
Determine Assets and Vulnerabilities
Outline
•
•
•
•
•
What are tangible assets?
What are non-tangible assets?
How to assign value to assets?
What questions should be asked?
Example
– Lemonade Stand
•
•
How to determine vulnerabilities?
What questions should be asked?
Sanjay Goel, School of Business/Center for Information Forensics and Assurance
University at Albany Proprietary Information
13
Determine Assets
Tangible
• Assets- Something that the agency values and has to protect. Assets include all
information and supporting items that an agency requires to conduct business.
• Hardware
– Processors, boards, monitors, keyboards, terminals, drives, cables, connections,
controllers, communications media, etc.
• Software
– Source programs, object programs, purchased programs, operating systems, systems
programs, diagnostic programs, etc.
• Information/Data
– Data used during execution, stored data on various media, archival records, audit
data, files with payment details, voice records, image files, product information,
continuity plans.
• Services
– Provided by the company. (e.g. computing and communication services, service
providers and utilities)
• Documentation
– On programs, hardware, systems, administrative procedures and the entire system,
contracts, completed forms.
Sanjay Goel, School of Business/Center for Information Forensics and Assurance
University at Albany Proprietary Information
14
Determine Assets
Non-Tangible
• People and their knowledge (Employees)
– Integral function/skills which the employee provides (e.g. technical,
operational, marketing, legal, financial, contractors/consultants,
outsourced providers)
• Reputation and Image
– Value attributed to an organization as a result of its general estimation in
the public eye. (e.g. political standing in the case of government
agencies)
• Trust
– Value consistent with public opinion on the integrity and character of an
organization.
• Intellectual Property
– Any product of the human intellect that is unique, novel, and unobvious
(and has some value in the marketplace)
Source: http://www.uta.edu/tto/ip-defs.htm
Sanjay Goel, School of Business/Center for Information Forensics and Assurance
University at Albany Proprietary Information
15
Determine Assets
Valuation
• Asset values are used to identify the appropriate protection of
assets and to determine the importance of the assets to the
business.
• Values can be expressed in terms of:
– Potential business impacts affecting loss of confidentiality, integrity and
availability.
• Valuation of some assets different for small and large
organizations
• Intangible assets hard to quantify
• Hidden costs of damages to recovery (often underestimated)
• Borrow from litigation
• Iterative to find ways of valuation
Sanjay Goel, School of Business/Center for Information Forensics and Assurance
University at Albany Proprietary Information
16
Determine Assets
Valuation, cont’d.
• In this step, ramifications of computer security failure on
organization are determined.
• Often inaccurate
– Costs of human capital required to recover from failure undervalued
e.g. cost of restoring data
– Indirect consequences of an event unknown until the event actually
happens
– Catastrophic events that cause heavy damage are so infrequent that
correct data unavailable
– Non-tangible assets hard to quantify
• The questions on the next slide prompt us to think about
issues of explicit and hidden cost related to security.
– The answers may not produce precise cost figures, but help identify
sources of various types of costs.
Sanjay Goel, School of Business/Center for Information Forensics and Assurance
University at Albany Proprietary Information
17
Determine Assets
Guiding Questions to Reflect on Intangible Assets
• What are the legal obligations in preserving confidentiality or
integrity of data?
• What business requirements and agreements cover the situation?
• Could release of a data item cause harm to a person or
organization?
• Could unauthorized access to data cause loss of future business
opportunity?
• What is the psychological effect of lack of computer service?
• What is the value of access to data or programs?
• What is the value of having access to data or programs to
someone else?
• What other problems would arise from loss of data?
Sanjay Goel, School of Business/Center for Information Forensics and Assurance
University at Albany Proprietary Information
18
Determine Assets
General Example #1: Lemonade Stand
Billy sells lemonade outside of his house every
weekend for 3 hours a day. Every week he makes about
$40. The wooden stand has a cardboard sign which
reads, “Lemonade for SALE, 25 cents each”. Supplies
he receives from his mother are paper cups and a glass
pitcher and spoon to stir with. For one pitcher of
lemonade, he needs 4 lemons, 2 cups of sugar, 1 quart
of water, and a secret ingredient and 10 minutes. The
special recipe is located in a small space within the
lemonade stand. He has a general crowd of about 10
neighbors who buy from him because they enjoy the
taste of his lemonade and his personality.
