1 / 16

Risk Assessment Richard Newman

Risk Assessment Richard Newman. Six Phases of Security Process. 1. Identify assets 2. Analyze risk of attack 3. Establish security policy 4. Implement defenses 5. Monitor defenses 6. Recover from attacks Continuous Improvement Model – use 5 and 6 to update, revise, improve all phases.

emanuelm
Download Presentation

Risk Assessment Richard Newman

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Risk AssessmentRichard Newman

  2. Six Phases of Security Process 1. Identify assets 2. Analyze risk of attack 3. Establish security policy 4. Implement defenses 5. Monitor defenses 6. Recover from attacks Continuous Improvement Model – use 5 and 6 to update, revise, improve all phases

  3. Systems Engineering Process 1. Planning – • requirements, resources, expectations 2. Trade-off analysis - • Solution development • Solution analysis • Solution comparisons • Solution selection 3. Development and implementation • Realize selected solution 4. Verification • Formal verification, validation, testing 5. Iteration • Use feedback from each stage and from deployment to improve

  4. Deming Cycle (PDCA) 1. Plan – • Objectives, processes 2. Do - • Implement process 3. Check - • Measure results vs. expected results 4. Act - • Analyze differences, find causes, revise processes ISO 27002, used with ISO 27001 for IT A.k.a. Shewhart Cycle (father of statistical quality control) Motorola “Six Sigma” Boyd's OODA Cycle (Observe, Orient, Decide, Act) - Military

  5. Threats Potential source of harm • Knowledge • Resources • Motive Threat classes • Script kiddies/ankle biters • Cracker • Phone phreak • Hacker – Black hat/white hat • Organized crime • Corporate crime • Government group

  6. Risk Level Risk level changes over time • Asset visibility • Asset owner visibility • Resource availability • Access to assets • Motivation changes • Knowledge of vulnerabilities Requires continuous re-evaluation Must also consider consequences of breach

  7. Identifying Assets 1. Hardware • Off-the shelf replacement cost/customization 2. Purchased software • Cost/installation/customization 4. Developed software 5. Statutorily protected data • Health/Financial/Academic/... 6. Organizational data • Work products (designs/analyses/reports/...) • Planning (marketing/engineering/financial/...) • Contacts (customers/vendors/associates/etc.) 7. Activities • Production/communication/...

  8. Implementing Protection Controls - • Hardware • Software • Processes Costs - • Up front cost to buy/develop/train/install/configure • On-going operational costs – inconvenience/monitoring/reconfiguration • Performance costs – CPU slowdown/human delay Cost vs. Effectiveness

  9. Risk Assessment Identify Risks - • Identify assets • Identify threat agents • Identify attacks Prioritize Risks - • Estimate likelihood of attacks • Estimate impact of attacks • Calculate relative significance of attacks

  10. Threat agents revisited Outsiders • Property thieves • Vandals • Identity thieves • Botnet operators • Con artists • Competitors Insiders • Embezzlers • Housemates/coworkers • Malicious acquaintances • Maintenance crews • Administrators “Natural” threats • Hurricane/tornado/earthquake/hail/rain/flooding/terrorism/war/...

  11. Security Properties/Goals Confidentiality • All disclosures only reveal information to authorized recipients in accordance with policy Integrity • All changes are are performed by authorized entities, and are consistent with integrity policy Availability • Assets available to authorized users when needed with performance required

  12. Security Services Confidentiality • Restrict access to information to authorized recipients in accordance with policy Integrity • Only allow changes that are are performed by authorized entities, and are consistent with integrity policy Availability • Ensure assets are available to authorized users when needed with performance required Authentication • Establish that entity that sent message/made access is correctly identified Non-repudiation • Ensure that an entity that performs action/makes statement cannot deny it later

  13. Information Attacks Physical theft • Computing resource physically removed Denial of Service • Use of computing resource is lost Subversion/Modification • Asset modified to act on behalf of attacker (trojan horse) • Authentic artifact modified to suit attacker Masquerade/spoofing • Attacker takes on identity of another when accessing resources Disclosure • Information revealed contrary to policy (passive attack) Forgery/Replay • Attacker produces artifact that appears authentic • Attacker repeats authentic message

  14. NIST Recommendations 1. System Characterization 2. Threat Identification 3. Vulnerability Identification 4. Control Analysis 5. Likelihood Determination 6. Impact Analysis 7. Risk Determination 8. Control Recommendations 9. Documentation http://csrc.nist.gov/publications/drafts/800-30-rev1/SP800-30-Rev1-ipd.pdf

  15. SEI OCTAVE Process Phase 1 – Build Asset-based Threat Profiles • Identify assets, threats, organizational risks Phase 2 – Identify Infrastructure Vulnerabilities • Analyze infrastructure resources for vulnerabilities Phase 3 – Develop Security Strategy and Plans • Recommend and implement controls http://www.cert.org/octave/

  16. OCTAVE Allegro 1. Establish risk measurement criteria 2. Develop information asset profile 3. Identify information asset containers 4. Identify areas of concern 5. Identify threat scenarios 6. Identify risks 7. Analyze risks 8. Select mitigation approach http://www.cert.org/octave/allegro.html

More Related