
Post on 19-Dec-2015


Risk

CST 481/598

Many thanks to Jeni Li

Risk

Potential negative impact to an asset
Probability of a loss
A function of three variables:
  The probability of a threat
  The probability that an exploitable vulnerability exists
  The potential impact
A measurable quantity

Types of Risk

Technical
Information security
Business
Where it is measured
How it is measured
Who cares (the stakeholders): regulatory requirements, corporate governance
CIA: Confidentiality, Integrity, Availability

Asset

"An asset is a resource controlled by the enterprise as a result of past events and from which future economic benefits are expected to flow to the enterprise."

In other words, the stuff that has value to your company and to its ability to conduct its business operations

Asset (examples)

Information: customer records, sales leads, intellectual property, business transaction records
Systems: workstations, servers, network infrastructure
People: staff, clientele
Products (may be outside our scope)

Impact

The magnitude of a potential loss
The seriousness of an event

Vulnerability

A weakness that gives a threat the opportunity to be realized

Examples:
  Operating system vulnerabilities
  Exploitable web applications
  Staff members susceptible to social engineering
  A server room located directly below the bathrooms?

Threat

A possible danger that might exploit a vulnerability

Anything that could cause harm to your assets

May be accidental or intentional

Types of threats

Accidental
  Natural disasters: earthquake, fire, flood, lightning
  True accidents: unintentional misuse or damage by employees
  Other unintended threats: power grid outage

Types of threats

Intentional (aka malicious): caused by a threat agent
  Examples: corporate espionage, terrorist attack, hacktivism

Threat agent

An individual or group that will implement the threat. Needs the following factors:
  Motivation: why does the attacker want to attack?
  Capability: skills and resources
  Opportunity: physical or electronic access to the target
  Catalyst: something that causes the attacker to act

Types of threat agents

Nation state sponsored
Terrorist
Pressure (activist) group
Commercial organization
Criminal group
Hacker group
Disgruntled insider

Threat vector

The path or tool used by a threat agent

Examples:
  Spam, instant messaging, a specific worm
  Sniffer, keystroke logger, dumpster diving
  Pipe bomb, truck bomb

Threat inhibitors

Factors that influence the threat agent not to carry out the attack against the target

Threat amplifiers

Factors that encourage the threat agent to carry out the attack against the target

Controls

Measures taken to eliminate or mitigate risk

Examples:
  Physical security (e.g., locks, barriers)
  Personnel security (e.g., background checks, training)
  Procedural security (e.g., policies and other documents)
  Technical security (hardware, software)

Must be cost-effective
Sometimes the best control is no control at all (when a control would cost more than the loss it prevents, retaining the risk is the rational choice)

The general process

Identification
Assessment
Treatment plan development
Implementation
Review/evaluation

Identification

Assets
Vulnerabilities
Threats
Threat vectors
Threat agents

Assessment

Estimate or measure the risk
Can be qualitative or quantitative
  Qualitative is good for comparing risks
  Quantitative is good for determining ROI

risk = (probability of event) x (impact of event)

Australian standard technical risk assessment

EC: adequacy of existing controls, 1 (excellent) to 7 (none)
L: likelihood of the risk occurring, 1 (may never occur) to 5 (is expected to occur)
I: impact/consequence, 1 (minimal to no impact) to 5 (total destruction)

Risk = (7*EC + 3*L + 4*I)/84

The divisor normalizes the score: the worst case EC=7, L=5, I=5 gives 49 + 15 + 20 = 84, a risk of 1.0, and the best case EC=1, L=1, I=1 gives 14/84, about 0.17. Existing controls carry the largest weight, so an unmitigated moderate risk can outscore a well-controlled severe one.

Cost Effectiveness Analysis

Asset value (AV)
Exposure factor (EF)
Single loss expectancy (SLE)
Annualized rate of occurrence (ARO)
Annualized loss expectancy (ALE)

Estimate

Asset value (AV): what is it worth to you? Tangible and intangible. If we lost this asset, we would lose $...

Exposure factor (EF): how bad would it be? The percentage of the asset's value lost in a single occurrence of the threat, 0 to 100%

Annualized rate of occurrence (ARO): how many times per year could it happen? Once in 5 years = 1/5 = 0.2

Calculate

Single loss expectancy SLE = AV x EF

Annualized loss expectancy ALE = ARO x SLE

Compare

ALE before the safeguard/control (ALEb)
ALE after the safeguard/control (ALEa)
Cost to deploy the safeguard/control

Value of safeguard = ALEb - ALEa - Cost

Careful how you define those costs! ALE is a per-year figure, so the cost must be one too: spread a one-off purchase price over the control's expected lifetime and add its yearly operating cost, otherwise the subtraction mixes units and overstates or understates the control's value.
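The two calculations on the preceding slides (the weighted EC/L/I score and the AV, EF, SLE, ARO, ALE cost-effectiveness comparison) carried through in working code. This is an added example, not code from the lecture; the scenario figures and the candidate controls are constructed, and treating a control's cost as a per-year amount (capital cost spread over its lifetime plus yearly operating cost) is my assumption about how to honour "careful how you define those costs", not something the slides spell out.

```python
"""Quantitative risk arithmetic from the slides.

Added example, not code from the original lecture. Covers the Australian-
standard style score (7*EC + 3*L + 4*I)/84 and the AV/EF/SLE/ARO/ALE
comparison of safeguards. Scenario figures are constructed; expressing a
safeguard's cost per year (capital cost over lifetime plus annual opex) is an
assumption, not something the slides state.
"""
from dataclasses import dataclass


def tech_risk_score(ec: int, likelihood: int, impact: int) -> float:
    """Risk = (7*EC + 3*L + 4*I)/84 on the slide's scales:
    EC 1 (excellent controls)..7 (none), L 1..5, I 1..5.
    The divisor is the worst case 7*7 + 3*5 + 4*5, so scores lie in 14/84..1.0."""
    if not 1 <= ec <= 7:
        raise ValueError("EC must be 1..7")
    if not 1 <= likelihood <= 5:
        raise ValueError("L must be 1..5")
    if not 1 <= impact <= 5:
        raise ValueError("I must be 1..5")
    return (7 * ec + 3 * likelihood + 4 * impact) / 84


def sle(asset_value: float, exposure_factor: float) -> float:
    """Single loss expectancy = AV x EF; EF is a fraction 0..1, not a percent."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("EF must be between 0 and 1")
    return asset_value * exposure_factor


def ale(aro: float, single_loss: float) -> float:
    """Annualized loss expectancy = ARO x SLE; 'once in 5 years' is ARO 0.2."""
    if aro < 0:
        raise ValueError("ARO cannot be negative")
    return aro * single_loss


@dataclass(frozen=True)
class Safeguard:
    """A candidate control and its effect on the scenario (constructed fields)."""
    name: str
    aro_after: float        # ARO once the control is in place
    ef_after: float         # EF once the control is in place
    capital_cost: float     # one-off purchase and deployment cost
    lifetime_years: float   # years over which that one-off cost is spread
    annual_opex: float      # licences, staff time, maintenance per year

    def annual_cost(self) -> float:
        # Assumption: express cost per year so it is in the same units as ALE.
        if self.lifetime_years <= 0:
            raise ValueError("lifetime must be positive")
        return self.capital_cost / self.lifetime_years + self.annual_opex


def safeguard_value(asset_value: float, ef_before: float, aro_before: float,
                    sg: Safeguard) -> float:
    """ALEb - ALEa - Cost: positive means the control pays for itself."""
    ale_before = ale(aro_before, sle(asset_value, ef_before))
    ale_after = ale(sg.aro_after, sle(asset_value, sg.ef_after))
    return ale_before - ale_after - sg.annual_cost()


def rank_safeguards(asset_value: float, ef_before: float, aro_before: float,
                    candidates: list[Safeguard]) -> list[tuple[str, float]]:
    """(name, value) pairs, best first. A 'no control' entry worth 0 is always
    included, so it comes out on top when every control costs more than it
    saves (the slide's 'sometimes the best control is no control at all')."""
    scored = [("no control", 0.0)]
    scored += [(sg.name, safeguard_value(asset_value, ef_before, aro_before, sg))
               for sg in candidates]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


# Constructed scenario: a customer-records database valued at $500,000; a
# breach is expected once every 5 years and destroys 40% of that value.
AV, EF, ARO = 500_000.0, 0.40, 1 / 5
CANDIDATES = [
    Safeguard("encrypt at rest", aro_after=0.2, ef_after=0.10,
              capital_cost=30_000, lifetime_years=3, annual_opex=5_000),
    Safeguard("24x7 SOC", aro_after=0.1, ef_after=0.20,
              capital_cost=0, lifetime_years=1, annual_opex=250_000),
]

if __name__ == "__main__":
    print("baseline ALE:", ale(ARO, sle(AV, EF)))
    for name, value in rank_safeguards(AV, EF, ARO, CANDIDATES):
        print(f"{name:16s} {value:>12,.0f}")
    print("score for EC=5, L=3, I=4:", round(tech_risk_score(5, 3, 4), 3))
```

With these constructed inputs the baseline ALE is $40,000 a year; encryption at rest nets $15,000 a year after its annualized cost, while the outsourced SOC, which cuts the same loss, costs far more than it saves and ranks below doing nothing. The same SOC would rank first if its yearly fee were mistakenly compared as a one-off, which is the unit error the slide warns about.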

Risk treatment plan

How will you handle each risk?
  Avoidance (get out of the business)
  Mitigation (apply a safeguard/control)
  Retention (live with it)
  Transfer (buy insurance)

Other approaches exist

Multi-Attribute Risk Assessment
Security Attribute Evaluation Method
Monte Carlo analysis
CCTA Risk Analysis and Management Method (CRAMM)
Enterprise risk management
... and so on

What’s important about each asset?

Confidentiality Integrity Availability Non-repudiability

Infosec Assessment Method(ology)

Uses the CIA model
Identify information assets
Build an information criticality matrix
Identify systems
Build a systems criticality matrix
Determine the most critical systems
Identify safeguards/controls
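The two matrices from the Infosec Assessment Method steps above, built in code. This is an added example, not part of the lecture: each information asset is rated L/M/H for confidentiality, integrity, availability and non-repudiation, and each system's row is derived from the assets it stores or processes. The asset list, the ratings, the system-to-asset mapping and the roll-up rule (a system inherits the highest rating of any asset it carries) are all constructed assumptions for illustration.

```python
"""Information and systems criticality matrices for the Infosec Assessment
Method slide.

Added example, not from the lecture. The ratings, the system-to-asset
mapping and the roll-up rule (a system inherits the highest rating of any
asset it carries) are constructed assumptions.
"""

LEVELS = {"L": 1, "M": 2, "H": 3}
ATTRS = ("C", "I", "A", "N")  # confidentiality, integrity, availability, non-repudiation


def rate(c: str, i: str, a: str, n: str = "L") -> dict[str, str]:
    """One row of the information criticality matrix, validated against LEVELS."""
    row = {"C": c, "I": i, "A": a, "N": n}
    for attr, level in row.items():
        if level not in LEVELS:
            raise ValueError(f"{attr}: rating must be one of {sorted(LEVELS)}")
    return row


# Information criticality matrix (constructed ratings for the slide's examples)
INFO_MATRIX = {
    "customer records":      rate("H", "H", "M", "L"),
    "sales leads":           rate("M", "M", "L", "L"),
    "intellectual property": rate("H", "H", "L", "L"),
    "transaction records":   rate("M", "H", "H", "H"),
}

# Which systems store or process which assets (constructed mapping)
SYSTEM_ASSETS = {
    "crm-db":          ["customer records", "sales leads"],
    "file-server":     ["intellectual property"],
    "payment-gateway": ["transaction records", "customer records"],
    "print-server":    [],
}


def systems_matrix(info: dict[str, dict[str, str]],
                   sys_assets: dict[str, list[str]]) -> dict[str, dict[str, str]]:
    """Systems criticality matrix: per attribute, the highest rating among the
    assets the system carries. A system with no rated assets scores L across
    the board; an asset missing from the information matrix is an error rather
    than a silently ignored gap, since that is exactly the inventory hole an
    assessment is meant to find."""
    out = {}
    for system, assets in sys_assets.items():
        row = {attr: "L" for attr in ATTRS}
        for asset in assets:
            if asset not in info:
                raise ValueError(f"{system}: unrated asset {asset!r}")
            for attr in ATTRS:
                if LEVELS[info[asset][attr]] > LEVELS[row[attr]]:
                    row[attr] = info[asset][attr]
        out[system] = row
    return out


def criticality(row: dict[str, str]) -> int:
    """Simple total used only to order systems (4 = all L, 12 = all H)."""
    return sum(LEVELS[row[attr]] for attr in ATTRS)


def most_critical(matrix: dict[str, dict[str, str]]) -> list[tuple[str, int]]:
    """Systems ordered most critical first; ties broken by name."""
    return sorted(((s, criticality(r)) for s, r in matrix.items()),
                  key=lambda pair: (-pair[1], pair[0]))


if __name__ == "__main__":
    sm = systems_matrix(INFO_MATRIX, SYSTEM_ASSETS)
    print("system           C I A N  total")
    for system, total in most_critical(sm):
        r = sm[system]
        print(f"{system:16s} {r['C']} {r['I']} {r['A']} {r['N']}  {total}")
```

The payment gateway comes out on top because it carries transaction records (high integrity, availability and non-repudiation needs) together with customer records (high confidentiality), so it is high on every attribute even though no single asset is. That inheritance is the point of the systems matrix: controls are chosen per system, and a system is only as uncritical as the most critical thing it holds.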