Sanjay Goel, School of Business/Center for Information Forensics and Assurance
University at Albany Proprietary Information
19
Determine Assets
General Example #1: Lemonade Stand, cont’d.
Listing of Tangible Assets:
• Establishment
– Lemonade stand: $5
Listing of Intangible Assets:
• People
– Billy
– Billy’s Mother
• Advertising
– Sign: $1
• Supplies
–
–
–
–
–
–
–
Pitcher: $7
Paper cups: $2/25 pack
Spoon: $1.50
Lemons: $3/10 pack
Sugar: $1/1 lb.
Water: $1/gallon
Secret ingredient: $1/1 lb.
• Intellectual Property
– Special recipe
• Trust
• Reputation
• Customer base
Sanjay Goel, School of Business/Center for Information Forensics and Assurance
University at Albany Proprietary Information
20
Determine Vulnerabilities
Specific to Organizations
• Predict damage that might occur and source of damage
• Information
– is an asset that has a value to an agency and must therefore be
appropriately protected.
• The objective of information security is to preserve the
agency’s information assets and the business processes they
support in the context of:
– Confidentiality
Information is only available to authorized individuals
– Integrity
Information can only be entered, changed or destroyed by
authorized individuals.
– Availability
Information is provided to authorized users when it is
requested or needed.
Sanjay Goel, School of Business/Center for Information Forensics and Assurance
University at Albany Proprietary Information
21
Determine Vulnerabilities
Impact to Assets
• Vulnerability- A weak characteristic of an information asset or group of
assets which can be exploited by a threat. Consequence of weaknesses in
controls.
• To organize threats & assets use the following matrix:
– Harder to determine impact to non-tangible assets
Asset
Hardware
Confidentiality
X
Integrity
Availability
Overloaded, destroyed,
Tampered with
Failed, Stolen,
Destroyed, Unavailable
Software
Stolen, copied,
pirated
Impaired by Trojan horse,
Modified, tampered with
Deleted, Misplaced,
Usage expired
Data
Disclosed,
Damaged (software error,
accessed by
hardware error,
outsider, inferred user error)
Deleted, Misplaced,
Destroyed
People
X
X
Terminated, Quit, Retired,
Vacation
Documentation
X
X
Lost, Stolen, Destroyed
Supplies
X
X
Lost, Stolen, Damaged
Sanjay Goel, School of Business/Center for Information Forensics and Assurance
University at Albany Proprietary Information
22
Determine Vulnerabilities
Guiding Questions
• Each vulnerability may affect more than one asset or cause
more than one type of loss
• While completing the matrix, answer the following questions:
– What are the effects of unintentional errors?
e.g. accidental deletion, use of incorrect data
– What are the effects of willful malicious insiders?
e.g. disgruntled employees, bribery, espionage
– What are the effects of outsiders?
e.g. hackers, dial-in access, people sifting through trash
– What are the effects of natural and physical disasters?
e.g. fire, storms, floods, power outage, component failures
Sanjay Goel, School of Business/Center for Information Forensics and Assurance
University at Albany Proprietary Information
23
Determine Assets and Vulnerabilities
Assignment
•
Using your own organization, determine the assets and
vulnerabilities and fill them into the appropriate matrices.
Sanjay Goel, School of Business/Center for Information Forensics and Assurance
University at Albany Proprietary Information
24
Module 3
Determine Threats and Controls
Determine Threats and Controls
Outline
•
•
How do you identify threats?
What types of controls are there?
–
–
–
–
•
Organizational and Management
Physical and Environmental
Operational
Technical
What are the functions of controls?
Sanjay Goel, School of Business/Center for Information Forensics and Assurance
University at Albany Proprietary Information
26
Determine Threats and Controls
Identification of Threats
• Threat- Potential cause of an unwanted event that may result in harm to the
agency and its assets. A threat is a manifestation of vulnerability.
