Qualitative Risk Analysis Sanjay Goel University at Albany, SUNY
Course Outline
• Unit 1: What is a Security Assessment? Definitions and Nomenclature
• Unit 2: What kinds of threats exist? Malicious Threats (Viruses & Worms) and Unintentional Threats
• Unit 3: What kinds of threats exist? (cont’d) Malicious Threats (Spoofing, Session Hijacking, Miscellaneous)
• Unit 4: How to perform security assessment? Risk Analysis: Qualitative Risk Analysis
• Unit 5: Remediation of risks? Risk Analysis: Quantitative Risk Analysis
Qualitative Risk Analysis: Outline for this unit
• Module 1: Qualitative Risk Analysis
• Module 2: Matrix Based Approach
• Module 3: Determine Assets and Vulnerabilities
• Module 4: Determine Threats and Controls
• Module 5: Case Study
Risk Analysis: Outline
• What are the difficulties with risk analysis?
• What are the two different approaches?
• What is the methodology for qualitative risk analysis?
Risk Analysis: Definition
• Risk analysis is the identification and assessment of levels of risk, derived from the known values of assets and the levels of threats to, and vulnerabilities of, those assets.
• It involves the interaction of the following elements: assets, vulnerabilities, threats, impacts, likelihoods and controls.
Risk Analysis: Concept Map
• Threats exploit system vulnerabilities, which expose system assets.
• Security controls protect against threats by meeting security requirements established on the basis of asset values.
Source: Australian Standard Handbook of Information Security Risk Management – HB231-2000
Risk Analysis: Difficulties with Information Security Risk Analysis
• Relatively new field
• Lack of formal models
• Lack of data
• Evolving threats
• Constantly changing information systems and vulnerabilities
• Human factors related to security
• No standard of practice
Risk Analysis: Approaches
• Two risk analysis approaches:
• Qualitative: Risk factors are described in words and risk is expressed in terms of its potential (e.g. Low/Medium/High). Threats and vulnerabilities are identified and analyzed using subjective judgment. Uses checklists to determine whether recommended controls are implemented and whether different information systems or organizations are secure.
• Quantitative: Risk is expressed in measurable, numerical terms, typically as an expected monetary loss (e.g. annualized loss expectancy), which requires estimates of asset value and of the likelihood of loss.
Risk Analysis, Qualitative: Methodology
• Qualitative risk analysis methodologies involve relative comparison of risks and prioritization of controls
• They usually relate the following interrelated factors:
• Assets: things of value to the organization
• Threats: things that can go wrong
• Vulnerabilities: weaknesses that make a system more prone to attack or make an attack more likely to succeed
• Controls: countermeasures that remove or reduce vulnerabilities
• More practical, since it is based on practitioner judgment and fits existing processes better. It capitalizes on user experience and does not require extensive data gathering.
• Probability data is not required; an estimate of the potential loss is sufficient
Risk Analysis, Qualitative: Questions 1, 2, and 3
1) What is the difference between quantitative and qualitative risk analysis?
2) Why would one be performed instead of the other?
3) What are the benefits of using a matrix-based methodology for qualitative risk analysis?
Determine Assets and Vulnerabilities: Outline
• What are tangible assets?
• What are non-tangible assets?
• How to assign value to assets? What questions should be asked?
• Example: Lemonade Stand
• How to determine vulnerabilities? What questions should be asked?
Determine Assets: Tangible
• Assets: something that the agency values and has to protect. Assets include all information and supporting items that an agency requires to conduct business.
• Hardware: processors, boards, monitors, keyboards, terminals, drives, cables, connections, controllers, communications media, etc.
• Software: source programs, object programs, purchased programs, operating systems, systems programs, diagnostic programs, etc.
• Information/Data: data used during execution, stored data on various media, archival records, audit data, files with payment details, voice records, image files, product information, continuity plans.
• Services: provided by the company (e.g. computing and communication services, service providers and utilities)
• Documentation: on programs, hardware, systems, administrative procedures and the entire system; contracts, completed forms.
Determine Assets: Non-Tangible
• People and their knowledge (employees): the integral functions and skills an employee provides (e.g. technical, operational, marketing, legal, financial; contractors/consultants, outsourced providers)
• Reputation and image: value attributed to an organization as a result of its general estimation in the public eye (e.g. political standing in the case of government agencies)
• Trust: value consistent with public opinion on the integrity and character of an organization
• Intellectual property: any product of the human intellect that is unique, novel and unobvious (and has some value in the marketplace)
Source: http://www.uta.edu/tto/ip-defs.htm
Determine Assets: Valuation
• Asset values are used to identify the appropriate protection of assets and to determine the importance of the assets to the business.
• Values can be expressed in terms of the potential business impact of a loss of confidentiality, integrity or availability.
• The valuation of some assets differs between small and large organizations
• Intangible assets are hard to quantify
• The hidden costs of recovering from damage are often underestimated
• Where no internal figures exist, borrow them from litigation (damages awarded, settlements)
• Valuation is iterative: refine the figures as better ways of valuing an asset are found
Determine Assets: Valuation, cont’d.
• In this step, the ramifications of a computer security failure for the organization are determined.
• The estimates are often inaccurate:
• The cost of the human effort required to recover from a failure is undervalued, e.g. the cost of restoring data
• Indirect consequences of an event are unknown until the event actually happens
• Catastrophic events that cause heavy damage are so infrequent that reliable data are unavailable
• Non-tangible assets are hard to quantify
• The questions on the next slide prompt us to think about the explicit and hidden costs related to security.
• The answers may not produce precise cost figures, but they help identify the sources of various types of cost.
Determine Assets: Guiding Questions to Reflect on Intangible Assets
• What are the legal obligations in preserving the confidentiality or integrity of data?
• What business requirements and agreements cover the situation?
• Could release of a data item cause harm to a person or organization?
• Could unauthorized access to data cause loss of future business opportunity?
• What is the psychological effect of a lack of computer service?
• What is the value of access to data or programs?
• What is the value of having access to data or programs to someone else?
• What other problems would arise from loss of data?
Determine Assets: General Example #1: Lemonade Stand
Billy sells lemonade outside of his house every weekend for 3 hours a day. Every week he makes about $40. The wooden stand has a cardboard sign which reads, “Lemonade for SALE, 25 cents each”. The supplies he receives from his mother are paper cups, a glass pitcher and a spoon to stir with. For one pitcher of lemonade he needs 4 lemons, 2 cups of sugar, 1 quart of water, a secret ingredient, and 10 minutes. The special recipe is kept in a small space within the lemonade stand. He has a regular crowd of about 10 neighbors who buy from him because they enjoy the taste of his lemonade and his personality.
Determine Assets: General Example #1: Lemonade Stand, cont’d.
Listing of intangible assets:
• People: Billy; Billy’s mother
• Intellectual property: special recipe
• Trust: reputation; customer base
Listing of tangible assets:
• Establishment: lemonade stand, $5
• Advertising: sign, $1
• Supplies: pitcher, $7; paper cups, $2 per 25-pack; spoon, $1.50; lemons, $3 per 10-pack; sugar, $1 per lb; water, $1 per gallon; secret ingredient, $1 per lb
Determine Vulnerabilities: Specific to Organizations
• Predict the damage that might occur and its source
• Information is an asset that has value to an agency and must therefore be appropriately protected.
• The objective of information security is to preserve the agency’s information assets and the business processes they support in terms of:
• Confidentiality: information is only available to authorized individuals
• Integrity: information can only be entered, changed or destroyed by authorized individuals
• Availability: information is provided to authorized users when it is requested or needed
Determine Vulnerabilities: Impact to Assets
• Vulnerability: a weak characteristic of an information asset or group of assets that can be exploited by a threat; a consequence of weaknesses in controls.
• To organize assets and the vulnerabilities that expose them, use the asset/vulnerability matrix (assets in columns, vulnerabilities in rows)
• The impact on non-tangible assets is harder to determine
Determine Vulnerabilities: Guiding Questions
• Each vulnerability may affect more than one asset or cause more than one type of loss
• While completing the matrix, answer the following questions:
• What are the effects of unintentional errors? e.g. accidental deletion, use of incorrect data
• What are the effects of willful malicious insiders? e.g. disgruntled employees, bribery, espionage
• What are the effects of outsiders? e.g. hackers, dial-in access, people sifting through trash
• What are the effects of natural and physical disasters? e.g. fire, storms, floods, power outage, component failures
Determine Assets and Vulnerabilities: Assignment
• Using your own organization, determine the assets and vulnerabilities and fill them into the appropriate matrices.
Determine Threats and Controls: Outline
• How do you identify threats?
• What types of controls are there? Organizational and Management; Physical and Environmental; Operational; Technical
• What are the functions of controls?
Determine Threats and Controls: Identification of Threats
• Threat: a potential cause of an unwanted event that may result in harm to the agency and its assets. A threat causes harm by exploiting a vulnerability.
• Malicious
• Malicious software (viruses, worms, trojan horses, time bombs, logic bombs, rabbits, bacteria)
• Spoofing or masquerading
• Sequential or dictionary scanning
• Snooping (electronic monitoring or “shoulder surfing”)
• Scavenging (“dumpster diving” or automated scanning of data)
• Spamming
• Tunneling
• Unintentional
• Equipment or software malfunction
• Human error (back door or user error)
• Physical
• Power loss, vandalism, fire/flood/lightning damage, destruction
Source: http://www.caci.com/business/ia/threats.html
Determine Threats and Controls: Functions of Controls
• Security controls: implementations that reduce overall risk and vulnerability
• Deter: avoid or prevent the occurrence of an undesirable event
• Protect: safeguard the information assets from adverse events
• Detect: identify the occurrence of an undesirable event
• Respond: react to or counter an adverse effect
• Recover: restore the integrity, availability and confidentiality of information assets
Source: Information Security Guidelines for NSW Government Agencies Part 3 Information Security Baseline Controls
Determine Threats and Controls: Controls
• Organizational & management controls: information security policy, information security infrastructure, third party access, outsourcing, mobile computing, telecommuting, asset classification and control, personnel practices, job descriptions, segregation of duties, recruitment, terms and conditions of employment, employee monitoring, job terminations and changes, security awareness and training, compliance with legal and regulatory requirements, compliance with security policies and standards, incident handling, disciplinary process, business continuity management, system audits
• Physical & environmental controls: secure areas, equipment security, clear desk and screen policy, removal of property
Source: Information Security Guidelines for NSW Government Agencies Part 3 Information Security Baseline Controls
Determine Threats and Controls: Operational Controls
• Operational controls: documentation, configuration and change management, incident management, software development and test environment, outsourced facilities, systems planning, systems and acceptance testing, protection against malicious code, data backup, logging, software and information exchange, security of media in transit, electronic commerce security, electronic data interchange, internet commerce, email security, electronic services, electronic publishing, media
Source: Information Security Guidelines for NSW Government Agencies Part 3 Information Security Baseline Controls
Determine Threats and Controls: Technical Controls
• Technical controls: identification and authentication, passwords, tokens, biometric devices, logical access control, review of access rights, unattended user hardware, network management, operational procedures, predefined user access paths, dial-in access controls, network planning, network configuration, segregation of networks, firewalls, monitoring of network, intrusion detection, internet connection policies, operating system access control, identification of terminals and workstations, secure logon practices, system utilities, duress alarm, time restriction, application access control and restriction, isolation of sensitive applications, audit trails and logs
Source: Information Security Guidelines for NSW Government Agencies Part 3 Information Security Baseline Controls
Determine Threats and Controls: Assignment
• Using your own organization, determine the threats and the controls that counter them, and fill them into the appropriate matrices.
Matrix Based Approach: Outline
• What are the steps involved?
• How do you fill in the matrices? Asset/Vulnerability matrix; Vulnerability/Threat matrix; Threat/Control matrix
Matrix Based Approach: Methodology
• Consists of three matrices:
• Vulnerability matrix: links assets to vulnerabilities
• Threat matrix: links vulnerabilities to threats
• Control matrix: links threats to controls
• Step 1: Identify the assets and compute their relative importance
• Step 2:
• List the assets in the columns of the vulnerability matrix and the vulnerabilities in its rows.
• The value row holds the asset values.
• Rank the assets by their impact on the organization.
• For each vulnerability, compute its aggregate relative importance: the sum over all assets of the asset value times the asset/vulnerability correlation score
Matrix Based Approach: Methodology, cont’d.
• Step 3:
• Carry the aggregate vulnerability values from the vulnerability matrix into the value row (column side) of the threat matrix
• Identify the threats and add them as rows of the threat matrix
• Rate the relative influence of each threat on each vulnerability
• Compute the aggregate importance of each threat (sum of vulnerability value times correlation score)
• Step 4:
• Carry the aggregate threat values from the threat matrix into the value row (column side) of the control matrix
• Identify the controls and add them as rows of the control matrix
• Rate how strongly each control counters each threat, and compute the aggregate importance (benefit) of each control
Matrix Based Approach: Determining L/M/H
• A threshold is needed for deciding the correlations within the matrices, and it can differ from matrix to matrix. It can be set in two ways:
• Qualitatively: determined relative to the other correlations, e.g. the asset1/vulnerability1 correlation is much lower (L) than the asset3/vulnerability3 correlation (H), and asset2/vulnerability2 lies in between (M)
• Quantitatively: determined by setting limits, e.g. no correlation: 0; under 10%: L; from 10% up to 35%: M; over 35%: H
Matrix Based Approach: Extension of L/M/H
• Although the example uses 4 levels (Not Relevant, Low, Medium and High), organizations may choose more levels for finer-grained evaluation, assigning each level its own score. For example:
• Not Relevant (0)
• Very Low (1)
• Low (2)
• Medium-Low (3)
• Medium (4)
• Medium-High (5)
• High (6)
Matrix Based Approach: Assets and Vulnerabilities (matrix template)
• Columns (assets): Critical Infrastructure, Trade Secrets (IP), Client Secrets, Reputation (Trust), Lost Sales/Revenue, Cleanup Costs, Info/Integrity, Hardware, Software, Services; a Value row holds the cost of each asset
• Rows (vulnerabilities): Web Servers, Compute Servers, Firewalls, Routers, Client Nodes, Databases; a Relative Impact column holds each row’s aggregate
• Scale: Not Relevant – 0, Low – 1, Medium – 3, High – 9
• Customize the matrix to the assets and vulnerabilities applicable to the case
• Compute the cost of each asset and put it in the Value row
• Determine the correlation between each vulnerability and each asset (L/M/H)
• Compute the sum of the products of correlation score and asset value; add it to the Relative Impact column
Matrix Based Approach: Vulnerabilities and Threats (matrix template)
• Columns (vulnerabilities): Web Servers, Compute Servers, Firewalls, Routers, Client Nodes, Databases, …; the Value row holds the Relative Impact values from the previous matrix
• Rows (threats): Denial of Service, Spoofing and Masquerading, Malicious Code, Human Errors, Insider Attacks, Intrusion, …; a Relative Threat Importance column holds each row’s aggregate
• Scale: Not Relevant – 0, Low – 1, Medium – 3, High – 9
• Complete the matrix based on the specific case
• Add the values from the Impact column of the previous matrix
• Determine the association between each threat and each vulnerability
• Compute the aggregate exposure values by multiplying impact by association and summing across the row
Matrix Based Approach: Threats and Controls (matrix template)
• Columns (threats): Denial of Service, Spoofing, Malicious Code, Human Errors, Insider Attacks, Intrusion, Spam, Physical Damage, …; the Value row holds the relative exposure values from the previous matrix
• Rows (controls): Firewalls, IDS, Single Sign-On, DMZ, Training, Network Configuration, Security Policy, Hardening of Environment; a Value of Control column holds each row’s aggregate
• Scale: Not Relevant – 0, Low – 1, Medium – 3, High – 9
• Customize the matrix based on the specific case
• Add the values from the relative exposure column of the previous matrix
• Determine the impact of each control on each threat
• Compute the aggregate value of the benefit of each control
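The value propagation described in the methodology steps and the three matrix templates above (asset/vulnerability, vulnerability/threat, threat/control), as an added worked example that is not code from the original lecture: each row’s aggregate is the sum over the columns of column value × correlation score on the 0/1/3/9 scale, and the row aggregates become the value row of the next matrix. The asset costs and the L/M/H ratings are constructed for illustration only and are not figures from the slides; the `rate` helper implements the percentage thresholds from the “Determining L/M/H” slide, and the choice to count exactly 35% as High is this example’s own. A `relative` helper turns the raw aggregates into shares of the total so rows can be compared as relative importance, which is what the slides ask for.

```python
"""Matrix-based qualitative risk analysis (added example, not the lecture's code).

Three chained matrices: asset/vulnerability -> vulnerability/threat -> threat/control.
In each matrix a row's aggregate is the sum over columns of
(column value x correlation score); the row aggregates then serve as the
value row (column values) of the next matrix.
"""
from typing import Dict, List, Mapping

# Correlation scale from the slides: Not Relevant / Low / Medium / High
SCALE = {"-": 0, "L": 1, "M": 3, "H": 9}


def rate(correlation_pct: float) -> str:
    """Quantitative thresholding: 0 -> '-', under 10% -> L, under 35% -> M, else H.

    Counting exactly 35% as High is this example's choice.
    """
    if correlation_pct <= 0:
        return "-"
    if correlation_pct < 10:
        return "L"
    if correlation_pct < 35:
        return "M"
    return "H"


def propagate(column_values: Mapping[str, int],
              matrix: Mapping[str, Mapping[str, str]]) -> Dict[str, int]:
    """Aggregate each row: sum(column value x SCALE[rating]) over all columns.

    A missing cell counts as Not Relevant (0).  A rating for a column that is
    not in the value row is an error rather than silently dropped weight.
    """
    aggregates: Dict[str, int] = {}
    for row, cells in matrix.items():
        unknown = set(cells) - set(column_values)
        if unknown:
            raise KeyError(f"{row!r}: ratings for unknown columns {sorted(unknown)}")
        aggregates[row] = sum(column_values[col] * SCALE[cells.get(col, "-")]
                              for col in column_values)
    return aggregates


def relative(values: Mapping[str, int]) -> Dict[str, float]:
    """Express aggregates as shares of the total (relative importance)."""
    total = sum(values.values())
    return {k: (v / total if total else 0.0) for k, v in values.items()}


def ranked(values: Mapping[str, int]) -> List[str]:
    """Row names from most to least important."""
    return sorted(values, key=lambda k: values[k], reverse=True)


def analyse(assets, vulnerability_matrix, threat_matrix, control_matrix):
    """Steps 2-4 of the methodology: impact, exposure, control benefit."""
    impact = propagate(assets, vulnerability_matrix)    # step 2: relative impact
    exposure = propagate(impact, threat_matrix)         # step 3: threat importance
    benefit = propagate(exposure, control_matrix)       # step 4: value of control
    return {"impact": impact, "exposure": exposure, "benefit": benefit}


# --- Constructed sample data (illustrative; not figures from the lecture) ----
ASSETS = {"Hardware": 50_000, "Software": 20_000,
          "Client Secrets": 200_000, "Reputation (Trust)": 100_000}

# Rows are "vulnerabilities" in the slides' sense: the exposed components.
VULNERABILITY_MATRIX = {
    "Web Servers":  {"Hardware": "L", "Software": "M", "Client Secrets": "H", "Reputation (Trust)": "H"},
    "Firewalls":    {"Hardware": "L", "Software": "L", "Client Secrets": "M", "Reputation (Trust)": "M"},
    "Databases":    {"Hardware": "M", "Software": "L", "Client Secrets": "H", "Reputation (Trust)": "M"},
    "Client Nodes": {"Hardware": "H", "Software": "M", "Client Secrets": "M", "Reputation (Trust)": "L"},
}
THREAT_MATRIX = {
    "Denial of Service": {"Web Servers": "H", "Firewalls": "H", "Databases": "L"},
    "Malicious Code":    {"Web Servers": "M", "Firewalls": "L", "Databases": "M", "Client Nodes": "H"},
    "Intrusion":         {"Web Servers": "H", "Firewalls": "M", "Databases": "H", "Client Nodes": "M"},
    "Insider Attacks":   {"Web Servers": "L", "Databases": "H", "Client Nodes": "M"},
}
CONTROL_MATRIX = {
    "Firewalls":                {"Denial of Service": "M", "Malicious Code": "L", "Intrusion": "H"},
    "IDS":                      {"Denial of Service": "L", "Malicious Code": "M", "Intrusion": "H", "Insider Attacks": "M"},
    "Training":                 {"Malicious Code": "H", "Intrusion": "L", "Insider Attacks": "M"},
    "Hardening of Environment": {"Denial of Service": "L", "Malicious Code": "M", "Intrusion": "H", "Insider Attacks": "L"},
}

RESULT = analyse(ASSETS, VULNERABILITY_MATRIX, THREAT_MATRIX, CONTROL_MATRIX)

if __name__ == "__main__":
    for stage, values in RESULT.items():
        print(f"{stage}:")
        shares = relative(values)
        for name in ranked(values):
            print(f"  {name:26s} {values[name]:>12,d}  {shares[name]:6.1%}")
```

Because the aggregates are products of dollar values and scores, their absolute size is meaningless; only the ordering and the shares within one matrix carry information, which is why the slides call them relative impact, relative threat importance and value of control. A missing cell is treated as Not Relevant, but a rating against a column that does not exist in the value row is rejected, since that is the easiest way for a hand-filled matrix to lose weight silently.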
Matrix-Based Approach: Review
• The methodology used here for qualitative analysis is a matrix-based approach.
• The matrix-based approach:
• Brings transparency to the risk analysis process
• Provides a comprehensive methodology
• Is easy to use
• Allows organizations to work with partial data; more data can be added as it becomes available
• Lets an organization’s risk posture be compared with other organizations’
• Determines the controls needed to improve security
Matrix Based Approach: Assignment
• Go through the next modules in the unit to appropriately fill in the matrices presented in this module.
Case Study: Outline
• What is the case about?
• What would fit into the categories of assets, vulnerabilities, threats and controls?
• Filling in the matrices: Asset/Vulnerability; Vulnerability/Threat; Threat/Control
Case Study: Example
• Use the information that you have learned in the lecture in the following case study of a government organization.
• Remember these key steps for determining ALE (annualized loss expectancy):
• Identify the assets and determine their value
• Determine vulnerabilities
• Estimate the likelihood of exploitation
• Compute ALE
• Survey applicable controls and their costs
• Perform a cost-benefit analysis
Case Study: Case
An organization delivers service throughout New York State. As part of the planning process to prepare the annual budget, the Commissioner has asked the Information Technology Director to perform a risk analysis to determine the organization’s vulnerability to threats against its information assets, and to determine the appropriate level of expenditures to protect against these vulnerabilities. The organization consists of 4,000 employees working in 200 locations, which are organized into 10 regions. The average rate of pay for the employees is $20/hr. Cost-benefit analysis has been done on the IT resource deployment, and the current structure is the most beneficial to the organization, so all security recommendations should be based on the current asset deployment.
Each of the 200 locations has approximately 20 employees using an equal number of desktop and laptop computers for their fieldwork. These computers are used to collect information related to the people served by the organization, including personally identifying information. Half of each employee’s time is spent collecting information from the clients using shared laptop computers, and half is spent processing the client information at the field office using desktop computers. Replacement cost for the laptops is $2,500 and for the desktops $1,500. Each of the 10 regions has a network server, which stores all of the work activities of the employees in that region. Each server will cost $30,000 to replace, plus 80 hours of staff time. Each incident involving a server costs the organization approximately $1,600 in IT staff resources for recovery. Each incident where financial records or personal information is compromised costs the organization $15,000 in lawyers’ time and settlement payouts. Assume that the total assets of the organization are worth 10 million dollars.
The organization has begun charging fees for the public records it collects. This information is sold from the organization website at headquarters, via credit card transactions. All of the regional computers are linked to the headquarters via an internal network, and the headquarters has one connection to the Internet. The headquarters servers query the regional servers to fulfill the transactions. The fees collected are approximately $10,000 per day, distributed equally across the regions, and the transactions are uniformly spread over a 24-hour period.
Case Study Example: Assets (Tangible)
• Transaction revenue: fee income from record sales
• Data: client information
• Laptops: shared, used for collecting information in the field
• Desktops: shared, used for processing client information
• Regional servers: store all work activities of the employees in the region
• HQ server: queries the regional servers to fulfill transactions
Case Study Example: Asset Valuations
• Transaction revenue: $10,000 per day
• Data (liability): $10 million (total assets of the organization)
• Laptops: ½ × 200 (locations) × 20 (employees) × $2,500 (laptop cost) = $5,000,000
• Desktops: ½ × 200 (locations) × 20 (employees) × $1,500 (desktop cost) = $3,000,000
• Regional servers: $30,000 (server cost) × 10 (regions) + 80 (hours) × $20 (pay rate) × 10 (regions) + $10,000 (transaction revenue) = $326,000
• HQ server: $10,000 (transaction revenue) + $100,000 (cost of HQ server, a figure assumed in the lecture; the case does not state one) + 80 (hours) × $20 (pay rate) × 10 (regions) = $126,000
• Only the transaction revenue is a per-day figure; the other values are replacement costs plus the staff time and revenue lost during recovery
Case Study Example: Vulnerabilities
• Vulnerabilities are weaknesses that can be exploited; in the matrix approach the rows list the exposed components
• Vulnerabilities: laptop computers, desktop computers, regional servers, HQ server, network infrastructure, software
• Computers and servers are vulnerable to network attacks such as viruses/worms and intrusion, and to hardware failure
• Laptops are especially vulnerable to theft, and with them the personally identifying information collected in the field