EIU MIS 4850 - MIS4850Class2-2

Slide 1: Security Threats Severity Analysis
January 22, 2014
© Abdou Illia – Spring 2014

Slide 2: What is Severity Analysis?
- Assessing the likelihood that security threats occur
- Assessing threats' potential damage

Slide 3: Key Questions to be asked
- What resources do I need to protect?
- What is the risk associated with potential threats?
- How do I protect the valuable resources?
- At what cost?

Slide 4: What resources do I need to protect?
- Do an inventory
- Do a risk assessment
  - Quantitative risk assessment
    - NIST Guide: http://www.nist.gov/itl/csd/risk-092011.cfm
    - Assessment Template: http://www.eiu.edu/~a_illia/MIS4850/RiskAssmt_Template_07112007.doc
  - Qualitative risk assessment
Sample inventory:
- External server using an internal SQL database to provide sales over the internet
- Internal email server
- Remote Access server for dial-up
- Backup/File server
- Internal eCommerce Web server
- Domain controller
- Sales, customers, inventory, HR data
- Company's network including routers, firewalls, etc.
- …

Slide 5: Assessing potential damage
Determine the extent to which a threat could:
- Modify critical corporate data
- Delete critical corporate data
- Allow unauthorized access to confidential info.
- Allow misdirection of confidential info.
- Allow message alteration
- Slow down network services
- Jeopardize network service availability
- Lead to loss of customers' faith and trust
- Lead to loss of employees' or customers' privacy

Slide 6: Example: Risk assessment
Threat                    Vulnerability   Damage
Loss of power             High            Loss of data access; possible data loss
Computer virus            High            Loss of access to system; possible data loss
Natural disaster          Low             Loss of access to system; loss of data, hardware
Denial of service attack  High            Loss of access to system
Eavesdropping             Medium          Access to customers' info
…

Slide 7: How do I protect the valuable resources?
- Policies
  - Acceptable use policy
  - Firewall policies
  - Confidential info policy
  - Password policy
  - Remote Access policy
  - Security Awareness policy
  - …
- Methods of protection
  - Antivirus
  - 128-bit key encryption
  - Two-factor authentication
  - …

Slide 8: Threat Severity Analysis
Threat  (1) Cost if   (2) Prob. of  (3) Threat  (4) Counter-   (5) Value of  (6) Apply         (7)
        attack        occurrence    severity    measure cost   protection    countermeasure?   Priority
        succeeds
A       $500,000      80%           $400,000    $100,000       $300,000      Yes               1
B       $10,000       20%           $2,000      $3,000         ($1,000)      No                NA
C       $100,000      5%            $5,000      $2,000         $3,000        Yes               2
D       $10,000       70%           $7,000      $20,000        ($13,000)     No                NA
Steps: (3) Threat severity = (1) × (2); (5) Value of protection = (3) − (4). Parentheses mark a negative value: the countermeasure costs more than the risk it removes, so it is not applied. (7) ranks the applied countermeasures by value of protection, largest first.

Slide 9: Exercise
Visit the www.sophos.com web site in order to gather information about a worm called W32/SillyFDC-FA and answer the following two questions.
1) Using bullets, list specific malicious actions that W32/SillyFDC-FA could take to potentially damage or disturb a computer system.
2) Use the questionnaire provided by the instructor to assess the potential risk posed by W32/SillyFDC-FA.
A complete In-class Exercise will be given in class with more details.

Slide 10: Realities
- Can never eliminate risk
- "Information assurance" is impossible
- Risk Analysis
  - Goal is reasonable risk
  - Risk analysis weighs the probable cost of compromises against the costs of countermeasures
  - Also, security has negative side effects that must be weighed
Copyright Pearson Prentice Hall 2013

Slide 11: Single Loss Expectancy (SLE) and Annualized Loss Expectancy (ALE)
- Asset Value (AV) × Exposure Factor (EF) = Single Loss Expectancy (SLE)
  - EF: percentage loss in asset value if a compromise occurs
  - SLE: expected loss in case of a compromise
- SLE × Annualized Rate of Occurrence (ARO) = Annualized Loss Expectancy (ALE)
  - ARO: annual probability of a compromise
  - ALE: expected loss per year from this type of compromise

Slide 12: 2.4: Classic Risk Analysis Calculation (Figure 2-14)
                                          Base Case   Countermeasure A
Asset Value (AV)                          $100,000    $100,000
Exposure Factor (EF)                      80%         20%
Single Loss Expectancy (SLE) = AV × EF    $80,000     $20,000
Annualized Rate of Occurrence (ARO)       50%         50%
Annualized Loss Expectancy (ALE) = SLE × ARO  $40,000  $10,000
ALE Reduction for Countermeasure          NA          $30,000
Annualized Countermeasure Cost            NA          $17,000
Annualized Net Countermeasure Value       NA          $13,000
Countermeasure A should reduce the exposure factor by 75%.

Slide 13: 2.4: Classic Risk Analysis Calculation (Figure 2-14) (continued)
                                          Base Case   Countermeasure B
Asset Value (AV)                          $100,000    $100,000
Exposure Factor (EF)                      80%         80%
Single Loss Expectancy (SLE) = AV × EF    $80,000     $80,000
Annualized Rate of Occurrence (ARO)       50%         25%
Annualized Loss Expectancy (ALE) = SLE × ARO  $40,000  $20,000
ALE Reduction for Countermeasure          NA          $20,000
Annualized Countermeasure Cost            NA          $4,000
Annualized Net Countermeasure Value       NA          $16,000
Countermeasure B should cut the frequency of compromises in half.

Slide 14: 2.4: Classic Risk Analysis Calculation (Figure 2-14) (continued)
                                          Base Case   Countermeasure A   Countermeasure B
Asset Value (AV)                          $100,000    $100,000           $100,000
Exposure Factor (EF)                      80%         20%                80%
Single Loss Expectancy (SLE) = AV × EF    $80,000     $20,000            $80,000
Annualized Rate of Occurrence (ARO)       50%         50%                25%
Annualized Loss Expectancy (ALE) = SLE × ARO  $40,000  $10,000           $20,000
ALE Reduction for Countermeasure          NA          $30,000            $20,000
Annualized Countermeasure Cost            NA          $17,000            $4,000
Annualized Net Countermeasure Value       NA          $13,000            $16,000
Although Countermeasure A reduces the ALE more, Countermeasure B is much less expensive. The annualized net countermeasure value for B is larger. The company should select Countermeasure B.

Slide 15: 2.4: Problems with Classic Risk Analysis Calculations
- Uneven Multiyear Cash Flows
  - For both attack costs and defense costs
  - Must compute the return on investment (ROI) using discounted cash flows
  - Net present value (NPV) or internal rate of return (IRR)

Slide 16: 2.4: Problems with Classic Risk Analysis Calculations (continued)
- Total Cost of Incident (TCI)
  - The exposure factor in classic risk analysis assumes that a percentage of the asset is lost
  - In most cases, damage does not come from asset loss
  - For instance, if personally identifiable information is stolen, the cost is enormous but the asset remains
  - Must compute the total cost of incident (TCI)
  - Include the cost of repairs, lawsuits, and many other factors

Slide 17: 2.4: Problems with Classic Risk Analysis Calculations (continued)
- Many-to-Many Relationships between Countermeasures and Resources
  - Classic risk analysis assumes that one countermeasure protects one resource
  - Single countermeasures, such as a firewall, often protect many resources
  - Single resources, such as data on a server, are often protected by multiple countermeasures
  - Extending classic risk analysis is difficult