• Malicious
– Malicious Software (Viruses, worms, trojan horses, time bomb logic bomb, rabbit,
bacterium)
– Spoofing or Masquerading
– Sequential or Dictionary Scanning
– Snooping (electronic monitoring or “shoulder surfing”)
– Scavenging (“dumpster diving” or automated scanning of data)
– Spamming
– Tunneling
• Unintentional
– Equipment or Software Malfunction
– Human error (back door or user error)
• Physical
– Power loss, vandalism, fire/flood/lightning damage, destruction
Source: http://www.caci.com/business/ia/threats.html
Sanjay Goel, School of Business/Center for Information Forensics and Assurance
University at Albany Proprietary Information
27
Determine Threats and Controls
Functions of Controls
• Security Controls- Implementations to reduce overall risk
and vulnerability
• Deter
– Avoid or prevent the occurrence of an undesirable event
• Protect
– Safeguard the information assets from adverse events
• Detect
– Identify the occurrence of an undesirable event
• Respond
– React to or counter an adverse effect
• Recover
– Restore integrity, availability and confidentiality of information
assets
Source: Information Security Guidelines for NSW Government
Agencies Part 3 Information Security Baseline Controls
Sanjay Goel, School of Business/Center for Information Forensics and Assurance
University at Albany Proprietary Information
28
Determine Threats and Controls
Controls
• Organizational & Management Controls
– Information security policy, information security infrastructure,
third party access, outsourcing, mobile computing, telecommuting,
asset classification and control, personnel practices, job descriptions,
segregation of duties, recruitment, terms and conditions of
employment, employee monitoring, job terminations and changes,
security awareness and training, compliance with legal and
regulatory requirements, compliancy with security policies and
standards, incident handling, disciplinary process, business
continuity management, system audits
• Physical & Environmental Controls
– Secure areas, equipment security, clear desk and screen policy,
removal of property
Source: Information Security Guidelines for NSW Government
Agencies Part 3 Information Security Baseline Controls
Sanjay Goel, School of Business/Center for Information Forensics and Assurance
University at Albany Proprietary Information
29
Determine Threats and Controls
Operational Controls
• Operational Controls
– Documentation, configuration and change management, incident
management, software development and test environment,
outsourced facilities, systems planning, systems and acceptance
testing, protection against malicious code, data backup, logging,
software and information exchange, security of media in transit,
electronic commerce security, electronic data interchange, internet
commerce, email security, electronic services, electronic publishing,
media
Source: Information Security Guidelines for NSW Government
Agencies Part 3 Information Security Baseline Controls
Sanjay Goel, School of Business/Center for Information Forensics and Assurance
University at Albany Proprietary Information
30
Determine Threats and Controls
Technical Controls
• Technical Controls
– Identification and authentication, passwords, tokens, biometric
devices, logical access control, review of access rights, unattended
user hardware, network management, operational procedures,
predefined user access paths, dial-in access controls, network
planning, network configuration, segregation of networks, firewalls,
monitoring of network, intrusion detection, internet connection
policies, operating system access control, identification of terminals
and workstations, secure logon practices, system utilities, duress
alarm, time restriction, application access control and restriction,
isolation of sensitive applications, audit trails and logs
Source: Information Security Guidelines for NSW Government
Agencies Part 3 Information Security Baseline Controls
Sanjay Goel, School of Business/Center for Information Forensics and Assurance
University at Albany Proprietary Information
31
Determine Assets and Vulnerabilities
Assignment
•
Using your own organization, determine the vulnerabilities and
threats and fill them into the appropriate matrices.
Sanjay Goel, School of Business/Center for Information Forensics and Assurance
University at Albany Proprietary Information
32
Module 4
Matrix Based Approach
Matrix Based Approach
Outline
•
What are the steps involved?
•
How do you fill in the matrices?
– Asset/Vulnerability Matrix
– Vulnerability/Threat Matrix
– Threat/Control Matrix
Sanjay Goel, School of Business/Center for Information Forensics and Assurance
University at Albany Proprietary Information
34
Matrix Based Approach
Methodology
• Consists of three matrices
– Vulnerability Matrix: Links assets to vulnerabilities
– Threat Matrix: Links vulnerabilities to threats
– Control Matrix: Links threats to the controls
• Step 1
– Identify the assets & compute the relative importance of assets
• Step 2
–
–
–
–
–
List assets in the columns of the matrix.
List vulnerabilities in the rows within the matrix.
The value row should contain asset values.
Rank the assets based on the impact to the organization.
