Post on 21-Dec-2015
Stephen S. Yau, CSE465-591, Fall 2006
Risk Management
What is a risk?
[Figure: an information system at risk, shown with a threat (attacker) and a vulnerability]
Concepts revisited
– A threat is a potential occurrence that can have an undesirable effect on the system assets or resources
– A vulnerability is a weakness that makes it possible for a threat to occur
A risk is a possible future negative event that may affect the successful operation of a system
– A risk is not necessarily an ongoing problem, but it may become one
Threat Category
Unauthorized access threats
Information compromise threats
Information corruption threats
Denial of service threats
Software corruption threats
Hardware corruption threats
Hardware/software distribution threats
Network-based threats
Vulnerability Category
Probabilistic vulnerabilities
– Caused by hardware failures, human actions and information problems in the operational environment
Algorithmic vulnerabilities
– Caused by design and implementation errors, which are introduced during system development (including both software and hardware)
Identify Possible Risks
What is at risk?
– Product design documents
– Customer information
– Company's future plan
– ...
What is the threat and where does the threat come from?
– Who? (competitors, foreign agents, hackers)
– Motivation (national security, money, fame, "fun")
– Target (access confidential data, change data, deface...)
– Capabilities (intellect, equipment, money)
What vulnerabilities can be exploited?
– Technology
– Process
– Network
– People
Cost/Benefit Analysis
After identifying possible risks, cost/benefit analysis needs to be performed for the following reasons:
It is infeasible, and sometimes impossible, to implement a perfectly secure system
Cost/benefit analysis helps identify the risks that are most likely to occur, and those that will cause severe damage if they occur
Some risks are always there (residual risk) but are highly unlikely to become a problem; or, even if they become problems, they can easily be contained and solved. These risks are treated as acceptable risks in a system.
Results of cost/benefit analysis can help allocate limited system resources to the areas where they are most needed
Risk Analysis
A process to systematically identify assets, threats, and (potential) vulnerabilities in a system, and address the following:
– What is to be protected
– What is threatening the system
– Time, effort, and money willing to be spent
Should be a continuous process over the life cycle of a system (design, implementation, testing, deployment, update and termination)
Two basic types of risk analysis:
– Quantitative and qualitative
Quantitative Risk Analysis
Attempts to establish and maintain an independent set of risk metrics and statistics, including
– Annualized loss expectancy (ALE): single loss expectancy multiplied by annualized rate of occurrence.
– Probability: chance, in a finite sample, that an event will occur or that a specific loss value may be attained should the event occur.
– Control: risk-reducing measure that acts to detect, prevent, or minimize loss associated with occurrence of a specified threat or category of threats.
Quantitative Risk Analysis (cont.)
Pros:
– Objective, independent process
– Solid basis for cost/benefit analysis
– Credibility for audit, management
– Useful for many kinds of reliability-related design questions (e.g., redundant servers), where threats and likelihood of "events" can be easily measured
Quantitative Risk Analysis (cont.)
Cons:
– Problems associated with unreliability and inaccuracy of data
– Probability can rarely be precise and, in some cases, promotes complacency
– Very time consuming, and costly to do correctly
Qualitative Risk Analysis
Most widely used approach to risk analysis
– Probability data not required
– Only estimated potential loss used
Establishing classes of loss values (impact)
– Insignificant, minor, moderate, major, catastrophic
– Under $10K, between $10K and $100K, between $100K and $1M, between $1M and $50M, over $50M
– Type of loss (e.g. compromise of credit card #, compromise of SSN, compromise of highly personal data)
Qualitative Risk Analysis (cont.)
Establishing classes of likelihood of compromise
– Almost certain, likely, moderate, unlikely, rare
Levels of risks
– Extreme
– High
– Moderate
– Low
Focusing effort on high loss items
Determine Risk Levels
(rows: likelihood; columns: impact)

Likelihood      Insignificant  Minor     Moderate  Major    Catastrophic
Almost certain  High           High      Extreme   Extreme  Extreme
Likely          Moderate       High      High      Extreme  Extreme
Moderate        Low            Moderate  High      Extreme  Extreme
Unlikely        Low            Low       Moderate  High     Extreme
Rare            Low            Low       Moderate  High     Extreme
Qualitative Risk Analysis (cont.)
Pros:
– Easy to understand and carry out
– Does not depend on possibly inaccurate data
Cons:
– More subjective: depends on the person defining the classes of impact and likelihood of compromise
– Depends on historical experience and expertise
Controls
Countermeasures for vulnerabilities
– Deterrent controls reduce the likelihood of a deliberate attack
– Preventative controls protect vulnerabilities and make an attack unsuccessful or reduce its impact
– Corrective controls reduce the effect of an attack
– Detective controls discover attacks and trigger preventative or corrective controls
– Recovery controls restore lost computer resources or capabilities from security violations
A Model of Risk Analysis Process
[Figure: diagram of the risk analysis model. Nodes: Threat, Attack, Vulnerability, Impact, Deterrent Control, Detective Control, Preventative Control, Corrective Control. Edge labels: Reduce likelihood of, Discovers, Triggers, Protects, Reduces, Results in, Decreases, Creates, Exploits.]
Risk Management
Concerned with preventing risks from becoming problems
How to deal with risks identified in the risk analysis
– Old philosophy: risk avoidance
  Do whatever you can to avoid risks
– New philosophy: risk management
  Understand risks
  Deal with them in an appropriate, cost-effective manner
Risk Management (cont.)
Choices for each risk
– Risk acceptance: tolerate those risks with low impact or rare occurrence
– Risk reduction (also called risk mitigation)
– Risk transfer (to another entity): let others handle the risk
Typically use a combination of acceptance, reduction, and transfer for different risks
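The loss bands, likelihood classes, risk matrix and ALE definition from the earlier slides, combined into one small risk register that ends in the accept/reduce/transfer choice, as an added example that is not part of the lecture; the net-benefit rule, the decision rule in recommend() and all dollar figures are my assumptions.

```python
# Added example, not from the lecture: applies the slides' loss bands (slide 11),
# likelihood classes (slide 12), risk matrix (slide 13) and ALE formula (slide 8),
# then makes the accept/reduce/transfer choice of slide 18. The net-benefit rule,
# the decision rule in recommend() and the sample dollar figures are assumptions.

IMPACT_CLASSES = ["insignificant", "minor", "moderate", "major", "catastrophic"]
# Upper bound (dollars) of the first four loss bands on the slides; a loss at or
# above the last bound is catastrophic.
IMPACT_UPPER_BOUNDS = [10_000, 100_000, 1_000_000, 50_000_000]

# Risk matrix from the slides: key = likelihood class, value = one risk level
# per impact class, in IMPACT_CLASSES order.
RISK_MATRIX = {
    "almost certain": ["high", "high", "extreme", "extreme", "extreme"],
    "likely":         ["moderate", "high", "high", "extreme", "extreme"],
    "moderate":       ["low", "moderate", "high", "extreme", "extreme"],
    "unlikely":       ["low", "low", "moderate", "high", "extreme"],
    "rare":           ["low", "low", "moderate", "high", "extreme"],
}

def impact_class(single_loss: float) -> str:
    """Map an estimated single-loss value (dollars) to its impact class."""
    for cls, upper in zip(IMPACT_CLASSES, IMPACT_UPPER_BOUNDS):
        if single_loss < upper:
            return cls
    return "catastrophic"

def risk_level(likelihood: str, single_loss: float) -> str:
    """Qualitative risk level: likelihood row, impact column of the matrix."""
    return RISK_MATRIX[likelihood][IMPACT_CLASSES.index(impact_class(single_loss))]

def ale(single_loss: float, annual_rate: float) -> float:
    """Annualized loss expectancy = single loss expectancy x annualized rate."""
    return single_loss * annual_rate

def control_net_benefit(sle, aro_before, aro_after, annual_control_cost):
    """Assumed cost/benefit rule: ALE reduction achieved by a control minus the
    control's yearly cost. Positive means the control pays for itself."""
    return ale(sle, aro_before) - ale(sle, aro_after) - annual_control_cost

def recommend(likelihood, sle, aro_before, aro_after, annual_control_cost):
    """Constructed decision rule: accept risks the matrix rates low, reduce when
    the candidate control has a positive net benefit, otherwise flag for transfer."""
    if risk_level(likelihood, sle) == "low":
        return "accept"
    if control_net_benefit(sle, aro_before, aro_after, annual_control_cost) > 0:
        return "reduce"
    return "transfer"

if __name__ == "__main__":
    # Constructed sample: customer-database breach, SLE $250K, expected once in
    # five years (ARO 0.2); an encryption control costing $15K/year cuts ARO to 0.05.
    print(risk_level("moderate", 250_000), ale(250_000, 0.2))   # high 50000.0
    print(recommend("moderate", 250_000, 0.2, 0.05, 15_000))     # reduce
```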
Examples

Choices for risk   Car theft risk                  Hacker break-in risk
Risk acceptance    Deductibles on car insurance    Minimal security (delete all the spam emails)
Risk reduction     Locks, alarms, GPS locator      Strong security mechanisms (firewall, encryption, etc.)
Risk transfer      Car insurance covering theft    Rely on Internet Service Provider (ISP) to provide security guarantees
Risk Management Process
Step 1: System characterization
– Input: hardware, software, system interfaces, system mission, people, data information
– Output: system boundary, system functions, system and data criticality and sensitivity
Step 2: Threat identification
– Input: attack history, data from intelligence agencies or mass media
– Output: threat statement
Risk Management Process (cont.)
Step 3: Vulnerability identification
– Input: prior risk assessment reports, audit comments, security requirements, security test results
– Output: list of potential vulnerabilities
Step 4: Control analysis
– Input: current controls, planned controls
– Output: evaluation results of current and planned controls
Risk Management Process (cont.)
Step 5: Likelihood determination
– Input: threat-source motivation, threat capacity, nature of vulnerability, current controls
– Output: likelihood rating
Step 6: Impact analysis
– Input: mission impact analysis, asset criticality assessment, data criticality and sensitivity
– Output: impact rating
Step 7: Risk determination
– Input: likelihood of threat exploitation, magnitude of impact, adequacy of planned or current controls
– Output: risks and associated risk levels
Risk Management Process (cont.)
Step 8: Control recommendations
– Output: recommended controls
Step 9: Results documentation
– Output: a set of documents including risk identification, assessment, cost-effectiveness evaluation, suggested control list, etc.
– A well documented risk management process at one phase is also the starting point for the analysis at the next phase
Risk Management Process (cont.)
Step 10: System monitoring:
– Whether the system configuration has changed: new hardware installed, software updates, mission goal changed, etc.
– Performance of controls: how many possible attacks have been prevented by controls; any failures or unwanted outcomes, etc.
Restart the whole process from Step 1 again:
– Periodically, as part of the system maintenance procedure
– When the system configuration has changed, since the change may generate new risks not covered during the last risk management process
– When some controls fail to prevent the risk from turning into attacks
Risk Management Process (cont.)
[Figure: flowchart of the ten steps: 1. System Characterization, 2. Threat Identification, 3. Vulnerability Identification, 4. Control Analysis, 5. Likelihood Determination, 6. Impact Analysis, 7. Risk Determination, 8. Control Recommendation, 9. Results Documentation, 10. System Monitoring]