Security Risk Management - York University

Page 1

CSE 4482 Computer Security Management: Assessment and Forensics

Instructor: N. Vlajic, Fall 2013

Security Risk Management

Page 2

Required reading: Management of Information Security (MIS), by Whitman & Mattord, Chapters 8 and 9

Page 3

Learning Objectives

Upon completion of this material, you should be able to:

• Define risk management and its role in an organization.

• Use risk management techniques to identify and prioritize risk factors for information assets.

• Assess risk based on the likelihood of adverse events and the effect on information assets when events occur.

• Document the results of risk identification.

Page 4

A company suffered a catastrophic loss one night when its office burned to the ground.

As the employees gathered around the charred remains the next morning, the president asked the secretary if she had been performing the daily computer backups. To his relief she replied that yes, each day before she went home she backed up all of the financial information, invoices, orders ...

The president then asked the secretary to retrieve the backup so they could begin to determine their current financial status.

“Well”, the secretary said, “I guess I cannot do that. You see, I put those backups in the desk drawer next to the computer in the office.”

M. Ciampa, “Security+ Guide to Network Sec. Fundamentals”, 3rd Edition, pp. 303

A true story …

Page 5

Introduction

“Investing in stocks carries a risk …”

“Bad hand hygiene carries a risk …”

“Car speeding carries a risk …”

“Outdated anti-virus software carries a risk …”

Page 6

Introduction (cont.)

• Risk Management – identification, assessment, and prioritization of risks followed by coordinated use of resources to monitor, control or minimize the impact of risk-related events or to maximize the gains.

examples: finances, industrial processes, public health and safety, insurance, etc.

one of the key responsibilities of every manager within an organization

http://en.wikipedia.org/wiki/Risk_management

• Risk – likelihood that a chosen action or activity (including the choice of inaction) will lead to a loss (an undesired outcome)

Page 7

Risk in Information Security

• Risks in Info. Security – risks which arise from an organization’s use of info. technology (IT)

related concepts: asset, vulnerability, threat

http://csrc.nist.gov/publications/nistpubs/800-12/800-12-html/chapter7.html

Page 8

Risk in Information Security (cont.)

• Asset – anything that needs to be protected because it has value and contributes to the successful achievement of the organization’s objectives

• Threat – any circumstance or event with the potential to cause harm to an asset and result in harm to the organization

• Risk – probability of a threat acting upon a vulnerability causing harm to an asset

• Vulnerability – the weakness in an asset that can be exploited by a threat

Page 9

Risk in Information Security (cont.)

• Asset, Threat, Vulnerability & Risk in Info. Sec. http://en.wikipedia.org/wiki/File:2010-T10-ArchitectureDiagram.png

Page 10

Risk in Information Security (cont.)

• Interplay between Risk & other Info. Sec. Concepts

http://blog.patriot-tech.com/

Page 11

Security Risk Management

• Security Risk Management – process of identifying vulnerabilities in an organization’s info. system and taking steps to protect the CIA of all of its components.

two major sub-processes: Risk Identification & Assessment; Risk Control (Mitigation)

Risk Management Cycle:

Identify the Risk Areas → Assess the Risks → Develop Risk Management Plan → Implement Risk Management Actions → Re-evaluate the Risks → (back to) Identify the Risk Areas

Page 12

Security Risk Management

Risk Management

Risk Identification:
∗ Identify & Prioritize Assets
∗ Identify & Prioritize Threats
∗ Identify Vulnerabilities between Assets and Threats (Vulnerability Analysis)
∗ Risk Assessment: Calculate Relative Risk of Each Vulnerability

Risk Control:
∗ Cost-Benefit Analysis
∗ Control
∗ Mitigate
∗ Transfer
∗ Avoid
∗ Accept

Page 13

Risk Identification

Page 14

Risk Identification

• Components of Risk Identification

Whitman, Principles of Information Security, pp. 122

Page 15

Risk Identification (cont.)

Risk Identification: Asset Inventory

Page 16

Risk Identification: Asset Inventory

• Risk identification begins with identification of information assets, including:

No prejudging of asset values should be done at this stage – values are assigned later!

Page 17

Risk Identification: Asset Inventory (cont.)

• Identifying Hardware, Software and Networking Assets

Can be done automatically (using specialized software) or manually.

Needs certain planning – e.g. which attributes of each asset should be tracked, such as:

name – tip: naming should not convey critical info to potential attackers

asset tag – unique number assigned during acquisition process

IP address

MAC address

software version

serial number

manufacturer name

manufacturer model or part number

Page 18

Risk Identification: Asset Inventory (cont.)

Example: Network Asset Tracker

http://www.misutilities.com/

http://www.misutilities.com/network-asset-tracker/howtouse.html

Page 19

Risk Identification: Asset Inventory (cont.)

• Identifying People, Procedures and Data Assets

Not as readily identifiable as other assets – require that experience and judgment be used.

Possible attributes:

people – avoid personal names, as they may change; use:
∗ position name
∗ position number/ID
∗ computer/network access privileges

procedures
∗ description
∗ intended purpose
∗ software/hardware/networking elements to which it is tied
∗ location of reference document, …

data
∗ owner
∗ creator
∗ manager
∗ location, …

Page 20

Risk Identification: Asset Ranking / Prioritization

Page 21

Risk Identification: Asset Ranking

• Assets should be ranked so that the most valuable assets get the highest priority when managing risks

Questions to consider when determining asset value / rank:

1) Which info. asset is most critical to the overall success of the organization?

Example: Amazon’s asset ranking

Amazon’s network consists of regular desktops and web servers.

Web servers that advertise the company’s products and receive orders 24/7 – critical.

Desktops used by the customer service department – not so critical.

Page 22

Risk Identification: Asset Ranking (cont.)

2) Which info. asset generates the most revenue?

3) Which info. asset generates the highest profitability?

Example: Amazon’s asset ranking

At Amazon.com, some servers support book sales (resulting in the highest revenue), while others support sales of beauty products (resulting in the highest profit).

4) Which info. asset is most expensive to replace?

5) Which info. asset’s loss or compromise would be most embarrassing or cause the greatest liability?

Page 23

Risk Identification: Asset Ranking (cont.)

Example: Weighted asset ranking (NIST SP 800-30)

Not all asset ranking questions/categories may be equally important to the company. A weighting scheme could be used to account for this …

Data asset / information transmitted: each criterion is assigned a weight (0 – 100); the weights must total 100!

Each asset is assigned a score (0.1 – 1.0) for each critical factor.
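Added example (not from the slides): the weighted asset ranking computed in Python, with the "weights total 100" and "scores 0.1–1.0" rules enforced before any score is produced. The criteria names, weights and per-asset scores are constructed for this example.

```python
"""Weighted asset ranking in the NIST SP 800-30 style described on the slide.

Each ranking criterion gets a weight 0-100, the weights must total 100, and
each asset gets a score 0.1-1.0 per criterion; the weighted score is the sum
of weight * score (so it lies between 10 and 100). Criteria names, weights and
per-asset scores are constructed for this example, not taken from the slides."""

# Assumed weights; the criteria mirror the slides' asset-ranking questions.
CRITERIA_WEIGHTS = {
    "critical to organizational success": 30,
    "revenue generated": 20,
    "profitability": 20,
    "cost to replace": 10,
    "liability / embarrassment if compromised": 20,
}


def validate_weights(weights):
    """Each weight must lie in 0-100 and the weights must total exactly 100."""
    for criterion, weight in weights.items():
        if not 0 <= weight <= 100:
            raise ValueError(f"weight for {criterion!r} must be 0-100, got {weight}")
    total = sum(weights.values())
    if total != 100:
        raise ValueError(f"weights must total 100, got {total}")


def weighted_score(scores, weights):
    """Weighted score of one asset: sum over criteria of weight * score.

    Every criterion must be scored, and each score must lie in 0.1-1.0."""
    validate_weights(weights)
    missing = set(weights) - set(scores)
    if missing:
        raise ValueError(f"asset lacks scores for: {sorted(missing)}")
    for criterion, score in scores.items():
        if not 0.1 <= score <= 1.0:
            raise ValueError(f"score for {criterion!r} must be 0.1-1.0, got {score}")
    # Round to one decimal so float noise (e.g. 20 * 0.7) does not disturb ties.
    return round(sum(weights[c] * scores[c] for c in weights), 1)


def rank_assets(assets, weights):
    """Return (asset name, weighted score) pairs, most valuable asset first."""
    ranked = [(name, weighted_score(scores, weights)) for name, scores in assets.items()]
    return sorted(ranked, key=lambda pair: pair[1], reverse=True)


# Constructed scores for three assets, loosely following the slides' Amazon example.
ASSETS = {
    "web/order servers": {
        "critical to organizational success": 1.0,
        "revenue generated": 0.9,
        "profitability": 0.8,
        "cost to replace": 0.6,
        "liability / embarrassment if compromised": 0.7,
    },
    "customer database": {
        "critical to organizational success": 0.9,
        "revenue generated": 0.6,
        "profitability": 0.7,
        "cost to replace": 0.8,
        "liability / embarrassment if compromised": 1.0,
    },
    "customer service desktops": {
        "critical to organizational success": 0.3,
        "revenue generated": 0.2,
        "profitability": 0.2,
        "cost to replace": 0.3,
        "liability / embarrassment if compromised": 0.4,
    },
}


if __name__ == "__main__":
    for name, score in rank_assets(ASSETS, CRITERIA_WEIGHTS):
        print(f"{score:6.1f}  {name}")
```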

Page 24

Risk Identification: Threat Identification & Prioritization

Page 25

Risk Identification: Threat Identification

• Any organization faces a wide variety of threats.

• To keep risk management ‘manageable’ …

realistic threats must be identified and further investigated, while unimportant threats should be set aside

Example: CSI/FBI survey of types of threats/attacks

Page 26

Risk Identification: Threat Identification (cont.)

• Threat Modeling/Assessment – practice of building an abstract model of how an attack may proceed and cause damage

Attacker-centric – starts from the attackers, evaluates their motivations and goals, and how they might achieve them (e.g. through an attack tree).

http://www.uio.no/studier/emner/matnat/ifi/INF3510/v12/learningdocs/INF3510-2012-L03.pdf

Page 27

Risk Identification: Threat Identification (cont.)

• Threat Modeling/Assessment

System-centric – starts from a model of the system, and attempts to follow the model’s dynamics and logic, looking for types of attacks against each element of the model.

http://www.uio.no/studier/emner/matnat/ifi/INF3510/v12/learningdocs/INF3510-2012-L03.pdf

Page 28

Risk Identification: Threat Identification (cont.)

• Threat Modeling/Assessment

Asset-centric – starts from the assets entrusted to a system, such as a collection of sensitive personal information, and attempts to identify how CIA security breaches can happen.

http://www.uio.no/studier/emner/matnat/ifi/INF3510/v12/learningdocs/INF3510-2012-L03.pdf

Page 29

Risk Identification: Threat Prioritization

• Questions used to prioritize threats:

Which threats present a danger to the organization’s assets in its current environment? (‘pre-step’)

Goal: reduce risk management’s scope and cost.

Examine each category from the CSI/FBI list, or as identified through the threat assessment process, and eliminate any that do not apply to your organization.

Which threats represent the most danger … ?

Goal: provide a rough assessment of each threat’s potential impact given the current level of the organization’s preparedness.

‘Danger’ might be a measure of: 1) severity, i.e. the overall damage that the threat could create; 2) the probability of the threat attacking this particular organization.

Page 30

Risk Identification: Threat Prioritization (cont.)

• Other questions used to assess/prioritize threats:

How much would it cost to recover from a successful attack?

Which threats would require the greatest expenditure to prevent?

• Threat ranking can be quantitative or qualitative.

• Once threats are prioritized, each asset should be reviewed against each threat to create a specific list of vulnerabilities.

Page 31

Risk Identification: Vulnerability Analysis

Page 32

Vulnerability Analysis

• Vulnerability – flaw or weakness in an info. asset, its design, control or security procedure that can be exploited accidentally or deliberately

the sheer existence of a vulnerability does not mean harm WILL be caused – a threat agent is required

vulnerabilities are characterized by the level of technical skill required to exploit them

a vulnerability that is easy to exploit is often a high-danger vulnerability

[Figure: Threat → Vulnerability → Asset]

Page 33

Vulnerability Analysis (cont.)

Example: Vulnerability assessment of critical files

Asset: desktop (files)

Threat: Deliberate Software Attack – Virus Attack

Vulnerabilities:
∗ people open suspicious e-mail attachments [procedural / control weakness]
∗ antivirus software not up-to-date & file copying off USBs allowed [procedural / control weakness]

Page 34

Vulnerability Analysis (cont.)

Example: Vulnerability assessment of critical files

Asset: server

Threat: DDoS Attack

Vulnerabilities:
∗ NIC can support data-rates of up to 50 Mbps [design weakness]
∗ CPU ‘freezes’ at 10,000 packets/sec [design/implementation flaw]

Page 35

Vulnerability Analysis (cont.)

Example: Vulnerability assessment of a router

Asset: router

Threat: Act of Human Error or Failure

Vulnerabilities:
∗ temperature control in the router/server room is not adequate ⇒ router overheats and shuts down [control weakness, design flaw]
∗ net. administrator allows access to an unauthorized user ⇒ unauthorized user uploads a virus, router crashes [control / procedural weakness]

Page 36

Vulnerability Analysis (cont.)

Example: Vulnerability assessment of a DMZ router

[Figure: network diagram with the DMZ router marked as the Asset]

Page 37

http://technet.microsoft.com/en-us/library/cc723507.aspx#XSLTsection123121120120

Page 38

Vulnerability Analysis (cont.)

• TVA Worksheet – at the end of the risk identification procedure, the organization should derive a threats-vulnerabilities-assets (TVA) worksheet

this worksheet is the starting point for the risk assessment phase

the TVA worksheet combines the prioritized lists of assets and threats

the prioritized list of assets is placed along the x-axis, with the most important assets on the left

the prioritized list of threats is placed along the y-axis, with the most dangerous threats at the top

the resulting grid enables a simplistic vulnerability assessment

Page 39

Vulnerability Analysis (cont.)

If one or more vulnerabilities exist between T1 and A1, they can be categorized as:

T1V1A1 – Vulnerability 1 that exists between Threat 1 and Asset 1

T1V2A1 – Vulnerability 2 that exists between Threat 1 and Asset 1, …

If the intersection between T2 and A2 has no vulnerability, the risk assessment team simply crosses out that box.

Page 40

Risk Assessment

Page 41

Risk Assessment

• Summary of Vulnerability Analysis

Threat (act of human error or failure, deliberate act of trespass, deliberate act of extortion, deliberate act of sabotage, deliberate software attacks, technical software failures, technical hardware failures, forces of nature, etc.)

→ exploits →

Vulnerability (flaw or weakness in the asset’s design, implementation, control or security procedure)

→ causes damage (loss) to →

Asset (people, procedures, data, software, hardware, networking)

Page 42

Risk Assessment (cont.)

• (Security) Risk – quantifies: 1) the possibility that a threat successfully acts upon a vulnerability and 2) how severe the consequences would be

R = P * V

P = probability of risk-event occurrence

V = value lost / cost to the organization

• Risk Assessment – provides relative numerical risk ratings (scores) for each specific vulnerability

in risk management, it is not the presence of a vulnerability that really matters, but the associated risk!

Page 43

Risk Assessment (cont.)

Weighted score indicating the relative importance (associated loss) of the given asset. Should be used if concrete $ amounts are not available.

Page 44

Risk Assessment (cont.)

• Extended Risk Formula v.1.

R = Pa ⋅ Ps ⋅ V

Pa = probability that an attack/threat (against a vulnerability) takes place

Ps = probability that the attack successfully exploits the vulnerability

V = value lost by exploiting the vulnerability

[Figure: Threat → Vulnerability → Asset, with P annotated on the Threat → Vulnerability step]

Page 45

Risk Assessment (cont.)

• Extended Risk Formula v.2.

R = Pa ⋅ (1 – Pe) ⋅ V

Pe = probability that the system’s security measures effectively protect against the attack (reflection of the system’s security effectiveness)

Ps = probability that the attack is successfully executed

Pe = probability that the attack is NOT successfully executed, i.e. the system defences are effective (so Ps = 1 – Pe)

Page 46

Risk Assessment (cont.)

• Extended Whitman’s Risk Formula *

R = P ⋅ V – CC [%] + UK [%]

LE = Loss Expectancy (i.e. Potential Loss)

P = probability that a certain vulnerability (affecting a particular asset) gets successfully exploited

V = value of the information asset ∈ [1, 100]

CC = current control = percentage of risk already mitigated by the current control

UK = uncertainty of knowledge = uncertainty of the current knowledge of the vulnerability (i.e. overall risk)

* One of many risk models. http://citeseerx.ist.psu.edu/viewdoc/summary?doi=10.1.1.211.7952

Page 47

Risk Assessment (cont.)

• Extended Whitman’s Risk Formula (cont.)

CC = current control = fraction of risk already mitigated by the current control

UK = uncertainty of knowledge = fraction of risk that is not fully known

R = P ⋅ V – CC ⋅ (P ⋅ V) + UK ⋅ (P ⋅ V) = P ⋅ V ⋅ [ 1 – CC + UK ]

Mathematically more sound expression!

Page 48

Risk Assessment (cont.)

• Extended Whitman’s Risk Formula (cont.)

R = P * V – CC [%] + UK [%]

If a vulnerability is fully managed by an existing control, it can be set aside. (In this case, R ≤ 0.)

It is not possible to know everything about a vulnerability, the respective threat, or how great an impact a successful attack would have. A factor that accounts for the uncertainty of estimating the given risk should always be added to the equation.

For many vulnerabilities the respective probabilities are known, e.g. the likelihood that any given email will contain a virus or worm and that it gets ‘activated’ by the user.

Page 49

Risk Assessment (cont.)

Example: Risk determination

Asset A: has a value of 50. Has one vulnerability, with a likelihood of 1.0. No current control for this vulnerability. Your assumptions and data are 90% accurate.

Asset B: has a value of 100. Has two vulnerabilities:
∗ vulnerability #2 with a likelihood of 0.5, and a current control that addresses 50% of its risk;
∗ vulnerability #3 with a likelihood of 0.1 and no current controls.
Your assumptions and data are 80% accurate.

Which asset/vulnerability should be dealt with first ?!

[Figure: A (V = 50; P = 1) and B (V = 100; P = 0.5, P = 0.1)]

Page 50

Risk Assessment (cont.)

Example: Risk determination (cont.)

The resulting ranked list of risk ratings for the three vulnerabilities is as follows:

Asset A: Vulnerability 1 rated as 55 = (50 × 1.0) – 50 × 0 + 50 × 0.1

Asset B: Vulnerability 2 rated as 35 = (100 × 0.5) – 50 × 0.5 + 50 × 0.2

Asset B: Vulnerability 3 rated as 12 = (100 × 0.1) – 10 × 0 + 10 × 0.2
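Added example (not from the slides) that serves both the TVA worksheet labelling of page 39 and the risk determination above: the three ratings are reproduced with Whitman's formula in its P ⋅ V ⋅ (1 – CC + UK) form, each vulnerability is named TiVjAk from its TVA cell, and a fully controlled vulnerability (R ≤ 0) is set aside as page 48 prescribes. Assets A and B use the slides' numbers; the threat names, the T/A positions and asset C are assumptions made for this example.

```python
"""Ranked vulnerability risk worksheet built from a TVA grid using Whitman's
extended risk formula R = P*V - CC*(P*V) + UK*(P*V) = P*V*(1 - CC + UK).

Asset values, likelihoods, controls and accuracy figures for assets A and B
are the slides' 'Risk determination' example; the threat names, the T/A
indices and asset C are assumptions constructed for this example."""
from dataclasses import dataclass


@dataclass
class Asset:
    name: str
    value: float      # V: relative value of the information asset, 1-100
    accuracy: float   # how accurate the assumptions/data are; UK = 1 - accuracy


@dataclass
class Vulnerability:
    threat: int                   # Ti on the TVA y-axis (1 = most dangerous threat)
    asset: int                    # Ak on the TVA x-axis (1 = most important asset)
    likelihood: float             # P: probability the vulnerability is successfully exploited
    current_control: float = 0.0  # CC: fraction of the risk already mitigated


def risk_rating(p: float, v: float, cc: float, uk: float) -> float:
    """R = P*V - CC*(P*V) + UK*(P*V), rounded to 2 decimals to absorb float noise."""
    pv = p * v
    return round(pv - cc * pv + uk * pv, 2)


def tva_labels(vulns):
    """Name each vulnerability TiVjAk; j counts vulnerabilities within the same cell."""
    seen = {}
    labels = []
    for vul in vulns:
        cell = (vul.threat, vul.asset)
        seen[cell] = seen.get(cell, 0) + 1
        labels.append(f"T{vul.threat}V{seen[cell]}A{vul.asset}")
    return labels


def tva_grid(n_threats, n_assets, vulns):
    """TVA worksheet: each (Ti, Ak) cell holds its labels, or 'X' when crossed out."""
    grid = {(t, a): [] for t in range(1, n_threats + 1) for a in range(1, n_assets + 1)}
    for vul, label in zip(vulns, tva_labels(vulns)):
        grid[(vul.threat, vul.asset)].append(label)
    return {cell: (labels or "X") for cell, labels in grid.items()}


def ranked_worksheet(assets, vulns):
    """Ranked vulnerability risk worksheet: (asset, label, R), highest risk first.

    A vulnerability whose rating is <= 0 is fully managed by a control and set aside."""
    rows = []
    for vul, label in zip(vulns, tva_labels(vulns)):
        asset = assets[vul.asset - 1]
        r = risk_rating(vul.likelihood, asset.value, vul.current_control, 1 - asset.accuracy)
        if r > 0:
            rows.append((asset.name, label, r))
    return sorted(rows, key=lambda row: row[2], reverse=True)


# Constructed worksheet input (A and B as on the slides; C assumed).
ASSETS = [
    Asset("A", value=50, accuracy=0.9),
    Asset("B", value=100, accuracy=0.8),
    Asset("C", value=30, accuracy=1.0),   # assumed: shows the set-aside rule
]
THREATS = ["deliberate software attack", "act of human error or failure"]  # assumed names
VULNS = [
    Vulnerability(threat=1, asset=1, likelihood=1.0),                       # A, vulnerability #1
    Vulnerability(threat=1, asset=2, likelihood=0.5, current_control=0.5),  # B, vulnerability #2
    Vulnerability(threat=2, asset=2, likelihood=0.1),                       # B, vulnerability #3
    Vulnerability(threat=2, asset=3, likelihood=0.4, current_control=1.0),  # C, fully controlled
]


if __name__ == "__main__":
    for cell, content in sorted(tva_grid(len(THREATS), len(ASSETS), VULNS).items()):
        print(f"T{cell[0]} x A{cell[1]}: {content}")
    for name, label, r in ranked_worksheet(ASSETS, VULNS):
        print(f"asset {name} {label}: R = {r}")
```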

Page 51

Risk Assessment (cont.)

• Documenting Results of Risk Assessment – 5 types of documents ideally created

1) Information asset classification worksheet

2) Weighted asset worksheet

3) Weighted threat worksheet

4) TVA worksheet

5) Ranked vulnerability risk worksheet

extension of the TVA worksheet, showing only the assets and relevant vulnerabilities

assigns a risk-rating ranked value to each uncontrolled asset-vulnerability pair

Page 52

Risk Assessment (cont.)

A: vulnerable assets

AI: weighted asset value

V: each asset’s vulnerability

VL: likelihood of vulnerability realization

AI × VL

Customer service email has a relatively low value but represents the most pressing issue due to its high vulnerability likelihood.

Page 53

Risk Assessment (cont.)

• At the end of risk assessment process, the TVA and/or ranked-vulnerability worksheets should be used to develop a prioritized list of tasks.

Page 54

Risk Assessment (cont.)

• Automated Risk Assessment Tools: SKYBOX

http://www.skyboxsecurity.com/resources/product-demos/product-demo-skybox-risk-control-vulnerability-management

Page 55

Risk Control

Page 56

Risk Control Strategies

Once all vulnerabilities/risks are evaluated, the company has to decide on the ‘course of action’ – often influenced by $$$ …

[Figure: risk vs. cost of control, with the corners “risk low, cost high” and “risk high, cost low”]

Computer Security, Stallings, pp. 487

Page 57

Risk Control Strategies (cont.)

• Basic Strategies to Control Risks

Avoidance – do not proceed with the activity or system that creates this risk

Reduced Likelihood (Control) – by implementing suitable controls, lower the chances of the vulnerability being exploited

Transference – share responsibility for the risk with a third party

Mitigation – reduce the impact should an attack still exploit the vulnerability

Acceptance – understand the consequences and acknowledge the risks without any attempt to control or mitigate

Page 58

Risk Control Strategies (cont.)

• Avoidance – strategy that results in complete abandonment of activities or systems due to overly excessive risk

usually results in loss of convenience or of the ability to perform some function that is useful to the organization

the loss of this capacity is traded off against the reduced risk profile

Recommended for vulnerabilities with a very high risk factor that are very costly to fix.

Page 59

Risk Control Strategies (cont.)

• Reduced Likelihood – risk control strategy that attempts to prevent exploitation of a vulnerability by means of the following techniques:

application of technology – implementation of security controls and safeguards, such as: anti-virus software, firewall, secure HTTP and FTP servers, etc.

policy – e.g. insisting on safe procedures

training and education – changes in technology and policy must be coupled with employee training and education

Recommended for vulnerabilities with a high risk factor that are moderately costly to fix.

Page 60

Risk Control Strategies (cont.)

• Transference – risk control strategy that attempts to shift risk to other assets, other processes or other organizations

if the organization does not have adequate security experience, hire individuals or firms that provide the expertise

‘stick to your knitting’!

e.g., by hiring a Web consulting firm, the risks associated with domain name registration, Web presence, Web service, … are passed on to an organization with more experience

Recommended for vulnerabilities with a high risk factor that are moderately costly to fix if outside expertise is required.

Page 61

Risk Control Strategies (cont.)

• Mitigation – risk control strategy that attempts to reduce the likelihood or impact caused by a vulnerability – includes 3 plans:

(1)

(2)

(3)

Page 62

Risk Control Strategies (cont.)

• Acceptance – strategy that assumes NO action towards protecting an information asset – instead, accept the outcome …

should be used only after doing all of the following (steps to be discussed):

assess the probability of attack and the likelihood of successful exploitation of a vulnerability

approximate the annual occurrence of such an attack

estimate the potential loss that could result from attacks

perform a thorough cost-benefit analysis assuming various protection techniques

determine that the particular asset does not justify the cost of protection!

Page 63

Risk Control Strategies (cont.)

How do we know whether the risk control techniques have worked / are sufficient?!

Example: Risk tolerance vs. residual risk

[Figure: Risk vs. Time – vulnerability risk before controls; vulnerability risk after controls (= residual risk); the company’s risk tolerance line]

Page 64

Risk Control Strategies (cont.)

• Residual Risk – risk that has not been completely removed, reduced or planned for, after (initial) risk-mitigation controls have been employed

the goal of information security is not to bring residual risk to 0, but to bring it in line with the company’s risk tolerance

risk-mitigation controls may (have to) be reinforced until the residual risk falls within tolerance

• Risk Tolerance – risk that the organization is willing to accept after implementing risk-mitigation controls

Page 65

Risk Control Strategies (cont.)

• Risk Handling Decision Process – helps choose one among the four risk control strategies

[Flowchart, partially legible: “Is system …”, “Is vulnerability …”, compared against the risk tolerance]

e.g. attacker not likely to attack, or initial estimated risk below the risk tolerance ⇒ acceptance

Page 66

Risk Control Strategies (cont.)

• Risk Control Cycle – after a control has been selected & implemented, the control should be monitored and (if needed) adjusted on an on-going basis

Page 67

Risk Control Strategies (cont.)

• Four groups that bear responsibility for effective management of security risks, each with unique roles:

Information Security Management – group with leadership role – most knowledgeable about causes of security risks (security threats and attacks)

IT Community / Management – group that helps build secure systems and ensure their safe operation

General Management – must ensure that sufficient resources (money & personnel) are allocated to IT and info. security groups to meet organizational security needs

Users – (when properly trained) group that plays critical part in prevention, detection and defence against security threats/attacks