Compute the aggregate value of relative importance of different
vulnerabilities
Sanjay Goel, School of Business/Center for Information Forensics and Assurance
University at Albany Proprietary Information
35
Matrix Based Approach
Methodology
• Step 3
– Add aggregate values of vulnerabilities from vulnerability matrix to the
column side of the threat matrix
– Identify the threats and add them to the row side of the threat matrix
– Determine the relative influence of threats on the vulnerabilities
– Compute aggregate values of importance of different threats
• Step 4
– Add aggregate values of threats from the threat matrix to the column
side of control matrix
– Identify the controls and add them to the row side of the control
matrix
– Compute aggregate values of importance of different controls
Sanjay Goel, School of Business/Center for Information Forensics and Assurance
University at Albany Proprietary Information
36
Matrix Based Approach
Determining L/M/H
• There needs to be a threshold for determining the correlations
within the matrices. For each matrix, the thresholds can be
different. This can be done in two ways:
• Qualitatively
– determined relative to other correlations
– e.g. asset1/vulnerability1 (L) is much lower than asset3/vulnerability3
(H) correlation. asset2/vulnerability2 correlation is in-between (M)
• Quantitatively
– determined by setting limits
– e.g. if no correlation (0), if lower than 10% correlation (L), if lower
than 35% medium (M), if greater than 35% (H)
Sanjay Goel, School of Business/Center for Information Forensics and Assurance
University at Albany Proprietary Information
37
Matrix Based Approach
Extension of L/M/H
• Although the example provided gives 4 different levels (Not
Relevant, Low, Medium, and High), organizations may choose
to have more levels for finer grained evaluation.
• For example:
– Not Relevant (0)
– Very Low (1)
– Low (2)
– Medium-Low (3)
– Medium (4)
– Medium-High (5)
– High (6)
Sanjay Goel, School of Business/Center for Information Forensics and Assurance
University at Albany Proprietary Information
38
Matrix Based Approach
Assets and Vulnerabilities
Value
Relative Impact
Services
Software
Hardware
Info/ Integrity
Cleanup Costs
Lost Sales/Revenue
Reputation (Trust)
Client Secrets
Trade Secrets (IP)
Critical Infrastructure
Vulnerabilities
Assets & Costs
Scale
Not Relevant - 0
Low – 1
Medium – 3
High – 9
Web Servers
Compute Servers
Firewalls
Routers
Client Nodes
Databases
• Customize matrix to assets & vulnerabilities applicable to case
– Compute cost of each asset and put them in the value row
– Determine correlation with vulnerability and asset (L/M/H)
– Compute the sum of product of vulnerability & asset values; add to impact column
Sanjay Goel, School of Business/Center for Information Forensics and Assurance
University at Albany Proprietary Information
39
Matrix Based Approach
Vulnerabilities and Threats
…
…
…
…
Relative Threat
Importance
Value
Databases
Client Nodes
Routers
Firewalls
Compute Servers
Web Servers
Threats
Vulnerabilities
Scale
Not Relevant - 0
Low– 1
Medium – 3
High – 9
Denial of Service
Spoofing and Masquerading
Malicious Code
Human Errors
Insider Attacks
Intrusion …
• Complete matrix based on the specific case
– Add values from the Impact column of the previous matrix
– Determine association between threat and vulnerability
– Compute aggregate exposure values by multiplying impact and the associations
Sanjay Goel, School of Business/Center for Information Forensics and Assurance
University at Albany Proprietary Information
40
Matrix Based Approach
Threats and Controls
Value of Control
…
…
Physical Damage
Spam
Intrusion
Insider Attacks
Human Errors
Malicious Code
Spoofing
Denial of Service
Threats
Scale
Not Relevant - 0
Low – 1
Medium – 3
High – 9
Value
Controls
Firewalls
IDS
Single Sign-On
DMZ
Training
Security Policy
Network Configuration
Hardening of Environment
• Customize matrix based on the specific case
– Add values from the relative exposure column of the previous matrix
– Determine impact of different controls on different threats
– Compute the aggregate value of benefit of each control
Sanjay Goel, School of Business/Center for Information Forensics and Assurance
University at Albany Proprietary Information
41
Matrix-Based Approach
Review
• This methodology used for qualitative analysis is a
matrix-based approach.
