CST 481/598 Many thanks to Jeni Li. Potential negative impact to an asset Probability of a loss A...
Posted 19-Dec-2015
Risk
CST 481/598
Many thanks to Jeni Li
Risk
Potential negative impact to an asset
Probability of a loss
A function of three variables:
o The probability of a threat
o The probability of a vulnerability
o The potential impact
A measurable quantity
Types of Risk
o Technical
o Information Security
o Business
o Where measured
o How measured
o Who cares – stakeholders, regulatory requirements, corporate governance
o CIA – Confidentiality, Integrity, Availability
Asset
"An asset is a resource controlled by the enterprise as a result of past events and from which future economic benefits are expected to flow to the enterprise."
In other words, the stuff that has value to your company and its ability to conduct its business operations
Asset (examples)
Information: customer records, sales leads, intellectual property, business transaction records
Systems: workstations, servers, network infrastructure
People: staff, clientele
Products (may be outside our scope)
Impact
The magnitude of a potential loss
The seriousness of an event
Vulnerability
A weakness that provides the opportunity for a threat to occur
Examples:
o Operating system vulnerabilities
o Exploitable Web applications
o Staff members susceptible to social engineering
o Server room located directly below the bathrooms?
Threat
A possible danger that might exploit a vulnerability
Anything that could cause harm to your assets
May be accidental or intentional
Types of threats
Accidental
o Natural disasters: earthquake, fire, flood, lightning
o True accidents: unintentional misuse or damage by employees
o Other unintended threats: power grid outage
Types of threats
Intentional (aka malicious): caused by a threat agent
Examples: corporate espionage, terrorist attack, hacktivism
Threat agent
An individual or group that will implement the threat. Needs the following factors:
o Motivation: why does the attacker want to attack?
o Capability: skills and resources
o Opportunity: physical or electronic access to the target
o Catalyst: something that causes the attacker to act
Types of threat agents
o Nation state sponsored
o Terrorist
o Pressure (activist) group
o Commercial organization
o Criminal group
o Hacker group
o Disgruntled insider
Threat vector
The path or tool used by a threat agent
Examples:
o Spam, instant messaging, a specific worm
o Sniffer, keystroke logger, dumpster diving
o Pipe bomb, truck bomb
Threat inhibitors
Factors that influence the threat agent not to carry out the attack against the target
Threat amplifiers
Factors that encourage the threat agent to carry out the attack against the target
Controls
Measures taken to eliminate or mitigate risk
Examples:
o Physical security (e.g., locks, barriers)
o Personnel security (e.g., background checks, training)
o Procedural security (e.g., policies/other documents)
o Technical security (hardware, software)
Must be cost-effective
Sometimes the best control is no control at all
The general process
o Identification
o Assessment
o Treatment plan development
o Implementation
o Review/evaluation
Identification
o Assets
o Vulnerabilities
o Threats
o Threat vectors
o Threat agents
Assessment
Estimate or measure the risk
Can be qualitative or quantitative
o Qualitative is good for comparing risks
o Quantitative is good for determining ROI
(probability of event) x (impact of event) = risk
Australian standard technical risk assessment
EC: Adequacy of Existing Controls, 1 (excellent) to 7 (none)
L: Likelihood of the Risk Occurring, 1 (may never occur) to 5 (is expected to occur)
I: Impact/Consequence, 1 (minimal to no impact) to 5 (total destruction)
Risk = (7*EC + 3*L + 4*I)/84
Cost Effectiveness Analysis
o Asset value (AV)
o Exposure factor (EF)
o Single loss expectancy (SLE)
o Annualized rate of occurrence (ARO)
o Annualized loss expectancy (ALE)
Estimate
Asset value: what's it worth to you? Tangible and intangible. If we lost this asset, we would lose $...
Exposure factor: how bad would it be? Percentage of asset loss caused by a threat, 0 to 100%
Annualized rate of occurrence: how many times per year could it happen? Once in 5 years = 1/5
Calculate
Single loss expectancy: SLE = AV x EF
Annualized loss expectancy: ALE = ARO x SLE
Compare
o ALE before safeguard/control (ALEb)
o ALE after safeguard/control (ALEa)
o Cost to deploy safeguard/control
ALEb – ALEa – Cost = Value of safeguard
Careful how you define those costs!
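The two calculations above, the Australian-standard technical risk score and the SLE/ALE cost-effectiveness comparison, worked through as an added example (not part of the course slides). The asset, exposure factor, rates and control cost are constructed values chosen to show a safeguard whose ALE reduction more than covers its annual cost.

```python
from dataclasses import dataclass


def technical_risk_score(ec: int, l: int, i: int) -> float:
    """Australian-standard score from the slides: EC 1..7 (1 = excellent
    controls, 7 = none), L 1..5 (likelihood), I 1..5 (impact).
    The weights 7, 3, 4 sum to 84 at the maxima, so the result is 0..1."""
    if not (1 <= ec <= 7 and 1 <= l <= 5 and 1 <= i <= 5):
        raise ValueError("EC must be 1..7, L and I must be 1..5")
    return (7 * ec + 3 * l + 4 * i) / 84


@dataclass
class Scenario:
    name: str
    asset_value: float      # AV, in currency units
    exposure_factor: float  # EF, fraction of the asset lost per event (0..1)
    aro: float              # annualized rate of occurrence (events per year)

    def sle(self) -> float:
        """Single loss expectancy: SLE = AV x EF."""
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annualized loss expectancy: ALE = ARO x SLE."""
        return self.aro * self.sle()


def safeguard_value(before: Scenario, after: Scenario, annual_cost: float) -> float:
    """ALEb - ALEa - Cost; positive means the control pays for itself."""
    return before.ale() - after.ale() - annual_cost


# Constructed scenario: a customer database valued at 500,000. A breach
# destroys 40% of its value and is expected once in 5 years with no controls.
before = Scenario("customer DB, no controls", 500_000, 0.40, 1 / 5)
# Hypothetical control: encryption at rest plus monitoring reduces EF to 10%
# and the rate to once in 10 years, at an assumed 15,000 per year.
after = Scenario("customer DB, encrypted + monitored", 500_000, 0.10, 1 / 10)

if __name__ == "__main__":
    print(f"SLE before {before.sle():,.0f}, ALE before {before.ale():,.0f}")
    print(f"SLE after  {after.sle():,.0f}, ALE after  {after.ale():,.0f}")
    print(f"Safeguard value: {safeguard_value(before, after, 15_000):,.0f}")
    print(f"Technical score (EC=6, L=3, I=4): {technical_risk_score(6, 3, 4):.2f}")
```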
Risk treatment plan
How will you handle each risk?
o Avoidance (get out of the business)
o Mitigation (apply a safeguard/control)
o Retention (live with it)
o Transfer (buy insurance)
Other approaches exist
o Multi-Attribute Risk Assessment
o Security Attribute Evaluation Method
o Monte Carlo analysis
o CCTA Risk Analysis/Management Method (CRAMM)
o Enterprise risk management
… and so on
What’s important about each asset?
o Confidentiality
o Integrity
o Availability
o Non-repudiability
Infosec Assessment Method(ology)
Uses the CIA model
o Identify information assets
o Build an information criticality matrix
o Identify systems
o Build a systems criticality matrix
o Determine most critical systems
o Identify safeguards/controls
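The information and systems criticality matrices above, built in code as an added example (not from the course). The assets, systems and High/Medium/Low ratings are constructed; the rule that a system inherits the highest rating of any asset it hosts is an assumption about how the slides' "systems criticality matrix" is derived.

```python
# Rating levels for each CIA attribute, ordered so they can be compared.
LEVELS = {"L": 1, "M": 2, "H": 3}
ATTRIBUTES = ("confidentiality", "integrity", "availability")

# Constructed information criticality matrix: asset -> C, I, A rating.
information_matrix = {
    "customer records":      {"confidentiality": "H", "integrity": "H", "availability": "M"},
    "sales leads":           {"confidentiality": "M", "integrity": "M", "availability": "L"},
    "intellectual property": {"confidentiality": "H", "integrity": "M", "availability": "L"},
    "transaction records":   {"confidentiality": "M", "integrity": "H", "availability": "H"},
}

# Constructed mapping of systems to the information assets they store or process.
systems = {
    "crm-server": ["customer records", "sales leads"],
    "file-share": ["intellectual property"],
    "erp-server": ["transaction records", "customer records"],
    "dev-workstation": ["intellectual property"],
}


def systems_criticality(info: dict, sys_map: dict) -> dict:
    """Systems criticality matrix: for each system and attribute, take the
    highest rating among the assets hosted (assumed derivation rule)."""
    matrix = {}
    for system, assets in sys_map.items():
        matrix[system] = {
            attr: max((info[a][attr] for a in assets), key=LEVELS.__getitem__)
            for attr in ATTRIBUTES
        }
    return matrix


def rank_systems(sys_matrix: dict) -> list:
    """Most critical systems first, by total C+I+A score."""
    def score(system: str) -> int:
        return sum(LEVELS[sys_matrix[system][a]] for a in ATTRIBUTES)
    return sorted(sys_matrix, key=score, reverse=True)


if __name__ == "__main__":
    sm = systems_criticality(information_matrix, systems)
    for s in rank_systems(sm):
        print(f"{s:16} C={sm[s]['confidentiality']} I={sm[s]['integrity']} A={sm[s]['availability']}")
```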