Ethics and the Law

Date post: 11-Jan-2016
Upload: ashley-horton

Transcript

Ethics and the Law

Computer Ethics

A branch of philosophy that deals with computing-related moral dilemmas and defines ethical principles for computer professionals.

• Plagiarism
• Software Piracy
• Proper Email and Internet use
• Unauthorized Computer Access
• Computer Crimes

Computer Crime

Definition: the act of using a computer to commit an illegal act.

• Authorized and unauthorized computer access
• Examples:
  Stealing time on company computers
  Breaking into government Web sites
  Stealing credit card information

Computer Crime: Federal and State Laws

• Stealing or compromising data
• Gaining unauthorized computer access
• Violating data belonging to banks
• Intercepting communications
• Threatening to damage computer systems
• Disseminating viruses

Computer Crime: Hacking and Cracking

• Hacker – one who gains unauthorized computer access, but without doing damage
• Cracker – one who breaks into computer systems for the purpose of doing damage

Computer Crime: Who commits computer crime?

Computer Crime: Types of computer crime

• Data diddling: modifying data
• Salami slicing: skimming small amounts of money
• Phreaking: making free long distance calls
• Cloning: cellular phone fraud using scanners
• Carding: stealing credit card numbers online
• Piggybacking: stealing credit card numbers by spying
• Social engineering: tricking employees to gain access
• Dumpster diving: finding private info in garbage cans
• Spoofing: stealing passwords through a false login page

Computer Crime: Software piracy

• North America – 25%
• Western Europe – 34%
• Asia / Pacific – 51%
• Mid East / Africa – 55%
• Latin America – 58%
• Eastern Europe – 63%

Laws related to Information Security

Privacy Act of 1974
• Makes a blanket statement that no records at an agency can be disclosed without that individual’s written consent.

Electronic Communications Privacy Act of 1988
• Prohibits unauthorized monitoring of electronic communications by individuals, businesses, and the government.

Laws related to Information Security (II)

Computer Matching and Privacy Protection Act of 1988
• Amends the Privacy Act of 1974 by adding new regulations that deal with computer matching.
• Computer matching is the process of linking records together by a common element like a social security number.

Laws related to Information Security (III)

Computer Fraud and Abuse Act 1986
• Passed in 1986 to combat hacking. It primarily applies to four activities:
  Knowingly accessing without authorization (or in excess of authorization) any computer system and in doing so obtaining restricted or classified government information.
  Knowingly accessing without authorization to obtain financial information.
  Intentionally and without authorization accessing any computer of a department or agency of the US.
  Knowingly, and with intent to defraud, trafficking in any password or similar information without authorization.

How the Laws affect you

Knowing the previous laws affects you quite profoundly.

If you were to break into a government computer and release a virus, you are responsible for all of the damage and downtime in addition to the actual breaking in of the computer. This could mean large penalties and jail time even for a simple offense.

Computer Crimes – The people who commit them

Amateurs (Script Kiddies)
• Temptation is there if access is available.
• You wouldn't ask a stranger to hold your wallet while you went around the corner to move your car.

• Disgruntled employees
• Oh Yeah! I'll show you!

Crackers and Hackers
• Often the challenge or curiosity
• West German group (Cliff Stoll)
• Desert Shield / Desert Storm

Computer Crimes – The people who commit them (II)

Corporate Raiders
• Trade Secrets
• Inside Information
• Financial predictions

Terrorists
• No major incidents have occurred yet!
• This is a potential nightmare waiting to happen.
• Potential economic disaster.

Categories of Computer misuse

Human Error
• Hard to control

Abuse of Authority
• White collar crime

Direct Probing
• Rattling doorknobs

Probing With Malicious Software
• Trojan horses

Direct Penetration
• Exploiting system bugs

Subversion of Mechanism
• Trap doors

Security Risk Management

Outline for Today’s Class

Basic Definitions
What is Security Risk Management
Generic Security Risk Management Methodology
Security Risk Analysis

What is Security?

Security is a process, not a product. Security products will not save you – Bruce Schneier

Process is composed of technology, people, and tools. This is important because processes involve time and interaction between entities, and many of the hard problems in security stem from this inherent interaction.

What is RISK MANAGEMENT?

• The process concerned with identification, measurement, control and minimization of security risks in information systems to a level commensurate with the value of the assets protected.

(Definition from National Information Systems Security (INFOSEC) Glossary, NSTISSI No. 4009, Aug. 1997)

RISK

- The likelihood that a particular threat, using a specific attack, will exploit a particular vulnerability of a system that results in an undesirable consequence.

(Definition from National Information Systems Security (INFOSEC) Glossary, NSTISSI No. 4009, Aug. 1997)

THREAT

Any circumstance or event with the potential to cause harm to an information system in the form of destruction, disclosure, adverse modification of data, and/or the denial of service.