• The Matrix-based approach:
–
–
–
–
–
–
–
Brings transparency to risk analysis process
Provides a comprehensive methodology
Easy to use
Allows organizations to work with partial data
More data can be added as made available
Risk posture can be compared to other organization's
Determines controls needed to improve security
Sanjay Goel, School of Business/Center for Information Forensics and Assurance
University at Albany Proprietary Information
42
Matrix Based Approach
Assignment
•
Go through the next modules in the unit to appropriately fill in
the matrices presented in this module.
Sanjay Goel, School of Business/Center for Information Forensics and Assurance
University at Albany Proprietary Information
43
Module 5
Case Study
Case Study
Outline
•
•
What is the case about?
What would fit into the categories of:
–
–
–
–
•
Assets
Vulnerabilities
Threats
Controls
Filling in the matrices
– Asset/Vulnerability
– Vulnerability/Threat
– Threat/Control
Sanjay Goel, School of Business/Center for Information Forensics and Assurance
University at Albany Proprietary Information
45
Case Study
Example
• Use the information that you have learned in the lecture in
the following case study of a government organization.
• Remember these key steps for determining ALE
– Identify and determine the value of assets
– Determine vulnerabilities
– Estimate likelihood of exploitation
– Compute ALE
– Survey applicable controls and their costs
– Perform a cost-benefit analysis
Sanjay Goel, School of Business/Center for Information Forensics and Assurance
University at Albany Proprietary Information
46
Case Study
Case
An organization delivers service throughout New York State. As part of the planning process to prepare the annual
budget, the Commissioner has asked the Information Technology Director to perform a risk analysis to determine
the organization’s vulnerability to threats against its information assets, and to determine the appropriate level of
expenditures to protect against these vulnerabilities.
The organization consists of 4,000 employees working in 200 locations, which are organized into 10 regions. The
average rate of pay for the employees is $20/hr. Cost benefit analysis has been done on the IT resource
deployment, and the current structure is the most beneficial to the organization, so all security recommendations
should be based on the current asset deployment.
Each of the 200 locations has approximately 20 employees using an equal number of desktop and laptop
computers for their fieldwork. These computers are used to collect information related to the people served by the
organization, including personally identifying information. Half of each employee’s time is spent collecting
information from the clients using shared laptop computers, and half is spent processing the client information at
the field office using desktop computers. Replacement cost for the laptops is $2,500 and for the desktop is $1,500.
Each of the 10 regions has a network server, which stores all of the work activities of the employees in that region.
Each server will cost $30,000 to replace, plus 80 hours of staff time. Each incident involving a server costs the
organization approximately $1,600 in IT staff resources for recovery. Each incident where financial records or
personal information is compromised costs the organization $15,000 in lawyers time and settlement payouts.
Assume that the total assets of the organization are worth 10 million dollars.
The organization has begun charging fees for the public records it collects. This information is sold from the
organization website at headquarters, via credit card transactions. All of the regional computers are linked to the
headquarters via an internal network, and the headquarters has one connection to the Internet. The headquarters
servers query the regional servers to fulfill the transactions. The fees collected are approximately $10,000 per day
distributed equally from each region, and the transactions are uniformly spread out over a 24-hour period.
