1 Oppliger: Ch. 15 Risk Management



Outline

• Introduction

• Formal risk analysis

• Alternative risk analysis approaches/technologies
  – Security scanning
  – Intrusion detection

• True or false? Risks are everywhere!

A new risk may be introduced (or triggered) by a solution.


Risk

• A risk is an expectation of loss.
  – Usually represented as the probability that a particular threat will exploit a particular vulnerability with a particular harmful result

• Risk = prob (T, V, R)

• Example:
  – Let T = “port scanning”
  – Let V = “No firewall exists between the public Internet and the private network”
  – Let R = “An unauthorized connection is established between a computer in the private network and a remote (potentially malicious) computer”

• Other examples of risk?


Risk Analysis

• Also known as risk assessment

• A systematic process that
  a) identifies valuable system resources and threats to those resources;
  b) quantifies loss exposures (i.e., loss potential) based on estimated frequencies and costs of occurrence;
  c) (optionally) recommends how to allocate resources to countermeasures so as to minimize total exposure

• A process that identifies risks and their respective potential cost (and countermeasures)


Risk Analysis (cont.)

• Example of risk analysis?
  – Let T = “port scanning”
  – Let V = “No firewall exists between the public Internet and the private network”
  – Let R = “An unauthorized connection is established between a computer in the private network and a remote (potentially malicious) computer”
  – Factors affecting the potential cost? Cost per incident, frequency of incident

• Other examples of risk analysis?

• Other definitions of risk analysis?
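As an added worked example (not from Oppliger or these slides), the (T, V, R) decomposition and steps a) to c) of risk analysis carried through in Python: each risk's loss exposure is its estimated frequency times its cost per incident, and a simple greedy allocation (my choice of method, not the chapter's) picks countermeasures whose reduction in exposure exceeds their cost within a budget. The risk register, the countermeasures and every figure are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Risk:
    threat: str                 # T: what the adversary does
    vulnerability: str          # V: the weakness that T exploits
    result: str                 # R: the harmful outcome
    incidents_per_year: float   # estimated frequency of occurrence
    cost_per_incident: float    # estimated cost of one occurrence

    def loss_exposure(self) -> float:
        # Step b: annual loss potential = frequency x cost per incident
        return self.incidents_per_year * self.cost_per_incident

@dataclass(frozen=True)
class Countermeasure:
    name: str
    annual_cost: float
    mitigates: str              # the threat T it acts on
    frequency_reduction: float  # fraction of incidents it prevents (0..1)

def total_exposure(risks, chosen=()):
    """Sum of loss exposures once the chosen countermeasures are applied."""
    total = 0.0
    for r in risks:
        keep = 1.0
        for c in (c for c in chosen if c.mitigates == r.threat):
            keep *= 1.0 - c.frequency_reduction
        total += r.loss_exposure() * keep
    return total

def allocate(risks, candidates, budget):
    """Step c (greedy): add the affordable countermeasure with the best net gain until none pays off."""
    chosen, remaining, spent = [], list(candidates), 0.0
    while True:
        base, best, best_gain = total_exposure(risks, chosen), None, 0.0
        for c in (c for c in remaining if spent + c.annual_cost <= budget):
            gain = base - total_exposure(risks, chosen + [c]) - c.annual_cost
            if gain > best_gain:
                best, best_gain = c, gain
        if best is None:   # returns (chosen list, residual exposure + money spent)
            return chosen, total_exposure(risks, chosen) + spent
        chosen.append(best); remaining.remove(best); spent += best.annual_cost

# Constructed sample register (the slides' T/V/R example plus one more); every figure is illustrative.
RISKS = [Risk("port scanning", "no firewall", "unauthorized inbound connection", 12.0, 2_000.0),
         Risk("phishing", "no mail filtering", "credential theft", 4.0, 15_000.0)]
CANDIDATES = [Countermeasure("perimeter firewall", 5_000.0, "port scanning", 0.9),
              Countermeasure("mail filter", 20_000.0, "phishing", 0.5),
              Countermeasure("IDS sensor", 8_000.0, "port scanning", 0.5)]
```

With a 30,000 budget the firewall and the mail filter are selected and the IDS sensor is not, because after the firewall it would save less than it costs; lowering the budget to 10,000 leaves only the firewall.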


Risk Analysis (cont.)

• Other definitions of risk analysis?
  – Risk analysis (in business) is a technique to identify and assess factors that may jeopardize the success of a project or achieving a goal.
    Source: http://en.wikipedia.org/wiki/Risk_analysis_(Business)
  – Risk analysis (in engineering) is the science of risks and their probability and evaluation.
    Source: http://en.wikipedia.org/wiki/Risk_analysis_(engineering)

cf. risks with respect to project failure; risks with respect to a system being breached; other risks?


Risk Management

• A process of identifying, controlling, and eliminating or minimizing uncertain events that may affect system resources

• Threat model
  – The attackers (who)
  – The attacks (how)
  – The resources (what)
  – …


Formal Risk Analysis

• A formal process/tool(s) for performing risk analysis

• Examples:
  – British CCTA’s CRAMM (CCTA Risk Analysis & Management Methodology)
  – French CLUSIF’s MARION

• Steps:
  – Establish an inventory of all assets
  – Quantify loss exposures based on estimated frequencies and costs of occurrence

• Quantitative risk analysis is complex!

• It’s difficult to quantify (due to complexities and lack of models).


Qualitative risk analysis

• Differs from formal/quantitative risk analysis in the quantification step

• Qualitative risk analysis only identifies the existence of risks, but does not try to quantify the estimated frequency and the costs of occurrence in order to calculate the loss potential.

• Examples:
  – A Web site connected to the Internet could be hacked.
  – A computer connected to the Internet is subject to port scanning.

Note: The definition may be arguable. See http://www.anticlue.net/archives/000817.htm, for example: the qualitative risk analysis outlined in that article includes a quantification step.


Other approaches to risk analysis

• Security scanning
  – The process of performing vulnerability analyses using a security scanner.
  – Security scanner: a tool that scans the system to identify vulnerabilities

• Intrusion detection
  – The process of identifying and responding to intrusions to a system.
  – An intrusion is “a sequence of related actions by a malicious adversary that results in the occurrence of unauthorized security threats …”
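As an added example that is not part of the slides, the identification half of the intrusion detection process applied to the page's running threat, port scanning: a small detector parses constructed firewall log lines and flags a source that contacts many distinct ports on one host within a short window. The log format, the IP addresses (documentation ranges) and the thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed firewall log excerpt (documentation IP ranges, no real traffic); the format is an assumption.
LOG_LINES = """\
2024-05-01T10:00:00 SRC=203.0.113.5 DST=192.0.2.10 DPT=21 PROTO=TCP
2024-05-01T10:00:01 SRC=203.0.113.5 DST=192.0.2.10 DPT=22 PROTO=TCP
2024-05-01T10:00:01 SRC=203.0.113.5 DST=192.0.2.10 DPT=23 PROTO=TCP
2024-05-01T10:00:02 SRC=203.0.113.5 DST=192.0.2.10 DPT=25 PROTO=TCP
2024-05-01T10:00:02 SRC=203.0.113.5 DST=192.0.2.10 DPT=80 PROTO=TCP
2024-05-01T10:00:03 SRC=203.0.113.5 DST=192.0.2.10 DPT=443 PROTO=TCP
2024-05-01T10:00:05 SRC=198.51.100.7 DST=192.0.2.10 DPT=443 PROTO=TCP
2024-05-01T10:01:00 SRC=198.51.100.9 DST=192.0.2.10 DPT=22 PROTO=TCP
2024-05-01T10:04:00 SRC=198.51.100.9 DST=192.0.2.10 DPT=25 PROTO=TCP
2024-05-01T10:07:00 SRC=198.51.100.9 DST=192.0.2.10 DPT=80 PROTO=TCP
2024-05-01T10:10:00 SRC=198.51.100.9 DST=192.0.2.10 DPT=110 PROTO=TCP
2024-05-01T10:13:00 SRC=198.51.100.9 DST=192.0.2.10 DPT=143 PROTO=TCP
malformed line that the parser must skip
""".splitlines()

LINE_RE = re.compile(r"^(\S+) SRC=(\S+) DST=(\S+) DPT=(\d+)")

def parse(line):
    """Return (timestamp, src, dst, port) for a well-formed line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, src, dst, port = m.groups()
    return datetime.fromisoformat(ts), src, dst, int(port)

def detect_port_scans(lines, min_ports=5, window_s=60):
    """Flag (src, dst) pairs that touch >= min_ports distinct ports within any window_s-second span."""
    events = defaultdict(list)            # (src, dst) -> [(timestamp, port), ...]
    for line in lines:
        if rec := parse(line):
            ts, src, dst, port = rec
            events[(src, dst)].append((ts, port))
    alerts = []
    for (src, dst), recs in events.items():
        recs.sort()
        start, best = 0, 0
        for end in range(len(recs)):      # slide the window's start forward
            while (recs[end][0] - recs[start][0]).total_seconds() > window_s:
                start += 1
            best = max(best, len({p for _, p in recs[start:end + 1]}))
        if best >= min_ports:
            alerts.append((src, dst, best))
    return alerts
```

With the default 60-second window only the fast scanner is flagged; the slow source that spreads five ports over twelve minutes is only caught when the window is widened, which is the usual trade-off between sensitivity and false positives in such detectors.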


The Network Security Process Model
