600 likes | 1.01k Views
Information Security Threat Assessment. The C-I-A Triad. Confidentiality (sensitivity, secrecy) Integrity (accuracy, authenticity, etc) Availability (fault tolerance, recovery, etc) Authentication Non-Repudiation. Basic Overview. Value of information Threats Vulnerabilities Risk
E N D
The C-I-A Triad • Confidentiality (sensitivity, secrecy) • Integrity (accuracy, authenticity, etc) • Availability (fault tolerance, recovery, etc) • Authentication • Non-Repudiation
Basic Overview • Value of information • Threats • Vulnerabilities • Risk • Risk Analysis
The Value of Information • Information has value • May be defined or perceived • Value may change • Business model (way its used..) • Different reasons to target information • Value • Use • Destruction
Threats • Activity that represents possible danger • Can come in different forms • Can come from different places • Can’t protect from all threats • Protect against most likely or most worrisome such as: • Business mission • Data (integrity, confidentiality, availability)
The Concept of Threats and Threat Agents* • Threat elements • Natural threats and accidents • Malicious threats • Malicious threat agents • Capability • Ability to mount and sustain an effective attack • Motivation • Political, secular, personal gain, religious, revenge, power, curiosity, etc. • Access • Physical or logical access to the target • Catalyst • Something that causes the threat agent to select the target • Inhibitors • Events, actions, countermeasures, etc. that prevent the threat agent from mounting an attack • Amplifiers • Events, actions, etc. that encourage a threat agent to mount an attack
Relationships of Malicious Threats threat agent capability catalysts motivation access inhibitors amplifiers threat
Threat Agents • Nation-states • Terrorists • Pressure groups • Commercial organizations • Criminal groups • Hacker groups • Disaffected staff
Vulnerabilities • A condition, weakness, or absence of security procedures, technical controls, physical controls, or other controls that could be exploited by a threat. • Often analyzed in terms of missing safeguards • Contribute to risk because they allow a threat to harm a system
Classes of Vulnerabilities • Hard vulnerabilities - • bugs, • misconfigurations, etc. • Soft vulnerabilities - • Systems not configured to company policy • Lack of underlying policies, procedures or configuration/change management • Insufficient logging • Company policies go against best practices
Vulnerabilities • Hardware • Software • Infrastructure • Processes
Known Vulnerabilities • Design Flaws • Software Development (SDLC) • Innovative Misuse • Incorrect Implementation • Documentation • Social Engineering
Risk • A potential for loss or harm • An exposure to a threat • Risk is Subjective • Dependent on situation and circumstances • Impossible to fully measure
Concepts of Risk • Generalized risk model – components of risk • Assets • Threats • Vulnerabilities • Impacts • Countermeasures • Many types of risk analysis • Qualitative • Quantitative • Hybrid • Simple risk analysis model • ALE = VL • Annualized Loss Expectancy = Value of the Asset times Likelihood of the Threat • Too simplistic for most practical uses
Concepts of Risk - Definitions • Assets – • Things to be protected • Physical, logical, human • Threats – • Events with the potential to cause unauthorized access, modification, disclosure or destruction of an asset • Vulnerabilities – • Weaknesses in an asset or associated countermeasure that can be exploited to realize upon a threat • Impacts – • Outcome of a threat acting upon a vulnerability • Usually measured as money losses • Countermeasure (safeguards) – • Protective measures implemented to counter threats and mitigate vulnerabilities • Risk – • The probability that a threat will exploit a particular set of vulnerabilities successfully – Peltier • The likelihood that a threat agent will successfully exploit a vulnerability to create and unwanted or adverse impact – Jones • Exposure Factor (EF) • Percentage of loss a successful threat event would have on a single specific asset • Single Loss Expectancy (SLE) • Dollar figure assigned to single event: SLE = AV ( Asset Value in $) X EF • Annualized Rate of Occurrence (ARO) • Estimated frequency in which a threat is expected to occur • Annualized Loss Expectancy (ALE) • Total computed estimated loss per year (ALE=AV X ARO)
Handling Risk • Eliminate it • Minimize It • Accept it • Transfer it
Common Risk Analysis Fallacies • Vulnerabilities = Risks • The Truth: vulnerabilities = vulnerabilities • Vulnerability assessment or penetration testing does not, by itself, identify or quantify risk • Threats are not an element of risk • The Truth: threats are (arguably) the most important element of risk • Tools = Countermeasures • The Truth: tools are just tools. Many countermeasures are administrative or a combination of tools and administration • The best countermeasures are layered (defense in depth) • All risks must be mitigated • The Truth: don’t waste money protecting garbage. There is a valid concept of “acceptable risk”.