Sanjay Goel, School of Business/Center for Information Forensics and Assurance
University at Albany Proprietary Information
47
Case Study
Example- Assets (Tangible)
• Transaction Revenue- amount of profit from transactions
• Data- client information
• Laptops- shared, used for collecting information
• Desktops- shared, used for processing client information
• Regional Servers- stores all work activities of employees in
region
• HQ Server- query regional servers to fulfill transactions
Sanjay Goel, School of Business/Center for Information Forensics and Assurance
University at Albany Proprietary Information
48
Case Study
Example- Asset Valuations (Cost per Day)
Transaction Revenue
$10,000 per day
Data (Liability)
$10 million (total assets of organization)
Laptops
½ x 200 (locations) x 20 (employees) x
$2,500 (laptop cost) = $5,000,000
Desktops
½ x 200 (locations) x 20 (employees) x
$1,500 (desktop cost) = $3,000,000
Regional Servers
$30,000 (server cost)x 10 (regions) +
80 (hours) x $20 (pay rate) x 10 (regions)+
$10,000 (transaction revenue) = $326,000
HQ Server
$10,000 (transaction revenue) +
$100,000 (cost of HQ server) +
80 (hours) x $20 (pay rate) x 10 (regions) = $126,000
Sanjay Goel, School of Business/Center for Information Forensics and Assurance
University at Albany Proprietary Information
49
Case Study
Example- Vulnerabilities
• Vulnerabilities are weaknesses that can be exploited
• Vulnerabilities
– Laptop Computers
– Desktop Computers
– Regional Servers
– HQ server
– Network Infrastructure
– Software
• Computers and Servers are vulnerable to network attacks
such as viruses/worms, intrusion & hardware failures
• Laptops are especially vulnerable to theft
Sanjay Goel, School of Business/Center for Information Forensics and Assurance
University at Albany Proprietary Information
50
Case Study
Example- Threats
• Threats are malicious & benign events that can exploit
vulnerabilities
• Several Threats exist
–
–
–
–
–
–
–
Hardware Failure
Software Failure
Theft
Denial of Service
Viruses/Worms
Insider Attacks
Intrusion and Theft of Information
Sanjay Goel, School of Business/Center for Information Forensics and Assurance
University at Albany Proprietary Information
51
Case Study
Example- Controls
•Intrusion detection and firewall upgrades on HQ Server
– mitigate HQ server failure and recovery
•Anti-Virus Software
– mitigates threat of worms, viruses, DOS attacks, and some intrusions
• Firewall upgrades
– mitigates threats of DOS attacks and some intrusions, worms and viruses
• Redundant HQ Server
– reduces loss of transaction revenue
•Spare laptop computers at each location
– reduces loss of transaction revenue and productivity
• Warranties
– reduces loss of transaction revenue and cost of procuring replacements
• Insurance
– offset cost of liability
• Physical Controls
– reduce probability of theft
• Security Policy
– can be used to reduce most threats.
Sanjay Goel, School of Business/Center for Information Forensics and Assurance
University at Albany Proprietary Information
52
Case Study
Asset/Vulnerability Matrix
• The coefficients of this matrix are usually based on internal data as well
as financial loss organizations
• For the current example we will assume data for illustration of the
concept
– Transactions are mostly associated with the regional servers which store the
data, the HQ server which takes all requests, and the network infrastructure
with which clients access the data. (.30 each)
– Laptops, desktops and software is only associated with the remaining 10%
(.033 each)
– Data that is located on laptops and desktops make up only 10% of total data
because they are only used for collecting and processing.
– The regional servers contain all other data.
– Other assets are associated at 100% with their respective vulnerabilities. (e.g.
laptops with laptops, desktops with desktops, etc.)
• The threshold for this matrix will be:
–
–
–
–
Not Relevant: 0
Low: 0 < x <= 0.01
Medium: 0.01 < x <= 0.05
High: 0.05 < x < 1
Sanjay Goel, School of Business/Center for Information Forensics and Assurance
University at Albany Proprietary Information
53
Case Study
Asset/Vulnerability Matrix, cont’d.
Assets
Transaction
Revenue
Data
(Liability)
Laptops
Desktops
Regional
Servers
HQ Server
Aggregates
(Impact)
10,000
10,000,000
5,000,000
3,000,000
326,000
126,000
S (asset value x
vulnerability)
Laptops
1
1
3
0
0
0
25,010,000
Desktops
1
1
0
3
0
0
19,010,000
Regional Servers
2
3
0
0
3
0
30,998,000
HQ Servers
2
0
0
0
0
3
398,000
Network Infrast.
2
0
0
0
0
0
20,000
Software
1
0
0
0
0
0
10,000
Vulnerabilities
Input Asset Values

• Customize
matrix to assets & vulnerabilities applicable to case
– Compute cost of each asset and put them in the value row
0 – Not Relevant
1 – Low
2 – Medium
3 – High
– Determine correlation with vulnerability and asset (0 for Not Relevant, 1 for Low, 2 for Medium and 3 for High)
– Compute the sum of product of vulnerability & asset values; add to impact column
Sanjay Goel, School of Business/Center for Information Forensics and Assurance
University at Albany Proprietary Information
54
Case Study
Vulnerability/Threat Matrix
• The coefficients of this matrix are usually based on data
from the literature, e.g.,
–
–
–
–
if rate of failure of hardware is rf (per unit time)
the number of pieces of hardware is n then
the total number of failed components during a time period is rf*n
the fraction of hardware that fails is rf*n/n= rf
• For the current example we will assume data for illustration
of the concept
– Failure rate of laptops is .001 per day (i.e., one in a thousand laptops
encounters hardware failure during a day)
– Similarly failure rate of a desktop is .0002 (i.e. 2 in ten thousand
desktops would encounter hardware failure in a given day.
