150 likes | 259 Views
A Preamble into Aligning Systems Engineering and Information Security Risk. Dr. Craig Wright GSE May 2012 GIAC GSE, GSM, GSC. Controls are countermeasures for vulnerabilities. Controls need to be economically viable to be effective. There are four types: Deterrent controls
E N D
A Preamble into Aligning Systems Engineering and Information Security Risk Dr. Craig Wright GSE May 2012 GIAC GSE, GSM, GSC SANS Technology Institute - Candidate for Master of Science Degree
Controls are countermeasures for vulnerabilities Controls need to be economically viable to be effective. There are four types: • Deterrent controls • Preventative controls • Corrective controls • Detective controls SANS Technology Institute - Candidate for Master of Science Degree
System Survival • Network reliability requires us to model the various access paths and survival times for not only each system, but for each path to the system. SANS Technology Institute - Candidate for Master of Science Degree
Mapping Vulnerabilities within Software • Now let E stand for the event where a vulnerability is discovered within the Times T and T+h for n vulnerabilities in the software SANS Technology Institute - Candidate for Master of Science Degree
Mapping Vulnerabilities within Software • Where a vulnerability is discovered between time T and T+h use Bayes’ Theorem to compute the probability that n bugs exist in the software: SANS Technology Institute - Candidate for Master of Science Degree
Mapping Vulnerabilities within Software • From this it can be seen that: SANS Technology Institute - Candidate for Master of Science Degree
Exponential Failure • The reliability function (also called the survival function) represents the probability that a system will survive a specified time t. SANS Technology Institute - Candidate for Master of Science Degree
Exponential Failure • The reliability function is a probabilistic calculation. • We cannot forecast the exact time of any compromise. • We can estimate the behaviour of systems that are constructed of many components. SANS Technology Institute - Candidate for Master of Science Degree
Reliability • Reliability is expressed as either MTBF (Mean time between failures) and MTTF (Mean time to failure). • The choice of terms is related to the system being analyzed. • For system security, it relates to the time that the system can be expected to survive when exposed to attack. SANS Technology Institute - Candidate for Master of Science Degree
Modelling Failure Rate • The failure rate for a specific time interval can also be expressed as: SANS Technology Institute - Candidate for Master of Science Degree
Modelling Failure Rate • The time to failure of a system under attack can be expressed as an exponential density function: SANS Technology Institute - Candidate for Master of Science Degree
Modelling Failure Rate • Here is the mean survival time of the system when in the hostile environment • t is the time of interest • Reliability function, R(t) can be expressed as: SANS Technology Institute - Candidate for Master of Science Degree
Modelling Failure Rate • The mean ( ) or expected life of the system under hostile conditions can hence be expressed as: SANS Technology Institute - Candidate for Master of Science Degree
No Absolutes • There are no absolutes but data can be modelled. • Security remains a risk and economic function. • No comparison to levels of security can be made other than to a relative measure (no absolute level of security). SANS Technology Institute - Candidate for Master of Science Degree
Conclusion • Before we invest our valuable resources into protecting the information assets it is vital to address concerns such as: • the importance of information or the resource being protected, • the potential impact if the security is breached, • the skills and resources of the attacker and • the controls available to implement the security. SANS Technology Institute - Candidate for Master of Science Degree