
Risk Analysis (RA) and Security Planning

These slides are derived from John Carpenter’s notes. Topics: Risk Analysis (RA), Benefits of Risk Analysis, Some Homely Examples, Steps to Complete a RA, Security Planning.


Presentation Transcript


  1. Risk Analysis (RA) and Security Planning
     The slides are derived from John Carpenter’s notes

  2. Risk Analysis (RA) and Security Planning
     • Risk Analysis (RA)
     • Benefits of Risk Analysis
     • Some Homely Examples
     • Steps to Complete a RA
     • Security Planning
     • Content of a Security Plan
     Reading: Pfleeger (2nd ed.) Ch 10.4, 10.5, 10.6; Pfleeger (3rd ed.) Ch 8.1, 8.2, 8.3

  3. Company’s computer systems
     (Diagram: the company’s computer systems at the centre, surrounded by the sources of threat listed below)
     • Computer Security and Industries
     • Government and private intelligence communities
     • Internal threats (dishonest employees, software failures etc.)
     • Business partners (customers, competitors, suppliers, etc.)
     • Hackers, investigators, reporters etc.

  4. Security facts – believe it or not!
     • Bank robbery through computers
     • Industrial espionage on corporate information
     • Loss of individual privacy (files, emails, chats, video conferencing, ...)
     • Information vandalism (destroy backups, delete files, vandalise web pages, …)
     • Computer viruses
     • (more can be found in “comp.risks” and other websites)

  5. Is Computer Threat Real?
     • 1997 survey of 61 large companies that had firewalls (each site had > 1000 PCs & Internet servers)
     • 44% reported probes by outsiders
     • 23% IP spoofing (used to break into hosts on the Internet)
     • 10% email bombs
     • 8% denial of service attacks
     • 8% sendmail probes
     • 89% reported that the firewall responded adequately
     Source: Internet sources

  6. Computer Threat
     Computer Security Institute/FBI Survey
     • 35% annual increase in data sabotage incidents from 1997 to 1999
     • 25% annual increase in financial fraud perpetrated on-line
     • Abuse of network access increased over 20%, resulting in losses of $8 million
     • Security breaches caused US$15 billion in losses in 2000
     Source: Internet sources

  7. Other Surveys
     • Poll of 1,400 companies with > 100 employees
     • About 90% are confident in their firm’s network security
     • But 50% failed to report break-ins
     • 58% increase in spending on security
     • 1997–2001, Fortune firms lost US$45 billion; high-tech firms most vulnerable
     Source: Internet sources

  8. Risk Analysis
     (Diagram: Assets, Threats, Vulnerabilities → Analysis → Risks → Management → Counter Measures)

  9. Risk Analysis (RA-1)
     • A study of the risk that a business or system is subject to
     • A process to determine exposure and potential loss
     • RISK: the probability that a specific threat will successfully exploit a vulnerability, causing a loss

  10. Risk Analysis (RA-2)
     • Suppose an event is associated with a loss; this loss is the risk impact (sometimes simply called risk), measured in $
     • There is a probability (risk probability) of occurrence, a number in the range 0 (if not possible) to 1 (if certain)
     • Risk exposure is the $ amount: Risk-exposure = Risk-impact x Risk-probability
     • As things change, so can these values (!)

  11. Risk Analysis (RA-3)
     • For risk analysis: RISK = LOSS ($) x PROBABILITY, usually measured as $ per annum
     • Expressed as Annual Loss Expectancy (ALE): $ per annum
     • By quantifying the risk, we can justify the benefit of spending money to implement controls

  12. Benefits of Risk Analysis
     • Improved awareness by users and management
     • Documentation of assets and their vulnerabilities and possible controls
     • Provides an accountable basis for decision making
     • Provides accountable justification for expenditure on counter measures

  13. Example (1)
     • Hard disk failure on your PC
     • Hard disks fail about every three years; probability of failure is 1/3 per year
     • Intrinsic cost say $600 – to buy a new disk
     • But also, say 10 hours of your effort to reload O/sys and software, and
     • say 4 hours to re-key assignments from last backup
     • Assume $10.00 per hour for your effort
     • Total loss = $600 + 10 x (10 + 4) = $740
     • Annual loss expectancy = (740 x 1/3) $pa = $246.66 pa

  14. Example (2)
     • What about a virus attack on the same system?
     • You frequently swap stuff with other people, but have no anti-viral software running
     • Assume an attack every 6 months; probability is 2 per annum
     • No need to buy a new disk
     • Assume the same rebuild effort = (10 + 4) hours; Total loss = 10 x (10 + 4) = $140
     • ALE = (140 x 2) $pa = $280 pa
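The two homely examples above are the ALE arithmetic of slides 10 and 11 applied to one PC. The following Python is an added example, not part of John Carpenter's slides: it carries the same figures through a small `Risk` record, sums the per-risk ALE into the total that slide 22 asks for, and orders the risks by ALE. The `Risk` class, the `HOURLY_RATE` constant and the function names are assumptions made for this illustration.

```python
from dataclasses import dataclass


HOURLY_RATE = 10.0  # $ per hour of your own effort, the figure assumed on slide 13


@dataclass(frozen=True)
class Risk:
    """One threat to one asset, with the figures needed for the RA arithmetic."""
    name: str
    replacement_cost: float  # intrinsic cost of what must be bought, e.g. a new disk
    effort_hours: float      # hours to reload software and re-key data
    probability_pa: float    # expected occurrences per annum (1/3 = once every 3 years)

    def loss(self) -> float:
        """Risk impact: the $ loss of a single occurrence."""
        return self.replacement_cost + HOURLY_RATE * self.effort_hours

    def ale(self) -> float:
        """Annual Loss Expectancy: loss x probability per annum, in $ pa."""
        return self.loss() * self.probability_pa


def total_ale(risks) -> float:
    """Sum the ALE over every risk: the organisation-wide figure of slide 22."""
    return sum(r.ale() for r in risks)


def worst_first(risks):
    """Order risks by ALE, largest first, to see which control to justify first."""
    return sorted(risks, key=lambda r: r.ale(), reverse=True)


# Constructed inputs, copied from the two homely examples:
# slide 13: disk failure, new disk $600, 10 h reload + 4 h re-keying, once per 3 years
# slide 14: virus attack, no new disk, same 14 h rebuild, twice a year
DISK_FAILURE = Risk("hard disk failure", 600.0, 10 + 4, 1 / 3)
VIRUS_ATTACK = Risk("virus attack", 0.0, 10 + 4, 2.0)


if __name__ == "__main__":
    for r in worst_first([DISK_FAILURE, VIRUS_ATTACK]):
        print(f"{r.name:20s} loss ${r.loss():8.2f}  ALE ${r.ale():8.2f} pa")
    print(f"total ALE ${total_ale([DISK_FAILURE, VIRUS_ATTACK]):.2f} pa")
```

Note what the ordering shows: the virus attack has the smaller impact ($140 against $740) but the larger ALE ($280 against $246.66), because it happens six times as often. That is why the recommendations slide later asks for the loss of greatest frequency as well as the largest potential loss.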

  15. Steps to Complete a RA
     • List the Assets
     • Determine their value, including costs of recreating data files
     • Vulnerabilities
     • Probability of Loss
     • Computation
     • Possible Controls
     • Cost of Applied Controls
     • Cost/Benefit

  16. Assets and their value
     • Asset Valuation Worksheet
     • Asset: (name, serial number)
     • Asset intrinsic value: $
       • Which value is the intrinsic value? Physical, insured, depreciated, or replacement value
     • Asset acquired value: $, which includes the cost of the loss of:
       • Integrity $
       • Availability $
       • Confidentiality $

  17. Valuations
     • Work quickly, using scale values (1, 10, 100, 1000 or 1, 2, 5, 10, 20, 50, 100, 200, 500, 1000 etc.), or use a scale (1 to 5), or low, medium or high scales
     • Completeness is most important: ALL the assets and ALL the acquired values, and the cost of loss of acquired values
     • Let others argue over the detail and accuracy

  18. DSTO Model
     • This DSTO paper provides guidelines for assessing information security risk within a computer system. This risk is primarily a function of:
       • the sensitivity of the information to be processed;
       • the architecture of the computer system;
       • and the clearance levels of the system’s users.

  19. DSTO Model
     The DSTO Risk Analysis model is primarily directed at accidental and deliberate actions by authorised users. It is also possible to include deliberate acts by unauthorised users; however, in a number of Defence installations, physical and administrative security safeguards are used to counter these threats.

  20. Vulnerabilities
     • A vulnerability is a weakness
     • The way things work indicates the ways they are likely to fail
     • Computers need electricity, so they are vulnerable to power failures
     • Hard disks are easy to overwrite, so they are vulnerable to being inappropriately overwritten

  21. Probability of Loss
     • Not directly computable, but either
       • apply frequency probability by using observed data for a specific system, or
       • estimate (by an expert, based on their knowledge) the number of occurrences of each security breach in a given time period

  22. Compute the expected loss
     • For each asset, (total) risk = Sum(risks) = Sum(Loss x Probability per annum) $pa
     • For ALL assets we can derive a total sum, the Annual Loss Expectancy, $ per annum
     • Price-Waterhouse study: for Australian organisations with no security plan in place, 8% of turnover is lost each year (!)

  23. Making sense?
     • REALITY CHECK: if a company is still in business, the Annual Loss Expectancy (ALE) has to be a lot less than the annual turnover

  24. Possible Controls
     • Match each vulnerability with at least one appropriate security technique
     • Use the expected loss estimate to decide which controls, alone or in concert with others, are the most effective for a given situation
     • Example: risk of losing data
       • several controls, such as periodic backups, redundant data storage, access control to prevent unauthorised deletion, physical security against stealing disks, program development standards to limit the effect of programs on the data
       • Probably periodic backup may override redundant data storage on cost and operational considerations

  25. Cost of Applying Controls
     • Actual cost of a control includes
       • software purchase price
       • installation cost
       • training cost
     • Effective cost of a control = actual cost – the expected loss the control prevents (any expected loss from using the control, such as admin or maintenance costs, counts as cost)
     • e.g.:
       Cost to reconstruct data: $1M at 10% probability of loss = $100K
       Effectiveness of access control software: (say) 60% = $60K
       Cost of the access control software = $25K
       Expected annual cost due to loss and controls = (40 + 25) = $65K
       Effective cost of the control (100 – 65) = –$35K
     • Note that the effective cost of a control can be positive (when the control is expensive to administer or introduces new risks in another area) or negative (when the reduction in risk is greater than the cost of the control)
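The effective-cost arithmetic on slide 25 is the cost/benefit step of the RA procedure (slide 15), and slide 24 says the same figures decide between competing controls. The Python below is an added example, not code from the slides: it reproduces the $100K / $60K / $25K / –$35K worked figures and then ranks candidate controls by effective cost, with the slide's sign convention (negative means the control saves more than it costs). The `Control` class, the function names and the second "periodic backups" candidate with its $10K cost and 50% effectiveness are assumptions invented for the illustration; only the access-control figures come from the slide.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Control:
    """A candidate counter measure and what it costs to run for a year."""
    name: str
    annual_cost: float    # purchase + installation + training + admin, $ pa
    effectiveness: float  # fraction of the expected loss the control removes, 0..1


def ale(loss_if_occurs: float, probability_pa: float) -> float:
    """Annual Loss Expectancy of the uncontrolled risk, $ pa."""
    return loss_if_occurs * probability_pa


def residual_ale(ale_before: float, control: Control) -> float:
    """Expected loss that remains once the control is in place."""
    return ale_before * (1.0 - control.effectiveness)


def expected_annual_cost(ale_before: float, control: Control) -> float:
    """Residual loss plus the cost of the control: slide 25's (40 + 25) = $65K."""
    return residual_ale(ale_before, control) + control.annual_cost


def effective_cost(ale_before: float, control: Control) -> float:
    """Slide 25 sign convention: actual cost minus the expected loss avoided.
    Negative means the control saves more than it costs; positive means it
    costs more (or introduces more risk) than it prevents."""
    avoided = ale_before - residual_ale(ale_before, control)
    return control.annual_cost - avoided


def rank_controls(ale_before: float, controls):
    """Cost/benefit step: candidates ordered from best (most negative) effective cost."""
    scored = sorted(controls, key=lambda c: effective_cost(ale_before, c))
    return [(c.name, effective_cost(ale_before, c)) for c in scored]


# Constructed inputs, from the worked figures on slide 25:
DATA_LOSS_ALE = ale(1_000_000.0, 0.10)                               # $100K pa
ACCESS_CONTROL = Control("access control software", 25_000.0, 0.60)  # 60% effective, $25K
# A second candidate invented here (not on the slides) so the ranking has something to compare
PERIODIC_BACKUP = Control("periodic backups (hypothetical)", 10_000.0, 0.50)


if __name__ == "__main__":
    for name, ec in rank_controls(DATA_LOSS_ALE, [ACCESS_CONTROL, PERIODIC_BACKUP]):
        print(f"{name:40s} effective cost ${ec:>10,.0f} pa")
```

A positive effective cost is the signal the slide's note warns about: the control costs more to run than the loss it prevents, so it should not be justified on this risk alone. The ranking also has to be read in light of slide 24: a cheaper control that only partly overlaps another may still be worth applying in concert, which this single-risk arithmetic does not capture.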

  26. Convenience (services) = 1 / Security controls
     But controls are not inherently desirable; most of them cost money, impair function, reduce performance, degrade usability or maintainability, or some combination of these.

  27. Some Criticisms of Risk Analysis
     • Although many large organisations use RA, there are some criticisms of both the idea and the methods of RA
     • It may not appear sensible to talk of a probable loss of a specific number of dollars:
       • only when the loss occurs will we know how much it costs to fix, and bringing that cost to a one-year base is artificial
     • There is so much uncertainty in the method of calculation that any numerical figure is meaningless
     • However, Risk Management is seen as a valid undertaking, and using figures to attempt to quantify risk does give us an accountable basis for spending resources on controls

  28. Security Planning

  29. Security Plan
     • A document that describes how an organisation will address its security needs
     • As the needs of the organisation evolve, ongoing review and revision of the security plan is important
     • Everything we see is transient (Buddha)
     • Mission, Strategy, Tactics, Personnel, Environment can all change
     • An effective security plan is a living document

  30. Content of a Security Plan (1)
     • Policy
     • Current Situation
     • Requirements
     • Recommendations
     • Accountable Personnel
     • Plans and Schedules
     • Evaluation and Review

  31. Policy
     • Policy (what are we on about)
     • State goals
     • State responsibilities: who is responsible for what
     • State resources to be committed
     • To answer the question “Who can access What resources in What manner”

  32. Current Situation
     • Present the Risk Analysis and assumptions
     • May need the ‘latest’ status, including who is responsible for what
     • Comment on the status of current controls

  33. Requirements
     • What should be accomplished, not how to do it
     • We seek:
       • Completeness
       • Consistency
       • Correctness (as for all types of requirements analysis)

  34. Recommendations
     • From the Risk Analysis, at least consider:
       • greatest risk
       • largest potential loss
       • loss of greatest frequency
     • Identify controls
     • Comment on status of existing controls
       • which to maintain?
       • which to enhance?