– Hardware failure can cause loss of software, however, our
assumption is that all software is replaceable from backups
Sanjay Goel, School of Business/Center for Information Forensics and Assurance
University at Albany Proprietary Information
55
Case Study
Vulnerability/Threat Matrix, cont’d.
Vulnerabilities
Laptops
Desktops
Regional
Servers
HQ
Servers
Network
Infrast.
Software
Aggregates
(Threat
Importance)
25,010,000
19,010,000
30,998,000
398,000
20,000
10,000
S (impact value x
threat value)
Hardware Failure
2
1
1
1
3
0
100,486,000
Software Failure
2
2
2
2
0
0
150,832,000
Equipment Theft
3
2
1
1
1
2
144,486,000
Denial of Service
1
1
2
2
0
0
106,812,000
Viruses/Worms
2
2
2
2
0
2
150,852,000
Insider Attacks
2
2
1
1
1
2
119,476,000
Intrusion
2
2
2
2
0
2
150,852,000
Threats
Input Impact
Aggregates
• Complete matrix based on the specific case
0 – Not Relevant
1 – Low
2 – Medium
3 – High
– Add values from the Impact column of the previous matrix
– Determine association between threat and vulnerability
– Compute aggregate exposure values by multiplying impact and the associations and
adding across vulnerabilities
Sanjay Goel, School of Business/Center for Information Forensics and Assurance
University at Albany Proprietary Information
56
Case Study
Vulnerability/Threat Matrix, cont’d.
– We assume that the hardware failure will disrupt the network once every one hundred days
– There is 0.3 percent chance that software failure can lead to failure of desktops
– We assume that there is a .01 chance of a laptop being stolen, .001 for a desktop, and .0002
for servers.
– There is a very low chance that network equipment is stolen since it is kept in secure rooms
(.0001)
– When equipment is stolen some software may have been stolen as well
– We assume that denial-of-service is primarily targeted at servers and not individual machines
– We assume that the denial-of-service can disable machines as well as cause destruction of
software
– Insider attacks are primarily meant to exploit data & disable machines
– We assume that the servers have less access thus are less vulnerable to insider attacks
•
The threshold for this matrix will be:
–
–
–
–
Not Relevant: 0
Low: 0 < x <= 0.001
Medium: 0.001 < x <= 0.01
High: 0.01 < x < 1
Sanjay Goel, School of Business/Center for Information Forensics and Assurance
University at Albany Proprietary Information
57
Case Study
Threat/Control Matrix
• Some of these controls have threats associated with them. However,
these are secondary considerations and we will be focusing on primary
threats.
• We assume that IDS systems will control 30% of the DOS attacks, 30%
of Viruses and Worms and 90% of intrusions
– In addition, IDS systems do not impact insider attacks
• Anti-Virus Software will prevent 90% of Viruses and Worms.
• That upgrades to a firewall will greatly control (90% each) of DOS
attacks, as well as Viruses and Worms. It will control 30% of intrusions,
but not insider attacks.
• A redundant HQ server will control 10% of hardware failure (when the
original HQ server fails). This is the same percentage for theft and
insider attacks.
• Also, a redundant HQ server will help with 80% in cases of DOS attacks
on the HQ server.
• Spare laptops will assist in cases of hardware failure and theft (30%
because of volume).
Sanjay Goel, School of Business/Center for Information Forensics and Assurance
University at Albany Proprietary Information
58
Case Study
Threat/Control Matrix, cont’d.
•
We assume that warranties will help with 70% of both hardware failure and
software failure. While it will assist with the cost of new hardware or software,
will not reduce employee time.
•
It is determined that insurance will be able to control 90% of impacts from the
threats of theft, DOS attacks, Virus/Worm attacks, Insider Attacks, and
Intrusion.
•
Physical controls (locks, key cards, biometrics, etc.) will control 90% of theft.
•
Also, it is assumed that a security policy will assist with 20% of all threats since
every policy can have procedures which can assist in prevention.
