U of I CS 498 - Risk Analysis
Slide #1: Risk Analysis
CS498SH – Information Assurance, Fall 2006

Slide #2: Overview
• Definition and Purpose of Risk Analysis
  – Elements of Risk Analysis
  – Quantitative vs Qualitative Analysis
• Quantitative Example
• Qualitative Example

Slide #3: Reading Material
• Information Security Risk Analysis, by Thomas R. Peltier
  – Soon to be on reserve at the library
  – Identifies basic elements of risk analysis and reviews several variants of qualitative approaches
• “Information Security Risk Assessment: Practices of Leading Organizations”, by GAO
  – http://www.gao.gov/special.pubs/ai99139.pdf
  – Case studies of risk analysis procedures for four companies
• “Risk Management Guide for Information Technology Systems”, NIST
  – http://csrc.nist.gov/publications/nistpubs/800-30/sp800-30.pdf
  – Outlines steps for risk assessment

Slide #4: What is Risk?
• The probability that a particular threat will exploit a particular vulnerability
• Need to systematically understand the risks to a system and decide how to control them

Slide #5: Risk Management Cycle
(figure, from GAO/AIMD-99-139)

Slide #6: What is Risk Analysis?
• The process of identifying, assessing, and reducing risks to an acceptable level
  – Defines and controls threats and vulnerabilities
  – Implements risk reduction measures
• An analytic discipline with three parts:
  – Risk assessment: determining what the risks are
  – Risk management: evaluating alternatives for mitigating the risk
  – Risk communication: presenting this material in an understandable way to decision makers and/or the public

Slide #7: Benefits of Risk Analysis
• Assurance that the greatest risks have been identified and addressed
• Increased understanding of risks
• Mechanism for reaching consensus
• Support for needed controls
• Means for communicating results

Slide #8: Basic Risk Analysis Structure
• Evaluate
  – Value of computing and information assets
  – Vulnerabilities of the system
  – Threats from inside and outside
  – Risk priorities
• Examine
  – Availability of security countermeasures
  – Effectiveness of countermeasures
  – Costs (installation, operation, etc.) of countermeasures
• Implement and Monitor

Slide #9: Who Should Be Involved?
• Security experts
• Internal domain experts
  – Know best how things really work
• Managers responsible for implementing controls

Slide #10: Identify Assets
• Asset – anything of value
• Physical assets
  – Buildings, computers
• Logical assets
  – Intellectual property, reputation

Slide #11: Example Critical Assets
• People and skills
• Goodwill
• Hardware/Software
• Data
• Documentation
• Supplies
• Physical plant
• Money

Slide #12: Threats
• An expression of intention to inflict evil, injury, or damage
• Attacks against key security services
  – Confidentiality, integrity, availability

Slide #13: Example Threat List
• T01 Access (Unauthorized to System - logical)
• T02 Access (Unauthorized to Area - physical)
• T03 Airborne Particles (Dust)
• T04 Air Conditioning Failure
• T05 Application Program Change (Unauthorized)
• T06 Bomb Threat
• T07 Chemical Spill
• T08 Civil Disturbance
• T09 Communications Failure
• T10 Data Alteration (Error)
• T11 Data Alteration (Deliberate)
• T12 Data Destruction (Error)
• T13 Data Destruction (Deliberate)
• T14 Data Disclosure (Unauthorized)
• T15 Disgruntled Employee
• T16 Earthquakes
• T17 Errors (All Types)
• T18 Electro-Magnetic Interference
• T19 Emanations Detection
• T20 Explosion (Internal)
• T21 Fire, Catastrophic
• T22 Fire, Major
• T23 Fire, Minor
• T24 Floods/Water Damage
• T25 Fraud/Embezzlement
• T26 Hardware Failure/Malfunction
• T27 Hurricanes
• T28 Injury/Illness (Personal)
• T29 Lightning Storm
• T30 Liquid Leaking (Any)
• T31 Loss of Data/Software
• T32 Marking of Data/Media Improperly
• T33 Misuse of Computer/Resource
• T34 Nuclear Mishap
• T35 Operating System Penetration/Alteration
• T36 Operator Error
• T37 Power Fluctuation (Brown/Transients)
• T38 Power Loss
• T39 Programming Error/Bug
• T40 Sabotage
• T41 Static Electricity
• T42 Storms (Snow/Ice/Wind)
• T43 System Software Alteration
• T44 Terrorist Actions
• T45 Theft (Data/Hardware/Software)
• T46 Tornado
• T47 Tsunami (Pacific area only)
• T48 Vandalism
• T49 Virus/Worm (Computer)
• T50 Volcanic Eruption

Slide #14: Characterize Threat-Sources
Threat-source | Motivation                       | Threat Actions
Hacker        | Challenge, ego, rebellion        | Hacking; Social engineering; System intrusion; Unauthorized access
Terrorist     | Blackmail, Destruction, Revenge  | Information warfare; System attack; System tampering
Insider       | Ego, Revenge, Monetary gain      | Blackmail; Malicious code; Input of falsified data; System bugs

Slide #15: Vulnerabilities
• Flaw or weakness in a system that can be exploited to violate system integrity
  – Security procedures
  – Design
  – Implementation
• Threats trigger vulnerabilities
  – Accidental
  – Malicious

Slide #16: Example Vulnerabilities
• Physical
  – V01 Susceptible to unauthorized building access
  – V02 Computer room susceptible to unauthorized access
  – V03 Media library susceptible to unauthorized access
  – V04 Inadequate visitor control procedures
  – (and 36 more)
• Administrative
  – V41 Lack of management support for security
  – V42 No separation of duties policy
  – V43 Inadequate/no computer security plan policy
  – V47 Inadequate/no emergency action plan
  – (and 7 more)
• Personnel
  – V56 Inadequate personnel screening
  – V57 Personnel not adequately trained in job
  – ...
• Software
  – V62 Inadequate/missing audit trail capability
  – V63 Audit trail log not reviewed weekly
  – V64 Inadequate control over application/program changes
• Communications
  – V87 Inadequate communications system
  – V88 Lack of encryption
  – V89 Potential for disruptions
  – ...
• Hardware
  – V92 Lack of hardware inventory
  – V93 Inadequate monitoring of maintenance personnel
  – V94 No preventive maintenance program
  – …
  – V100 Susceptible to electronic emanations

Slide #17: Controls
• Mechanisms or procedures for mitigating vulnerabilities
  – Prevent
  – Detect
  – Recover
• Understand the cost and coverage of each control
• Controls follow vulnerability and threat analysis

Slide #18: Example Controls
• C01 Access control devices - physical
• C02 Access control lists - physical
• C03 Access control - software
• C04 Assign ADP security and assistant in writing
• C05 Install/review audit trails
• C06 Conduct risk analysis
• C07 Develop backup plan
• C08 Develop emergency action plan
• C09 Develop disaster recovery plan
• ...
• C21 Install walls from true floor to true ceiling
• C22 Develop visitor sign-in/escort procedures
• C23 Investigate backgrounds of new employees
• C24 Restrict numbers of
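The Evaluate/Examine structure of slide 8 and the cost-and-coverage point of slide 17, worked through in Python as an added example that is not from the lecture slides: it ranks a few constructed exposures by risk, scores each candidate control by risk removed minus cost, and flags exposures that no listed control covers. The T/V/C identifiers are the slides' own; the dollar values, likelihoods, costs, effectiveness figures, and the choice to weight likelihood by asset value are assumptions of this example.

```python
from dataclasses import dataclass
# Constructed example built on the slides' own threat (T), vulnerability (V) and control
# (C) identifiers; asset values, likelihoods, costs and effectiveness figures are made up.
@dataclass
class Exposure:
    asset: str
    asset_value: float   # Evaluate: value of the asset (constructed, in dollars)
    threat: str          # Evaluate: threat id from slide 13
    vulnerability: str   # Evaluate: vulnerability id from slide 16
    likelihood: float    # probability per year the threat exploits the vulnerability
    def risk(self) -> float:
        # Slide 4 defines risk as a probability; weighting it by asset value is an assumption here.
        return self.likelihood * self.asset_value
@dataclass
class Control:
    cid: str             # control id from slide 18
    cost: float          # Examine: installation + operation cost (constructed)
    covers: frozenset    # Examine: coverage, the vulnerability ids it mitigates
    effectiveness: float # Examine: fraction of likelihood removed, 0..1

def prioritize(exposures):
    """Evaluate: rank exposures, highest risk first."""
    return sorted(exposures, key=lambda e: e.risk(), reverse=True)

def residual_risk(exposures, control):
    """Total risk left after applying a single control."""
    return sum(e.risk() * ((1 - control.effectiveness) if e.vulnerability in control.covers else 1)
               for e in exposures)

def best_control(exposures, controls):
    """Examine: the control with the largest net benefit (risk removed minus cost)."""
    base = sum(e.risk() for e in exposures)
    return max(controls, key=lambda c: base - residual_risk(exposures, c) - c.cost)

def uncovered(exposures, controls):
    """Exposures no candidate control addresses: a gap to report, not to drop silently."""
    covered = frozenset().union(*(c.covers for c in controls))
    return [e for e in exposures if e.vulnerability not in covered]

EXPOSURES = [
    Exposure("Customer database", 500_000, "T14", "V88", 0.10),
    Exposure("Computer room hardware", 200_000, "T45", "V02", 0.05),
    Exposure("Payroll application", 300_000, "T05", "V64", 0.02),
    Exposure("Audit evidence", 50_000, "T33", "V62", 0.20),
]
CONTROLS = [
    Control("C01", 15_000, frozenset({"V02"}), 0.8),        # physical access control devices
    Control("C03", 5_000, frozenset({"V64"}), 0.6),         # software access control
    Control("C05", 5_000, frozenset({"V62", "V64"}), 0.5),  # install/review audit trails
]
```

With these constructed figures the highest-ranked exposure (T14 against V88, lack of encryption) is covered by none of the candidate controls, which is exactly the kind of result the risk communication step must surface to decision makers.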