Computer Ethics
A branch of philosophy that deals with computing-related moral dilemmas and defines ethical principles for computer professionals
• Plagiarism
• Software Piracy
• Proper Email and Internet use
• Unauthorized Computer Access
• Computer Crimes
Computer Crime
Definition: the act of using a computer to commit an illegal act
• Authorized and unauthorized computer access
• Examples
  Stealing time on company computers
  Breaking into government Web sites
  Stealing credit card information
Computer Crime
Federal and State Laws
• Stealing or compromising data
• Gaining unauthorized computer access
• Violating data belonging to banks
• Intercepting communications
• Threatening to damage computer systems
• Disseminating viruses
Computer Crime
Hacking and Cracking
• Hacker – one who gains unauthorized computer access, but without doing damage
• Cracker – one who breaks into computer systems for the purpose of doing damage
Computer Crime
Types of computer crime
• Data diddling: modifying data
• Salami slicing: skimming small amounts of money
• Phreaking: making free long distance calls
• Cloning: cellular phone fraud using scanners
• Carding: stealing credit card numbers online
• Piggybacking: stealing credit card numbers by spying
• Social engineering: tricking employees to gain access
• Dumpster diving: finding private info in garbage cans
• Spoofing: stealing passwords through a false login page
Computer Crime
Software piracy
• North America – 25%
• Western Europe – 34%
• Asia / Pacific – 51%
• Mid East / Africa – 55%
• Latin America – 58%
• Eastern Europe – 63%
Laws related to Information Security
Privacy Act of 1974
• Makes a blanket statement that no records at an agency can be disclosed without that individual’s written consent.
Electronic Communications Privacy Act of 1988
• Prohibits unauthorized monitoring of electronic communications by individuals, businesses and the government.
Laws related to Information Security (II)
Computer Matching and Privacy Protection Act of 1988
• Amends the Privacy Act of 1974 by adding new regulations that deal with computer matching.
• Computer matching is the process of linking records together by a common element like a social security number.
Laws related to Information Security (III)
Computer Fraud and Abuse Act 1986
• Passed in 1986 to combat hacking. It primarily applies to four activities:
  Knowingly access without authorization (or in excess of authorization) any computer system and in doing so obtaining restricted or classified government information.
  Knowingly access without authorization to obtain financial information.
  Intentionally and without authorization access any computer of a department or agency of the US.
  Knowingly, and with intent to defraud, traffic in any password or similar information without authorization.
How the Laws affect you
Knowing the previous laws affects you quite profoundly.
If you were to break into a government computer and release a virus, you are responsible for all of the damage and downtime in addition to the actual breaking in of the computer. This could mean large penalties and jail time even for a simple offense.
Computer Crimes – The people who commit them
Amateurs (Script Kiddies)
• Temptation is there if access is available.
• You wouldn't ask a stranger to hold your wallet while you went around the corner to move your car.
• Disgruntled employees
• Oh Yeah! I'll show you!
Crackers and Hackers
• Often the challenge or curiosity
• West German group (Cliff Stoll)
• Desert Shield / Desert Storm
Computer Crimes – The people who commit them (II)
Corporate Raiders
• Trade Secrets
• Inside Information
• Financial predictions
Terrorists
• No major incidents have occurred yet!
• This is a potential nightmare waiting to happen.
• Potential economic disaster.
Categories of Computer misuse
Human Error
• Hard to control
Abuse of Authority
• White collar crime
Direct Probing
• Rattling doorknobs
Probing With Malicious Software
• Trojan horses
Direct Penetration
• Exploiting system bugs
Subversion of Mechanism
• Trap doors
Outline for Today’s Class
• Basic Definitions
• What is Security Risk Management
• Generic Security Risk Management Methodology
• Security Risk Analysis
What is Security?
Security is a process, not a product. Security products will not save you – Bruce Schneier
Process is composed of technology, people, and tools. This is important because processes involve time and interaction between entities, and many of the hard problems in security stem from this inherent interaction.
What is RISK MANAGEMENT?
• The process concerned with identification, measurement, control and minimization of security risks in information systems to a level commensurate with the value of the assets protected.
(Definition from National Information Systems Security (INFOSEC) Glossary, NSTISSI No. 4009, Aug. 1997)
RISK
The likelihood that a particular threat, using a specific attack, will exploit a particular vulnerability of a system that results in an undesirable consequence.
(Definition from National Information Systems Security (INFOSEC) Glossary, NSTISSI No. 4009, Aug. 1997)
THREAT
Any circumstance or event with the potential to cause harm to an information system in the form of destruction, disclosure, adverse modification of data, and/or the denial of service.
(Definition from National Information Systems Security (INFOSEC) Glossary, NSTISSI No. 4009, Aug. 1997)
Definition of Likelihood
• LIKELIHOOD of the threat occurring is the estimation of the probability that a threat will succeed in achieving an undesirable event.
Considerations in Assessing the Likelihood of Threat
• Presence of threats
• Tenacity of threats
• Strengths of threats
• Effectiveness of safeguards
Two Schools of Thought on Likelihood Calculation
• Assume
• Don’t Assume
ATTACK
• An attempt to gain unauthorized access to an information system’s services, resources, or information, or the attempt to compromise an information system’s integrity, availability, or confidentiality, as applicable.
(Definition from National Information Systems Security (INFOSEC) Glossary, NSTISSI No. 4009, Aug. 1997)
VULNERABILITY
Weakness in an information system, cryptographic system, or other components (e.g., system security procedures, hardware design, internal controls) that could be exploited by a threat.
(Definition from National Information Systems Security (INFOSEC) Glossary, NSTISSI No. 4009, Aug. 1997)
RISK ASSESSMENT
A process of analyzing THREATS to and VULNERABILITIES of an information system and the POTENTIAL IMPACT the loss of information or capabilities of a system would have. The resulting analysis is used as a basis for identifying appropriate and cost-effective counter-measures.
(Definition from National Information Systems Security (INFOSEC) Glossary, NSTISSI No. 4009, Aug. 1997)
Benefits of Risk Assessment
• Increased awareness
• Assets, vulnerabilities, and controls
• Improved basis for decisions
• Justification of expenditures
Risk Assessment Process
• Identify assets
• Determine vulnerabilities
• Estimate likelihood of exploitation
• Compute expected loss
What is a risk (generic)
• A definable event
• Probability of occurrence
• Consequence (impact) of occurrence
A risk is not a problem …. A problem is a risk whose time has come
What is a security risk
Threat – is any potential danger to information, or systems (e.g. fire)
Vulnerability – is a software, hardware, or procedural weakness that may provide an attacker the open door to enter a system (e.g. lack of water)
Risk – loss potential (probability) that a threat will exploit a vulnerability.
CIA Model
Confidentiality - The protection of information assets from unauthorized access, leakage or copying. (losing trade secrets, unauthorized access, etc.)
Integrity - The protection of information from unauthorized modification. (accuracy of data, sensitivity to fraud, etc.)
Availability - Ensuring that information assets are available to authorized users when they need and expect them.
Controls to protect Assets
(figure: company data and assets at the centre, surrounded by administrative, technical and physical controls)
Administrative Controls: policies, standards, guidelines, screening personnel, security awareness training
Technical Controls: logical access controls, encryption, security devices, identification and authentication
Physical Controls: facility protection, security guards, locks, monitoring, environmental controls, intrusion detection
Relationship among different security components
(figure, read as a cycle:) a Threat Agent gives rise to a Threat; the Threat exploits a Vulnerability; the Vulnerability leads to a Risk; the Risk can damage an Asset and causes an Exposure; the Exposure can be countermeasured by a Safeguard; the Safeguard directly affects the Threat Agent.
Security Risk Management
Risk Management is the process of identifying, assessing, and reducing a risk (or risks) to an acceptable level and implementing the right mechanisms to maintain that level of risk (i.e. acceptable risk).
Risk management reduces risks by defining and controlling threats and vulnerabilities.
Generic Security Risk Management Methodology
(figure: a cycle beginning at Project Start)
Identify: Identify Baseline or New Risks; Classify Risks
Analyze: Evaluate Risks; Prioritize Risks
Plan: Assign Responsibility; Determine Action Plan; Determine Response Strategy
Tracking & Control: Track Risks; Control Risks
Communication: Communicate Risks Inside and Outside The Project Team
Primary Risk Calculation Methodologies
Quantitative & Qualitative
Risk Analysis
Risk Analysis is a method of identifying and assessing the possible damage that could be caused, in order to justify security safeguards.
Two types of risk analysis:
• Quantitative – attempts to assign real numbers to the costs of safeguards and the amount of damage that can take place
• Qualitative – An analysis that judges an organization’s risk to threats, which is based on judgment, intuition, and experience versus assigning real numbers to these possible risks and their potential loss
Steps of Quantitative Risk Analysis
• Assign value to information and assets (tangible and intangible)
• Estimate potential loss per risk
• Perform a threat analysis
• Derive the overall loss potential per risk
• Choose safeguards / countermeasures for each risk
• Determine Risk Response (e.g. mitigation, avoidance, acceptance)
Formula for Risk
dv + zqm/ {2a} bc = wxyz
lm + op * dz = tgm\bvd
2b or n2b
mkt/40 = 9j*X
Quantitative Risk Analysis
Exposure Factor (EF) = Percentage of asset loss caused by identified threat; ranges from 0 to 100%
Single Loss Expectancy (SLE) = Asset Value x Exposure Factor; 1,000,000 @ 10% likelihood = $100,000
Annualized Rate of Occurrence (ARO) = Estimated frequency with which a threat will occur within a year, characterized on an annual basis. A threat occurring once in 10 years has an ARO of 0.1; a threat occurring 50 times in a year has an ARO of 50
Annualized Loss Expectancy (ALE) = Single Loss Expectancy x Annualized Rate of Occurrence
Safeguard cost/benefit analysis = (ALE before implementing safeguard) – (ALE after implementing safeguard) – (annual cost of safeguard) = value of safeguard to the company
Simple Quantitative Example
Risk: Disclosure of company confidential data, computation based on incorrect data
Item ........................................................................ Amount
Cost to reconstruct correct data: $1,000,000 @ 10% likelihood per year ...... $100,000
Effectiveness of access control software: 60% ............................... - $60,000
Cost of access control software ............................................. + $25,000
Expected annual costs due to loss and controls: $100,000 - $60,000 + $25,000 . $65,000
Project Savings: $100,000 - $65,000 ......................................... $35,000
Risk Response: Mitigation – Minimize loss
Quantitative Example
Risk ........................................................................ Amount
Access to authorized data and programs: $100,000 @ 2% likelihood per year ... $2,000
Unauthorized use of computing facilities: $10,000 @ 40% likelihood per year . $4,000
Expected annual loss (2,000 + 4,000) ........................................ $6,000
Effectiveness of network control: 100% ...................................... - $6,000
Safeguard Costs
Hardware ($50,000 amortized over 5 years) ................................... + $10,000
Software ($20,000 amortized over 5 years) ................................... + $4,000
Support personnel (each year) ............................................... + $40,000
Safeguard Annual Cost (10,000 + 4,000 + 40,000) ............................. $54,000
Safeguard Cost Benefit annual cost: $6,000 - $6,000 + $54,000 ............... $54,000
Project Savings: $6,000 - $54,000 ........................................... - $48,000
Risk Response: ACCEPT – Passive
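The SLE / ARO / ALE definitions and the two worked examples above, carried through in code. This is an added example and not code from the original slides; the function and class names are assumptions of the example. The slides' "$X @ p% likelihood per year" is modelled here as the whole asset value being lost per event (EF = 100%) with ARO = p/100, which is the reading that reproduces the slides' figures. The value of a safeguard is (ALE before) – (ALE after) – (annual cost of the safeguard), and a positive value supports mitigation while a negative one supports accepting the risk.

```python
from dataclasses import dataclass


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE = asset value x exposure factor (EF given as a fraction 0.0..1.0)."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be between 0 and 1")
    return asset_value * exposure_factor


def annualized_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE x ARO. ARO is events per year: once in 10 years -> 0.1, 50 times a year -> 50."""
    if aro < 0:
        raise ValueError("ARO cannot be negative")
    return sle * aro


def amortize(capital_cost: float, years: int) -> float:
    """Spread a one-off purchase evenly over its service life to get an annual cost."""
    return capital_cost / years


@dataclass
class Risk:
    name: str
    asset_value: float
    exposure_factor: float  # fraction of the asset lost per occurrence
    aro: float              # annualized rate of occurrence

    @property
    def ale(self) -> float:
        sle = single_loss_expectancy(self.asset_value, self.exposure_factor)
        return annualized_loss_expectancy(sle, self.aro)


@dataclass
class Safeguard:
    name: str
    effectiveness: float  # fraction of the ALE the control removes (0.0..1.0)
    annual_cost: float    # yearly cost of owning and running the control


def safeguard_value(risks: list, safeguard: Safeguard) -> dict:
    """Cost/benefit: (ALE before) - (ALE after) - (annual cost) = value to the company."""
    ale_before = sum(r.ale for r in risks)
    ale_after = ale_before * (1.0 - safeguard.effectiveness)
    value = ale_before - ale_after - safeguard.annual_cost
    return {
        "ale_before": ale_before,
        "ale_after": ale_after,
        # what the company still pays each year: residual loss plus the control
        "annual_cost_with_safeguard": ale_after + safeguard.annual_cost,
        "value": value,
        "response": "mitigate" if value > 0 else "accept",
    }


# Slide example 1: disclosure of confidential data, $1,000,000 @ 10% per year,
# access control software that is 60% effective and costs $25,000 a year.
EXAMPLE_1 = safeguard_value(
    [Risk("disclosure of confidential data", 1_000_000, 1.0, 0.10)],
    Safeguard("access control software", 0.60, 25_000),
)

# Slide example 2: two risks and a network control that is 100% effective but costs
# $54,000 a year (hardware and software amortized over 5 years, plus support staff).
EXAMPLE_2 = safeguard_value(
    [
        Risk("access to authorized data and programs", 100_000, 1.0, 0.02),
        Risk("unauthorized use of computing facilities", 10_000, 1.0, 0.40),
    ],
    Safeguard("network control", 1.0, amortize(50_000, 5) + amortize(20_000, 5) + 40_000),
)

if __name__ == "__main__":
    for label, result in (("example 1", EXAMPLE_1), ("example 2", EXAMPLE_2)):
        print(label, {k: (round(v) if isinstance(v, float) else v) for k, v in result.items()})
```

Running the block prints a value of $35,000 (mitigate) for the first example and –$48,000 (accept) for the second, the same figures the slides arrive at. Changing the effectiveness or cost of a safeguard shows how quickly the recommendation flips, which is the point of doing the arithmetic before buying the control.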
Quantitative Risk Summary
Pros
• Uses probability concepts – the likelihood that a risk will occur or will not occur
• The value of information is expressed in monetary terms with supporting rationale
• Risk assessment results are derived and expressed in management speak
Cons
• Purely quantitative risk analysis is not possible because quantitative measures must be applied to qualitative elements
• Can be less ambiguous, but using numbers can give an appearance of specificity that does not really exist
• Huge amount of data must be gathered and managed
Qualitative Risk Analysis
Does not assign numbers and monetary value to components and losses.
Walks through different scenarios of risk possibilities and ranks the seriousness of the threats for the sensitivity of the assets.
Qualitative Example:
“The system is weak in this area and we know that our adversary has the capability and motivation to get to the data in the system so the likelihood of this event occurring is high.”
Identifying Qualitative Risks
• Expert Interviews
• Wideband Delphi Technique
• Brainstorming
• Nominal Group Technique
• Affinity Diagram
• Analogy Techniques
Example Qualitative Risk Matrix
(figure: events plotted by likelihood, 0% to 100%, against impact; quadrants labelled HIGH RISK, MEDIUM HIGH, MEDIUM LOW and LOW RISK)
Events plotted: Hostage / Kidnap, Strike / Walkout, Hostile Takeover, Major Explosion, Terrorism, Industrial Espionage, Sabotage, Comm. Disease, Flood, Suicide, Telecomm Failure, Maj. Operator Error, Child Care Incident, Transportation Incident, Minor Explosion, Neighbor Issue, Civil Unrest, Employee Violence, Tornado, Breach IT Security, Organized Crime, Blizzard, Bribery / Extortion, Protesters, Injury / Death, Accusation / Libel / Slander, Fog, Bomb Threat, Equipment Malfunc., Power Failure, Ice Storm, Media Investigation, Chemical Spill / Contamination, Major Fire, Class Action Lawsuit, Management Issues, Security Breach, Loss of IT / Virus, Major Electrical Storm
Qualitative Risk Summary
Pros
• Is simple and readily understood and executed.
• Provides a general indication of significant areas of risk that should be addressed
Cons
• Is difficult to enforce in uniformity and consistency, but provides some order of measurement
• Is subjective in both process and metrics.
• Cannot provide cost/benefit analysis
Quantitative versus Qualitative
Quant.  Attribute                                   Qual.
+       Independent & Objective Metrics             -
+       Cost / Benefit analysis                     -
+       Monetary based                              -
-       Amount of work, cost, time                  +
-       Amount of information required              +
+       Easily automated                            -
-       Degree of guesswork                         +
+       Value of information understood             -
-       Threat frequency and impact data required   -
Key Elements for Managing Risks
(figure not reproduced)
* Source: Modeling Security Risks by Vernon H Guthrie and David Walker
Total Risk versus Residual Risk
Residual Risk – after a countermeasure is installed, there is still some risk, which is the residual risk
(threats x vulnerability x asset value) x control gap = residual risk
Total risk – when a company chooses not to implement any type of safeguard. The reasoning for this would be because of the cost/benefit analysis results.
threats x vulnerability x asset value = total risk
Threat and Vulnerability Revisited
Threat: The capability or intention to exploit, or any circumstance or event with the potential to cause harm, such as a hacker.
Vulnerability: A weakness in a system that can be exploited.
COUNTERMEASURE
• A countermeasure is an action, device, procedure, or technique used to eliminate or reduce one or more vulnerabilities.
Examples of Countermeasures
• Procedures: security policies and procedures; training; personnel transfer
• Hardware: doors, window bars, fences; paper shredder; alarms, badges
• Manpower: guard force
CONSEQUENCE
• A consequence is that which logically or naturally follows an action or condition.
• “The worse the consequence of a threat harming the system, the greater the risk”
(figure: Attack, Success, Consequence)
Determination of the Consequence of the Attack
• determine: the threat; the vulnerability; the likelihood of attack; the consequence of an attack
• apply this formula by: postulating attacks; estimating the likelihood of a successful attack; evaluating the consequences of those successful attacks
Risk Calculation Process
• Developed in the NSA Information Systems Security Organization (ISSO)
• Used for INFOSEC Products and Systems
• Can Use During Entire Life Cycle
• Not Widely Used Outside of the ISSO
NSA ISSO Risk Assessment Methodology
• Understanding the system
• Developing attack scenarios
• Understanding the severity of the consequences
• Creating a risk plane
• Generating a report
The NSA ISSO Risk Assessment Process
The Risk Plane (figure)
X-axis: The likelihood of a successful attack
Y-axis: The severity of the consequences of that successful attack.
Risk Index
Risk Index, as defined by the “Yellow Book”, is the disparity between the minimum clearance or authorization of system users and the maximum sensitivity of data processed by a system.
• Minimum User Clearance = Rmin
• Maximum Data Sensitivity = Rmax
• Risk Index = Rmax - Rmin
Rating Scale for Minimum User Clearance (Rmin)
Minimum User Clearance .................................................... Rating (Rmin)
Uncleared (U) ............................................................. 0
Not Cleared but Authorized Access to Sensitive Unclassified Information (N)  1
Confidential (C) .......................................................... 2
Secret (S) ................................................................ 3
Top Secret (TS) / Current Background Investigation (BI) ................... 4
Top Secret (TS) / Current Special Background Investigation (SBI) .......... 5
One Category (1C) ......................................................... 6
Multiple Categories (MC) .................................................. 7
Rating Scale for Maximum Data Sensitivity (Rmax)
Maximum Data Sensitivity Without Categories, Rating (Rmax) / Maximum Data Sensitivity With Categories, Rating (Rmax)
Unclassified (U) 0 / N/A
Not Classified But Sensitive 1 / Unclassified but Sensitive With One or More Categories 2
Confidential (C) 2 / Confidential With One or More Categories 3
Secret (S) 3 / Secret With No More Than One Category Containing Secret Data 4; Secret With Two or More Categories Containing Secret Data 5
Top Secret (TS) 5 / Top Secret With One or More Categories With No More Than One Category Containing Secret or Top Secret Data 6; Top Secret With Two or More Categories Containing Secret or Top Secret Data 7
RISK INDEX   MODE                        MINIMUM CRITERIA FOR OPEN ENVIRONMENTS   MINIMUM CRITERIA FOR CLOSED ENVIRONMENTS
0            Dedicated                   None                                     None
0            System High                 C2                                       C2
1            Compartmented/Multilevel    B1                                       B1
2            Compartmented/Multilevel    B2                                       B2
3            Multilevel                  B3                                       B2
4            Multilevel                  A1                                       B3
5            Multilevel                  *                                        A1
6            Multilevel                  *                                        *
7            Multilevel                  *                                        *
* = Security Requirements Beyond State of the Art
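A worked Risk Index computation following the three Yellow Book tables above, added here as an example; it is not code from the slides or their sources. The function names and the (classification, categories, sensitive_categories) layout for data items are this example's own, and a disparity that comes out negative is floored at 0 (an assumption).

```python
# Added example: Risk Index per the Yellow Book tables on the slides.
# Ratings and criteria are copied from the tables; the function names and
# the (classification, categories, sensitive_categories) layout are mine.

# Minimum user clearance ratings (Rmin).
RMIN = {"U": 0, "N": 1, "C": 2, "S": 3, "TS/BI": 4, "TS/SBI": 5,
        "1C": 6, "MC": 7}

# Minimum criteria by risk index: (open environment, closed environment).
# "*" = requirements beyond the state of the art.  Index 0 in dedicated
# mode has no prescribed minimum; the C2 entry is for system-high mode.
CRITERIA = {0: ("C2", "C2"), 1: ("B1", "B1"), 2: ("B2", "B2"),
            3: ("B3", "B2"), 4: ("A1", "B3"), 5: ("*", "A1"),
            6: ("*", "*"), 7: ("*", "*")}


def rmax(classification, categories=0, sensitive_categories=0):
    """Maximum data sensitivity rating for one data item.

    categories: number of categories (compartments) the data carries.
    sensitive_categories: how many of them hold Secret data (for S)
    or Secret/Top Secret data (for TS), per the "with categories" table.
    """
    if categories == 0:
        return {"U": 0, "N": 1, "C": 2, "S": 3, "TS": 5}[classification]
    if classification == "U":
        raise ValueError("Unclassified data with categories is not rated")
    if classification == "N":
        return 2
    if classification == "C":
        return 3
    if classification == "S":
        return 4 if sensitive_categories <= 1 else 5
    if classification == "TS":
        return 6 if sensitive_categories <= 1 else 7
    raise ValueError(f"unknown classification {classification!r}")


def risk_index(user_clearances, data_items):
    """Rmax - Rmin over every user and every data item the system processes.

    Floored at 0 (assumption): a least-cleared user at or above the most
    sensitive data leaves no disparity.
    """
    r_min = min(RMIN[c] for c in user_clearances)
    r_max = max(rmax(*item) for item in data_items)
    return max(0, r_max - r_min)


def minimum_criteria(index, open_environment=True):
    """Evaluation class required for this risk index and environment."""
    return CRITERIA[index][0 if open_environment else 1]
```

For a constructed system whose users hold Confidential and Secret clearances and which processes Top Secret data in two categories, one of them holding TS material, the index is 4, which calls for A1 in an open environment and B3 in a closed one.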
Computer Security Requirements
Examples of documented risk assessment systems
• Aggregated Countermeasures Effectiveness (ACE) Model
• Risk Assessment Tool
• Information Security Risk Assessment Model (ISRAM)
• Dollar-based OPSEC Risk Analysis (DORA)
• Analysis of Networked Systems Security Risks (ANSSR)
• Profiles
• National Security Agency (NSA) Information Systems Security Organization (ISSO) INFOSEC Risk Assessment Tool
Conclusion
Why should I bother doing security risk management?
• Risk management and assessment prepares you for deciding what to do about a risk
• Allows you to identify assets, vulnerabilities, and controls
• Helps you understand what you do and do not know, improving the basis for decisions
• Assists in justifying expenditures for security
Risk Response
Risk Response Development
• Knowledge / research
  • Acquire
  • Investigate
• Strategies
  • Mitigation
    • Minimize probability
    • Minimize loss
  • Avoidance
  • Acceptance
    • Active
    • Passive
• Reserves
* Source: Software Risk Management by ESI International
CRR Tool
Pairwise comparison matrix (team votes for each risk within the pair):
Risk A vs Risk B: A 3, B 1
Risk A vs Risk C: A 2, C 2
Risk B vs Risk C: B 3, C 1
Risk C vs Risk D: C 2, D 2
Risk B vs Risk D: B 2, D 2
Risk A vs Risk D: A 3, D 1
• Each risk is compared with all other risks
• Team votes on which is more significant
• Scores are tallied for priority list of risks
Risk A = 3+2+3 = 8
Risk B = 1+3+2 = 6
Risk C = 2+1+2 = 5
Risk D = 1+2+2 = 5
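The tally behind the CRR Tool slide, generalized to any number of risks, added here as an example; it is not the tool's own code. The ballots are constructed from the slide's matrix, the pairing of cells into per-pair ballots and the function names are this example's own, and it also checks that every pair was voted on by the same number of people, since otherwise the scores are not comparable.

```python
# Added example: the CRR Tool's pairwise comparison tally.  Votes are
# constructed from the matrix on the slide; the per-pair ballot layout and
# the function names are this example's own.
from itertools import combinations

RISKS = ["A", "B", "C", "D"]

# For each pair of risks, how many team members judged each member of the
# pair the more significant risk (constructed from the slide).
VOTES = {
    ("A", "B"): {"A": 3, "B": 1},
    ("A", "C"): {"A": 2, "C": 2},
    ("B", "C"): {"B": 3, "C": 1},
    ("C", "D"): {"C": 2, "D": 2},
    ("B", "D"): {"B": 2, "D": 2},
    ("A", "D"): {"A": 3, "D": 1},
}


def tally(risks, votes):
    """Sum each risk's votes over every pair it appears in.

    Every unordered pair of risks must have a ballot, and every ballot
    must carry the same number of voters; otherwise raise ValueError.
    """
    scores = {r: 0 for r in risks}
    team_size = None
    for pair in combinations(risks, 2):
        key = pair if pair in votes else pair[::-1]
        if key not in votes:
            raise ValueError(f"missing ballot for {pair}")
        ballot = votes[key]
        voters = sum(ballot.values())
        if team_size is None:
            team_size = voters
        elif voters != team_size:
            raise ValueError(f"{pair}: {voters} votes, expected {team_size}")
        for risk in pair:
            scores[risk] += ballot.get(risk, 0)
    return scores


def priority_list(scores):
    """Risks ordered by descending score; ties keep their input order."""
    return sorted(scores, key=lambda r: -scores[r])
```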
The Business Case For Security
Perfect security is much too expensive, and not worth it
No security causes breaches that are too expensive, and not worth it
Adequate security, at a reasonable cost, is worth it
• Ability to offer new services
• Ability to expand into new markets
• Ability to attract, and retain, customers
Preventive Countermeasures
Computer security is sold as preventive technology:
• Firewalls prevent unauthorized network access
• Encryption prevents eavesdropping
• PKI prevents impersonation
This model doesn’t work in the real world:
• No one ever sells a door lock with the slogan “This lock prevents burglaries”
• Safes are rated by time and materials
Prevention, Detection and Response
Most of the time, prevention is not perfect
• When you install a preventive countermeasure, you are buying two things:
  • A barrier to overcome
  • The time it takes to overcome that barrier
Without detection and response, the preventive countermeasure is only of limited value
Most of the time, detection and response is more effective, and more cost-effective
• Real-time detection acts as a preventive
The Risks Will Always Be With Us
The downside of being in a global, highly connected network: you are attached to the best and worst of society
Security products will not “solve” the problems of Internet security, any more than they “solve” the security problems in the real world
The best we can do is manage the risk
• Close the window of exposure
• Enable e-business
• Thrive on the Internet
Effective Security Comes From Human Intervention
Automatic security is necessarily flawed
• Smart attackers bypass the security
• New attacks fool products
Humans can recognize, and respond to, new attacks and new threats
Expert monitoring is the most cost-effective way to provide security
Human minds are the attackers: human minds need to be the defenders
Humans can share information to aid defense:
• Hackers collaborate; victims isolate
References
Information Security Management Handbook, 4th edition, by Harold F. Tipton and Micki Krause
Software Risk Management by ESI International
Software Engineering Institute (SEI)
Risk Management Guide for Information Technology Systems by NIST (National Institute of Standards and Technology), Special Publication 800-30