Customize matrix based on the specific case
•
– Add values from the threat importance column of the previous matrix
– Determine impact of different controls on different threats
– Compute the sum of the products of the threat importance by the impact of controls
to determine values.
•
The threshold for this matrix will be:
–
–
–
–
Not Relevant: 0
Low: 0 < x <= 0.01
Medium: 0.01 < x <= 0.05
High: 0.05 < x < 1
Sanjay Goel, School of Business/Center for Information Forensics and Assurance
University at Albany Proprietary Information
59
Case Study
Threat/Control Matrix, cont’d.
Threats
Hardware
Failure
Software
Failure
Theft
Denial of
Service
Viruses/
Worms
Insider
Attacks
Intrusion
Aggregates
(Value of
Control)
Input Threat
Importance
Values
100,486,000
150,832,000
144,486,000
106,812,000
150,852,000
119,476,000
150,852,000
S (threat importance
x impact of controls)
Intrusion
Detection
0
0
0
0
0
0
0
$967,884,000.00
Anti-Virus
0
0
0
0
0
0
0
$452,556,000.00
Firewall
Upgrades
0
0
0
0
0
0
0
$1,074,696,000.00
Redundant HQ
Server
2
2
2
2
2
2
2
$684,884,000.00
Spare Laptops
2
2
2
2
2
2
2
$489,944,000.00
Warranties
0
0
0
0
0
0
0
$753,954,000.00
Insurance
3
3
3
3
3
3
3
$2,017,434,000.00
Physical
Controls
0
0
0
0
0
0
0
$433,458,000.00
Security Policy
0
0
0
0
0
0
0
$923,796,000.00
Controls
Sanjay Goel, School of Business/Center for Information Forensics and Assurance
University at Albany Proprietary Information
0 – Not Relevant
1 – Low
2 – Medium
3 – High
60
Case Study
Assignment
•
Given the matrices and the example case provided, use this
same methodology in application to determine the information
security risk in your own organization.
Sanjay Goel, School of Business/Center for Information Forensics and Assurance
University at Albany Proprietary Information
61
Appendix
Sanjay Goel, School of Business/Center for Information Forensics and Assurance
University at Albany Proprietary Information
62
Qualitative Risk Analysis
Summary
• Qualitative risk analysis involves using relative values of assets, threats,
vulnerabilities to:
– Determine the relative exposure of different assets of the organization
– Determine the relative effectiveness of different controls
• The methodology developed here uses a series of matrices to collect the
data on assets, vulnerabilities, threats and controls
• Data from the matrices is integrated to determine the relative
importance of controls
• This approach is suitable when precise data for different elements is
unavailable
• Most organizations start with a qualitative analysis and gradually migrate
to a quantitative analysis
Sanjay Goel, School of Business/Center for Information Forensics and Assurance
University at Albany Proprietary Information
63
Qualitative Risk Analysis
Summary Cont’d.
•Risk Aggregation:
J
K L
I
i 1
i 1
R*     (t j    ij )   jk   kl  al   Ci
j 1k 1l 1
•Optimization
– simple formulation
•Cost Benefit Analysis
I
 ij  (1  qi ij )
k Q
k Q
k 1
j 1
Minimize : R    j such that   j  
*
LEVERAGE = (RISK EXPOSUREbefore reduction – RISK EXPOSUREafter reduction)
________________________________________________
COST OF REDUCTION
•Regression Testing
–Used for comparing risk impact
•Monte Carlo Simulation
– 1)Develop risk model, 2) Define the shape and parameters, 3)Run
simulation, 4)Build histogram, 5)Compute summary statistics,
6)Perform sensitivity analysis, 7)Analyze potential dependency
relationship
Sanjay Goel, School of Business/Center for Information Forensics and Assurance
University at Albany Proprietary Information
64
Acknowledgements
Grants & Personnel
• Support for this work has been provided through the
following grants
– NSF 0210379
– FIPSE P116B020477
• Damira Pon, from the Center of Information Forensics and
Assurance contributed extensively by reviewing and editing
the material
• Robert Bangert-Drowns from the School of Education
provided extensive review of the material from a pedagogical
view.
Sanjay Goel, School of Business/Center for Information Forensics and Assurance
University at Albany Proprietary Information
65
Download