Qualitative Risk Analysis
Sanjay Goel
University at Albany, SUNY
Fall 2004
Sanjay Goel, School of Business/Center for Information Forensics and Assurance, University at Albany. Proprietary Information.

Course Outline
Unit 1: What is a Security Assessment?
  – Definitions and Nomenclature
Unit 2: What kinds of threats exist?
  – Malicious Threats (Viruses & Worms) and Unintentional Threats
Unit 3: What kinds of threats exist? (cont’d)
  – Malicious Threats (Spoofing, Session Hijacking, Miscellaneous)
Unit 4: How to perform security assessment?
  – Risk Analysis: Qualitative Risk Analysis
Unit 5: Remediation of risks?
  – Risk Analysis: Quantitative Risk Analysis

Qualitative Risk Analysis: Outline for this unit
Module 1: Qualitative Risk Analysis
Module 2: Matrix Based Approach
Module 3: Determine Assets and Vulnerabilities
Module 4: Determine Threats and Controls
Module 5: Case Study

Module 1: Risk Analysis: Qualitative Risk Analysis

Risk Analysis: Outline
• What are the difficulties with risk analysis?
• What are the two different approaches?
• What is the methodology for qualitative risk analysis?

Risk Analysis: Definition
• Risk analysis involves the identification and assessment of the levels of risks calculated from the known values of assets and the levels of threats to, and vulnerabilities of, those assets.
• It involves the interaction of the following elements:
  – Assets
  – Vulnerabilities
  – Threats
  – Impacts
  – Likelihoods
  – Controls

Risk Analysis: Concept Map
• Threats exploit system vulnerabilities, which expose system assets.
• Security controls protect against threats by meeting security requirements established on the basis of asset values.
Source: Australian Standard Handbook of Information Security Risk Management – HB231-2000

Risk Analysis: Difficulties with Information Security Risk Analysis
• Relatively new field
• Lack of formal models
• Lack of data
• Evolving threats
• Constantly changing information systems and vulnerabilities
• Human factors related to security
• No standard of practice

Risk Analysis: Approaches
• Two Risk Analysis Approaches
  – Qualitative: Based on a literal description of risk factors; risk is expressed in terms of its potential. Threats and vulnerabilities are identified and analyzed using subjective judgment. Uses checklists to determine whether recommended controls are implemented and whether different information systems or organizations are secure.
  – Quantitative: Relating to, concerning, or based on the amount or number of something, capable of being measured or expressed in numerical terms.
Risk Analysis: Qualitative Methodology
• Qualitative risk analysis methodologies involve relative comparison of risks and prioritization of controls.
• They usually associate relationships between interrelated factors:
  – Assets: things of value to the organization
  – Threats: things that can go wrong
  – Vulnerabilities: weaknesses that make a system more prone to attack or make an attack more likely to succeed
  – Controls: the countermeasures for vulnerabilities
• More practical, since it is based on user inference and follows current processes better. It capitalizes on user experience and does not resort to extensive data gathering.
• Probability data is not required; only estimated potential loss may be used.

Risk Analysis: Questions 1, 2, and 3
1) What is the difference between quantitative and qualitative risk analysis?
2) Why would one be performed instead of another?
3) What are the benefits of using a matrix-based methodology for qualitative risk analysis?

Module 2: Determine Assets and Vulnerabilities

Determine Assets and Vulnerabilities: Outline
• What are tangible assets?
• What are non-tangible assets?
• How to assign value to assets?
• What questions should be asked?
• Example – Lemonade Stand
• How to determine vulnerabilities?
• What questions should be asked?

Determine Assets: Tangible
• Assets – Something that the agency values and has to protect. Assets include all information and supporting items that an agency requires to conduct business.
• Hardware – Processors, boards, monitors, keyboards, terminals, drives, cables, connections, controllers, communications media, etc.
• Software – Source programs, object programs, purchased programs, operating systems, systems programs, diagnostic programs, etc.
• Information/Data – Data used during execution, stored data on various media, archival records, audit data, files with payment details, voice records, image files, product information, continuity plans.
• Services – Provided by the company (e.g. computing and communication services, service providers and utilities).
• Documentation – On programs, hardware, systems, administrative procedures and the entire system; contracts; completed forms.

Determine Assets: Non-Tangible
• People and their knowledge (Employees) – Integral functions/skills which the employee provides (e.g. technical, operational, marketing, legal, financial, contractors/consultants, outsourced providers)
• Reputation and Image – Value attributed to an organization as a result of its general estimation in the public eye (e.g. political standing in the case of government agencies)
• Trust – Value consistent with public opinion on the integrity and character of an organization.
• Intellectual Property – Any product of the human intellect that is unique, novel, and unobvious (and has some value in the marketplace)
Source: http://www.uta.edu/tto/ip-defs.htm

Determine Assets: Valuation
• Asset values are used to identify the appropriate protection of assets and to determine the importance of the assets to the business.
• Values can be expressed in terms of:
  – Potential business impacts affecting loss of confidentiality, integrity and availability.
• Valuation of some assets differs for small and large organizations
• Intangible assets are hard to quantify
• Hidden costs from damage through to recovery (often underestimated)
• Borrow from litigation
• Iterate to find ways of valuation

Determine Assets: Valuation, cont’d.
• In this step, the ramifications of a computer security failure on the organization are determined.
• Often inaccurate:
  – Costs of human capital required to recover from failure are undervalued, e.g. the cost of restoring data
  – Indirect consequences of an event are unknown until the event actually happens
  – Catastrophic events that cause heavy damage are so infrequent that correct data is unavailable
  – Non-tangible assets are hard to quantify
• The questions on the next slide prompt us to think about issues of explicit and hidden cost related to security.
  – The answers may not produce precise cost figures, but they help identify sources of various types of costs.

Determine Assets: Guiding Questions to Reflect on Intangible Assets
• What are the legal obligations in preserving confidentiality or integrity of data?
• What business requirements and agreements cover the situation?
• Could release of a data item cause harm to a person or organization?
• Could unauthorized access to data cause loss of future business opportunity?
• What is the psychological effect of lack of computer service?
• What is the value of access to data or programs?
• What is the value of having access to data or programs to someone else?
• What other problems would arise from loss of data?
Determine Assets: General Example #1: Lemonade Stand
Billy sells lemonade outside of his house every weekend for 3 hours a day. Every week he makes about $40. The wooden stand has a cardboard sign which reads, “Lemonade for SALE, 25 cents each”. Supplies he receives from his mother are paper cups and a glass pitcher and spoon to stir with. For one pitcher of lemonade, he needs 4 lemons, 2 cups of sugar, 1 quart of water, a secret ingredient, and 10 minutes. The special recipe is located in a small space within the lemonade stand. He has a general crowd of about 10 neighbors who buy from him because they enjoy the taste of his lemonade and his personality.

Determine Assets: General Example #1: Lemonade Stand, cont’d.
Listing of Tangible Assets:
• Establishment
  – Lemonade stand: $5
• Advertising
  – Sign: $1
• Supplies
  – Pitcher: $7
  – Paper cups: $2/25 pack
  – Spoon: $1.50
  – Lemons: $3/10 pack
  – Sugar: $1/1 lb.
  – Water: $1/gallon
  – Secret ingredient: $1/1 lb.
Listing of Intangible Assets:
• People
  – Billy
  – Billy’s Mother
• Intellectual Property
  – Special recipe
• Trust
• Reputation
• Customer base

Determine Vulnerabilities: Specific to Organizations
• Predict damage that might occur and the source of damage
• Information is an asset that has a value to an agency and must therefore be appropriately protected.
• The objective of information security is to preserve the agency’s information assets and the business processes they support in the context of:
  – Confidentiality: Information is only available to authorized individuals.
  – Integrity: Information can only be entered, changed or destroyed by authorized individuals.
  – Availability: Information is provided to authorized users when it is requested or needed.

Determine Vulnerabilities: Impact to Assets
• Vulnerability – A weak characteristic of an information asset or group of assets which can be exploited by a threat. Consequence of weaknesses in controls.
• To organize threats & assets, use the following matrix:
  – Harder to determine impact to non-tangible assets

Asset         | Confidentiality                         | Integrity                                            | Availability
Hardware      | X                                       | Overloaded, destroyed, tampered with                 | Failed, stolen, destroyed, unavailable
Software      | Stolen, copied, pirated                 | Impaired by Trojan horse, modified, tampered with    | Deleted, misplaced, usage expired
Data          | Disclosed, accessed by outsider, inferred | Damaged (software error, hardware error, user error) | Deleted, misplaced, destroyed
People        | X                                       | X                                                    | Terminated, quit, retired, vacation
Documentation | X                                       | X                                                    | Lost, stolen, destroyed
Supplies      | X                                       | X                                                    | Lost, stolen, damaged

Determine Vulnerabilities: Guiding Questions
• Each vulnerability may affect more than one asset or cause more than one type of loss
• While completing the matrix, answer the following questions:
  – What are the effects of unintentional errors? e.g. accidental deletion, use of incorrect data
  – What are the effects of willful malicious insiders? e.g. disgruntled employees, bribery, espionage
  – What are the effects of outsiders? e.g. hackers, dial-in access, people sifting through trash
  – What are the effects of natural and physical disasters? e.g. fire, storms, floods, power outage, component failures

Determine Assets and Vulnerabilities: Assignment
• Using your own organization, determine the assets and vulnerabilities and fill them into the appropriate matrices.

Module 3: Determine Threats and Controls

Determine Threats and Controls: Outline
• How do you identify threats?
• What types of controls are there?
  – Organizational and Management
  – Physical and Environmental
  – Operational
  – Technical
• What are the functions of controls?

Determine Threats and Controls: Identification of Threats
• Threat – Potential cause of an unwanted event that may result in harm to the agency and its assets. A threat is a manifestation of vulnerability.
• Malicious
  – Malicious software (viruses, worms, Trojan horses, time bombs, logic bombs, rabbits, bacteria)
  – Spoofing or masquerading
  – Sequential or dictionary scanning
  – Snooping (electronic monitoring or “shoulder surfing”)
  – Scavenging (“dumpster diving” or automated scanning of data)
  – Spamming
  – Tunneling
• Unintentional
  – Equipment or software malfunction
  – Human error (back door or user error)
• Physical
  – Power loss, vandalism, fire/flood/lightning damage, destruction
Source: http://www.caci.com/business/ia/threats.html

Determine Threats and Controls: Functions of Controls
• Security Controls – Implementations to reduce overall risk and vulnerability
• Deter – Avoid or prevent the occurrence of an undesirable event
• Protect – Safeguard the information assets from adverse events
• Detect – Identify the occurrence of an undesirable event
• Respond – React to or counter an adverse effect
• Recover – Restore integrity, availability and confidentiality of information assets
Source: Information Security Guidelines for NSW Government Agencies, Part 3: Information Security Baseline Controls

Determine Threats and Controls: Controls
• Organizational & Management Controls – Information security policy, information security infrastructure, third party access, outsourcing, mobile computing, telecommuting, asset classification and control, personnel practices, job descriptions, segregation of duties, recruitment, terms and conditions of employment, employee monitoring, job terminations and changes, security awareness and training, compliance with legal and regulatory requirements, compliance with security policies and standards, incident handling, disciplinary process, business continuity management, system audits
• Physical & Environmental Controls – Secure areas, equipment security, clear desk and screen policy, removal of property
Source: Information Security Guidelines for NSW Government Agencies, Part 3: Information Security Baseline Controls

Determine Threats and Controls: Operational Controls
• Operational Controls – Documentation, configuration and change management, incident management, software development and test environment, outsourced facilities, systems planning, systems and acceptance testing, protection against malicious code, data backup, logging, software and information exchange, security of media in transit, electronic commerce security, electronic data interchange, internet commerce, email security, electronic services, electronic publishing, media
Source: Information Security Guidelines for NSW Government Agencies, Part 3: Information Security Baseline Controls

Determine Threats and Controls: Technical Controls
• Technical Controls – Identification and authentication, passwords, tokens, biometric devices, logical access control, review of access rights, unattended user hardware, network management, operational procedures, predefined user access paths, dial-in access controls, network planning, network configuration, segregation of networks, firewalls, monitoring of network, intrusion detection, internet connection policies, operating system access control, identification of terminals and workstations, secure logon practices, system utilities, duress alarm, time restriction, application access control and restriction, isolation of sensitive applications, audit trails and logs
Source: Information Security Guidelines for NSW Government Agencies, Part 3: Information Security Baseline Controls

Determine Assets and Vulnerabilities: Assignment
• Using your own organization, determine the vulnerabilities and threats and fill them into the appropriate matrices.

Module 4: Matrix Based Approach

Matrix Based Approach: Outline
• What are the steps involved?
• How do you fill in the matrices?
  – Asset/Vulnerability Matrix
  – Vulnerability/Threat Matrix
  – Threat/Control Matrix

Matrix Based Approach: Methodology
• Consists of three matrices
  – Vulnerability Matrix: Links assets to vulnerabilities
  – Threat Matrix: Links vulnerabilities to threats
  – Control Matrix: Links threats to the controls
• Step 1
  – Identify the assets & compute the relative importance of assets
• Step 2
  – List assets in the columns of the matrix.
  – List vulnerabilities in the rows within the matrix.
  – The value row should contain asset values.
  – Rank the assets based on the impact to the organization.
  – Compute the aggregate value of relative importance of the different vulnerabilities

Matrix Based Approach: Methodology, cont’d.
• Step 3
  – Add aggregate values of vulnerabilities from the vulnerability matrix to the column side of the threat matrix
  – Identify the threats and add them to the row side of the threat matrix
  – Determine the relative influence of threats on the vulnerabilities
  – Compute aggregate values of importance of the different threats
• Step 4
  – Add aggregate values of threats from the threat matrix to the column side of the control matrix
  – Identify the controls and add them to the row side of the control matrix
  – Compute aggregate values of importance of the different controls

Matrix Based Approach: Determining L/M/H
• There needs to be a threshold for determining the correlations within the matrices. For each matrix, the thresholds can be different. This can be done in two ways:
• Qualitatively – determined relative to other correlations
  – e.g. the asset1/vulnerability1 correlation (L) is much lower than the asset3/vulnerability3 correlation (H); the asset2/vulnerability2 correlation is in between (M)
• Quantitatively – determined by setting limits
  – e.g. no correlation (0); lower than 10% correlation (L); lower than 35% (M); greater than 35% (H)

Matrix Based Approach: Extension of L/M/H
• Although the example provided gives 4 different levels (Not Relevant, Low, Medium, and High), organizations may choose to have more levels for finer-grained evaluation.
• For example:
  – Not Relevant (0)
  – Very Low (1)
  – Low (2)
  – Medium-Low (3)
  – Medium (4)
  – Medium-High (5)
  – High (6)

Matrix Based Approach: Assets and Vulnerabilities
[Template matrix. Scale: Not Relevant – 0, Low – 1, Medium – 3, High – 9. Columns (Assets & Costs): Critical Infrastructure, Trade Secrets (IP), Client Secrets, Reputation (Trust), Lost Sales/Revenue, Cleanup Costs, Info/Integrity, Hardware, Software, Services, with a Value row and a Relative Impact column. Rows (Vulnerabilities): Web Servers, Compute Servers, Firewalls, Routers, Client Nodes, Databases.]
• Customize the matrix to the assets & vulnerabilities applicable to the case
  – Compute the cost of each asset and put it in the value row
  – Determine the correlation between vulnerability and asset (L/M/H)
  – Compute the sum of products of vulnerability & asset values; add to the impact column

Matrix Based Approach: Vulnerabilities and Threats
[Template matrix. Scale: Not Relevant – 0, Low – 1, Medium – 3, High – 9. Columns (Vulnerabilities): Web Servers, Compute Servers, Firewalls, Routers, Client Nodes, Databases, …, with a Value row and a Relative Threat Importance column. Rows (Threats): Denial of Service, Spoofing and Masquerading, Malicious Code, Human Errors, Insider Attacks, Intrusion, ….]
• Complete the matrix based on the specific case
  – Add values from the Impact column of the previous matrix
  – Determine the association between threat and vulnerability
  – Compute aggregate exposure values by multiplying impact and the associations

Matrix Based Approach: Threats and Controls
[Template matrix. Scale: Not Relevant – 0, Low – 1, Medium – 3, High – 9. Columns (Threats): Denial of Service, Spoofing, Malicious Code, Human Errors, Insider Attacks, Intrusion, Spam, Physical Damage, …, with a Value row and a Value of Control column. Rows (Controls): Firewalls, IDS, Single Sign-On, DMZ, Training, Security Policy, Network Configuration, Hardening of Environment.]
• Customize the matrix based on the specific case
  – Add values from the relative exposure column of the previous matrix
  – Determine the impact of different controls on different threats
  – Compute the aggregate value of benefit of each control

Matrix-Based Approach: Review
• This methodology used for qualitative analysis is a matrix-based approach.
• The matrix-based approach:
  – Brings transparency to the risk analysis process
  – Provides a comprehensive methodology
  – Is easy to use
  – Allows organizations to work with partial data
  – More data can be added as it becomes available
  – Risk posture can be compared to other organizations’
  – Determines controls needed to improve security

Matrix Based Approach: Assignment
• Go through the next modules in the unit to appropriately fill in the matrices presented in this module.

Module 5: Case Study

Case Study: Outline
• What is the case about?
• What would fit into the categories of:
  – Assets
  – Vulnerabilities
  – Threats
  – Controls
• Filling in the matrices
  – Asset/Vulnerability
  – Vulnerability/Threat
  – Threat/Control

Case Study: Example
• Use the information that you have learned in the lecture in the following case study of a government organization.
• Remember these key steps for determining ALE
  – Identify and determine the value of assets
  – Determine vulnerabilities
  – Estimate likelihood of exploitation
  – Compute ALE
  – Survey applicable controls and their costs
  – Perform a cost-benefit analysis

Case Study: Case
An organization delivers service throughout New York State. As part of the planning process to prepare the annual budget, the Commissioner has asked the Information Technology Director to perform a risk analysis to determine the organization’s vulnerability to threats against its information assets, and to determine the appropriate level of expenditures to protect against these vulnerabilities.

The organization consists of 4,000 employees working in 200 locations, which are organized into 10 regions. The average rate of pay for the employees is $20/hr. Cost-benefit analysis has been done on the IT resource deployment, and the current structure is the most beneficial to the organization, so all security recommendations should be based on the current asset deployment.

Each of the 200 locations has approximately 20 employees using an equal number of desktop and laptop computers for their fieldwork. These computers are used to collect information related to the people served by the organization, including personally identifying information. Half of each employee’s time is spent collecting information from the clients using shared laptop computers, and half is spent processing the client information at the field office using desktop computers. Replacement cost for the laptops is $2,500 and for the desktops is $1,500.

Each of the 10 regions has a network server, which stores all of the work activities of the employees in that region. Each server will cost $30,000 to replace, plus 80 hours of staff time.
Each incident involving a server costs the organization approximately $1,600 in IT staff resources for recovery. Each incident where financial records or personal information is compromised costs the organization $15,000 in lawyers’ time and settlement payouts. Assume that the total assets of the organization are worth 10 million dollars.

The organization has begun charging fees for the public records it collects. This information is sold from the organization website at headquarters, via credit card transactions. All of the regional computers are linked to the headquarters via an internal network, and the headquarters has one connection to the Internet. The headquarters servers query the regional servers to fulfill the transactions. The fees collected are approximately $10,000 per day, distributed equally from each region, and the transactions are uniformly spread out over a 24-hour period.

Case Study: Example – Assets (Tangible)
• Transaction Revenue – amount of profit from transactions
• Data – client information
• Laptops – shared, used for collecting information
• Desktops – shared, used for processing client information
• Regional Servers – store all work activities of employees in the region
• HQ Server – queries regional servers to fulfill transactions

Case Study: Example – Asset Valuations (Cost per Day)
Transaction Revenue: $10,000 per day
Data (Liability): $10 million (total assets of organization)
Laptops: ½ × 200 (locations) × 20 (employees) × $2,500 (laptop cost) = $5,000,000
Desktops: ½ × 200 (locations) × 20 (employees) × $1,500 (desktop cost) = $3,000,000
Regional Servers: $30,000 (server cost) × 10 (regions) + 80 (hours) × $20 (pay rate) × 10 (regions) + $10,000 (transaction revenue) = $326,000
HQ Server: $10,000 (transaction revenue) + $100,000 (cost of HQ server) + 80 (hours) × $20 (pay rate) × 10 (regions) = $126,000

Case Study: Example – Vulnerabilities
• Vulnerabilities are weaknesses that can be exploited
• Vulnerabilities
  – Laptop Computers
  – Desktop Computers
  – Regional Servers
  – HQ Server
  – Network Infrastructure
  – Software
• Computers and servers are vulnerable to network attacks such as viruses/worms and intrusion, and to hardware failures
• Laptops are especially vulnerable to theft

Case Study: Example – Threats
• Threats are malicious & benign events that can exploit vulnerabilities
• Several threats exist
  – Hardware Failure
  – Software Failure
  – Theft
  – Denial of Service
  – Viruses/Worms
  – Insider Attacks
  – Intrusion and Theft of Information

Case Study: Example – Controls
• Intrusion detection and firewall upgrades on HQ Server – mitigate HQ server failure and recovery
• Anti-Virus Software – mitigates the threat of worms, viruses, DoS attacks, and some intrusions
• Firewall upgrades – mitigate the threats of DoS attacks and some intrusions, worms and viruses
• Redundant HQ Server – reduces loss of transaction revenue
• Spare laptop computers at each location – reduce loss of transaction revenue and productivity
• Warranties – reduce loss of transaction revenue and the cost of procuring replacements
• Insurance – offsets the cost of liability
• Physical Controls – reduce the probability of theft
• Security Policy – can be used to reduce most threats.
Case Study – Asset/Vulnerability Matrix
• The coefficients of this matrix are usually based on internal data as well as financial loss data from organizations
• For the current example we will assume data for illustration of the concept:
  – Transactions are mostly associated with the regional servers which store the data, the HQ server which takes all requests, and the network infrastructure with which clients access the data (.30 each)
  – Laptops, desktops and software are only associated with the remaining 10% (.033 each)
  – Data located on laptops and desktops makes up only 10% of total data because they are only used for collecting and processing
  – The regional servers contain all other data
  – Other assets are associated at 100% with their respective vulnerabilities (e.g. laptops with laptops, desktops with desktops, etc.)
• The thresholds for this matrix will be:
  – Not Relevant: 0
  – Low: 0 < x <= 0.01
  – Medium: 0.01 < x <= 0.05
  – High: 0.05 < x < 1

Case Study – Asset/Vulnerability Matrix, cont'd.

  Vulnerabilities \ Assets   Transaction  Data         Laptops    Desktops   Regional  HQ       Aggregates
                             Revenue      (Liability)                        Servers   Server   (Impact)
  Asset value (input)        10,000       10,000,000   5,000,000  3,000,000  326,000   126,000  Σ (asset value x vulnerability)
  Laptops                    1            1            3          0          0         0        25,010,000
  Desktops                   1            1            0          3          0         0        19,010,000
  Regional Servers           2            3            0          0          3         0        30,998,000
  HQ Servers                 2            0            0          0          0         3        398,000
  Network Infrast.           2            0            0          0          0         0        20,000
  Software                   1            0            0          0          0         0        10,000

  Scale: 0 – Not Relevant, 1 – Low, 2 – Medium, 3 – High
• Customize the matrix to the assets and vulnerabilities applicable to the case
  – Compute the cost of each asset and put it in the value row
  – Determine the correlation between each vulnerability and asset (0 for Not Relevant, 1 for Low, 2 for Medium and 3 for High)
  – Compute the sum of products of vulnerability and asset values; add to the Impact column

Case Study – Vulnerability/Threat Matrix
• The coefficients of this matrix are usually based on data from the literature, e.g.:
  – if the rate of failure of hardware is rf (per unit time)
  – and the number of pieces of hardware is n
  – then the total number of failed components during a time period is rf*n
  – and the fraction of hardware that fails is rf*n/n = rf
• For the current example we will assume data for illustration of the concept:
  – Failure rate of laptops is .001 per day (i.e., one in a thousand laptops encounters hardware failure during a day)
  – Similarly, the failure rate of a desktop is .0002 (i.e., 2 in ten thousand desktops would encounter hardware failure in a given day)
  – Hardware failure can cause loss of software; however, our assumption is that all software is replaceable from backups

Case Study – Vulnerability/Threat Matrix, cont'd.

  Threats \ Vulnerabilities  Laptops     Desktops    Regional    HQ       Network   Software  Aggregates
                                                     Servers     Servers  Infrast.            (Threat Importance)
  Impact (input)             25,010,000  19,010,000  30,998,000  398,000  20,000    10,000    Σ (impact value x threat value)
  Hardware Failure           2           1           1           1        3         0         100,486,000
  Software Failure           2           2           2           2        0         0         150,832,000
  Equipment Theft            3           2           1           1        1         2         144,486,000
  Denial of Service          1           1           2           2        0         0         106,812,000
  Viruses/Worms              2           2           2           2        0         2         150,852,000
  Insider Attacks            2           2           1           1        1         2         119,476,000
  Intrusion                  2           2           2           2        0         2         150,852,000

  Scale: 0 – Not Relevant, 1 – Low, 2 – Medium, 3 – High
• Complete the matrix based on the specific case
  – Add values from the Impact column of the previous matrix
  – Determine the association between each threat and vulnerability
  – Compute aggregate exposure values by multiplying impact by the associations and adding across vulnerabilities

Case Study – Vulnerability/Threat Matrix, cont'd.
  – We assume that hardware failure will disrupt the network once every one hundred days
  – There is a 0.3 percent chance that software failure can lead to failure of desktops
  – We assume that there is a .01 chance of a laptop being stolen, .001 for a desktop, and .0002 for servers
  – There is a very low chance that network equipment is stolen since it is kept in secure rooms (.0001)
  – When equipment is stolen some software may have been stolen as well
  – We assume that denial-of-service is primarily targeted at servers and not individual machines
  – We assume that denial-of-service can disable machines as well as cause destruction of software
  – Insider attacks are primarily meant to exploit data and disable machines
  – We assume that the servers have less access and thus are less vulnerable to insider attacks
• The thresholds for this matrix will be:
  – Not Relevant: 0
  – Low: 0 < x <= 0.001
  – Medium: 0.001 < x <= 0.01
  – High: 0.01 < x < 1

Case Study – Threat/Control Matrix
• Some of these controls have threats associated with them. However, these are secondary considerations and we will be focusing on primary threats.
• We assume that IDS systems will control 30% of the DoS attacks, 30% of viruses and worms and 90% of intrusions
  – In addition, IDS systems do not impact insider attacks
• Anti-virus software will prevent 90% of viruses and worms.
• Upgrades to a firewall will greatly control (90% each) DoS attacks as well as viruses and worms. They will control 30% of intrusions, but not insider attacks.
• A redundant HQ server will control 10% of hardware failure (when the original HQ server fails). This is the same percentage for theft and insider attacks.
• Also, a redundant HQ server will help with 80% in cases of DoS attacks on the HQ server.
• Spare laptops will assist in cases of hardware failure and theft (30% because of volume).

Case Study – Threat/Control Matrix, cont'd.
• We assume that warranties will help with 70% of both hardware failure and software failure. While they will assist with the cost of new hardware or software, they will not reduce employee time.
• It is determined that insurance will be able to control 90% of impacts from the threats of theft, DoS attacks, virus/worm attacks, insider attacks, and intrusion.
• Physical controls (locks, key cards, biometrics, etc.) will control 90% of theft.
• Also, it is assumed that a security policy will assist with 20% of all threats since every policy can have procedures which can assist in prevention.
• Customize the matrix based on the specific case
  – Add values from the Threat Importance column of the previous matrix
  – Determine the impact of different controls on different threats
  – Compute the sum of the products of the threat importance by the impact of controls to determine values
• The thresholds for this matrix will be:
  – Not Relevant: 0
  – Low: 0 < x <= 0.01
  – Medium: 0.01 < x <= 0.05
  – High: 0.05 < x < 1

Case Study – Threat/Control Matrix, cont'd.

  Controls \ Threats         Hardware     Software     Theft        Denial of    Viruses/     Insider      Intrusion    Aggregates
                             Failure      Failure                   Service      Worms        Attacks                   (Value of Control)
  Threat importance (input)  100,486,000  150,832,000  144,486,000  106,812,000  150,852,000  119,476,000  150,852,000  Σ (threat importance x impact of controls)
  Intrusion Detection        0            0            0            2            2            0            3            $967,884,000.00
  Anti-Virus                 0            0            0            0            3            0            0            $452,556,000.00
  Firewall Upgrades          0            0            0            3            3            0            2            $1,074,696,000.00
  Redundant HQ Server        1            0            1            3            0            1            0            $684,884,000.00
  Spare Laptops              2            0            2            0            0            0            0            $489,944,000.00
  Warranties                 3            3            0            0            0            0            0            $753,954,000.00
  Insurance                  0            0            3            3            3            3            3            $2,017,434,000.00
  Physical Controls          0            0            3            0            0            0            0            $433,458,000.00
  Security Policy            1            1            1            1            1            1            1            $923,796,000.00

  Scale: 0 – Not Relevant, 1 – Low, 2 – Medium, 3 – High (the cell scores follow the control assumptions on the two preceding slides; each aggregate is Σ threat importance x score)

Case Study – Assignment
• Given the matrices and the example case provided, use this same methodology to determine the information security risk in your own organization.
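The three-matrix chain of the case study (Asset/Vulnerability, Vulnerability/Threat, Threat/Control) carried out in code, as an added worked example that is not part of the deck. The asset values and the 0–3 scores are the case-study figures; the Threat/Control scores are the ones that reproduce the "value of control" aggregates from the stated control assumptions (note that those assumptions are scored 10–20% as Low, 30% as Medium and 70–90% as High, which is what the aggregates require, even though the numeric thresholds listed for that matrix would put 30% and 90% both in High). The `score` helper that maps a probability or fraction onto the 0–3 scale with a slide's thresholds, and the `rank_controls` ordering, are this example's own additions:

```python
"""Matrix-based qualitative risk analysis: the three-matrix chain of the case study.

Added worked example, not the deck's own code.  Scores use the deck's 0-3 scale
(0 not relevant, 1 low, 2 medium, 3 high); dollar figures and scores are the
case-study values.  Each stage is a "sum of products": an input vector times each
row of a matrix, and the resulting column feeds the next matrix as its input row.
"""
from typing import Dict, List, Sequence

# Asset values from the Asset/Vulnerability matrix (columns, in this order).
ASSETS = {
    "Transaction Revenue": 10_000,
    "Data (Liability)":    10_000_000,
    "Laptops":             5_000_000,
    "Desktops":            3_000_000,
    "Regional Servers":    326_000,
    "HQ Server":           126_000,
}

# Asset/Vulnerability matrix: one row per vulnerability, one score per asset.
ASSET_VULN = {
    "Laptops":          [1, 1, 3, 0, 0, 0],
    "Desktops":         [1, 1, 0, 3, 0, 0],
    "Regional Servers": [2, 3, 0, 0, 3, 0],
    "HQ Servers":       [2, 0, 0, 0, 0, 3],
    "Network Infrast.": [2, 0, 0, 0, 0, 0],
    "Software":         [1, 0, 0, 0, 0, 0],
}

# Vulnerability/Threat matrix: one row per threat, columns in ASSET_VULN row order.
VULN_THREAT = {
    "Hardware Failure":  [2, 1, 1, 1, 3, 0],
    "Software Failure":  [2, 2, 2, 2, 0, 0],
    "Equipment Theft":   [3, 2, 1, 1, 1, 2],
    "Denial of Service": [1, 1, 2, 2, 0, 0],
    "Viruses/Worms":     [2, 2, 2, 2, 0, 2],
    "Insider Attacks":   [2, 2, 1, 1, 1, 2],
    "Intrusion":         [2, 2, 2, 2, 0, 2],
}

# Threat/Control matrix: one row per control, columns in VULN_THREAT row order.
# Scores encode the stated control assumptions (10-20% -> 1, 30% -> 2, 70-90% -> 3)
# and reproduce the deck's "value of control" aggregates.
THREAT_CONTROL = {
    "Intrusion Detection": [0, 0, 0, 2, 2, 0, 3],
    "Anti-Virus":          [0, 0, 0, 0, 3, 0, 0],
    "Firewall Upgrades":   [0, 0, 0, 3, 3, 0, 2],
    "Redundant HQ Server": [1, 0, 1, 3, 0, 1, 0],
    "Spare Laptops":       [2, 0, 2, 0, 0, 0, 0],
    "Warranties":          [3, 3, 0, 0, 0, 0, 0],
    "Insurance":           [0, 0, 3, 3, 3, 3, 3],
    "Physical Controls":   [0, 0, 3, 0, 0, 0, 0],
    "Security Policy":     [1, 1, 1, 1, 1, 1, 1],
}


def score(x: float, low_max: float, medium_max: float) -> int:
    """Map a fraction/probability in [0, 1) onto 0-3 using a slide's thresholds.

    0 -> Not Relevant, (0, low_max] -> Low, (low_max, medium_max] -> Medium,
    (medium_max, 1) -> High.  Helper added for this example.
    """
    if not 0 <= x < 1:
        raise ValueError(f"expected a fraction in [0, 1), got {x}")
    if x == 0:
        return 0
    if x <= low_max:
        return 1
    if x <= medium_max:
        return 2
    return 3


def aggregate(inputs: Sequence[float], matrix: Dict[str, Sequence[int]]) -> Dict[str, float]:
    """Sum of products of the input row with each matrix row (the deck's Σ column)."""
    result = {}
    for name, row in matrix.items():
        if len(row) != len(inputs):
            raise ValueError(f"row {name!r} has {len(row)} scores, expected {len(inputs)}")
        result[name] = sum(w * s for w, s in zip(inputs, row))
    return result


def run_case_study():
    """Chain the three matrices; returns (impact, threat importance, value of control)."""
    impact = aggregate(list(ASSETS.values()), ASSET_VULN)        # Asset/Vulnerability slide
    threat = aggregate(list(impact.values()), VULN_THREAT)       # Vulnerability/Threat slide
    control = aggregate(list(threat.values()), THREAT_CONTROL)   # Threat/Control slide
    return impact, threat, control


def rank_controls() -> List[str]:
    """Controls ordered by value, highest first: the relative priority the method yields."""
    control = run_case_study()[2]
    return sorted(control, key=control.get, reverse=True)


if __name__ == "__main__":
    impact, threat, control = run_case_study()
    for stage, values in (("Impact", impact), ("Threat importance", threat), ("Value of control", control)):
        print(f"\n{stage}")
        for name, value in values.items():
            print(f"  {name:<20} {value:>16,}")
    print("\nPriority:", " > ".join(rank_controls()))
```

Running the script reproduces every aggregate on the three matrix slides, which is a useful check when the matrices are maintained in a spreadsheet: any hand-edited cell that no longer matches its stated assumption shows up as a changed aggregate. To apply the method to another organization, only the three dictionaries change; `score` turns observed rates (failure rates, theft probabilities, control effectiveness) into the 0–3 cells using whatever thresholds are chosen for each matrix.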
Appendix

Qualitative Risk Analysis – Summary
• Qualitative risk analysis involves using relative values of assets, threats and vulnerabilities to:
  – Determine the relative exposure of different assets of the organization
  – Determine the relative effectiveness of different controls
• The methodology developed here uses a series of matrices to collect the data on assets, vulnerabilities, threats and controls
• Data from the matrices is integrated to determine the relative importance of controls
• This approach is suitable when precise data for different elements is unavailable
• Most organizations start with a qualitative analysis and gradually migrate to a quantitative analysis

Qualitative Risk Analysis – Summary, cont'd.
• Risk Aggregation: J K L I i 1 i 1 R* (t j ij ) jk kl al Ci j 1k 1l 1
• Optimization – simple formulation: Minimize : R j such that j * I ij (1 qi ij ) k Q k Q k 1 j 1
• Cost Benefit Analysis:
  LEVERAGE = (RISK EXPOSURE before reduction – RISK EXPOSURE after reduction) / COST OF REDUCTION
• Regression Testing – used for comparing risk impact
• Monte Carlo Simulation:
  1) Develop risk model
  2) Define the shape and parameters
  3) Run simulation
  4) Build histogram
  5) Compute summary statistics
  6) Perform sensitivity analysis
  7) Analyze potential dependency relationships

Acknowledgements
Grants & Personnel
• Support for this work has been provided through the following grants:
  – NSF 0210379
  – FIPSE P116B020477
• Damira Pon, from the Center of Information Forensics and Assurance, contributed extensively by reviewing and editing the material
• Robert Bangert-Drowns, from the School of Education, provided extensive review of the material from a pedagogical view
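The seven Monte Carlo steps listed on the summary slide, worked through as an added example that is not part of the deck. The risk model is constructed for illustration: a fleet of laptops, each with the deck's assumed daily theft probability of .01, observed over a fixed window; the fleet size, window length, per-theft loss and the clustered "break-in" parameters used for the dependency step are assumptions, not figures from the slides.

```python
"""Monte Carlo loss simulation following the seven steps on the summary slide.

Added example, not the deck's code.  The risk model is constructed for
illustration: N_LAPTOPS laptops, each with the deck's assumed daily theft
probability of .01, watched over DAYS days.  Fleet size, window, per-theft loss
and the clustered break-in parameters are assumptions, not figures from the slides.
"""
import random
import statistics
from typing import Dict, List, Sequence, Tuple

N_LAPTOPS = 50              # assumed fleet size
DAYS = 30                   # assumed exposure window
P_THEFT_PER_DAY = 0.01      # the deck's laptop theft assumption
LOSS_PER_THEFT = 2_500      # assumed replacement and handling cost per laptop ($)
P_BREAKIN_PER_DAY = 0.05    # assumed: dependency variant, one break-in takes BREAKIN_SIZE laptops
BREAKIN_SIZE = 10           # chosen so both models expect the same number of thefts (0.5/day)


def simulate_independent(runs: int, p: float = P_THEFT_PER_DAY, seed: int = 1) -> List[int]:
    """Steps 1-3: model (each laptop stolen independently each day with probability p),
    parameters, and the simulation itself.  Returns the total loss ($) of each run."""
    rng = random.Random(seed)
    losses = []
    for _ in range(runs):
        thefts = sum(1 for _ in range(N_LAPTOPS * DAYS) if rng.random() < p)
        losses.append(thefts * LOSS_PER_THEFT)
    return losses


def simulate_clustered(runs: int, seed: int = 2) -> List[int]:
    """Step 7 variant: thefts are dependent; a single break-in removes several laptops."""
    rng = random.Random(seed)
    losses = []
    for _ in range(runs):
        thefts = sum(BREAKIN_SIZE for _ in range(DAYS) if rng.random() < P_BREAKIN_PER_DAY)
        losses.append(thefts * LOSS_PER_THEFT)
    return losses


def histogram(losses: Sequence[int], bin_width: int = 5 * LOSS_PER_THEFT) -> Dict[int, int]:
    """Step 4: bucket losses by bin_width; keys are the lower edge of each bin."""
    counts: Dict[int, int] = {}
    for x in losses:
        edge = (x // bin_width) * bin_width
        counts[edge] = counts.get(edge, 0) + 1
    return dict(sorted(counts.items()))


def summary(losses: Sequence[int]) -> Dict[str, float]:
    """Step 5: mean, standard deviation and the 95th percentile loss."""
    ordered = sorted(losses)
    idx = min(len(ordered) - 1, int(0.95 * len(ordered)))
    return {
        "mean": statistics.fmean(ordered),
        "stdev": statistics.pstdev(ordered),
        "p95": float(ordered[idx]),
    }


def sensitivity(runs: int, rates: Tuple[float, ...] = (0.005, 0.01, 0.02)) -> Dict[float, float]:
    """Step 6: re-run with the theft rate varied and report the expected loss for each."""
    return {p: summary(simulate_independent(runs, p))["mean"] for p in rates}


def dependency_comparison(runs: int) -> Tuple[float, float]:
    """Step 7: same expected thefts, but dependent events widen the loss distribution.
    Returns (stdev of the independent model, stdev of the clustered model)."""
    independent = summary(simulate_independent(runs))["stdev"]
    clustered = summary(simulate_clustered(runs))["stdev"]
    return independent, clustered


if __name__ == "__main__":
    losses = simulate_independent(1000)
    for edge, n in histogram(losses).items():
        print(f"${edge:>8,}  {'#' * (n // 10)}")
    print(summary(losses))
    print("sensitivity:", sensitivity(300))
    print("stdev independent vs clustered:", dependency_comparison(500))
```

The point of step 7 shows up in `dependency_comparison`: the independent and clustered models produce the same expected loss, but the clustered one has a much wider spread and a fatter tail, so a 95th-percentile figure read off the independent model understates the exposure whenever thefts (or failures) can happen together. That is the kind of dependency the qualitative matrices cannot express and a quantitative analysis has to add.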