Ri$k Analysis
Christina Kong, Nicole Lei

Agenda
- Introduction
- Risk Analysis
- NIST Risk Management Guide
- Electronic Commerce Security Assessment
- Threat Tree Workshop
- Term Project
- Conclusion

What is Risk Analysis
- Quantify the impact of potential threats
  - Put a $$ value on assets
  - Identify potential threats and vulnerabilities
  - Cost/benefit

How much $$$
- Asset Value
  - Corporate world ($$)
  - Government (national security)
- Exposure Factor (EF)
- Single Loss Expectancy (SLE)
  - Asset Value * EF
- Annualized Rate of Occurrence (ARO)
- Annualized Loss Expectancy (ALE)
  - SLE * ARO

Quantitative vs. Qualitative
- Quantitative
  - Money, money and more money
  - Usually in the corporate world
- Qualitative
  - Subjective quality rating
  - Government sector

Asset Identification and Valuation
- Beware: always overlooked!!
- The fundamental step in ALL security auditing methodologies
- Necessary to perform the cost/benefit analysis
- Incorrect values reduce the financial effectiveness of the analysis

Threat Identification
- Usually categorized, for example:
  - Criminal
  - Personnel
  - Environmental
  - Information warfare
  - Application/operational
  - Computer infrastructure
  - Data classification
  - Delayed processing

NIST – Risk Assessment: Information Gathering
- Any or a combination of the following:
  - Questionnaire
  - On-site interviews
  - Document review
  - Automated scanning

Risk Mitigation
- Your options:
  - Risk assumption
  - Risk avoidance
  - Risk limitation
  - Risk transference

Risk Mitigation Action Points

Difficulty with Data
- Lack of consistency in content, conduct and coverage of information security data
- Lack of standardization in terminology, valuation and classification of security breaches
- How much we know and how much we don’t know

Relevance of Data
- What? You said my data is useless :(
  - “There are no statistically valid samples applicable to specific vulnerabilities for use in information security risk assessment. Because future frequency is unknown and cannot be adequately estimated, we attempt to use data on past loss experience. But past data consist of a series of known events; they are not a complete or valid sampling set of independent observations – as demanded by the laws of probability” (Donn B. Parker, Fighting Computer Crime)

One Real Life Example
- Pennsylvania Governor’s Office of Information Technology

Electronic Commerce Security Assessment
- Definition of electronic transaction
  - “transaction” – an action or set of actions occurring between two or more persons relating to the conduct of business, commercial or governmental affairs
  - “electronic” – relating to technology having electrical, digital, magnetic, wireless, optical, electromagnetic or similar capabilities

8 Steps for Determining Appropriate Application Security Procedures
- Step 1: Define the electronic government transaction
- Step 2: Identify the type of information necessary for the transaction
- Step 3: Evaluate the consequences of a security breach
- Step 4: Plot the security breach impact result on the Security Assessment Matrix

8 Steps continued…
- Step 5: Evaluate the security breach risk
- Step 6: Plot the security breach risk result on the matrix
- Step 7: Review the results of the Security Assessment Matrix
- Step 8: Create a network diagram

Threat Tree
- Originates from “fault trees” in system reliability engineering
- One approach to identifying threats
- An analytical threat derivation technique designed to assist system engineers during the security development of computer systems

Basic Threat Tree Structure

Threat Tree How-To
- When using threat trees, threats are normally categorized into three types:
  - Disclosure threats
    - Confidentiality
  - Integrity threats
  - Denial of service threats
    - Availability

Wake up!! Let’s do some work!
- Simple Threat Tree Example
  - Unauthorized Account Access
    - ???
      - ???
      - ???
    - ???
      - ???
      - ???
    - ???
      - ???
      - ???

Conclusion
- Any questions?
- Homework assignment
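The SLE/ALE arithmetic from the “How much $$$” slide, carried through to the cost/benefit decision the deck mentions, as an added example that is not part of the original slides. The asset value, EF, ARO and control cost are constructed figures; the cost/benefit rule (ALE reduction minus annual safeguard cost) is the standard quantitative one, not something the slides spell out.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    """Quantitative inputs for one asset/threat pair."""
    name: str
    asset_value: float      # AV, in dollars
    exposure_factor: float  # EF: fraction of AV lost in one incident, 0..1
    aro: float              # ARO: expected incidents per year

    def sle(self) -> float:
        """Single Loss Expectancy = Asset Value * EF."""
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError("EF must be a fraction between 0 and 1")
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annualized Loss Expectancy = SLE * ARO."""
        if self.aro < 0:
            raise ValueError("ARO cannot be negative")
        return self.sle() * self.aro


def control_value(before: Risk, after: Risk, annual_control_cost: float) -> float:
    """Cost/benefit of a safeguard: how much ALE it removes per year minus what
    it costs per year. Positive means the safeguard pays for itself."""
    return before.ale() - after.ale() - annual_control_cost


# Constructed sample (hypothetical, not from the slides): a customer database
# valued at $500k, where a breach destroys 40% of that value about every 2 years.
DB_BEFORE = Risk("customer database", 500_000, 0.40, 0.5)
# Same asset after a safeguard that cuts the expected breach rate to once a decade.
DB_AFTER = Risk("customer database", 500_000, 0.40, 0.1)
CONTROL_COST = 30_000  # constructed annual cost of the safeguard

if __name__ == "__main__":
    print(f"SLE        : ${DB_BEFORE.sle():>10,.0f}")
    print(f"ALE before : ${DB_BEFORE.ale():>10,.0f}")
    print(f"ALE after  : ${DB_AFTER.ale():>10,.0f}")
    print(f"Net value  : ${control_value(DB_BEFORE, DB_AFTER, CONTROL_COST):>10,.0f}")
```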