Risk Management
advertisement
Security Risk Management Risk Management Risk Identification Identify & Prioritize Assets Identify & Prioritize Threats Identify Vulnerabilities between Assets and Threats (Vulnerability Analysis) Risk Assessment Calculate Relative Risk of Each Vulnerability Risk Control Cost-Benefit Analysis Avoid Control Transfer Mitigate Accept Security Risk Management Risk Assessment: ‘spotting’ the most significant vulnerabilities in the sea of potential vulnerabilities vulnerability that carries most risk Risk Analysis: Is a sec. risk worth a sec. control?! Quantitative, Qualitative, Relative Risk Analysis Qualitative vs. Quantitative Analysis • Qualitative Risk – scenario based approach - uses Analysis labels & relative values (high/low) rather than numbers; blends in experience & personal judgment • Quantitative Risk – predicts level of monetary loss Analysis for each threat, and monetary benefit of controlling the treat each element is quantified and entered into equations, e.g.: asset value threat frequency severity of vulnerability damage impact safeguard cost … Qualitative vs. Quantitative Analysis Qualitative Analysis pros cons Quantitative Analysis • Requires simple (or no) calculations. • Considers hands-on opinions of individuals who know the process best. • Easier to automate and evaluate. • Very useful in performance tracking - provide credible cost/benefit analysis. • Assessment and results are subjective. • Complex calculations – may not be understood by all. • Does not enable dollar cost/benefit discussion. • Very detailed information about environment need to be gathered. • Difficult to track performance. Qualitative vs. Quantitative Analysis “Quantitative risk measurement is the standard way of measuring risk in many fields, such as finance and insurance, but it is not commonly used to measure risk in information systems. Two of the reasons claimed for this are: 1) the difficulties in identifying and assigning a value to assets, and 2) the lack of statistical information that would make it possible to determine frequency. Thus, most of the risk assessment tools that are used today for information systems are measurements of qualitative risk.” http://www.sans.org/reading_room/whitepapers/auditing/ introduction-information-system-risk-management_1204 Qualitative Analysis • Challenges of – define likelihood and impact Qualitative values in a manner that would Analysis allow the same scale to be used across multiple risk assessments Example: Sample ‘likelihood of threat’ definitions Other possibilities: 1) uniform distribution – same % at/for all levels 2) 5 levels of likelihood: very low, low, moderate, very high, high Qualitative Analysis (cont.) Example: Sample ‘impact’ definitions Example: Sample ‘risk determination’ matrix http://www.sans.org/reading_room/whitepapers/auditing/introductioninformation-system-risk-management_1204 Quantitative Analysis • Cost-Benefit – aka economic feasibility study Analysis quantitative decision-making process that: determines the loss in value if the asset remained unprotected determines the cost of protecting an asset helps prioritize actions and spending on security … Company should not spend more to protect an asset than the asset is worth! Quantitative Analysis (cont.) • Asset Value (AV) – includes the following: cost of buying/developing hardware, software, service cost of installing, maintaining, upgrading hardware, software, service cost to train and re-train personnel • Exposure – percentage loss that would occur from a given vulnerability being Factor (EF) exploited by a given threat Quantitative Analysis (cont.) • Single Loss – most likely loss (in value) from Expectancy an attack (SLE) SLE = AV * EF Example: A Web-site’s SLE due to a DDoS Attack Estimated value of a Web-site: AV = $ 1,000,000. A DDoS on the site would result in 10% losses of the site value (EF=0.1). SLE for the site: AV * EF = $ 100,000. Would it be worth investing in anti-DDoS system that costs $100,000 a year? Quantitative Analysis (cont.) • Annualized Rate – indicates how often an attack of Occurrence is expected to successfully (ARO) occur in a year if an attack occurs once every 2 years ⇒ ARO = 0.5 • Annualized Loss – overall loss incurred by an Expectancy attack (i.e. by exploiting a (ALE) vulnerability) in each year ALE = ARO * SLE Quantitative Analysis (cont.) Example: Determining ARO, SLE, ALE http://www.pearsonhighered.com/assets/hip/us/hip_us_pearsonhighered/ samplechapter/078973446X.pdf Quantitative Analysis (cont.) Example: Determining ALE to Occur from Risks http://www.windowsecurity.com/articles/Risk_Assessment_and_Threat_Identification.html A widget manufacturer has installed new network servers, changing its network from P2P, to client/server-based network. The network consists of 200 users who make an average of $20 an hour, working on 100 workstations. Previously, none of the workstations involved in the network had an anti-virus software installed on the machines. This was because there was no connection to the Internet and the workstations did not have USB/disk drives or Internet connectivity, so the risk of viruses was deemed minimal. One of the new servers provides a broadband connection to the Internet, which employees can now use to send and receive email, and surf the Internet. Quantitative Analysis (cont.) Example: Determining ALE to Occur from Risks (cont.) • • • 200 employees 100 workstations $20 hour One of the managers read in a