Presented By Katherine L. Morse - PowerPoint PPT Presentation
1
Presented by Katherine L. Morse
April 22, 1999
The 8-Stage Security Specific Risk Assessment Methodology
2
Outline
  • Motivation
  • The Eight-Stage Model
  • Methodology
  • Example
  • Lessons Learned
  • Future Research
  • Conclusions

3
Motivation
  • Auditing as a countermeasure
  • Flaws in existing risk assessment methodologies
    • Formulating the chain of events
    • Evaluating all countermeasures against all threat/vulnerability pairs
    • Spotlighting high risk threat scenarios

4
The Eight-Stage Model
  • Security Threat
  • Security Breach
  • Resultant Harm

5
The Eight-Stage Model (continued)
[Diagram: the chain Security Threat → Security Breach → Resultant Harm, with countermeasure stages Threat Obstruction, Threat Detection and Threat Recovery acting on the threat, and Breach Detection and Breach Recovery acting on the breach]
  • Prevention
    • Threat Obstruction
  • Detection
    • Threat Detection
    • Breach Detection
  • Recovery
    • Threat Recovery
    • Breach Recovery

6
Methodology
  • Driven by threats
    • Threat scenario for each threat
  • Improvements to traditional methodology
    • Chain of events
    • Countermeasures act at several stages
    • Only evaluate threats against applicable countermeasures

7
Example
  • Warning banner on login prompt
  • Hacker attack
  • Auditing with intrusion detection
  • Firewall, tools for hacker tracking
  • Gain root access
  • Compromise of data
  • Loss of integrity of data and/or system
  • Loss of data and/or resource availability

8
Example (continued)
  • Auditing
  • Hot spare, close net access
  • Harms
    • Failure of business or mission
    • Loss of personnel
    • Loss of resources
    • Loss of dollars
    • Loss of time

9
Lessons Learned
  • Few threat scenarios
  • Types of breaches few in number
  • Many countermeasures meet several threats with
    varying effectiveness
  • Probabilities for detection and recovery from the
    breach are the same regardless of the motivating
    threats
  • The initial result is less numerical analysis
  • The final result is a more readable document with
    a clearer correlation between the real threat and
    the real changes that need to be made in the
    system
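The methodology, example and lessons-learned slides above describe a chain of events with countermeasures attached to stages, and note that breach detection and recovery probabilities do not depend on the motivating threat. The following is an added illustration, not code from the presentation or its author; it models that chain in Python, attaching breach-stage countermeasures to the breach (so every threat that causes it shares them) and threat-stage countermeasures to the threat scenario (so a threat is only evaluated against applicable countermeasures). All probabilities, costs and the "malicious insider" scenario are constructed placeholders.

```python
# Added example (not from the presentation): the eight-stage chain threat -> breach -> harm,
# with each countermeasure acting only at the stage(s) it applies to. All numbers are constructed.
from dataclasses import dataclass

@dataclass
class Countermeasure:
    name: str
    effect: dict  # stage name -> probability the countermeasure succeeds at that stage

@dataclass
class Breach:
    name: str
    harm_cost: float       # constructed figure for the resultant harm
    countermeasures: list  # breach_detection / breach_recovery; shared by every threat causing this breach

@dataclass
class ThreatScenario:
    name: str
    likelihood: float      # probability the threat materialises in the assessment period
    breach: Breach
    countermeasures: list  # threat_obstruction / threat_detection / threat_recovery

def stage_success(countermeasures, stage):
    """Probability that at least one applicable countermeasure succeeds at this stage."""
    p_fail = 1.0
    for cm in countermeasures:
        p_fail *= 1.0 - cm.effect.get(stage, 0.0)  # 0.0 means "does not act at this stage"
    return 1.0 - p_fail

def residual_risk(s):
    """Expected harm after the chain: the threat passes obstruction, is not both detected and
    recovered from, and the breach is likewise not both detected and recovered from."""
    t, b = s.countermeasures, s.breach.countermeasures
    p = s.likelihood * (1.0 - stage_success(t, "threat_obstruction"))
    p *= 1.0 - stage_success(t, "threat_detection") * stage_success(t, "threat_recovery")
    p *= 1.0 - stage_success(b, "breach_detection") * stage_success(b, "breach_recovery")
    return p * s.breach.harm_cost

def spotlight(scenarios):
    """Rank threat scenarios by residual expected harm, highest first (the high-risk spotlight)."""
    return sorted(((residual_risk(s), s.name) for s in scenarios), reverse=True)

# Constructed data following the slides' example: a hacker attack leading to root access.
banner = Countermeasure("warning banner on login prompt", {"threat_obstruction": 0.10})
ids = Countermeasure("auditing with intrusion detection", {"threat_detection": 0.70, "breach_detection": 0.60})
tracking = Countermeasure("firewall, hacker tracking tools", {"threat_recovery": 0.80})
spare = Countermeasure("hot spare, close net access", {"breach_recovery": 0.90})
root = Breach("gain root access", 100_000.0, [ids, spare])
SCENARIOS = [
    ThreatScenario("hacker attack", 0.50, root, [banner, ids, tracking]),
    ThreatScenario("malicious insider", 0.10, root, []),  # banner and firewall do not apply
]
```

Calling `spotlight(SCENARIOS)` ranks the two scenarios; the insider case still benefits from the breach-stage auditing and hot spare even though none of the threat-stage countermeasures apply to it.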

10
Future Research
  • Automated tools
  • Integration with existing risk calculation methodologies
  • Tandem threats
  • Temporal factors
    • Expiration of sensitivity
    • Duration of resistance
  • Cost vs. value
    • Prevention
    • To attacker
