Risk Analysis - PowerPoint PPT Presentation

1 / 81

About This Presentation

Title:

Risk Analysis

Description:

Internal Control System - the whole system of controls, financial ... Public embarrassment. Danger to personal safety. Risk Control Strategy. Risk prevention ... – PowerPoint PPT presentation

Number of Views:181

Avg rating:3.0/5.0

Slides: 82

Provided by: csh36

Category:

more less

Transcript and Presenter's Notes

Title: Risk Analysis

1
Risk Analysis
Dr Chez Ciechanowicz Information Security
Group Room 343, McCrea Tel 01784 443112 E-mail
Z.Ciechanowicz_at_rhul.ac.uk
2
ISACA Auditing Guidelines
The responsibility for the prevention and
detection of irregularities and fraud rests with
the management, who may obtain reasonable
assurance that this responsibility will be
discharged by instituting an adequate system of
internal control. Internal Control System - the
whole system of controls, financial and
otherwise, established by the management in order
to carry on the business of the enterprise in an
orderly and efficient manner, ensure adherence to
management policies, safeguard the assets and
secure as far as possible the completeness and
accuracy of the records.
3
Risk Analysis
Quote from NIST Document - An Introduction to
Computer Security Managers are faced with risks
which arise from the organisations use of
computers which are vulnerable to a wide range of
threats. Computer security helps an organisation
analyse threats and vulnerabilities and make
appropriate steps to reduce or manage the
associated risks in a cost-effective
manner. Whilst computer security helps to manage
risk, it does not eliminate it. In addition, the
exact level of risk can never be known since
there is always some degree of uncertainty.
Ultimately, management must decide on the level
of risk it is willing to accept. Judging what
level can be tolerated, particularly when weighed
against the costs of security controls, can be a
difficult management decision.
4
Risk Assessment
Business Objectives

FOCUS on key assets
PROTECT against likely threats
PRIORITISE future actions
BALANCE cost with benefits
IDENTIFY / JUSTIFY appropriate

5
Risk Assessment
Positive Factors

Enables security risks to be managed
Maximises cost effectiveness
Safeguards information assets
Enables IT risks to be taken more safely

6
Balancing the Risk
Cost of Security
Cost of Insecurity
7
Risks

Unauthorised or accidental disclosure
Unauthorised or accidental modification
Unavailability of facilities / services
Destruction of assets

8
Risk Impact

Monetary losses
Loss of personal privacy
Loss of commercial confidentiality
Legal actions
Public embarrassment
Danger to personal safety

9
Risk Control Strategy

Risk prevention
Reduction of impact
Reduction of likelihood
Early detection
Recovery
Risk transfer

10
Risk Assessment
11
Risk Assessment
Recap.

Risk Assessment is a business requirement
Risk Assessment is part of overall security
management
Can be complex
Methods exist
Approach must suit your organisation

12
Why Risk Assessment Methodologies?

Quality
Consistency
It makes you think through the problem
Credibility
Ability to justify recommendations
Trusted results

13
General Requirements

Fits company culture
Flexible
Easy and quick to use
Modelling capability
Secure

14
Specific Requirements

Use at any stage of Project Life Cycle
Identify all or selected risks
Classify systems and projects
Countermeasure guidance
Audit trail

15
Potential Users of Methodology

Project Managers
Systems Developers
Systems Managers
Systems Audit
Business Managers
Security Managers

16
Choosing Methodologies

Assumed expertise of reviewer
Complexity of environment
When to apply Risk Analysis
Consideration of existing controls
Level of detail
Scope

17
Methods - (1)
Manual v Automated
18
Methods - (2)
Quantitative v Qualitative
19
ALE Approach

Enumerate all (potential) threats to systems
Estimate annual probability of each event (p)
Estimate average loss per event (L)
Annual loss expectancy equals p x L
Choose controls to reduce ALEs

20
Disadvantages of the ALE Approach

Some events may be totally unacceptable
Cost values for certain data valuations may be
too contrived
Subject attribution of cost values and
frequencies
Assume all existing countermeasures justified
Need security expert to choose countermeasures
Onerous and time consuming

21
Dealing with Risk
Contractual
Protection
Accept it!
Insurance
22
Baseline Models
23
CRAMM Objectives

Cope with technical AND non-technical IT security
Compatible with government IT security guidance
Quick reviews
Automated tool
Understandable results
Full threat checklist
Non-specialist
Immature security

24
Risk Analysis and Risk Management

ASSETS
THREATS
VULNERABILITIES
ANALYSIS
RISKS
MANAGEMENT
COUNTERMEASURES
25
The Three Stages of CRAMM

Stage 1 Scope the security problem (value the
assets)
Stage 2 Evaluate the risk
Stage 3 Select suitable countermeasures

