Risk Analysis
2001. 7. 5
HackersLab, Consulting Team
KIM, JIN-YUL
Agenda • Backgrounds - Why?, What?, How? • Relationship – Assets, Risk, Threats, etc • Risk Analysis Practices • Models • Techniques • Approaches • Procedures • Considerations • Conclusions
Terms • Risk • The potential that a given threat will exploit vulnerabilities of an asset or group of assets and thereby cause harm to the organization. • Threat • A potential cause of an unwanted incident which may result in harm to a system or organization.
Terms • Vulnerability • A weakness of an asset or group of assets which can be exploited by one or more threats. • Impact • The result of an unwanted incident. • Asset • Anything that has value to the organization.
Terms • Risk Analysis • The process of identifying security risks, determining their magnitude, and identifying areas needing safeguards. • Risk Management • The total process of identifying, controlling, and eliminating or minimizing uncertain events that may affect IT system resources.
Backgrounds: Why? • Difficulty of tracing and responding to attacks • Growth in attack threats and attacker motivation • Demand to support new business strategies in the e-business environment • Huge losses incurred • Attack techniques becoming specialized and sophisticated • Rising value of information assets • Growing vulnerability (of confidentiality, integrity and availability) • Increasing dependence on information systems • Expansion of open information and communication networks
Backgrounds: Why? • 85% of respondents to the Computer Security Institute/FBI 2001 survey reported security breaches (70% in 2000; 62% in 1999)* • 186 organizations (35%) able to quantify financial loss reported $377.8M (273 organizations [51%], $265.6M in the 2000 survey) • Theft of proprietary information and financial fraud were the most serious • 70% cited their Internet connection as a frequent point of attack (59% in the 2000 survey) * Source: http://www.gocsi.com/prelea_000321.htm
Backgrounds: What? (figure: IT Assets)
Backgrounds: What from/by? (figure: Threats & Vulnerabilities)
Backgrounds: How? (figure: Objectives)
Relationship: Risk Relationship Model (figure) • Threats increase Risks • Vulnerabilities increase Risks • Assets (their value) increase Risks • Safeguards reduce Risks • Risks indicate Protection Requirements • Risks increase Impacts Source: TR 13335 (GMITS) Part 1
Relationship: Assets/Impacts View (figure: Risks, Assets, Impacts, Protection Requirements) Source: TR 13335 (GMITS) Part 1
Relationship: Threats View (figure: Threats, Risks, Assets, Impacts, Protection Requirements) Source: TR 13335 (GMITS) Part 1
Relationship: Vulnerabilities View (figure: Vulnerabilities, Risks, Assets, Impacts, Protection Requirements) Source: TR 13335 (GMITS) Part 1
Relationship: Safeguards View (figure: Threats, Vulnerabilities, Safeguards, Risks, Assets, Protection Requirements)
Relationship: Risk Analysis vs Security Consulting (figure) • Consulting phases: Planning → Current-state analysis → Risk analysis → Countermeasure planning → Close-out / follow-up management • Risk-analysis counterpart: Preliminary risk analysis (during planning) → Baseline/detailed risk analysis (during current-state analysis and risk analysis)
Relationship: Risk Analysis vs Risk Management (figure) • Risk Management comprises: Risk Analysis, Safeguard Selection, Security Awareness, Monitoring, Configuration Management, Change Management, Business Continuity Planning Source: TR 13335 (GMITS) Part 1
Relationship: RA vs SM (figure: IT security management process) • Corporate IT Security Policy → IT Security Objectives and Strategy → Corporate Risk Analysis Strategy Options: Baseline Approach, Informal Approach, Detailed Risk Analysis, Combined Approach • Combined Approach: High Level Risk Analysis → Baseline Approach or Detailed Risk Analysis • Selection of Safeguards → Risk Acceptance → IT System Security Policy → IT Security Plan • Implementation of the IT Security Plan: Safeguards, Awareness, Training, Accreditation • Follow-Up: Maintenance, Security Compliance Checking, Change Management, Monitoring, Incident Handling Source: TR 13335 (GMITS) Part 3
Relationship: RA vs RM vs SM (figure: Risk Analysis within Risk Management within IT Security Management)
Security Practices Structures (figure)
Risk Analysis Practices • Risk Analysis Models ? • Risk Analysis Techniques ? • Risk Analysis Approaches ? • Risk Analysis Procedures ?
Risk Analysis Model: TR 13335 (GMITS) (figure) • Establishment of Review Boundary → Identification of Assets → Valuation of Assets and Establishment of Dependencies Between Assets → Threat Assessment → Vulnerability Assessment → Identification of Existing/Planned Safeguards → Assessment of Risks
Risk Analysis Model: TTA (한국정보통신기술협회, Telecommunications Technology Association) (figure) • Preliminary risk analysis: security policy → choice of methodology and analysis criteria → can baseline controls suffice? Yes: apply baseline controls; No: detailed risk analysis • Detailed risk analysis: asset analysis, threat analysis, vulnerability analysis, countermeasure analysis → reflect the security policy → risk calculation → apply security constraints and regulations → derive countermeasures → evaluate residual risk: if not acceptable, repeat the analysis; if acceptable, finish
Risk Analysis Techniques • Quantitative Techniques • Qualitative Techniques
Risk Analysis Techniques: Quantitative • ALE (Annual Loss Expectancy) = Asset Value × Exposure Factor × Tf (annual threat frequency) • Scoring (Ranking) • Present Value (PV) Analysis • NPV = PV(Benefits) – PV(Costs) • Benefit-Cost Ratio = PV(Benefits) / PV(Costs) • IRR (Internal Rate of Return) • Payback Method
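The quantitative techniques on this slide are all arithmetic over the same few quantities, so here they are carried through end to end: ALE per asset/threat pair, a ranking by ALE, and then NPV, benefit-cost ratio, payback year and IRR for a proposed safeguard whose benefit is the ALE it removes. This is an added example, not code from the deck or from HackersLab; the assets, threat frequencies, costs and the 10% discount rate are constructed sample figures, and Tf is read as the expected number of incidents per year.

```python
"""Quantitative risk-analysis arithmetic from the slide:
ALE = Value x Exposure Factor x Tf, then the present-value measures used to
decide whether a safeguard pays for itself (NPV, benefit-cost ratio, payback,
IRR). All figures are constructed sample data, not taken from the deck."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Exposure:
    """One asset/threat pair with the three inputs that ALE needs."""
    asset: str
    threat: str
    value: float            # asset value (AV), in currency units
    exposure_factor: float  # EF: fraction of the value lost per incident, 0..1
    tf: float               # Tf: expected number of incidents per year

    def sle(self) -> float:
        """Single loss expectancy: loss from one occurrence of the threat."""
        return self.value * self.exposure_factor

    def ale(self) -> float:
        """Annual loss expectancy: ALE = Value x EF x Tf."""
        return self.sle() * self.tf


@dataclass(frozen=True)
class Safeguard:
    name: str
    initial_cost: float  # paid now (year 0)
    annual_cost: float   # paid at the end of each year 1..years
    reduced_tf: float    # Tf once the safeguard is in place


def rank_by_ale(exposures: List[Exposure]) -> List[Exposure]:
    """Scoring/ranking technique: highest expected annual loss first."""
    return sorted(exposures, key=lambda e: e.ale(), reverse=True)


def present_value(cashflows: List[float], rate: float) -> float:
    """PV of a stream where cashflows[t] occurs at the end of year t (t = 0 is now)."""
    return sum(cf / (1.0 + rate) ** t for t, cf in enumerate(cashflows))


def payback_year(net: List[float]) -> Optional[int]:
    """Payback method: first year in which cumulative undiscounted net cash flow
    is non-negative; None if the outlay is never recovered within the horizon."""
    total = 0.0
    for year, cf in enumerate(net):
        total += cf
        if total >= 0:
            return year
    return None


def irr(net: List[float], lo: float = 0.0, hi: float = 1.0) -> Optional[float]:
    """Internal rate of return: the discount rate at which NPV(net) = 0, found by
    bisection on [lo, hi]. None when NPV does not change sign on the interval
    (e.g. the safeguard never earns back its cost)."""
    if present_value(net, lo) * present_value(net, hi) > 0:
        return None
    for _ in range(100):
        mid = (lo + hi) / 2
        if present_value(net, mid) > 0:   # NPV falls as the rate rises
            lo = mid
        else:
            hi = mid
    return (lo + hi) / 2


def cost_benefit(exposure: Exposure, sg: Safeguard, years: int, rate: float) -> dict:
    """Evaluate a safeguard: benefit per year is the ALE it removes; costs are the
    initial outlay plus the annual running cost; rate is the discount rate."""
    after = Exposure(exposure.asset, exposure.threat, exposure.value,
                     exposure.exposure_factor, sg.reduced_tf)
    annual_benefit = exposure.ale() - after.ale()
    benefits = [0.0] + [annual_benefit] * years
    costs = [sg.initial_cost] + [sg.annual_cost] * years
    pv_b, pv_c = present_value(benefits, rate), present_value(costs, rate)
    net = [b - c for b, c in zip(benefits, costs)]
    return {
        "annual_benefit": annual_benefit,
        "npv": pv_b - pv_c,        # NPV = PV(Benefits) - PV(Costs)
        "bcr": pv_b / pv_c,        # Benefit-Cost Ratio = PV(Benefits) / PV(Costs)
        "payback_year": payback_year(net),
        "irr": irr(net),
    }


def sample_register() -> List[Exposure]:
    """Constructed sample exposures (hypothetical assets and figures)."""
    return [
        Exposure("customer DB", "SQL injection", 1_000_000, 0.25, 0.5),
        Exposure("web server", "DDoS", 200_000, 1.0, 0.05),
        Exposure("mail relay", "spam abuse", 50_000, 0.5, 12),
    ]


if __name__ == "__main__":
    reg = sample_register()
    for e in rank_by_ale(reg):
        print(f"{e.asset:12s} {e.threat:14s} SLE={e.sle():>10,.0f} ALE={e.ale():>10,.0f}")
    waf = Safeguard("input validation + WAF", initial_cost=150_000,
                    annual_cost=20_000, reduced_tf=0.1)
    print(cost_benefit(reg[0], waf, years=3, rate=0.10))
```

With the sample figures the safeguard cuts ALE from 125,000 to 25,000 a year, has a positive NPV over three years at 10%, a benefit-cost ratio above 1, pays back in year 2 and an IRR near 28%; a safeguard that never recovers its cost returns None for payback and IRR rather than a misleading number, which is the case a practitioner should check for before presenting the figures.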
Example: Ranking of Threats by Measures of Risk (figure: table) Source: TR 13335 (GMITS) Part 3
Risk Analysis Techniques: Qualitative • Questionnaire • Delphi • Matrix • Ranking Matrix = Matrix + Delphi + Ranking • Fuzzy • Tree Analysis
Example: Matrix with predefined values (figure: table) Source: TR 13335 (GMITS) Part 3
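The two GMITS Part 3 example tables on these slides (ranking of threats by measures of risk, and the matrix with predefined values) survive here only as captions, so this added example reconstructs their arithmetic and adds the Delphi step that the slide combines into "Ranking Matrix = Matrix + Delphi + Ranking". It is not code from the deck or from HackersLab. Assumptions: the matrix cell is asset value (0..4) plus threat-likelihood level plus vulnerability level (each L/M/H mapped to 0..2), giving 0..8; the ranking measure is impact value times likelihood on 1..5 scales; the Delphi consensus takes the upper median of analysts' votes; all sample threats and votes are constructed.

```python
"""Qualitative measures of risk laid out like the two GMITS Part 3 examples
shown on the slides: a matrix with predefined values, and ranking of threats
by a measure of risk, plus a Delphi-style consensus step for the
"Ranking Matrix = Matrix + Delphi + Ranking" combination. Scales and the
sample threats are constructed for this example, not copied from the deck."""
from statistics import median_high
from typing import Dict, List, Tuple

LEVEL = {"L": 0, "M": 1, "H": 2}                 # qualitative level -> index
LEVEL_NAME = {i: name for name, i in LEVEL.items()}

MatrixKey = Tuple[int, str, str]   # (asset value, threat likelihood, vulnerability level)


def build_matrix() -> Dict[MatrixKey, int]:
    """Matrix with predefined values: each cell holds
    asset value (0..4) + threat likelihood level (0..2) + vulnerability level (0..2),
    so the measure of risk runs from 0 to 8."""
    return {(av, t, v): av + LEVEL[t] + LEVEL[v]
            for av in range(5) for t in LEVEL for v in LEVEL}


MATRIX = build_matrix()


def matrix_risk(asset_value: int, threat: str, vuln: str) -> int:
    """Look a scenario up in the predefined-value matrix."""
    if not 0 <= asset_value <= 4:
        raise ValueError("asset value must be on the 0..4 scale")
    return MATRIX[(asset_value, threat.upper(), vuln.upper())]


def delphi_level(votes: List[str]) -> str:
    """Delphi-style consensus on a qualitative level: several analysts vote L/M/H
    independently and the upper median is taken, so a single outlier cannot drag
    the result down and ties resolve upward (the conservative choice)."""
    if not votes:
        raise ValueError("need at least one vote")
    return LEVEL_NAME[median_high(LEVEL[v.upper()] for v in votes)]


def rank_threats(entries: List[Tuple[str, int, int]]) -> List[Tuple[str, int, int]]:
    """Ranking of threats by measure of risk: impact value x likelihood (both 1..5),
    highest first. Ties keep their input order because sorted() is stable.
    Returns (threat, measure of risk, rank) triples."""
    for name, impact, likelihood in entries:
        if not (1 <= impact <= 5 and 1 <= likelihood <= 5):
            raise ValueError(f"{name}: impact and likelihood must be 1..5")
    scored = [(name, impact * likelihood) for name, impact, likelihood in entries]
    ranked = sorted(scored, key=lambda s: s[1], reverse=True)
    return [(name, score, rank) for rank, (name, score) in enumerate(ranked, start=1)]


def ranking_matrix(scenarios: List[dict]) -> List[Tuple[str, int, int]]:
    """Matrix + Delphi + Ranking: agree threat and vulnerability levels by Delphi,
    score each scenario from the matrix, then rank highest first."""
    scored = [(s["scenario"],
               matrix_risk(s["asset_value"], delphi_level(s["threat_votes"]),
                           delphi_level(s["vuln_votes"])))
              for s in scenarios]
    ranked = sorted(scored, key=lambda s: s[1], reverse=True)
    return [(name, score, rank) for rank, (name, score) in enumerate(ranked, start=1)]


# Constructed sample data: (threat, impact value, likelihood)
SAMPLE_THREATS = [
    ("Fire", 4, 2),
    ("Malware infection", 3, 5),
    ("Disk failure", 2, 4),
    ("Insider misuse", 5, 3),
]

# Constructed sample scenarios for the ranking matrix
SAMPLE_SCENARIOS = [
    {"scenario": "DB server / remote exploit", "asset_value": 4,
     "threat_votes": ["M", "H", "M"], "vuln_votes": ["H", "H", "M"]},
    {"scenario": "Intranet wiki / defacement", "asset_value": 1,
     "threat_votes": ["H", "H", "M"], "vuln_votes": ["L", "M", "L"]},
]

if __name__ == "__main__":
    for name, score, rank in rank_threats(SAMPLE_THREATS):
        print(f"{rank}. {name}: {score}")
    for name, score, rank in ranking_matrix(SAMPLE_SCENARIOS):
        print(f"{rank}. {name}: {score}")
```

Note the tie handling: two threats with the same measure of risk keep their input order rather than being silently reordered, and a Delphi tie between L and H resolves to H, so the analyst sees the pessimistic reading and has to argue it down explicitly.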
Risk Analysis Approaches (figure) • Methods: Pre-Risk Analysis, Post-Risk Analysis • Approaches: Baseline, Detailed, Combined Approach
Baseline Approach • Apply baseline security to all IT systems by selecting standard safeguards. • Advantages • Only a minimum amount of resource is needed for RA and RM for each safeguard implementation. • Less time and effort, and cost-effective. • Disadvantages • If the baseline level is set too high or too low,… • Difficulties in managing security-relevant changes.
Detailed Approach • Conduct detailed risk analysis reviews for all IT systems in the organization. • Advantages • Appropriate safeguards are identified for all systems. • Can be used in the management of security changes. • Disadvantages • Requires a considerable amount of time, effort and expertise to obtain results.
Combined Approach • First conduct an initial high-level risk analysis (pre-risk analysis) of all IT systems, based on business value and risk level; then apply detailed risk analysis where it is warranted and the baseline approach elsewhere. • Advantages • An initial quick and simple approach is likely to gain acceptance of the risk analysis programme. • Resources and money can be applied where they are most beneficial. • The only potential disadvantage is • If the initial risk analyses are at a high level, and potentially less accurate, some systems may not be identified as requiring detailed risk analysis.
Risk Analysis Procedures
Risk Analysis Procedures: (1) Assets Assessment (figure) • Identify core business processes → set the asset scope (scope criteria) • Identify assets: classify by asset item and by business process, draw up the asset inventory • Asset analysis: valuation criteria → asset valuation (quantitative, qualitative) Source: TTAS.KO-12.0007
Review: Assets/Impacts View (figure: Risks, Assets, Impacts, Protection Requirements) Source: TR 13335 (GMITS) Part 1
Risk Analysis Procedures: (2) Threats Assessment (figure) • Identify threats: threat types, known threats, threat survey, threat scenarios, threat frequency survey • Threat analysis: relationship to assets, threat attributes, relationship to vulnerabilities, relationship to countermeasures → threat ranking Source: TTAS.KO-12.0007
Review: Threat View (figure: Threats, Risks, Assets, Impacts, Protection Requirements) Source: TR 13335 (GMITS) Part 1
Risk Analysis Procedures: (3) Vulnerabilities Assessment (figure) • Identify vulnerabilities: vulnerability types, vulnerability survey • Vulnerability analysis: relationship to assets, vulnerability attributes, relationship to threats, relationship to countermeasures → compute the vulnerability level Source: TTAS.KO-12.0007
Review: Vulnerabilities View (figure: Vulnerabilities, Risks, Assets, Impacts, Protection Requirements) Source: TR 13335 (GMITS) Part 1
Risk Analysis Procedures: (4) Safeguards Assessment (figure) • Identify countermeasures: countermeasure types, countermeasure survey • Countermeasure analysis: relationship to assets, countermeasure attributes, relationship to vulnerabilities, relationship to threats → countermeasure level Source: TTAS.KO-12.0007
Review: Safeguards View (figure: Threats, Vulnerabilities, Safeguards, Risks, Assets)
Risk Analysis Procedures: (5) Risks Assessment (figure) • Compute the vulnerability level → compute ALE → rank the risks → evaluate the risks → derive the required countermeasures → cost-effectiveness analysis → overall evaluation Source: TTAS.KO-12.0007
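The five procedure slides and the TTA model slide describe one pipeline: value the assets (including the dependency rule from the GMITS model, where an asset inherits the value of what is built on it), relate threats and vulnerabilities to them, credit existing safeguards, score the risk, derive the countermeasures needed, and check the residual risk against the acceptance level, looping back when it is still too high. This added example runs that pipeline on constructed data; it is not code from the deck, from HackersLab or from the TTA standard. Assumptions: qualitative values and levels on the same 0..4 / L-M-H scale as the GMITS predefined-value matrix, each safeguard removing a fixed number of vulnerability levels at a relative cost, and the candidate safeguards per scenario being the output of the step-(4) countermeasure/vulnerability relationship.

```python
"""Worked pass through the five assessment steps (assets, threats,
vulnerabilities, safeguards, risks) ending in the residual-risk decision of the
TTA model: derive the countermeasures needed to bring each risk within the
acceptance level, and flag what still remains. Asset values, levels,
safeguards and costs are constructed sample data, not from the deck."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple

LEVEL = {"L": 0, "M": 1, "H": 2}


@dataclass(frozen=True)
class Asset:
    name: str
    own_value: int                     # 0..4 on the qualitative scale
    depends_on: Tuple[str, ...] = ()   # assets this one relies on


@dataclass(frozen=True)
class Safeguard:
    name: str
    vuln_reduction: int   # vulnerability levels removed when in place
    cost: int             # relative cost units


@dataclass(frozen=True)
class Scenario:
    """One threat against one asset (steps 2 and 3), with the safeguards already
    in place and the candidates that apply to this vulnerability (step 4)."""
    asset: str
    threat: str
    likelihood: str       # L/M/H
    vulnerability: str    # L/M/H before any safeguard
    existing: Tuple[str, ...] = ()
    candidates: Tuple[str, ...] = ()


def effective_value(assets: Dict[str, Asset], name: str,
                    seen: FrozenSet[str] = frozenset()) -> int:
    """Step 1 dependency rule: an asset is worth at least as much as any asset
    that depends on it (a database inherits the value of the service built on it).
    `seen` guards against cyclic dependencies."""
    if name in seen:
        return assets[name].own_value
    dependents = [a.name for a in assets.values() if name in a.depends_on]
    return max([assets[name].own_value] +
               [effective_value(assets, d, seen | {name}) for d in dependents])


def residual_vuln(level: str, applied: Tuple[str, ...],
                  catalogue: Dict[str, Safeguard]) -> int:
    """Vulnerability level after the listed safeguards, floored at 0."""
    return max(0, LEVEL[level] - sum(catalogue[s].vuln_reduction for s in applied))


def risk_score(asset_value: int, likelihood: str, vuln_index: int) -> int:
    """Predefined-value scale: asset value + likelihood level + vulnerability level (0..8)."""
    return asset_value + LEVEL[likelihood] + vuln_index


def assess(assets: Dict[str, Asset], scenarios: List[Scenario],
           catalogue: Dict[str, Safeguard], acceptable: int) -> List[dict]:
    """Step 5: score each scenario, then add the cheapest applicable safeguards one
    by one until the residual risk is within `acceptable`. If the candidates run
    out first, `accepted` is False: the risk must be escalated for explicit
    acceptance or treated by other means (the TTA model's re-analysis loop)."""
    report = []
    for sc in scenarios:
        value = effective_value(assets, sc.asset)
        risk = risk_score(value, sc.likelihood,
                          residual_vuln(sc.vulnerability, sc.existing, catalogue))
        residual, chosen = risk, []
        if risk > acceptable:
            options = sorted((catalogue[c] for c in sc.candidates if c not in sc.existing),
                             key=lambda s: s.cost)
            for sg in options:
                chosen.append(sg.name)
                residual = risk_score(value, sc.likelihood,
                                      residual_vuln(sc.vulnerability,
                                                    sc.existing + tuple(chosen), catalogue))
                if residual <= acceptable:
                    break
        report.append({"asset": sc.asset, "threat": sc.threat, "asset_value": value,
                       "risk": risk, "required": chosen, "residual": residual,
                       "accepted": residual <= acceptable})
    return report


# Constructed sample data
ASSETS = {a.name: a for a in [
    Asset("billing service", 4, depends_on=("db server",)),
    Asset("db server", 2),
    Asset("marketing site", 1),
]}
CATALOGUE = {s.name: s for s in [
    Safeguard("patch management", 1, cost=2),
    Safeguard("network segmentation", 1, cost=3),
    Safeguard("access control review", 1, cost=1),
]}
SCENARIOS = [
    Scenario("db server", "remote exploit of unpatched service", "M", "H",
             candidates=("patch management", "network segmentation")),
    Scenario("marketing site", "defacement", "H", "H",
             existing=("patch management",), candidates=("network segmentation",)),
    Scenario("db server", "insider data theft", "L", "M",
             candidates=("access control review",)),
]

if __name__ == "__main__":
    for row in assess(ASSETS, SCENARIOS, CATALOGUE, acceptable=4):
        print(row)
```

The first scenario is the instructive one: the database server's own value is 2, but the billing service built on it raises its effective value to 4, and no amount of vulnerability reduction brings the risk below the acceptance level of 4 while likelihood stays at M. The report says so (`accepted` is False with both candidates applied) instead of pretending the countermeasures are enough; that is the point at which the analysis either loops back with a different treatment (lowering likelihood, changing the asset value by re-architecting the dependency) or the risk is formally accepted.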
Review: Risk Relationship Model (figure) • Threats increase Risks • Vulnerabilities increase Risks • Assets (their value) increase Risks • Safeguards reduce Risks • Risks indicate Protection Requirements • Risks increase Impacts Source: TR 13335 (GMITS) Part 1
Automated RA Tools: RA (BSI) (figure: screenshot)
Post-Risk Analysis Procedures (figure) • Write the system security policy → establish security plans per area → implement the countermeasures → related training → evaluate the results → decide whether to re-analyse Source: TTAS.KO-12.0007
Review: Risk Management (figure) • Risk Management comprises: Risk Analysis, Safeguard Selection, Security Awareness, Monitoring, Configuration Management, Change Management, Business Continuity Planning Source: TR 13335 (GMITS) Part 1
Security Consulting Methodology (figure: phase table) • Planning: requirements analysis, establish the execution strategy, establish the execution plan • Current-state analysis: business status analysis, security management system analysis, security level analysis and measurement, required security level • Risk analysis: asset identification, threat identification, vulnerability identification, risk level measurement, risk evaluation • Countermeasure planning: derive the issues to resolve, short-term countermeasures, mid/long-term countermeasures, information security architecture design, security system implementation plan, master plan • Follow-up: security system implementation, security training / technology transfer, security management, continuous security management
Conclusions (figure: Objectives)
Questions The fewer questions, the better!
References • TTA (한국정보통신기술협회), "Risk Analysis Standard for Public Information System Security – Risk Analysis Methodology Model", 2000.3 • TTA (한국정보통신기술협회), "Guidelines on Contingency Planning and Disaster Recovery for Public-Agency Information Systems", 2000.3 • BSI, "Guide to BS Risk Assessment and Risk Management", 1999 • CSE, "Threat and Risk Assessment Working Guide", 1999 • ISO/IEC JTC 1/SC 27 TR 13335, "GMITS – Part 1: Concepts and models for IT Security", 2001.4 • ISO/IEC JTC 1/SC 27 TR 13335, "GMITS – Part 3: Techniques for the Management of IT Security", 2001.4 • SRV, "CISSP Exam: Theory", SRV Professional Publication, 2000 • Harold F. Tipton, "Information Security Management Handbook, 4th ed.", AUERBACH Publications, 2000