Assessment • Takes a security “snapshot” of a computing environment at any given time. • Evaluates the information security policies and procedures • Establishes a baseline for operations • Can be “Formal” or Informal” • Can be “Quantitative” or “Qualitative” in nature
The Name Game Risk Assessments go by many names: • Security Baseline Assessment • Penetration Study (“Ethical Hacking) • Vulnerability Scan • Policy consulting • Audits
Why use a Risk Assessment? • To gauge the security posture of a given resource- Division, Department, or Organization • Help Justify cost of security controls • To understand shortcomings in current technology environment • To prepare for doing business on the Internet
Quantitative Characteristics • Relies on statistical measurement for rationality • Generally used on mature environments • Security posture is “rated” based on collection of weighted data findings
Qualitative Characteristics • Subjective in Nature • Generally used on Immature environments • Interviews and observation key part of assessment • Recommendations based on “best practices”
Audit vs. Assessment • An audit is a formal process used to measure the high-level aspects of an infrastructure’s security from an organizational point of view. • Limited in scope • No low-level technical details • Check-list style methodology
Risk Based Audit Approach • Audit risk can be defined as the risk that the information / financial report may contain material error or that the IS Auditor may not detect an error that has occurred. • Inherent Risk • Control Risk • Detection Risk • Overall Audit Risk
Audit vs. Assessment • Security Assessments are attempts to measure as many technical details of an infrastructure’s security posture as possible. • Less formal • More detailed / broader in scope • Considered an “Art form”
Why use Quantitative? • If your organization has implemented basic security countermeasures, and wants to improve its posture • If upper management respond well to presentations of findings based on numerical representation • If statistically-based facts will help “Sell” security to executives
Why use Qualitative? • If your security policy is brand new • If your culture works well with “consulting” type approaches • If “best practices” can be used to sell upper management on the proper security controls • If your expectations involve a shorter assessment cycle
Do Not use an Assessment… • If your organization does not have a security policy defined • If your organization is experiencing high turn-over • If upper management does not “sponsor” security expenditures
Network Security Assessment Expected results: • Identify security vulnerabilities • Provide corrective action knowledge base • Recommend corrective action • Continuous “realtime” monitoring • Repeatable and measurable • Used to justify security controls to upper management
Basic Formula Threat x Vulnerability Risk = -------------------------------- x Value Countermeasures Asset Value x exposure factor = Single Loss Expectancy (SLE) SLE x annualized rate of occurrence (ARO) = Annualized Loss Expectancy (ALE)
RA methodology Examples Qualitative: • CRAMM • RAM-X • IAM • OSG • Quantitative: • Courtney • RAM-X
Courtney – quantitative L=annualized loss expectancy i= impact rating f= Threat frequency CRAMM – qualitative “CCTA Risk Analysis and Management Methodology” Not mathematical – subjective Attempts to take a holistic view Gathers information through structured interviews L = 10(i+f-3) 3 Stage 1: Establish boundaries of the review (assets) Stage 2: Establish threat context Stage 3: Establish necessary countermeasures Representative Risk Analysis Methods
Risk Management Cycle Assess Risk and Determine Needs Monitor and Evaluate Central Focal Point Implement Policies and Controls Promote Awareness Initial Entry Point
Basic Risk Analysis Steps • Estimate potential losses to assets by determining their value(s) • Analyze potential threats to the assets • Define the Annualized Loss Expectancy (ALE)
10-Step Qualitative Risk Analysis Approach • Develop scope • Assemble team • Identify threats • Prioritize threats • Estimate impact priority • Calculate total threat impact • Identify safeguards • Cost-benefit analysis • Rank safeguards by priority • Write the report
The CRAMM Qualitative Method • CRAMM analysis may be done using a packaged software application • cost is about $4,200 plus about $1,200 per year maintenance • Interview format tool with large databases of questions, threats, vulnerabilities and impacts • A qualitative approach that is useful both for risk analysis and risk management
The CRAMM Qualitative Method – Risk Model • Assets • Threats • Vulnerabilities • Impacts • Information disclosure • Accidental or intentional destruction of data • Data modification • Denial of service • Countermeasures • Reduction of threat • Reduction of vulnerability • Reduction of impact • Detection • Recovery • Risks • A risk arises when a threat is able to exploit a vulnerability in an important asset to cause an unacceptable impact
The CRAMM Qualitative Method - Stages • Three stages • Establish scope – asset based • Establish threat context and vulnerabilities for assets identified in stage 1 • Identifies security requirements for each relevant group of assets • Establish countermeasures • Output is a security plan • Good idea to perform a cost-benefit analysis in this stage although this is not part of the formal CRAMM method • Baseline review approach curtails CRAMM activities in unimportant areas
Courtney Quantitative Method • Asset based • Uses loss expectancy formula: • Impact categories • Disclosure • Modification • Destruction • Lack of availability • Impact $ (i) taken from an impact rating table • Threat frequency (f) taken from a threat frequency table L = 10(i+f-3) 3
Courtney Impact Rating Table (i) Impact ($) Rating 10 100 1,000 10,000 100,000 1,000,000 1 2 3 4 5 6
Courtney Threat Frequency Table (f) Frequency Frequency Rating Once in: 1 2 3 4 5 6 7 8 300 years 30 years 3 years 100 days 10 days 1 day 10 times per day 100 times per day
Asset Under Review: i f L Accidental Disclosure Modification Destruction Deliberate Disclosure Modification Destruction Exposure if unable to Process for: 2 hours 4 hours 8 hours 12 hours 18 hours Typical Courtney Collection Form L = 10(4+3-3) 3 L = 104 3 L = 10,000 3 L = $3,333 4 $3,333 3
NSA IAM Qualitative project management framework Pre-Assessment On-Site Post-Assessment Pre Assessment Contact Analysis Recommendations Final Report Project Coordination Data Collection
RAM-X • Put together by Sandia Labs, along with the FBI, Military, Corps of Engineers, and others • Designed to be a quantitative measurement of risks associated with Critical Infrastructure
RAM-X Formula • PA * C * (1-PE) = R PA= Analyze Threat C = Critical Assets PE = System Effectiveness PE < 1 C < 1
OSG • Developed a way to utilize Qualitative and quantitative methods through its “Thessaly” framework • Current State • Desired State • Gap Analysis • Solution recommendations • Security Maturity Grid