risk analysis - albanyberg/risk_analysis/lectures/risk analysis1.pdf
TRANSCRIPT
Sanjay Goel 1
Risk Analysis
University at Albany, SUNY, Spring 2004
Administrivia
• The schedule for the remaining sessions
  – Thursday, March 18th, 1-4 PM
  – Tuesday, March 23rd, 8:30 - 11:30.
• Both meetings will be in BA-349.
Information Security: Protection of Information Assets
• Information security is the
  – concepts,
  – techniques,
  – technical measures, and
  – administrative measures
  used to protect information assets from
  – deliberate or inadvertent unauthorized acquisition,
  – damage,
  – disclosure,
  – manipulation,
  – modification,
  – loss, or
  – use.
Information Security: Protection of Information Assets
• There are three elements of information security
  – Confidentiality
    • Information is only available to authorized individuals.
  – Integrity
    • Information can only be entered, changed or destroyed by authorized individuals.
  – Availability
    • Information is provided to authorized users when it is requested or needed.
Threats & Vulnerabilities: Definitions
• Vulnerability: A characteristic (including a weakness) of an information asset or group of information assets which can be exploited by a threat.
  – A weakness in a system that can potentially be exploited.
• Threat: The potential cause of an unwanted event that may result in harm to the agency and its assets.
  – An actual way of exploiting a vulnerability.
Source: http://www.oit.nsw.gov.au/pdf/4.4.16.IS1.pdf
Threats & Vulnerabilities: Interdependence
• Threats exploit vulnerabilities in order to cause damage
  – a threat is the manifestation of vulnerabilities;
  – vulnerabilities are consequences of weaknesses in controls over assets and data.
(Diagram: arrow labelled "threaten")
Threats & Vulnerabilities: Impact
• Destruction (facilities, data, equipment, communications, personnel);
• Corruption or modification (data, applications);
• Theft, removal or loss (equipment, data, applications);
• Unwanted Disclosure (data);
• Inappropriate use or acceptance (unlicensed software, repudiated or false data);
• Interruption of services.
Threats & Vulnerabilities: Segregated Based on Impact
• Threats to data
  – Breach of confidentiality
  – Loss of data integrity
  – Denial of service
• Threats to the organization
  – Loss of trust
  – Embarrassment
  – Management failure
• Threats to infrastructure
  – Tampering with computer controls can physically damage infrastructure (e.g. power plants, electric grid, chemical leaks)
Sources of Threats: Not all threats are malicious
• External hackers with malicious intent
  – e.g. espionage, intent to cause damage, terrorism
• External hackers seeking thrill
• Insiders with malicious intent
  – e.g. anger at company, competition with co-worker etc.
• Accidental deletion of files and data
  – User errors
• Environmental damage
  – e.g. floods, earthquakes
• Equipment and Hardware failure
  – e.g. Hard Disk crashes
Risk Enablers: Human Errors Behind Most Risk Enablers
• Software Design Flaws
• Software Implementation Errors
• System Mis-configuration
  – In many companies firewalls are mis-configured, resulting in poor protection
• Inadequate Security Policies
• Poor System Management
• Lack of Physical Protections
• Lack of employee training
  – employees still write all passwords on a sheet of paper and stick it in a drawer
Security Risk: A measure of failure to counter a threat
• Risks of an organization are evaluated by three distinguishing characteristics:
  – A loss associated with an event, e.g., disclosure of confidential data, lost time, lost revenues.
  – The likelihood that the event will occur, i.e. probability of occurrence of event.
  – The degree to which the risk outcome can be influenced, i.e. controls that will influence the event.
Security Risk: A measure of failure to counter a threat
• Various forms of threats exist.
• Different stakeholders have different perceptions of risk.
• Several sources of threats exist simultaneously.
Risk Analysis: Analyzing the potential loss due to events
• Risk Analysis is the process of examining a system and its operational context to determine possible exposures and the possible harm they can cause.
  – A study of risk that a business or system is subject to.
  – A process to determine exposure and potential loss.
Risk Analysis: Analyzing the potential loss due to events
• Risk is the probability that a specific threat will successfully exploit a vulnerability causing a loss.
• By quantifying the risk, we can justify the benefit of spending money to implement controls.
• For risk analysis:
  – RISK = LOSS ($) x PROBABILITY
Risk Exposure
• Risk usually measured as dollars per annum.
  – ALE: Annual Loss Expectancy, expressed as $/year.
• Suppose an event is associated with a loss.
  – This loss is the risk impact, measured in dollars.
• There is a probability of occurrence, a number in the range 0 (if not possible) to 1 (if certain).
  – Essentially a probability.
Risk Exposure
• Quantifying the effects of a risk by multiplying the risk impact by the risk probability yields risk exposure.
  – i.e. Risk-exposure = Risk-impact x Risk-probability
  – e.g., if the likelihood of virus attack is 0.3 and the cost to clean up the affected systems and files is $10,000, then the risk exposure is $3,000.
    • $3,000 = $10,000 x 0.3
Risk Analysis: Example
• A Hard Disk Failure on your PC.
  – Hard Disks fail about every three years.
    • So, the Likelihood/Probability is 1/3 per year.
  – The hardware cost is $300 to buy a new disk.
  – But also, add 10 hours of effort to reload the OS, software, and restore from the last backup.
    • And 4 more hours to recreate things since the backup.
  – Assume $10.00 per hour for your effort
  – Total loss = $300 + 10 x (10 + 4) = $440
• Annual loss expectancy = (440 x 1/3) $ pa = $147 pa
Risk Analysis: Example
• A virus attack on the same system
  – You frequently swap files with other people, but have no anti-viral software running.
  – Assume an attack every 6 months
    • That’s a Probability of 2 per annum
  – No need to buy a new disk
  – Rebuild effort (10 + 4) hours
  – Total loss = 10 x (10 + 4) = $140
  – ALE = (140 x 2) $ pa = $280 pa
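Worked example (added here; not part of the lecture): the lecture's RISK = LOSS ($) x PROBABILITY computed for the hard-disk and virus scenarios above, with the per-event loss split the way the slide splits it (replacement hardware plus labour hours at an hourly rate). The class and function names are this example's own.

```python
# Added example (not part of the lecture): the lecture's risk formula,
# RISK = LOSS ($) x PROBABILITY, with the per-event loss split the way the
# hard-disk slide splits it. Class and function names are this example's own.
from dataclasses import dataclass


@dataclass(frozen=True)
class RiskEvent:
    name: str
    events_per_year: float  # likelihood: 1/3 for a disk that fails every 3 years
    hardware_cost: float    # dollars of replacement parts per event
    rebuild_hours: float    # reload OS and software, restore the last backup
    recreate_hours: float   # recreate work done since that backup
    hourly_rate: float = 10.0


def event_loss(ev: RiskEvent) -> float:
    """Risk impact of one occurrence, in dollars."""
    return ev.hardware_cost + ev.hourly_rate * (ev.rebuild_hours + ev.recreate_hours)


def ale(ev: RiskEvent) -> float:
    """Annual loss expectancy ($/year): impact per event x events per year."""
    return event_loss(ev) * ev.events_per_year


def risk_exposure(impact: float, probability: float) -> float:
    """Risk exposure = risk impact x risk probability, probability in [0, 1]."""
    if not 0.0 <= probability <= 1.0:
        raise ValueError("probability must lie between 0 and 1")
    return impact * probability


def rank_by_ale(events):
    """Largest expected annual loss first: where control spending pays off most."""
    return sorted(events, key=ale, reverse=True)


# The two scenarios on the slides, as sample input.
DISK_FAILURE = RiskEvent("hard disk failure", 1 / 3, 300, 10, 4)
VIRUS_ATTACK = RiskEvent("virus attack, no anti-virus", 2, 0, 10, 4)

if __name__ == "__main__":
    for ev in rank_by_ale([DISK_FAILURE, VIRUS_ATTACK]):
        print(f"{ev.name:28s} loss/event ${event_loss(ev):7.2f}  ALE ${ale(ev):7.2f}/yr")
    # The virus clean-up figure from the Risk Exposure slide: $10,000 x 0.3
    print(f"risk exposure of virus clean-up: ${risk_exposure(10_000, 0.3):,.0f}")
```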
Risk Mitigation: Strategies for Reduction
• There are three strategies for risk reduction:
  – Avoiding the risk, by changing requirements for security or other system characteristics.
  – Transferring the risk, by allocating the risk to other systems, people, organizations, or assets, or by buying insurance.
  – Assuming the risk, by accepting it, controlling it with available resources.
Risk Analysis: Risk Leverage
• Costs are associated with not only the risk’s potential impact but also with reducing it.
• Risk leverage is the difference in risk exposure divided by the cost of reducing the risk.

  Leverage = [(risk exposure before reduction) – (risk exposure after reduction)] / (cost of risk reduction)
Risk Analysis: Steps
• The security risks in a computing system can be analyzed by the following well-defined steps:
  – Identify assets.
  – Determine their value, including costs of recreating any data.
  – Determine the vulnerabilities.
  – Estimate the likelihood of exploitation.
  – Compute expected annual losses.
  – Survey applicable controls and their costs.
  – Perform cost/benefit analysis.
A Generic Example
Risk Analysis: Gym Locker Example
• Consider a Gym Locker that is used by its members to store clothes and other valuables.
• The lockers themselves cannot be locked; however locks can be purchased for the lockers.
• You need to determine the risk exposure for the members of the gym and then use certain controls to reduce the risks.
Risk Analysis: Gym Locker Example
• Identify the assets and determine their value
  – clothes $50
  – wallet $200
  – glasses $100
  – sports equipment $30
  – drivers license $5
  – car keys $20
  – house keys $25
  – tapes and walkman $70
• Find vulnerabilities
  – theft
  – accidental loss
  – disclosure of information (e.g. read contents of wallet)
  – vandalism
Risk Analysis: Gym Locker Example
• Find a way to estimate the likelihood of exploitation.
• This can be the hardest part of the analysis.
• A lot of the information may not be available, or not lend itself to making ready estimates.
Risk Analysis: Gym Locker Example
• For the gym locker example, one possibility is to use a scale.
  – Find a measure that people can estimate.
• Estimate how often a threat will occur:
  – 10: More than once a day
  – 9: Once a day
  – 8: Once every three days
  – 7: Once a week
  – 6: Once every two weeks
  – 5: Once a month
  – 4: Once every four months
  – 3: Once a year
  – 2: Once every three years
  – 1: Less than once every three years
Risk Analysis: Gym Locker Example
• For example, the loss associated with a locker theft.
• On the scale, theft might have an estimated likelihood of 7.
  – That is, on average, about once per week.
• Figure the annual loss
  – Assume the entire contents of the locker get cleaned out.
    • ~$500 dollars worth of expected loss each time (once a week).
  – ~$26,000 dollars per year
    • = $500 x 52 times/year.
Risk Analysis: Gym Locker Example
• Determine the cost of added security
  – To get a new lock would cost 5 dollars.
  – It would cost another 10 dollars to break the lock whenever a key is lost.
  – Assume that on average a member loses a key twice a month
• Estimate likelihood of exploitation under added security
  – The new likelihood of theft could be estimated at a 4.
    • Once every four months.
• Cost Benefit Analysis
  – Revised Losses (including cost of controls) = 500 * 3 + 15 * 24 = $1860
  – Net savings = 26,000 – 1,860 = $24,140
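Worked example (added here; not part of the lecture): the gym-locker cost/benefit analysis carried through in code, using the asset values and the 1..10 frequency scale from the earlier slides and the risk-leverage formula from the Risk Leverage slide. Turning a rating into events per year is this example's reading of the scale (the values for ratings 10 and 1 are assumed), and all names are this example's own.

```python
# Added example (not part of the lecture): the gym-locker cost/benefit analysis
# using the lecture's 1..10 frequency scale and its risk-leverage formula. The
# rating-to-events/year table is this example's reading of the scale (ratings
# 10 and 1 are assumed values), and all names are this example's own.
LOCKER_ASSETS = {"clothes": 50, "wallet": 200, "glasses": 100, "sports equipment": 30,
                 "drivers license": 5, "car keys": 20, "house keys": 25, "tapes and walkman": 70}
FREQUENCY_SCALE = {  # rating -> expected events per year
    10: 730.0,   # more than once a day (assumed: twice a day)
    9: 365.0,    # once a day
    8: 365 / 3,  # once every three days
    7: 52.0,     # once a week
    6: 26.0,     # once every two weeks
    5: 12.0,     # once a month
    4: 3.0,      # once every four months
    3: 1.0,      # once a year
    2: 1 / 3,    # once every three years
    1: 0.1,      # less than once every three years (assumed: once a decade)
}


def events_per_year(rating: int) -> float:
    if rating not in FREQUENCY_SCALE:
        raise ValueError(f"rating must be 1..10, got {rating}")
    return FREQUENCY_SCALE[rating]


def annual_loss(loss_per_event: float, rating: int) -> float:
    """Expected annual loss for a threat rated on the frequency scale."""
    return loss_per_event * events_per_year(rating)


def risk_leverage(before: float, after: float, control_cost: float) -> float:
    """Leverage = (exposure before - exposure after) / cost of risk reduction."""
    if control_cost <= 0:
        raise ValueError("cost of risk reduction must be positive")
    return (before - after) / control_cost


def locker_analysis(theft_before=7, theft_after=4, lock_cost=5.0,
                    break_in_cost=10.0, lost_keys_per_year=24):
    """Exposure before/after the lock, yearly control cost, net savings, leverage."""
    contents = sum(LOCKER_ASSETS.values())                       # $500 per theft
    before = annual_loss(contents, theft_before)                 # rating 7: $26,000/yr
    after = annual_loss(contents, theft_after)                   # rating 4: $1,500/yr
    controls = (lock_cost + break_in_cost) * lost_keys_per_year  # $15 per lost key, 24/yr
    return {"exposure_before": before, "exposure_after": after,
            "control_cost": controls, "revised_losses": after + controls,
            "net_savings": before - (after + controls),
            "leverage": risk_leverage(before, after, controls)}
```

The leverage figure is the slide's net savings restated per dollar of control cost; a value below 1 would mean the lock costs more than the loss it prevents.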
A Security Example
Identification of Assets: Tangible
• Hardware
  – Processors,
  – boards,
  – monitors,
  – keyboards,
  – terminals,
  – drives,
  – cables,
  – connections,
  – controllers,
  – communications media,
  – etc.
Identification of Assets: Tangible
• Software
  – Source programs,
  – Executable programs,
  – purchased programs,
  – operating systems,
  – systems programs,
  – diagnostic programs,
  – etc.
Identification of Assets: Tangible
• Data
  – Data used during execution,
  – Stored data on various media,
  – Archival records,
  – Audit data,
  – Etc.
Identification of Assets: Tangible
• Documentation
  – On programs,
  – hardware,
  – systems,
  – Administrative procedures and
  – Spanning the entire system,
  – Etc.
Identification of Assets: Non-Tangible
• People
  – Skills needed to run the computing systems, etc.
• Supplies
  – e.g. paper, forms, laser cartridges, magnetic media
• Reputation
• Trust
• Political Fallout
  – In case of government agencies, contractors, etc.
Identification of Assets: VAM Methodology (RAND Corp.)
• VAM – Vulnerability Assessment and Mitigation
  – It is a process supported by a tool that helps in identification of assets, vulnerabilities and countermeasures.
• VAM methodology includes additional assets, such as
  – The enabling infrastructure.
  – The building or vehicle in which the systems will reside.
  – The power, water, air, and other environmental conditions necessary for proper functioning.
  – Human and social assets, such as policies, procedures, & training.
Determine Vulnerabilities: Specific to Organizations
• Predict the damage that might occur and its source.
• Vulnerabilities are derived to ensure the three goals of information security
  – Confidentiality, Integrity and Availability
• To organize threats & assets use the following matrix:

  Asset         | Confidentiality | Integrity | Availability
  --------------+-----------------+-----------+-------------
  Hardware      |                 |           |
  Software      |                 |           |
  Data          |                 |           |
  People        |                 |           |
  Documentation |                 |           |
  Supplies      |                 |           |
Determine Vulnerabilities: Guiding Questions
• Each vulnerability may affect more than one asset or cause more than one type of loss
• While completing the matrix answer the following questions:
  – What are the effects of unintentional errors?
    e.g. accidental deletion, use of incorrect data
  – What are the effects of willfully malicious insiders?
    e.g. disgruntled employees, bribery, espionage
  – What are the effects of outsiders?
    e.g. hackers, dial-in access, people sifting through trash
  – What are the effects of natural and physical disasters?
    e.g. fire, storms, floods, power outage, component failures
Determine Vulnerabilities: Impact to Assets

  Asset         | Confidentiality                           | Integrity                                            | Availability
  --------------+-------------------------------------------+------------------------------------------------------+---------------------------------------
  Hardware      |                                           | Overloaded, destroyed, tampered with                 | Failed, stolen, destroyed, unavailable
  Software      | Stolen, copied, pirated                   | Impaired by Trojan horse, modified, tampered with    | Deleted, misplaced, usage expired
  Data          | Disclosed, accessed by outsider, inferred | Damaged (software error, hardware error, user error) | Deleted, misplaced, destroyed
  People        |                                           |                                                      | Terminated, quit, retired, vacation
  Documentation |                                           |                                                      | Lost, stolen, destroyed
  Supplies      |                                           |                                                      | Lost, stolen, damaged

• Table lists some impact to tangible assets
  – Harder to determine impact to non-tangible assets
Determine Vulnerabilities: Key Attributes
• No simple checklist to list all vulnerabilities
• Assets have properties that make them vulnerable
  – Properties exist in three categories (i.e. Architecture, Behavioral, General)

Design/Architecture:
  • Singularity
    – Uniqueness
    – Centrality
    – Homogeneity
  • Separability
  • Logic/implementation errors; fallibility
  • Design sensitivity, fragility, limits, finiteness
  • Unrecoverability
Behavioral:
  • Behavioral sensitivity/fragility
  • Malevolence
  • Rigidity
  • Malleability
  • Gullibility, deceivability, naïveté
  • Complacency
  • Corruptibility, controllability
General:
  • Accessible, detectable, identifiable, transparent, interceptable
  • Hard to manage or control
  • Self-unawareness and unpredictability
  • Predictability
Likelihood of Exploitation: Frequency of event
• Likelihood relates to the stringency of existing controls
  – i.e. likelihood that someone or something will evade controls
• Several approaches to computing the probability that an event will occur
  – classical, frequency and subjective
• Not easy to determine an event’s probabilities using classical methods
  – Frequency probability can be computed by tracking failures that result in security breaches or that create new vulnerabilities
  – e.g. operating systems can track hardware failures, failed login attempts, changes in the sizes of data files etc.
• In case automatic tracking is not feasible, expert judgment is used to determine the frequency
Likelihood of Exploitation: Delphi Approach
• Subjective probability technique originally devised to deal with public policy decisions
• Assumes experts can make informed decisions
• Results from several experts are analyzed
• Estimates are revised until consensus is reached among experts

  Rating | Frequency
  -------+-------------------------------
  10     | More than once a day
  9      | Once a day
  8      | Once every three days
  7      | Once a week
  6      | Once in two weeks
  5      | Once a month
  4      | Once every four months
  3      | Once a year
  2      | Once every three years
  1      | Less than once in three years
Compute Expected Loss: Tangible & Non-tangible assets
• In this step ramifications of a computer security failure on the organization are determined.
• Often inaccurate
  – Costs of human capital required to recover from failure undervalued, e.g. cost of restoring data
  – Indirect consequences of an event unknown until the event actually happens
  – Catastrophic events that cause heavy damage are so infrequent that correct data is unavailable
  – Non-tangible assets are hard to quantify
• The questions on the next slide can prompt us to think about issues of explicit and hidden cost related to security.
  – The answers may not produce precise cost figures, but can help identify the sources of various types of costs.
Compute Expected Loss: Guiding Questions
• What are the legal obligations in preserving the confidentiality or integrity of the data?
• What business requirements and agreements cover the situation?
• Could release of data item cause harm to person or organization?
• Could unauthorized access to data cause the loss of future business opportunity?
• What is the psychological effect of lack of computer service?
• What is the value of access to data or programs?
• What is the value of having access to data or programs to someone else?
• What other problems would arise from loss of data?
Controls: Surveying and Implementing

  Vulnerability | Technique 1 | Technique 2 | Technique 3 | Technique 4
  --------------+-------------+-------------+-------------+------------
  A             |             |             |             |
  B             |             |             |             |
  C             |             |             |             |
  D             |             |             |             |
  E             |             | Primary     |             |
  F             |             | Secondary   | Secondary   | Primary
  G             |             |             |             |
  T             | Caution: no control under any technique
Controls: Surveying and Implementing, Cont’d.
• The previous slide shows matching of vulnerabilities with appropriate security techniques (controls).
• Note
  – Vulnerabilities E and F are countered by primary techniques 2 and 4, respectively.
  – The secondary control techniques 2 and 3 for vulnerability F are good defense in depth.
  – The fact that there is no secondary control for vulnerability E is a minor concern.
  – Vulnerability T is a serious caution, because it has no control whatsoever.
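Worked example (added here; not part of the lecture): the three observations above turned into a check that can be run over a vulnerability/control matrix, so that uncovered vulnerabilities, primary-only rows and heavily shared techniques are flagged automatically. The matrix is constructed from the slide (rows the slide leaves blank are omitted); the status labels and function names are this example's own.

```python
# Added example (not part of the lecture): checking a vulnerability/control
# matrix like the one on the slide for the gaps the notes call out. The matrix
# is constructed from the slide (rows it leaves blank are omitted); the status
# labels and function names are this example's own.
from collections import Counter

# vulnerability -> {technique: role}; an empty mapping means no control at all
CONTROL_MATRIX = {
    "E": {"Technique 2": "Primary"},
    "F": {"Technique 4": "Primary", "Technique 2": "Secondary", "Technique 3": "Secondary"},
    "T": {},
}


def coverage_status(controls: dict) -> str:
    """Classify one vulnerability's row of the matrix."""
    roles = set(controls.values())
    if not controls:
        return "caution: no control whatsoever"
    if "Primary" not in roles:
        return "concern: secondary controls only, no primary technique"
    if "Secondary" not in roles:
        return "minor concern: primary only, no defense in depth"
    return "ok: primary control plus defense in depth"


def assess(matrix: dict) -> dict:
    return {vuln: coverage_status(ctl) for vuln, ctl in matrix.items()}


def uncovered(matrix: dict) -> list:
    """Vulnerabilities that need a control before anything else."""
    return sorted(v for v, ctl in matrix.items() if not ctl)


def technique_load(matrix: dict) -> dict:
    """Vulnerabilities served per technique; a heavily shared control is itself
    a single point of failure worth a secondary control."""
    return dict(Counter(t for ctl in matrix.values() for t in ctl))


if __name__ == "__main__":
    for vuln, status in assess(CONTROL_MATRIX).items():
        print(f"Vulnerability {vuln}: {status}")
    print("uncovered:", uncovered(CONTROL_MATRIX))
    print("technique load:", technique_load(CONTROL_MATRIX))
```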