trade magazine that other widget companies have reported an annual 75% chance of viruses infecting their network after installing T1 lines, and it may take up to 3 hours to restore the system. A vendor will sell licensed copies of antivirus software for all servers and the 100 workstations at a cost of $4,700 per year. The company has asked you to determine the annual loss that can be expected from viruses, and determine if it is beneficial in terms of cost to purchase licensed copies of anti-virus software. Quantitative Analysis (cont.) Example: Determining ALE to Occur from Risks (cont.) Based on the provided data: ARO = 0.8 SLE = 200 user * ($ 20 / user-hour) * 3 hours = $ 12,000 ALE = SLE * ARO = $ 9,000 Because the ALE is $9,000, and the cost of the software that will minimize this risk is $4,700 per year, this means the company would save $4,300 per year by purchasing the software ($9,000 - $4,700 = $4,300). Quantitative Analysis (cont.) • Cost-Benefit Analysis – expresses cost benefit of a safeguard – i.e., Formula determines whether a particular control is worth its cost GROSS risk reduction benefit NRRB = [ALE(prior) - ALE(post)] – ACS NET risk reduction benefit ALE(prior) – ALE before implementing control ALE(post) – ALE after implementing control ACS – annual cost of safeguard Quantitative Analysis (cont.) Example: Cost-Benefit Analysis ALE GRRB gross risk reduction benefit ALE(prior) before safeguards NRRB net risk reduction benefit ACS annual. cost of safeguards ALE(post) after safeguards Time Only NRRB>0 justifies the use of safeguard(s)! Quantitative Analysis (cont.) Example: Determining NRRB Your organization has decide to centralize anti-virus support on a server which automatically updates virus signatures on user’s PCs . When calculating risk due to viruses, the annualized loss expect. (ALE) is $145,000. The cost of this anti-virus countermeasure in a year is estimated to be $24,000, but it will lower the ALE to $65,000. Is this a cost-effective countermeasure? Why or why not? ALE (prior) = $145 k ALE (post) = $65 k ACS = $24 k NRRB = ALE (prior) – ALE (post) – ACS = $145 k - $65 k - $24 k = $56 k, so there are positive benefits of this solution Quantitative Analysis (cont.) Example: Cert. Info. Sys. Sec. Prof. (CISSP) Exam ALE (prior) = AV*EF*ARO = $106 *0.1*0.2 = $20,000 ALE (post) = $0 (best case scenario - safeguard 100% eff.) ACS = ? For NRRB ≥ 0, safeguard of up to $20,000 acceptable. Quantitative Analysis (cont.) Example: Cost-benefit analysis in case of 100% effective safeguard ALE NRRB net risk reduction benefit ACS annual. cost of safeguards ALE(prior) before safeguards ALE(post) after safeguards Time Other Feasibility Measures • Cost-benefit analysis determines whether a security control measure is feasible economically. • Other ‘measures of feasibility’, when evaluating a security control, include: • Organizational – examines how well a proposed Feasibility security control will contribute to organization’s strategic objectives e.g. a firewall might be a good security safeguard, but may prevent effective flow of multimedia data Other Feasibility Measures (cont.) • Behavioral – examines user’s and management’s Feasibility acceptance and support of a proposed security control e.g. if users do not accept a new policy / technology / program, it will inevitably fail most common methods for obtaining user acceptance are: communication – affected parties must know the purpose and benefits of the proposed change education – affected parties must be educated on how to work under the new constraints involvement – affected parties must be given a chance to express what they want and what they will tolerate from the system Other Feasibility Measures (cont.) • Technical – determine whether organization has Feasibility or can acquire technology and/or necessary technical expertise to implement and support a control e.g. a firewall may require special software hardware support / installation on all computers • Political – determines what can and cannot be Feasibility done based on consensus and relationships between different departments … IT and Info. Sec. department might have to compete for same resources Relative Analysis • Rather than using quantitative or qualitative risk analysis measures, an organization may resort to relative risk analysis of a control, including: • Benchmarking – study practices used in other organizations that obtain results you would like to duplicate • Due Care or – implement a minimum level of Due Diligence security failure to maintain a standard of due care can open an organization to legal liability – especially important if dealing with customer data Relative Assessment (cont.) • Best Practices – implement entire set of security controls as recommended for your industry / general public ‘best practices’ according to Microsoft: use antivirus software use strong passwords verify your software security setting update product security build personal firewalls back up early and often protect against power surges and losses • Gold Standard – implement controls beyond best practices – for those that strive to be ‘the best of the best’ Risk Assessment Methodologies • Risk Assessment – set of procedures & activities Methodology that structure risk assessment process each methodology may be suitable (only) for certain situations and industries because of various needs and various situations, a variety of risk assessment methodologies (tools) have been developed: OCTAVE