26
Stage 1 Value the Assets - (1)
Unavailability Impacts

Less than 15 minutes
1 hour
3 hours
12 hours
1 day

2 days
1 week
2 weeks
1 month
2 months and over

27
Stage 1 Value the Assets - (2)

Physical destruction impact
Destruction (of data) impact- Loss of data since
last successful backup- Total loss of data
including backups
Disclosure impact- Disclosure to insiders-
Disclosure to contracted service providers-
Disclosure to outsiders

28
Stage 1 Value the Assets - (3)
Modification Impacts

Small scale errors
Widespread errors
Deliberate modification
Repudiation of origin
Repudiation of receipt
Non-delivery

Replay
Mis-routing
Traffic monitoring
Out-of-sequence
Insertion of false messages

29
Stage 1 Value the Assets - (4)

Value the Physical Assets- Type in the cost
Value the Data Assets- Worst case realistic
scenarios- Use questionnaires and tables-
Ignore existing countermeasures

30
Stage 1 Value the Assets - (5)

Personal safety
Personal information
Legal and regulatory obligations
Law enforcement
Commercial and economic interests
Financial loss / disruption to activities

Public order
International relations
Defence
Security and intelligence
Policy and operations of public service
Loss of goodwill

31
Stage 1 Value the Assets - (6)
Legal and Regulatory Obligations Assignment of
Values
32
Stage 1 Value the Assets - (7)
Financial Loss / Disruption to Activities Assignm
ent of Values
33
Assets, Threats and Vulnerabilities
LAN
Dial-in
Vulnerability
Hacker Threat
34
Theoretical Model
There are 36 generic threats ( T1 .. T36
) There are 27 impacts ( I1 .. I27 ) Value
each asset / impact pair Ai Ij Identify valid
triples Ti Ij Ak Evaluate threats (Very Low,
Low, Medium, High, Very High) and vulnerabilities
(Low, Medium, High) Calculate the measure of
risk for each triple Ti Vi Ij Ak
35
Stage 2 Evaluate the Risk

Step 1 Identify threat, asset, and impact
relationships (and group together assets)
Step 2 Measure threats and vulnerabilities
Step 3 Calculate the measures of risk
Step 4 Review the measures of risk

36
Stage 3 Select Appropriate Countermeasures

Step 1 Identify required countermeasures
Step 2 Compare required with installed
countermeasures
Step 3 Recommend and confirm new
countermeasures

37
The Three Stages of CRAMM

Stage 1 Scope the security problem (value the
assets)
Stage 2 Evaluate the risk
Stage 3 Select suitable countermeasures

38
Stage 1 Scope the Security Problem

Step 1 Prepare the project framework
Step 2 Value the assets
Step 3 Review data results

39
Stage 1 Step 1
Prepare Project Framework

Arrange initial management meeting
Prepare functional description of system
Agree review boundary
Document system assets and configuration
Document organisational structure
Identify data users
Prepare project schedule

40
Stage 1 Step 1
Prepare Project Framework (continued) Identify
Physical Assets and Location Identify Data Assets

Gather together related data
Identify software assets
Create asset model

41
End-User Services
Types of Services

Electronic Mail
Application to Application Messaging
Electronic Document Interchange
Ad-hoc file transfer

Interactive Session
Batch Processing
Voice
Video
Other

42
Asset Models - An Example
STOCK ORDER DATA
Order Processing Facilities
Central Server
Server Room
Central Disk Driver
Server Room
Laser Printers
Order Processing PCs
Orders Room
Ethernet LAN
Ordering Application Software
Central Server
Server Room
43
Valuing Data - (1)
Realistic Scenarios

Last day of the month network down, cant do our
CHAPS payment - big interest charges say
Malicious software modifications to crucial
software, lose confidence in software, rewrite
software (meanwhile the business has gone down
the plug)
LAN down for two hours, cant deal with telephone
enquiries efficiently, possibly lose one sale
()

44
Valuing Data - (2)
Unrealistic Scenarios

If all our Operations Staff simultaneously went
sick - go out of business
If everybody had free access to the cheque
printing machine
If all 300 of our PCs suddenly blew up
If we couldnt use a telephone for three months -
go out of business

45
An Impact Assessment Report
46
Management Review

Generate some CRAMM reports
Dont give any to management
Write your own report
Agree all asset valuations

47
Problems with Stage 1

Takes time
Bad data grouping possible
Relies on good interviewees
Relies on skilled interviewers
Can get bogged down in detail

48
Stage 2 Evaluate the Risk

Stage 1 Identify threat asset and impact
relationships (and group together assets)
Stage 2 Measure threats and vulnerabilities
Stage 3 Calculate the measures of risk
Stage 4 Review the measures of risk

49
Stage 2 Step 1
CRAMM has 35 generic threats Find all meaningful
Threat / Asset combinations Save time by
grouping together assets
50
Threat Scenarios - (1)

