Security Risk Assessment I
Ketil Stølen, Universitetet i Oslo
Overview of today
- What is security?
- What is risk?
- What is risk management?
- What is the relationship to cyber security?
- What is CORAS?
What is Security Risk Assessment?
Security risk assessment is a specialized form of risk assessment focusing on security risks
What is Security?
Security is made up of four properties:
- Confidentiality: only authorised actors have access to information
- Integrity: only authorised actors can change, create or delete information
- Availability: authorised actors have access to the information they need when they need it
- Accountability: it is possible to audit the sequence of events in the system
Security is more than Technology
- What good is security if no one can use the systems?
- Requires more than technical understanding
- Incidents are often of non-technical origin
- Requires a uniform description of the whole: the system, how it is used, the surrounding organisation, etc.
Security should not be an "afterthought"
- Security issues solved in isolation
- Costly redesign
- Security not completely integrated
What is Risk?
There are many kinds of risk:
- Contractual risk
- Economic risk
- Operational risk
- Environmental risk
- Health risk
- Political risk
- Legal risk
- Security risk
Definition of Risk from ISO 31000
Risk: effect of uncertainty on objectives
- NOTE 1 An effect is a deviation from the expected, positive and/or negative.
- NOTE 2 Objectives can have different aspects (such as financial, health and safety, and environmental goals) and can apply at different levels (such as strategic, organization-wide, project, product and process).
- NOTE 3 Risk is often characterized by reference to potential events and consequences, or a combination of these.
- NOTE 4 Risk is often expressed in terms of a combination of the consequences of an event (including changes in circumstances) and the associated likelihood of occurrence.
- NOTE 5 Uncertainty is the state, even partial, of deficiency of information related to, understanding or knowledge of, an event, its consequence, or likelihood.
What is Risk Management?
Risk management: coordinated activities to direct and control an organization with regard to risk
[Figure: the ISO 31000 risk management process. Establish the context, then Identify risks, Estimate risks and Evaluate risks (these three together form Risk assessment), then Treat risks. Communicate and consult, and Monitor and review, run alongside all of the steps.]
Risk Assessment Involves
- Determining what can happen, why and how
- Systematic use of available information to determine the level of risk
- Prioritization by comparing the level of risk against predetermined criteria
- Selection and implementation of appropriate options for dealing with risk (in the ISO 31000 process this last activity is risk treatment, the step that follows risk assessment)
[Figure: the ISO 31000 risk management process diagram, repeated from the previous slide.]
Terms
[Figure: how the terms relate. A threat exploits a vulnerability to harm an asset; this constitutes a risk. There is a need to introduce risk treatment, which results in a reduced risk.]
Terms (example)
[Figure: a worked example of the terms. Threat: a worm arriving from the Internet. Vulnerability (marked V): a computer running Outlook. Unwanted incident: infected PC. Risk: the PC is infected twice per year (likelihood) and infected mail is sent to all contacts (consequence). Treatment: install a virus scanner.]
Cyberspace, Cybersecurity and Cyber-risk
What is new with "cyber"?
Cyberspace
The term cyberspace first appeared in science fiction: William Gibson coined it in the 1982 short story "Burning Chrome" and popularised it in his 1984 novel Neuromancer.
Cyber-system
Cyber-physical system
Summary
Cybersecurity
Cyber-risk
Summary
Security Risk Assessment Using CORAS
Overview
- What is CORAS?
- Main concepts
- Process of eight steps
- Risk modeling
- Semantics
- Calculus
- Tool support
- Further reading
The CORAS Method
- Asset-driven defensive risk analysis method
- Operationalization of the ISO 31000 and ISO 27005 risk analysis process in 8 steps
- Detailed guidelines explaining how to conduct each step in practice
- Modeling guidelines for how to use the CORAS language
The 8 Steps of the CORAS Method
[Figure: the eight steps grouped into three phases, Establish context, Assess risk and Treat risk. As described in chapter 3 of the mandatory reading, the steps are: 1. Preparations for the analysis; 2. Customer presentation of the target; 3. Refining the target description using asset diagrams; 4. Approval of the target description (steps 1-4 establish the context); 5. Risk identification using threat diagrams; 6. Risk estimation using threat diagrams; 7. Risk evaluation using risk diagrams (steps 5-7 assess risk); 8. Risk treatment using treatment diagrams (step 8 treats risk).]
Main Concepts
- Asset
- Vulnerability
- Threat
- Consequence
- Unwanted incident
- Likelihood
- Risk
- Party
- Treatment
Definitions
- Asset: Something to which a party assigns value and hence for which the party requires protection
- Consequence: The impact of an unwanted incident on an asset in terms of harm or reduced asset value
- Likelihood: The frequency or probability of something to occur
- Party: An organization, company, person, group or other body on whose behalf a risk analysis is conducted
- Risk: The likelihood of an unwanted incident and its consequence for a specific asset
- Risk level: The level or value of a risk as derived from its likelihood and consequence
- Threat: A potential cause of an unwanted incident
- Treatment: An appropriate measure to reduce risk level
- Unwanted incident: An event that harms or reduces the value of an asset
- Vulnerability: A weakness, flaw or deficiency that opens for, or may be exploited by, a threat to cause harm to or reduce the value of an asset
Risk Modeling
The CORAS language consists of five kinds of diagrams:
- Asset diagrams
- Threat diagrams
- Risk diagrams
- Treatment diagrams
- Treatment overview diagrams
Each kind supports concrete steps in the risk analysis process.
In addition there are three kinds of diagrams for specific needs:
- High-level CORAS diagrams
- Dependent CORAS diagrams
- Legal CORAS diagrams
Example: Threat Diagram
[Figure: a CORAS threat diagram. Elements: Computer virus (threat); Virus protection not up to date (vulnerability); Server is infected by computer virus [possible] (threat scenario); Server goes down [unlikely] (unwanted incident); Virus creates back door to server [possible] (threat scenario); Hacker (threat); Hacker gets access to server [unlikely] (unwanted incident); and the assets Availability of server, Integrity of server and Confidentiality of information. Two leads-to relations are annotated with conditional likelihoods, 0.2 and 0.1. The legend names the notation: Vulnerability, Threat, Threat scenario, Unwanted incident, Asset, Likelihood, Consequence.]
Semantics
How to interpret and understand a CORAS diagram? Users need a precise and unambiguous explanation of the meaning of a given diagram.
- Natural language semantics: CORAS comes with rules for systematic translation of any diagram into sentences in English
- Formal semantics
Example
Elements
- Computer virus is a non-human threat.
- Virus protection not up to date is a vulnerability.
- Threat scenario Server is infected by computer virus occurs with likelihood possible.
- Unwanted incident Server goes down occurs with likelihood unlikely.
- Availability of server is an asset.
Relations
- Computer virus exploits vulnerability Virus protection not up to date to initiate Server is infected by computer virus with undefined likelihood.
- Server is infected by computer virus leads to Server goes down with conditional likelihood 0.2.
- Server goes down impacts Availability of server with consequence high.
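The following is an added example, not code from the slides, the CORAS book or the CORAS tool. It holds the threat diagram of the previous slides as data, produces the English reading of every element and relation in the form shown above, and applies the leads-to rule of the CORAS likelihood calculus (a target's likelihood is the source's likelihood scaled by the conditional likelihood on the relation) to check that the declared qualitative likelihoods are consistent with the derived frequency intervals, before reading a risk level off a risk matrix. The five-value likelihood scale and its frequency intervals, the three-value consequence scale, the risk matrix, the Hacker's initiates relation, the placement of the 0.1 conditional likelihood and the consequences of the hacker incident are all assumptions made for this example; the slides give only the values visible on the diagram.

```python
"""Added example (not code from the slides, the CORAS book or the CORAS tool): a
CORAS-style threat diagram held as data, translated into English sentences, and
checked with the leads-to rule.  Scales, risk matrix and marked values are assumed."""
from dataclasses import dataclass, field
from typing import Optional

# Assumed likelihood scale: value -> [lower, upper) occurrences per year.
LIKELIHOOD = {"rare": (0.0, 0.1), "unlikely": (0.1, 1.0), "possible": (1.0, 10.0),
              "likely": (10.0, 100.0), "certain": (100.0, float("inf"))}
CONSEQUENCE = ("low", "medium", "high")  # assumed consequence scale
RISK_MATRIX = {  # assumed risk matrix: likelihood -> risk level per consequence value
    "rare": ("low", "low", "medium"), "unlikely": ("low", "medium", "high"),
    "possible": ("low", "medium", "high"), "likely": ("medium", "high", "high"),
    "certain": ("medium", "high", "high")}

@dataclass
class Node:
    name: str
    kind: str  # non-human threat, human threat, vulnerability, threat scenario, unwanted incident, asset
    likelihood: Optional[str] = None  # only threat scenarios and unwanted incidents carry one

@dataclass
class Diagram:
    nodes: dict = field(default_factory=dict)
    initiates: list = field(default_factory=list)  # (threat, vulnerability or None, scenario)
    leads_to: list = field(default_factory=list)   # (source, target, conditional likelihood or None)
    impacts: list = field(default_factory=list)    # (unwanted incident, asset, consequence)

def slide_diagram() -> Diagram:
    """The diagram from the slides.  Assumed: the Hacker initiates relation, the
    placement of the 0.1 conditional likelihood, the two hacker-incident consequences."""
    d = Diagram()
    for name, kind, lik in [
            ("Computer virus", "non-human threat", None), ("Hacker", "human threat", None),
            ("Virus protection not up to date", "vulnerability", None),
            ("Server is infected by computer virus", "threat scenario", "possible"),
            ("Virus creates back door to server", "threat scenario", "possible"),
            ("Server goes down", "unwanted incident", "unlikely"),
            ("Hacker gets access to server", "unwanted incident", "unlikely"),
            ("Availability of server", "asset", None), ("Integrity of server", "asset", None),
            ("Confidentiality of information", "asset", None)]:
        d.nodes[name] = Node(name, kind, lik)
    d.initiates = [("Computer virus", "Virus protection not up to date",
                    "Server is infected by computer virus"),
                   ("Hacker", None, "Hacker gets access to server")]
    d.leads_to = [("Server is infected by computer virus", "Server goes down", 0.2),
                  ("Server is infected by computer virus", "Virus creates back door to server", None),
                  ("Virus creates back door to server", "Hacker gets access to server", 0.1)]
    d.impacts = [("Server goes down", "Availability of server", "high"),
                 ("Hacker gets access to server", "Integrity of server", "high"),
                 ("Hacker gets access to server", "Confidentiality of information", "medium")]
    return d

def describe(d: Diagram) -> list:
    """Render every element and relation as one English sentence."""
    out = []
    for n in d.nodes.values():
        if n.likelihood is None:
            out.append(f"{n.name} is {'an' if n.kind[0] in 'aeiou' else 'a'} {n.kind}.")
        else:
            out.append(f"{n.kind.capitalize()} {n.name} occurs with likelihood {n.likelihood}.")
    for threat, vuln, scen in d.initiates:
        via = f" exploits vulnerability {vuln} to initiate" if vuln else " initiates"
        out.append(f"{threat}{via} {scen} with undefined likelihood.")
    for src, tgt, p in d.leads_to:
        cl = f"conditional likelihood {p}" if p is not None else "undefined conditional likelihood"
        out.append(f"{src} leads to {tgt} with {cl}.")
    for inc, asset, cons in d.impacts:
        out.append(f"{inc} impacts {asset} with consequence {cons}.")
    return out

def derived_intervals(d: Diagram) -> dict:
    """Leads-to rule: a source with frequency [a, b) and conditional likelihood p
    contributes [a*p, b*p) to its target.  Contributions are summed, which is exact
    only for mutually exclusive sources (assumed).  A relation without a conditional
    likelihood contributes nothing, so the target keeps its declared value."""
    result = {}
    for src, tgt, p in d.leads_to:
        if p is None or d.nodes[src].likelihood is None:
            continue
        lo, hi = LIKELIHOOD[d.nodes[src].likelihood]
        a, b = result.get(tgt, (0.0, 0.0))
        result[tgt] = (a + lo * p, b + hi * p)
    return result

def check_consistency(d: Diagram) -> dict:
    """True where the declared likelihood interval overlaps the derived one."""
    report = {}
    for name, (lo, hi) in derived_intervals(d).items():
        dlo, dhi = LIKELIHOOD[d.nodes[name].likelihood]
        report[name] = lo < dhi and dlo < hi
    return report

def risks(d: Diagram) -> dict:
    """Risk level of each (unwanted incident, asset) pair via the risk matrix."""
    return {(inc, asset): RISK_MATRIX[d.nodes[inc].likelihood][CONSEQUENCE.index(cons)]
            for inc, asset, cons in d.impacts}

if __name__ == "__main__":
    diagram = slide_diagram()
    print("\n".join(describe(diagram)))
    print(check_consistency(diagram), risks(diagram))
```

With the assumed scale, "possible" scaled by 0.2 gives an interval of 0.2 to 2 incidents per year, which overlaps "unlikely", so the declared value for Server goes down is accepted; had the analysts written "likely" the check would flag it. The check only reports disjoint intervals as inconsistent, and summing contributions from several leads-to relations is exact only when the contributing scenarios are mutually exclusive, which is why the code states that assumption rather than hiding it.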
Tool Support
The CORAS tool is a diagram editor:
- Supports all kinds of CORAS diagrams
- Suited for on-the-fly modeling during workshops
- Ensures syntactic correctness
- May be used during all the steps of a risk analysis: documents input to the various tasks, selection and structuring of information during tasks, documentation of analysis results
Screenshot
[Figure: screenshot of the CORAS tool, showing the pull-down menu, palette, tool bar, outline, canvas and properties window.]
Where to Find the Tool
http://coras.sourceforge.net/ (open source)
Criticism from System Developers
- The CORAS language is too simplistic
- It is too cumbersome to use graphical icons
Criticism from Risk Analysts
- What's new with the CORAS language?
- We have been using something similar for years, namely VISIO!
Exercise I
Discuss the statements made by the critics. Argue why the critics are wrong.
Mandatory Reading
- Mass Soldal Lund, Bjørnar Solhaug, Ketil Stølen: Chapter 3, "A Guided Tour of the CORAS Method", in "Model-Driven Risk Analysis: The CORAS Approach", Springer, 2011. The chapter can be downloaded freely.
- Mass Soldal Lund, Bjørnar Solhaug, Ketil Stølen: "Risk Analysis of Changing and Evolving Systems Using CORAS", LNCS 6858, Springer, 2011, pages 231-274.
- Le Minh Sang Tran, Bjørnar Solhaug, Ketil Stølen: "An approach to select cost-effective risk countermeasures exemplified in CORAS", SINTEF A24343, SINTEF ICT, July 2013.