FAIR Microsoft Risk Management Approach ISO Standard for Sec. Risk Management Risk Assessment Methodologies (cont.) • OCTAVE – Operationally Critical Threat, Asset, and Vulnerability Evaluation - developed by a research team from Carnegie Mellon suite of tools, techniques and methods uses a 3-phase approach to assemble a comprehensive picture of information security needs of an enterprise Phase 1: Build Asset-Based Threat Profile Key areas of expertise within organization are examined, through a set of workshops with staff, to identify: * * * * * important information assets threats to those assets security requirements of assets current protection strategies weaknesses in organizational policies and practice Risk Assessment Methodologies (cont.) • OCTAVE (cont.) Phase 2: Identify Infrastructure Vulnerabilities Key operational components of IT infrastructure are examined for technical vulnerabilities. Possible types of vulnerabilities: * design vulnerabilities * implementation vulnerability * configuration vulnerability Tools that can be used during this phase: * file integrity checkers * virus scanners * system scanners * network scanners / mappers Network/system should assessed from outside enterprise, inside enterprise, and from individual subsystems within enterprise Risk Assessment Methodologies (cont.) • OCTAVE (cont.) Phase 3: Develop Security Strategy and Plans Information generated in Phases 1 & 2 are analyzed to: 1) identify and evaluate risks based on their impact 2) develop protection strategy and mitigation plans OCTAVE uses qualitative approach to evaluate risks as well as to evaluate their impact. http://www.proceedings2006.imcsit.org/pliks/160.pdf Risk Assessment Methodologies (cont.) • OCTAVE (cont.) Characteristics of OCTAVE: Self-directed. A small team of organization’s personnel (analyst team) manages the process and analyzes all information. Multidisciplinary Analyst Team. OCTAVE requires that analyst team comprises representatives from both the mission-related and IT areas of organization. Workshop-Based Approach. Workshop-based approach for gathering information and making decisions is used. Analyst team members are primary workshop facilitators. Catalogs of Information. In all three phases, OCTAVE benchmarks organization against catalogs of information: catalog of practices, threat profile, catalog of vulnerabilities. Risk Assessment Methodologies (cont.) • FAIR – Factor Analysis of Information Risk, by J. Jones framework that aims to help organizations understand, analyze & measure information risk (the why and the how) key components of FAIR framework: Taxonomy of factors that make up information risk. (provides precise def. of asset, threat, vulnerability, risk) Methods for measuring factors that derive info. risk. (measures of threat event frequency, vulnerability, loss) Computational model for math. calculation of risk. Simulation model that combines the above to build and analyze risk scenarios of any size or complexity. can be used to strengthen risk analysis processes like OCTAVE Risk Assessment Methodologies (cont.) • FAIR Analysis Steps: Identify Scenario Components 1. identify the asset in risk 2. identify the threat to community under consideration Evaluate Loss Event Frequency (LEF) 3. 4. 5. 6. 7. estimate the probable threat event frequency (TEF) estimate the threat capability (TCap) estimate control strength derive vulnerability (Vuln) derive loss event frequency (LEF) Evaluate Probable Loss Magnitude (PLM) 8. estimate worst-case loss 9. estimate probable loss Derive and Articulate Risk 10. derive and articulate risk Risk Assessment Methodologies (cont.) • FAIR Analysis Characteristics: Quantitative – risk expressed in quantitative terms Probabilistic – accounts for uncertainty Intuitive – clear and ‘easy to follow’ logic/approach Flexible – can be applied to any level of abstraction Compatible with widely used security standards Agnostic – can be applied to other (non-information) security disciplines Familiar to Management – communicates in terms that are familiar and meaningful to management Approved and reviewed by experts Sophisticated – applies sophisticated scientific principles Risk Assessment Methodologies (cont.) Example: FAIR Risk Factoring The probable frequency, within a given timeframe, that a treat agent will act against an asset. = The probable frequency, within a given timeframe, that a treat agent will come into contact with an asset. X The probability that a treat agent will act against an asset once contact occurs. Microsoft’s 10 Immutable Laws of Security http://technet.microsoft.com/en-us/library/cc722487.aspx Law #1: If a bad guy can persuade you to run his program on your computer, it's not your computer anymore! Law #2: If a bad guy can alter the operating system on your computer, it's not your computer anymore! Law #3: If a bad guy has unrestricted physical access to your computer, it's not your computer anymore! Law #4: If you allow a bad guy to upload programs to your website, it's not your website any more! Law #5: Weak passwords trump strong security. Microsoft’s 10 Immutable Laws of Security (cont.) Law #6: A computer is only as secure as the administrator is trustworthy. Law #7: Encrypted data is only as secure as the decryption key. Law #8: An out of date virus scanner is only marginally better than no virus scanner at all. Law #9: Absolute anonymity isn't practical, in real life or on the Web. Law #10: Technology is not a panacea.
