Risk Analysis

Information Systems Risk Analysis and Management
Spyros Kokolakis
University of the Aegean
IPICS 2005, Chios, 18-29 July 2005
Much about technology…
• Information and Communication Technologies Security
– Networks
– Wireless
– Databases
– Internet
– Smart cards
– Keys
– Cryptography
– Intrusion detection
– …
Real world…
IS or ICT Security?
• Information and Communication Technologies Security
– Confidentiality, Integrity, Availability etc.
• Information System
– An Information System comprises five interdependent elements: hardware, software, data, procedures, and people. These elements interact for the purpose of processing data and delivering information.
– An IS exists to serve an enterprise or organization and, consequently, it may only be studied in the context of the organization it serves.
Information Systems overview
How to fit security in the picture
• With people as part of the system, we can forget about any simple solutions.
• IS security has no strict definition
• Security is a kind of …feeling
– “Are you secure?” or “Do you feel secure?” What’s the right question?
Example: Airport security
List of possible measures
1. Scissors etc. not allowed
2. ID check (photo ID must be presented)
3. Only the person named on the ticket can travel
4. X-rays
5. Lighters are not allowed anywhere in the airport (…it’s time to quit smoking)
6. Biometrics
7. Boot your laptop to see if it has a battery
8. Lock the captain’s cabin
9. Armed guards on board
10. Interview all passengers before boarding
In such a complex environment…
• Total security is out of the question
– People’s behaviour is unpredictable
– We cannot account for all possible threats and we cannot detect all vulnerabilities.
– Security costs money; and also time, people and other resources.
• So, what shall we do?
Risk analysis & management
• We need to employ methods that will allow us to measure the risk associated with the operation of an IS, in order to take measures proportionate to the level of risk.
• We need risk analysis and management methods
What is Risk and how to measure it
• Risk is determined by the following factors
– Assets (A)
– Impact (I)
– Threats (T)
– Vulnerabilities (V)
R = f(A, I, T, V)
Assets, Impacts, Threats & Vulnerabilities
• Assets: what needs protection
• Business impact is the outcome of a failure to protect the assets of the IS.
• Threat is any action or event that may cause damage to an Information System.
• Vulnerability is a characteristic of the IS that may allow a threat to succeed.
Conceptualisation of IS Sec
Risk analysis & management
Risk management methods
• There are more than 100 methods
– CRAMM
– MARION
– SBA
– OCTAVE
SBA (Security By Analysis)
• Developed in Sweden in the early ’80s
• Very popular in Sweden and other Scandinavian countries
• Focus on people
– People involved in everyday operations have a better chance to identify problems
• A set of methods
– SBA check
– SBA scenario
CRAMM
• CCTA Risk Analysis and Management Method
• Developed in the UK in the late ’80s
• Used in many countries; it has been applied in many hundreds of cases
• It includes a ‘countermeasures library’
CRAMM overview
• Stage 1: Initiation and asset valuation
– Model the IS; Valuate the assets; Management review
• Stage 2: Risk assessment
– Identify threats; Assess threats and vulnerabilities; Calculate risks; Management review
• Stage 3: Risk management
– Select countermeasures; Prioritise countermeasures and schedule implementation; Obtain management approval; Monitor
OCTAVE®: Operationally Critical Threat, Asset, and Vulnerability Evaluation®
What is OCTAVE?
• A comprehensive, repeatable methodology for identifying risks in networked systems through organizational self-assessment.
• Helps organizations apply information security risk management to secure their existing information infrastructure and to protect their critical information assets.
Goal of OCTAVE
• Plan how to apply good security practices to address organizational and technical vulnerabilities that could impact critical assets
– Two versions: One for large organisations (> 300 employees) and one for small organisations
• Organizational issues
– Policies or security practices
• Technical issues
– Technology infrastructure
Information Security Risk Management Framework
Mind the gap
• Security Practices Gaps Result From an Organizational Communication Gap
Octave is the bridge
• OCTAVE is an Organizational Approach to Security Risk Management
The process
OCTAVE Analysis Team
An interdisciplinary team (4-6) consisting of
• business or mission-related staff
• information technology staff
Phase 1 – Organizational View
• Data gathering of the organizational perspectives on
– assets
– threats to the assets
– security requirements of the assets
– current protection strategy practices
– organizational vulnerabilities
• The perspectives will come from
– senior managers
– operational area managers (including IT)
– staff (from the operational areas and IT)
Phase 1 Questions
• What are your organization’s critical information-related assets?
• What is important about each critical asset?
• Who or what threatens each critical asset?
• What is your organization currently doing to protect its critical assets?
• What weaknesses in policy and practice currently exist in your organization?
Asset
• Something of value to the organization that includes one or more of the following:
– information
– systems
– services and applications
– people
• Critical when there will be a large adverse impact to the organization if
– the asset is disclosed to unauthorized people.
– the asset is modified without authorization.
– the asset is lost or destroyed.
– access to the asset is interrupted.
Asset protection requirements
• Prioritize the qualities of an asset that are important to the organization:
– confidentiality
– integrity
– availability
• Example for availability: Internet access should be provided 24x7x365, 97% of the time.
Threat
• An indication of a potential undesirable event involving a critical asset
• Examples
– A disappointed student could set a fire.
– A virus could interrupt access to the university network.
– An operator may set the firewall to deny all access without noticing.
Threat Properties
• Critical Asset
• Actor (human, system, other)
• Motive (deliberate or accidental) – human actor only
• Access (network or physical) – human actor only
• Outcome
– Disclosure or viewing of sensitive information
– Modification of important or sensitive information
– Destruction or loss of important information, hardware, or software
– Interruption of access to important information, software, applications, or services
Asset-based risk profile
Phase 2 – Technology View
• Identify technology vulnerabilities that provide opportunities for impacting critical assets
Methods / Tools
• You can use a variety of methods and tools:
– Interviews with people
– Documentation analysis
– Network scanners
– Log analysers
– Vulnerability assessment tools
– etc.
Phase 2 Questions
• How do people access each critical asset?
• What infrastructure components are related to each critical asset?
• What technological weaknesses expose your critical assets to threats?
Phase 3 – Risk Analysis
– Establish the risks to the organization’s critical assets.
– Define mitigation plans to protect the critical assets.
– Characterize the organization’s protection strategy.
– Identify the next steps to take after the evaluation to ensure progress is made.
Impact Evaluation Criteria
• Define the organization’s tolerance for risk.
• Standard areas of impact considered include:
– reputation/customer confidence
– life/health of customers
– productivity
– fines/legal penalties
– financial
– other
Expression of Risk
• A risk is expressed using
– a threat scenario (a branch on a threat tree)
– the resulting impact on the organization
Example
• Viruses can interrupt staff members from accessing the network. They will not prepare their lectures on time.
• Impact value: medium
Threat scenario
[Figure: threat scenario tree for one asset. Branches run asset → access (network) → actor (inside / outside) → motive (deliberate / accidental) → outcome (disclosure, modification, loss/destruction, interruption) → impact (Low / Medium / High).]
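As an added example (not from the slides and not OCTAVE's own worksheets), the threat tree above and the "threat scenario + impact" expression of risk, worked in Python. The impact evaluation criteria for a university network are constructed values standing in for an organisation's own tolerance; the virus example from the preceding slide comes out as medium impact.

```python
from dataclasses import dataclass
from itertools import product
from typing import Optional

# Threat properties from the "Threat Properties" slide. Motive and access apply to human actors only.
HUMAN_ACTORS = ("inside", "outside")
MOTIVES = ("deliberate", "accidental")
OUTCOMES = ("disclosure", "modification", "loss/destruction", "interruption")
LEVELS = {"low": 1, "medium": 2, "high": 3}  # qualitative impact scale

@dataclass(frozen=True)
class ThreatScenario:
    """One branch of an asset-based threat tree."""
    asset: str
    actor: str                    # "inside", "outside" or "system"
    outcome: str
    access: Optional[str] = None  # "network" or "physical"; human actors only
    motive: Optional[str] = None  # "deliberate" or "accidental"; human actors only

def threat_tree(asset: str, access: str = "network") -> list:
    """Enumerate the branches for one access path, plus the non-human 'system' actor."""
    human = [ThreatScenario(asset, actor, outcome, access, motive)
             for actor, motive, outcome in product(HUMAN_ACTORS, MOTIVES, OUTCOMES)]
    system = [ThreatScenario(asset, "system", outcome) for outcome in OUTCOMES]
    return human + system

def impact_value(scenario: ThreatScenario, criteria: dict) -> str:
    """Apply the impact evaluation criteria: the worst impact across areas is the branch's value."""
    areas = criteria[scenario.outcome]  # e.g. {"productivity": "medium", "reputation": "low"}
    return max(areas.values(), key=LEVELS.__getitem__)

def risk_profile(asset: str, criteria: dict) -> list:
    """Express each risk as (threat scenario, impact), highest impact first."""
    risks = [(s, impact_value(s, criteria)) for s in threat_tree(asset)]
    return sorted(risks, key=lambda r: LEVELS[r[1]], reverse=True)

# Constructed impact criteria for a university network (illustrative values, not the slides').
UNIVERSITY_NETWORK_CRITERIA = {
    "disclosure":       {"reputation": "high", "fines/legal": "high", "productivity": "low"},
    "modification":     {"reputation": "medium", "productivity": "medium"},
    "loss/destruction": {"financial": "medium", "productivity": "high"},
    "interruption":     {"productivity": "medium", "reputation": "low"},
}

if __name__ == "__main__":
    # The slides' example: a virus (system actor) interrupting network access -> medium impact.
    for scenario, impact in risk_profile("university network", UNIVERSITY_NETWORK_CRITERIA):
        print(f"{impact:6} {scenario.actor:7} {scenario.motive or '-':10} {scenario.outcome}")
```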
Phase 3 Questions
• What is the potential impact on your organization due to each threat? What are your organization’s risks?
• Which are the highest priority risks to your organization?
• What policies and practices does your organization need to address?
• What actions can your organization take to mitigate its highest priority risks?
• Which technological weaknesses need to be addressed immediately?
Outputs of Octave
• Protection Strategy: defines organizational direction
• Mitigation Plan: plans designed to reduce risk
• Action List: near-term action items
Protection Strategy
• Structured around the catalog of practices and addresses the following areas:
– Security Awareness and Training
– Security Strategy
– Security Management
– Security Policies and Regulations
– Collaborative Security Management
– Contingency Planning/Disaster Recovery
– Physical Security
– Information Technology Security
– Staff Security
Mitigation Plan
• Defines the activities required to remove or reduce unacceptable risk to a critical asset.
• Focus is on activities to
– recognize or detect threats when they occur
– resist or prevent threats from occurring
– recover from threats if they occur
• Mitigations that cross many critical assets might be more cost effective as protection strategies
OCTAVE-S
• Defines a more structured method for evaluating risks in small (less than 100 employees) or simple organizations
– requires less security expertise in analysis team
– requires analysis team to have a full, or nearly full, understanding of the organization and what is important
– uses “fill-in-the-blank” as opposed to “essay” style
• Will also be defined with procedures, guidance, worksheets, information catalogs, and training
OCTAVE Information
• Visit http://www.cert.org/octave
– Introduction to the OCTAVE Approach
– OCTAVE Method Implementation Guide
– OCTAVE-S (version 0.9)
• Book: Managing Information Security Risks: The OCTAVE Approach by Christopher Alberts and Audrey Dorofee from Addison-Wesley.