Masquerading of user identify by insiders
Masquerading of user identity by contracted
service providers
Masquerading of user identity by outsiders
Unauthorised use of an application
Introduction of damaging or disruptive software
Misuse of system resources
Communications infiltration by insiders

Communications infiltration by contracted service
providers
Communications infiltration by outsiders
Accidental misrouting
Technical failure of non-network host
Technical failure of network host
Technical failure of storage facility
Technical failure of print facility
Technical failure of network distribution
component

51
Threat Scenarios - (2)

Technical failure of network gateway
Technical failure of network management or
operation host
Technical failure of network interface
Technical failure of network services
Power failure
Air conditioning failure
Systems or network software failure
Application software failure
Operations error

Hardware maintenance error
Software maintenance error
User error
Fire
Water damage
Natural disaster
Staff shortage
Theft by insiders / outsiders
Wilful damage by insiders
Wilful damage by outsiders
Terrorism

52
Threat / Impact Table
53
Stage 2 Step 2
Measure Threats and Vulnerabilities Threat
Rating The likelihood it will occur e.g. Has
it happened before? Who is interested? etc.
Vulnerability Rating Does the system make a
successful threat occurrence any easier or
increase the extent of likely
damage? e.g. How easy is it to
eavesdrop? What redundancy is there? etc.
54
Example Questionnaire
55
Example Questionnaire
56
Example Questionnaire
57
Example Questionnaire
58
Example Questionnaire
59
Calculating Measures of Risk
Risk Matrix
60
Calculation of the Measure of Risk
61
Problems with Stage 2

Large number of questions (approximately 800)
Bored interviewees
Answers are sometimes subjective

62
Stage 3
Select Appropriate Countermeasures

Step 1 Identify required countermeasures
Step 2 Compare required with installed
countermeasures
Step 3 Recommend and confirm new
countermeasures

63
Stage 3 Step 1
Identify Required Countermeasures

Security requirement is a pointer to a set of
applicable countermeasures
Select sufficiently powerful countermeasures

64
CRAMM Countermeasure Database - (1)

60 countermeasure groups
Categorised according to- Category- Security
level range- Cost- Security aspect- Type of
countermeasure

65
CRAMM Countermeasure Database - (2)
Countermeasure Hierarchy Category 1 High level
security objectives Category 2 Detailed
security functions that help achieve the
security objective Category 3 Implementation
examples
66
CRAMM Countermeasure Database - (3)
Security Aspect

Hardware
Software
Communications
Procedural

Physical
Personnel
Environmental

67
CRAMM Countermeasure Database - (4)
Type of Countermeasures

Reduce threat
Reduce vulnerability
Reduce impact
Detect
Recover

68
Countermeasure Groups

Identification and authentication
Logical Access Control
Accounting
Audit
Object Reuse
System Testing
Natural Disaster Protection
Power Protection
Environmental Protection
Personnel
Security Education and Training
Security Policy
Security Infrastructure
Incident Handling
Compliance Checks
Media Controls

Physical Media Transportation
Recovery Option for Hosts
Recovery Options for Network Interfaces
Recovery Options for Network Services
Recovery Options for Accommodation
Recovery Options for Media
Business Continuity Planning
Back-up data
Capacity Planning
Equipment Failure Protection
Site / Building Physical Security
Accommodation Moves
Room / Zone Physical Security
Theft Protection
Physical Equipment Protection
Terrorist / Extremist Warnings
Delivered Item (DI) Protection

69
Countermeasure Groups - (continued)

Improvised Explosive Device (IED) Protection
Internal and External Improvised Explosive Device
Fire Protection
Water Protection
Software Integrity
Protection against Malicious Software
Software Change Controls
Software Distribution
System Input / Output Controls
Network Security Management
Non-repudiation
Data Confidentiality over Networks
Network Access Controls

Physical Network Protection
Message Security
Data Integrity over Network
Preservation of Message Sequencing
Traffic Padding
Operations Controls
System Administration Controls
Application Development Controls
Application Programmer Controls
Software Maintenance Controls
Hardware Maintenance Controls
User Control
Application Input / Output Controls
Financial Accounting

70
Countermeasure Library - (1)
71
Countermeasure Library - (2)
72
Countermeasure Library - (3)
73
Countermeasure Library - (4)
74
Countermeasure Library - (5)
75
Problems with Stage 3

Generates a lot of output
Hard to Identify installed countermeasures-
Interviewees knowledge inadequate- Not truly
installed
Recommended list needs further analysis

76
Typical Timescales - (1)
Assuming Small Small network, 1
Application - Single Site Medium Mini
with 5 Applications - Single Site Large
Mainframe, 5 different geographical locations
77
Typical Timescales - (2)

Figures (in days) depend on chosen granularity
78
Problems with CRAMM - (1)