CE/CZ 4064
Security Management
Risk Analysis and Assessments
CE/CZ 4064: Security Management, © 2014, Anwitaman DATTA
Risk management
Dilemmas of Information Security
How much resource for which?
Prevent Detect Respond
Dilemmas of Information Security
Complacency
If no major security
incidents happened
recently, why bother?
How do you justify a
budget for security?
Dilemmas of Information Security
Security at all cost!!
But, there is “no perfect
security”
How do we know what
is good enough?
Security is priceless
Dilemmas of Information Security
The fallacy of relative
privation
Is being better than the competition good
enough?
Dilemmas of Information Security
Or is it to follow “Best practices”?
Lowest common denominator
Dilemmas of Information Security
Standards compliant?
compliance out of
compulsion
Sounds like a burden,
but is there any value?
Dilemmas of Information Security
Everything has a price
Security is priceless. Or, is it?
Blakley et al. (2001) rationalize that since information security concerns the protection of business-critical or sensitive information and related IT systems and infrastructure, failures of information security will trigger adverse events, resulting in losses or damages that will exert negative impacts on a business. Information security must be a risk management discipline that manages risks by considering their costs and/or impacts on a business. In other words, “information security is information risk management”.
Dilemmas of Information Security
Recognizing the wisdom of the “no perfect security” principle and the need to prioritize and decide resource allocations within a limited security budget, a risk management approach seems logical and has been widely proposed for managing information security.
OSCAR WILDE
Risk analysis
Risk analysis
Many methodologies (but trying to broadly investigate):
What needs to be protected?
Who/What are the threats and vulnerabilities?
What are the implications if they were damaged or
lost?
What is the value to the organization?
What can be done to minimize exposure to the loss
or damage?
Source: http://www.sans.org/reading-room/whitepapers/auditing/overview-threat-risk-assessment-76
Risk analysis
Desired outcome:
Recommendations that maximize the protection of
confidentiality, integrity and availability while still
providing functionality and usability
Note: Instead of the CIA-triad, the scope of
protection may be expanded to other desirable
security attributes.
Source: http://www.sans.org/reading-room/whitepapers/auditing/overview-threat-risk-assessment-76
Risk analysis
Process:
Scope
What is it for? What all is to be investigated?
The network, the databases, the web service,
system boundary, …
Who is it for?
CFO needs to know different things than what the
CISO or the network administrator needs to know …
Source: http://www.sans.org/reading-room/whitepapers/auditing/overview-threat-risk-assessment-76
Risk analysis
Process:
Data Collection
processes and policies in place
which software/patches are being used
repository of known vulnerabilities (for the
products being used)
…
Source: http://www.sans.org/reading-room/whitepapers/auditing/overview-threat-risk-assessment-76
Risk analysis
Process:
Vulnerability analysis
determine current exposures
e.g., not the latest patches
penetration testing (e.g., using standard tools)
With/without knowledge of the internals
Source: http://www.sans.org/reading-room/whitepapers/auditing/overview-threat-risk-assessment-76
Risk analysis
Process:
Vulnerability analysis
(Example slides: images not reproduced)
Source: http://www.sans.org/reading-room/whitepapers/auditing/overview-threat-risk-assessment-76
Risk analysis
Process:
Threat analysis
(Example slide: image not reproduced)
Source: http://www.sans.org/reading-room/whitepapers/auditing/overview-threat-risk-assessment-76
Risk analysis
Process:
Risk identification and analysis of acceptable risks
Risk analysis
Process:
Analysis of acceptable risks
Sources: http://blog.securestate.com/acceptance-is-the-first-step/
http://executive-education.insead.edu/ressources_edp/library/ckfinder/userfiles/images/executive_education/ssss.png
Qualitative risk analysis
Different (relative) levels of the risks’ probabilities and impacts are defined. Definitions of probability levels and impact levels are tailored to the individual settings.
Note: We already did a similar exercise for the vulnerability analysis.
Sources: http://m.engineering.queensu.ca/Outreach/EngineeringStudents/files/PMBOK3rdEnglish.pdf
Qualitative risk analysis
Other aspects
Risk urgency
Collaterals and
interdependencies
Sources: http://m.engineering.queensu.ca/Outreach/EngineeringStudents/files/PMBOK3rdEnglish.pdf
What is it really worth?
Quantitative risk analysis
Difficult to make improvements in security without proper financial analyses to justify the budget.
Quantitative risk analysis attempts to assign independently objective monetary values to the components of the risk assessment and to the assessment of the potential loss.
Sources: http://www.sans.org/reading-room/whitepapers/auditing/quantitative-risk-analysis-step-by-step-849
Quantitative risk analysis
Advantages (if done “correctly”)
More objectivity in its assessment
Analysis is often derived from some irrefutable facts
Offers direct projection of cost/benefit of proposal
More powerful selling tool to management
less prone to arouse disagreements during management
review
Can be fine-tuned to meet the needs of specific situations
and customised for specific industries
Sources: http://www.sans.org/reading-room/whitepapers/auditing/quantitative-risk-analysis-step-by-step-849
Example
BuyAnyTime Inc. is an online retailer, gearing up for
Christmas sale - and for the increased traffic at its site for
a period of one month (30 days), it expects the following:
Average 100 transactions a minute
Average $10 profit per transaction
Current system avg downtime of 30 minutes per day
An upgrade will cost $800,000 and reduce downtime to
5 minutes per day
Is it worth it?
Example
30 minutes downtime
Cost to business = $ 30*30*10*100
= $ 900,000
vs
5 minutes downtime
Cost to business = $ (5*30*10*100 + 800,000)
= $ 950,000
Example
BuyAnyTime Inc. does a consumer survey to
conclude, that in fact, if they have more than 10
minutes downtime per day, their reputation will suffer,
leading to 2% customer attrition.
Reevaluate the decision?
Assume reduction in the volume of transactions to
be proportional to the quantum of customer
attrition.
Example
30 minutes downtime
Cost to business = $ 30*30*10*100 = $ 900,000
Reevaluated cost to business = $ (30*30*10*100) + $ (1410*30*10*2) = $ 1,746,000
vs
5 minutes downtime
Cost to business = $ (5*30*10*100 + 800,000) = $ 950,000
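The BuyAnyTime Inc. calculation, written out as an added example (not code from the lecture slides) so that the two readings of the decision, direct downtime loss only versus downtime plus reputational attrition, come out of the same model. All figures are the ones stated on the slides; the function names and the break-even helper (the highest upgrade price at which upgrading still pays) are this example's own assumptions.

```python
# Added example (not from the lecture slides): the BuyAnyTime Inc. downtime
# calculation from the slides, generalised to any downtime/attrition figures.
# All parameter values are the ones stated on the slides; the function names
# and the break-even helper are this example's own.

MINUTES_PER_DAY = 24 * 60  # 1440; the slides' 1410 = 1440 - 30 minutes of downtime


def downtime_cost(downtime_min_per_day, days, tx_per_min, profit_per_tx):
    """Profit lost while the site is down: minutes down x transactions x profit."""
    return downtime_min_per_day * days * tx_per_min * profit_per_tx


def attrition_cost(downtime_min_per_day, days, tx_per_min, profit_per_tx,
                   threshold_min_per_day, attrition_pct):
    """Secondary (reputation) loss: if daily downtime exceeds the survey threshold,
    attrition_pct of customers leave, and the slides assume transaction volume
    drops proportionally for every minute the site is actually up."""
    if downtime_min_per_day <= threshold_min_per_day:
        return 0
    uptime_min_per_day = MINUTES_PER_DAY - downtime_min_per_day
    lost_tx_per_min = tx_per_min * attrition_pct / 100
    return uptime_min_per_day * days * lost_tx_per_min * profit_per_tx


def total_cost(downtime_min_per_day, days, tx_per_min, profit_per_tx,
               upgrade_cost=0, threshold_min_per_day=None, attrition_pct=0):
    """Direct downtime loss + one-time upgrade cost + attrition loss (if modelled)."""
    cost = downtime_cost(downtime_min_per_day, days, tx_per_min, profit_per_tx) + upgrade_cost
    if threshold_min_per_day is not None:
        cost += attrition_cost(downtime_min_per_day, days, tx_per_min, profit_per_tx,
                               threshold_min_per_day, attrition_pct)
    return cost


def compare_options(days=30, tx_per_min=100, profit_per_tx=10,
                    current_downtime=30, upgraded_downtime=5, upgrade_cost=800_000,
                    threshold_min_per_day=None, attrition_pct=0):
    """Cost of keeping the current system vs. upgrading, plus the largest
    upgrade price at which upgrading still breaks even."""
    keep = total_cost(current_downtime, days, tx_per_min, profit_per_tx,
                      0, threshold_min_per_day, attrition_pct)
    upgrade = total_cost(upgraded_downtime, days, tx_per_min, profit_per_tx,
                         upgrade_cost, threshold_min_per_day, attrition_pct)
    break_even = keep - (upgrade - upgrade_cost)
    return {"keep": keep, "upgrade": upgrade, "worth_it": upgrade < keep,
            "break_even_upgrade_cost": break_even}


if __name__ == "__main__":
    print("Direct downtime only:", compare_options())
    print("With 2% attrition above 10 min/day:",
          compare_options(threshold_min_per_day=10, attrition_pct=2))
```

Without the survey the upgrade loses ($950,000 against $900,000, so it would only pay at $750,000 or less); once the 2% attrition above 10 minutes of daily downtime is included, keeping the current system costs $1,746,000 and the same $800,000 upgrade is clearly justified.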
Quantitative risk analysis
Need to take into account
Different risk countermeasure strategies will have
different payback or cash flow scenarios.
One time investment (infrastructure upgrade) vs.
recurrent costs (regular penetration tests by
security consultant)
Long term benefits vs. time-limited benefits
Secondary effects (e.g., reputation as an “asset”)
Annualized Loss Expectancy
The monetary loss expected in one year due to a risk
ALE = ARO × SLE
where
ALE: Annualized Loss Expectancy
ARO: Annual Rate of Occurrence
SLE: Single Loss Expectancy
Annualized Loss Expectancy
The monetary loss expected in one year due to a risk
ARO: Annual Rate of Occurrence
How often does a specific loss event from a
particular risk occur?
Annualized Loss Expectancy
The monetary loss expected in one year due to a risk
SLE: Single Loss Expectancy
The monetary loss expected from the occurrence of a risk once, on an asset: SLE = AV × EF, where AV is the asset value and EF the exposure factor.
The exposure factor represents the impact of the risk on the asset, i.e., the percentage of the asset lost.
ALE example
A company has 10000 employees. Personal information and emails for these employees are stored in a distributed manner over ten machines, each storing 1000 distinct (non-intersecting) records. Whenever one of these employees falls victim to a phishing attack, the whole machine (where the victim’s records are stored) is compromised. The IT department claims that the Single Loss Expectancy from such an incident is $5000.
What is the valuation of the whole asset according to the IT department?
If 18 people fall victim to phishing spread over a year, what is the annualised loss expectancy?
Annualized Loss Expectancy
Many “shortcomings”
If all 18 people fall victim to phishing together, what is the
annualised loss expectancy?
Depends on the actual number of machines affected.
(level of abstraction may not capture things precisely)
Combining the two risk components, asset value and probability of loss, into one number “simplifies” things (which is sometimes good), but this simplification also means that high-frequency, low-impact events can no longer be distinguished from low-frequency, high-impact events based on that single number.
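The ALE example and the first “shortcoming” above (18 victims spread over the year versus 18 victims at once), worked in code as an added example that is not part of the slides. The interpretation that one compromised machine out of ten is an exposure factor of 0.1, and all helper names, are this example's assumptions; the $5000 SLE, 10 machines and 18 victims are the slide's figures.

```python
# Added example (not from the slides): the ALE formulas applied to the phishing
# scenario on the slides. Reading one machine out of ten as EF = 0.1, and the
# helper names, are this example's assumptions.

NUM_MACHINES = 10
RECORDS_PER_MACHINE = 1000
SLE_PER_MACHINE = 5000      # stated by the IT department on the slides
VICTIMS_PER_YEAR = 18


def single_loss_expectancy(asset_value, exposure_factor):
    """SLE = AV x EF: loss from one occurrence, EF = fraction of the asset lost."""
    return asset_value * exposure_factor


def annualized_loss_expectancy(sle, aro):
    """ALE = SLE x ARO: expected loss per year."""
    return sle * aro


def implied_asset_value(sle, exposure_factor):
    """Invert SLE = AV x EF to recover the valuation an SLE figure implies."""
    return sle / exposure_factor


def ale_for_spread_out_victims(victims_per_year, sle=SLE_PER_MACHINE):
    """Slide's reading: each victim is a separate incident, so ARO = number of victims."""
    return annualized_loss_expectancy(sle, victims_per_year)


def loss_for_clustered_victims(victim_machine_ids, sle=SLE_PER_MACHINE):
    """If the victims all fall together, the loss depends on how many distinct
    machines are compromised, not on the number of victims: the abstraction
    'one victim = one incident' breaks down here."""
    distinct_machines = set(victim_machine_ids)
    return sle * len(distinct_machines)


def clustered_loss_range(num_victims, sle=SLE_PER_MACHINE, num_machines=NUM_MACHINES):
    """Best and worst case for num_victims simultaneous victims: all on one
    machine vs. spread over as many distinct machines as possible."""
    best = sle * 1
    worst = sle * min(num_victims, num_machines)
    return best, worst


if __name__ == "__main__":
    ef = 1 / NUM_MACHINES
    print("Implied asset value:", implied_asset_value(SLE_PER_MACHINE, ef))
    print("ALE, 18 victims spread over the year:", ale_for_spread_out_victims(VICTIMS_PER_YEAR))
    # constructed: 18 simultaneous victims whose records sit on machines 0, 3 and 7
    print("Same 18 victims at once:", loss_for_clustered_victims([0, 0, 3, 3, 7] + [0] * 13))
    print("Range for 18 simultaneous victims:", clustered_loss_range(VICTIMS_PER_YEAR))
```

Under the stated SLE the IT department is implicitly valuing the whole asset at $50,000; 18 separate incidents give an ALE of $90,000, while the same 18 victims in a single wave cost anywhere between $5,000 and $50,000 depending on how many machines they share.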
Annualized Loss Expectancy
Many “shortcomings”
Say, the cost estimated by the IT department was based on the cost to restore data. But now if an employee sues the company because his/her personal data was not properly protected (say under a new “Personal Data Protection Act”), then what?
May not be possible/easy to “correctly” value the asset.
Objectivity is subjective.
Annualized Loss Expectancy
Many “shortcomings”
ARO: Annual Rate of Occurrence
May not be easy to predict/may have high variance
AV and EF: Asset valuation and Exposure factor
May not be easy to quantify and can be subjective,
the person assessing the risk may have to define it
…
Hybrid approach
Risk assessment is not a precise science
A hybrid of qualitative and quantitative approaches
All models are wrong, but some are useful.
- George Box
Identifying & Prioritizing
Penetration testing
Goal oriented
Can a specific security attribute be violated?
Deliverable: A report of how security was breached
in order to reach the agreed-upon goal
Recommend remedy
Source: http://danielmiessler.com/writing/vulnerability_assessment_penetration_test/
Vulnerability Assessment
Exploratory:
Identification and prioritization of vulnerabilities
In terms of severity
In terms of likelihood of occurrence
Fault tree analysis
Fault tree analysis (FTA) is a top down, deductive failure analysis in which an undesired state of a system is analyzed using Boolean logic to combine a series of lower-level events.
Example (diagram, image not reproduced): top event “unauthorized access to email”; events shown in the tree: “password cracked”, “ineffective two-factor authorization”, “key-logger”, “phishing”, “password guessed”, “hardware stolen”, “not deployed”.
Note: FTA is a general purpose technique used for system reliability and safety engineering, risk assessment
eLearning task: Read http://en.wikipedia.org/wiki/Fault_tree_analysis
Attack trees
Conceptual diagrams showing how an asset, or target, might be
attacked, possibly qualifying an attack in multiple dimensions
Motivation: e.g., Opportunistic versus motivated
Access: e.g., insider attack/external hack/…
Skills and resources of attacker: uses ready-made rootkit,
crafts customized attacks, has money for special equipment
…
Risk-aversion: Will send phishing mail, but won’t pick pocket
…
Note: Attack trees are closely related to, but not the same as fault trees, see http://en.wikipedia.org/wiki/Attack_tree for more discussions
Attack trees
Represent the attacks and countermeasures as a tree
structure
Root node is the goal of the attack
Complex systems will have many targets
(modeled as separate roots)
Leaf nodes are the attacks
Source: https://www.schneier.com/paper-attacktrees-ddj-ft.html
Attack trees
Two kinds of intermediate nodes
“Or” nodes: different ways to achieve same goal
“And” nodes: multiple steps required together to
achieve a goal
(And) is indicated explicitly
Attack trees
Example (diagram, image not reproduced): root “unauthorized access to email”, with an explicit AND; nodes shown: “password cracked”, “2FA ineffective”, “key logger”, “phishing”, “password guessed”, “hardware stolen”, “not deployed”, “pick pocket”, “lost”, “from office desk”, “breaking into house”.
Attack trees
Qualified with additional attributes, e.g., probability
(Diagram, image not reproduced: the same tree with leaf probabilities p1, p2, p3, … and a “??” at the node whose probability is to be derived from them.)
Attack trees
Qualified with additional attributes, e.g., time
(Diagram, image not reproduced: the same tree annotated with time estimates such as 3 months, 2 months, 20 hours, 1 day, 1 day, and the labels “not possible”, “not possible” and “not applicable”.)
Attack trees
(Diagram annotations: device; cost-effective layered defence)
It’s possible to combine multiple qualifiers (e.g., time, money, probability).
Can be used to identify the “preferred” attack vectors.
Can be made as detailed as possible, but also, templates of attack sub-trees can be reused.
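An attack tree with AND/OR nodes and two leaf qualifiers (probability and attacker time), as an added example that is not from the slides or from Schneier's paper. The node labels are the slide's; the tree shape, every number, the choice of which leaves are “not possible” (this attacker won't pick pockets, as in the risk-aversion bullet), and the rule that times add under an AND node are this example's assumptions. The same evaluation serves the earlier fault-tree slide: read the root as the top event and leaf probabilities as basic-event failure probabilities.

```python
# Added example (not from the slides or Schneier's paper): an attack tree with
# AND/OR nodes and two leaf qualifiers, probability and attacker time. Labels
# follow the slide; the shape, all numbers, which leaves are "not possible"
# and the "times add under AND" rule are this example's assumptions.
from dataclasses import dataclass, field
from math import prod
from typing import Optional


@dataclass
class Node:
    name: str
    gate: str = "LEAF"                 # "AND", "OR" or "LEAF"
    children: list = field(default_factory=list)
    prob: float = 0.0                  # leaf: probability the attack step succeeds
    hours: Optional[float] = None      # leaf: attacker time; None = "not possible"


def success_probability(node):
    """AND: every child must succeed; OR: at least one must (independent steps assumed)."""
    if node.gate == "LEAF":
        return node.prob
    ps = [success_probability(c) for c in node.children]
    if node.gate == "AND":
        return prod(ps)
    return 1 - prod(1 - p for p in ps)


def fastest_attack(node):
    """(hours, leaf names) of the quickest way to reach node, or (None, []) if impossible.
    OR picks the fastest feasible branch; AND needs all branches, done one after another."""
    if node.gate == "LEAF":
        return (node.hours, [node.name]) if node.hours is not None else (None, [])
    results = [fastest_attack(c) for c in node.children]
    if node.gate == "OR":
        feasible = [r for r in results if r[0] is not None]
        return min(feasible, key=lambda r: r[0]) if feasible else (None, [])
    if any(r[0] is None for r in results):
        return (None, [])
    return (sum(r[0] for r in results), [name for r in results for name in r[1]])


def leaf(name, prob, hours):
    return Node(name, "LEAF", [], prob, hours)


def build_email_attack_tree():
    """Constructed tree: labels follow the slide, numbers are illustrative only."""
    password_cracked = Node("password cracked", "OR", [
        leaf("key logger", 0.3, 30 * 24),
        leaf("phishing", 0.5, 20),
        leaf("password guessed", 0.2, 60 * 24),
    ])
    hardware_stolen = Node("hardware stolen", "OR", [
        leaf("pick pocket", 0.0, None),            # risk-averse attacker: not possible
        leaf("lost", 0.1, 24),
        leaf("from office desk", 0.0, None),       # no physical access: not possible
        leaf("breaking into house", 0.05, 7 * 24),
    ])
    twofa_ineffective = Node("2FA ineffective", "OR", [
        hardware_stolen,
        leaf("not deployed", 0.0, None),           # 2FA is deployed: not applicable
    ])
    return Node("unauthorized access to email", "AND", [password_cracked, twofa_ineffective])


if __name__ == "__main__":
    tree = build_email_attack_tree()
    print("P(unauthorized access):", round(success_probability(tree), 4))
    print("Fastest path:", fastest_attack(tree))
```

The root probability comes out at 0.72 × 0.145 ≈ 0.1044, and the fastest path is phishing (20 h) followed by waiting for a lost device (24 h), 44 hours in total: the “preferred” attack vector the defender should close first. Swapping the OR rule for a plain maximum, or the AND time rule for a maximum instead of a sum, is a one-line change and is exactly the kind of modelling choice the slides say must be tailored to the setting.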
Event tree analysis
Event tree analysis (ETA) is a forward, bottom up, logical modeling technique for both success and failure that explores responses through a single initiating event and lays a path for assessing probabilities of the outcomes and overall system analysis.
Example (diagram, image not reproduced): initiating event “phishing attack”; yes/no branches “successful to obtain login credential”, “2FA ineffective”, “keylogger infected”, “password cracked”; outcomes “unauthorized access to email” and “NO unauthorized access to email”.
Note: ETA is also a general purpose technique, and allows probabilistic risk assessment
eLearning task: Read http://en.wikipedia.org/wiki/Event_tree_analysis
Probabilistic risk assessment
Event tree can be used for probabilistic risk assessment
(Example slide: image not reproduced)
eLearning task: Read http://en.wikipedia.org/wiki/Probabilistic_risk_assessment
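The phishing event tree of the previous slide, evaluated for probabilistic risk assessment as an added example (not from the slides). The branch questions and outcome labels follow the diagram; the branch probabilities, the number of initiating events per year and the SLE used at the end are constructed values, and the helper names are this example's own. The last function shows how the tree feeds the ALE formula from earlier: the probability of the bad outcome times the initiating-event frequency is an ARO.

```python
# Added example (not from the slides): an event tree in code. Branch questions
# and outcome labels follow the slide's diagram; branch probabilities, the
# initiating-event frequency and the SLE are constructed.
OUTCOME_BAD = "unauthorized access to email"
OUTCOME_OK = "NO unauthorized access to email"

# A branch node asks a yes/no question; a plain string is a terminal outcome.
EVENT_TREE = {
    "question": "login credential obtained?",
    "p_yes": 0.3,
    "yes": {"question": "2FA ineffective?", "p_yes": 0.2,
            "yes": OUTCOME_BAD, "no": OUTCOME_OK},
    "no": {"question": "keylogger infected?", "p_yes": 0.1,
           "yes": {"question": "password cracked?", "p_yes": 0.5,
                   "yes": OUTCOME_BAD, "no": OUTCOME_OK},
           "no": OUTCOME_OK},
}


def enumerate_paths(node, path=(), p=1.0):
    """Every root-to-leaf path with its probability: [(path, probability, outcome)]."""
    if isinstance(node, str):
        return [(path, p, node)]
    q = node["question"]
    return (enumerate_paths(node["yes"], path + ((q, "yes"),), p * node["p_yes"])
            + enumerate_paths(node["no"], path + ((q, "no"),), p * (1 - node["p_yes"])))


def outcome_probabilities(node):
    """Sum the path probabilities per outcome, conditional on the initiating event."""
    totals = {}
    for _, p, outcome in enumerate_paths(node):
        totals[outcome] = totals.get(outcome, 0.0) + p
    return totals


def annual_loss_from_event_tree(node, initiating_events_per_year, sle, bad_outcome=OUTCOME_BAD):
    """Turn the tree into an ARO for the bad outcome and then an ALE (= SLE x ARO)."""
    aro = initiating_events_per_year * outcome_probabilities(node).get(bad_outcome, 0.0)
    return aro, sle * aro


if __name__ == "__main__":
    for path, p, outcome in enumerate_paths(EVENT_TREE):
        print(f"{p:.3f}  {outcome}  via {path}")
    print(outcome_probabilities(EVENT_TREE))
    # constructed: 12 phishing campaigns a year, $5000 per successful compromise
    print(annual_loss_from_event_tree(EVENT_TREE, 12, 5000))
```

With these constructed numbers, 9.5% of phishing campaigns end in unauthorized access, so 12 campaigns a year give an ARO of 1.14 and an ALE of $5,700; the path listing shows which branch (credential obtained and 2FA defeated, versus keylogger then cracked password) contributes most, which is where a control change would pay off.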
Failure mode and effects
analysis (FMEA)
FMEA is an inductive reasoning (forward logic) single point of
failure analysis to review as many components, assemblies,
and subsystems as possible to identify failure modes, and
their causes and effects
Each failure mode gets a numeric score that quantifies:
likelihood (probability) that the failure will occur
likelihood that the failure will not be detected
the amount of harm or damage the failure mode may
cause to a person or to equipment (severity)
Note: FMEA originated from the literature of reliability analysis, but is used in ISO 27k
eLearning task: Read http://en.wikipedia.org/wiki/Failure_mode_and_effects_analysis
FMEA
Risk Priority Number (RPN)
RPN=sev*prob*det
eLearning task: Understand www.iso27001security.com/ISO27k_FMEA_spreadsheet.xlsx
FMEA in ISO27k
(Example from the ISO27k FMEA spreadsheet; image not reproduced)
Source: www.iso27001security.com/ISO27k_FMEA_spreadsheet.xlsx
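FMEA scoring with RPN = sev × prob × det, as an added example that is not from the slides or the ISO27k spreadsheet. The 1..10 scales, the four failure modes in the sample register and the escalation rule (a severity of 9 or more needs action whatever its RPN) are this example's assumptions; the point of the escalation rule is the one the slides make about ALE, namely that multiplying three scores into one number hides a rare-but-catastrophic mode behind a modest product.

```python
# Added example (not from the slides or the ISO27k spreadsheet): FMEA scoring
# with RPN = severity x occurrence x detection. The 1..10 scales, the sample
# failure modes and the escalation rule are this example's assumptions.
from dataclasses import dataclass


@dataclass(frozen=True)
class FailureMode:
    component: str
    mode: str
    effect: str
    severity: int    # 1 = negligible harm .. 10 = catastrophic
    occurrence: int  # 1 = remote .. 10 = almost certain
    detection: int   # 1 = certain to be caught before harm .. 10 = undetectable


def _check_score(name, value):
    if not isinstance(value, int) or not 1 <= value <= 10:
        raise ValueError(f"{name} must be an integer 1..10, got {value!r}")


def rpn(fm):
    """Risk Priority Number: sev * prob(occurrence) * det, range 1..1000."""
    for name in ("severity", "occurrence", "detection"):
        _check_score(name, getattr(fm, name))
    return fm.severity * fm.occurrence * fm.detection


def prioritise(modes, rpn_threshold=150, severity_escalation=9):
    """Rank failure modes by RPN (highest first). A mode needs action if its RPN
    reaches the threshold OR its severity alone is at/above the escalation level:
    the product can hide a catastrophic-but-rare mode behind a modest number."""
    ranked = sorted(modes, key=rpn, reverse=True)
    return [(fm, rpn(fm), rpn(fm) >= rpn_threshold or fm.severity >= severity_escalation)
            for fm in ranked]


# Constructed sample register (not from the ISO27k spreadsheet).
SAMPLE_MODES = [
    FailureMode("email service", "account password guessed",
                "unauthorized access to email", 7, 5, 6),
    FailureMode("2FA rollout", "2FA not deployed for some accounts",
                "single-factor logins", 8, 3, 2),
    FailureMode("backup job", "backup silently failing",
                "data unrecoverable after an incident", 9, 2, 7),
    FailureMode("web application", "unpatched component in use",
                "remote compromise of host", 8, 6, 4),
]


if __name__ == "__main__":
    for fm, score, act in prioritise(SAMPLE_MODES):
        print(f"{score:4d}  {'ACT ' if act else '    '} {fm.component}: {fm.mode}")
```

The register ranks 210, 192, 126, 48; the backup failure sits third by RPN but is still flagged, because a score of 9 for severity and 7 for detection describes a loss you would not notice until it is too late.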
The only constant is change
Risk analysis needs to be “current”
ISCM
Information security continuous monitoring (ISCM) is defined as maintaining ongoing awareness of information security, vulnerabilities, and threats to support organizational risk management decisions.
NIST publication SP800-137 (statutory under FISMA)
“continuous” = frequent; frequency determined by criticality of issues
Source: http://csrc.nist.gov/publications/nistpubs/800-137/SP800-137-Final.pdf
ISCM
Tier 1 risk management activities address high-level information security governance policy as it relates to risk to the organization as a whole, to its core missions, and to its business functions.
ISCM
Tier 2 criteria for continuous monitoring of information security are defined by how core mission/business processes are prioritized with respect to the overall goals and objectives of the organization, the types of information needed to successfully execute the stated mission/business processes, and the organization-wide information security program strategy.
ISCM
ISCM activities at Tier 3 address risk management from an information system perspective. These activities include ensuring that all system-level security controls (technical, operational, and management controls) are implemented correctly, operate as intended, produce the desired outcome with respect to meeting the security requirements for the system, and continue to be effective over time.
Wrap-up: Risk Assessment
No perfect security
Limited resources
Identify and prioritize risks
Consequences and costs
Different approaches to explore
There’s no marauder’s map!!