(Definition from National Information Systems Security (INFOSEC) Glossary, NSTISSI No. 4009, Aug. 1997)

Definition of Likelihood

• LIKELIHOOD of the threat occurring is the estimation of the probability that a threat will succeed in achieving an undesirable event.

Considerations in Assessing the Likelihood of Threat

• Presence of threats
• Tenacity of threats
• Strengths of threats
• Effectiveness of safeguards

Statistical Threat Data

Two Schools of Thought on Likelihood Calculation

Assume

Don’t Assume

ATTACK

• An attempt to gain unauthorized access to an information system’s services, resources, or information, or the attempt to compromise an information system’s integrity, availability, or confidentiality, as applicable.

(Definition from National Information Systems Security (INFOSEC) Glossary, NSTISSI No. 4009, Aug. 1997)

VULNERABILITY

Weakness in an information system, cryptographic system, or other components (e.g., system security procedures, hardware design, internal controls) that could be exploited by a threat.

(Definition from National Information Systems Security (INFOSEC) Glossary, NSTISSI No. 4009, Aug. 1997)

Vulnerability Example

RM/RA (figure): Risk Management, Risk Assessment, Risk Mitigation

RISK ASSESSMENT

A process of analyzing THREATS to and VULNERABILITIES of an information system and the POTENTIAL IMPACT the loss of information or capabilities of a system would have. The resulting analysis is used as a basis for identifying appropriate and cost-effective counter-measures.

(Definition from National Information Systems Security (INFOSEC) Glossary, NSTISSI No. 4009, Aug. 1997)

Benefits of Risk Assessment

• Increased awareness
• Assets, vulnerabilities, and controls
• Improved basis for decisions
• Justification of expenditures

Risk Assessment Process

• Identify assets
• Determine vulnerabilities
• Estimate likelihood of exploitation
• Compute expected loss

What is a risk (generic)

A definable event
Probability of occurrence
Consequence (impact) of occurrence

A risk is not a problem…. A problem is a risk whose time has come.

What is a security risk

Threat – is any potential danger to information, or systems (e.g. fire)

Vulnerability – is a software, hardware, or procedural weakness that may provide an attacker the open door to enter a system (e.g. lack of water)

Risk – loss potential (probability) that a threat will exploit a vulnerability.

The CIA Triad (figure): Confidentiality, Integrity and Availability as the security objectives.

CIA Model

Confidentiality - The protection of information assets from unauthorized access, leakage or copying. (losing trade secrets, unauthorized access, etc.)

Integrity - The protection of information from unauthorized modification. (accuracy of data, sensitivity to fraud, etc.)

Availability - Ensuring that information assets are available to authorized users when they need and expect them.

Controls to protect Assets

Company data and assets are protected by administrative, technical and physical controls.

Administrative Controls: policies, standards, guidelines, screening personnel, security awareness training

Technical Controls: logical access controls, encryption, security devices, identification and authentication

Physical Controls: facility protection, security guards, locks, monitoring, environmental controls, intrusion detection

Technology: Goals to Tools

Relationship among different security components (figure): a Threat Agent gives rise to a Threat, which exploits a Vulnerability, which leads to RISK, which can damage an Asset and causes an Exposure, which can be counter-measured by a Safeguard, which directly affects the Threat Agent.

Security Risk Management

Risk Management is the process of identifying, assessing, and reducing a risk(s) to an acceptable level and implementing the right mechanisms to maintain that level of risk (e.g. acceptable risk).

Risk management reduces risks by defining and controlling threats and vulnerabilities.

Generic Security Risk Management Methodology

(figure) Starting at Project Start, the methodology proceeds through:
Identify – Identify Baseline or New Risks
Analyze – Classify Risks, Evaluate Risks, Prioritize Risks
Plan – Determine Response Strategy, Assign Responsibility, Determine Action Plan
Tracking & Control – Track Risks, Control Risks
Communication – Communicate Risks Inside and Outside the Project Team

Primary Risk Calculation Methodologies

Quantitative & Qualitative

Risk Analysis

Risk Analysis is a method of identifying and assessing the possible damage that could be caused, in order to justify security safeguards.

Two types of risk analysis:
• Quantitative – attempts to assign real numbers to the costs of safeguards and the amount of damage that can take place
• Qualitative – an analysis that judges an organization’s risk to threats, which is based on judgment, intuition, and experience versus assigning real numbers to these possible risks and their potential loss

The Quantitative Method

Steps of Quantitative Risk Analysis

Assign value to information and assets (tangible and intangible)
Estimate potential loss per risk
Perform a threat analysis
Derive the overall loss potential per risk
Choose safeguards / countermeasures for each risk
Determine Risk Response (e.g. mitigation, avoidance, acceptance)

Formula for Risk


Quantitative Risk Analysis

Exposure Factor (EF) = Percentage of asset loss caused by identified threat; ranges from 0 to 100%

Single Loss Expectancy (SLE) = Asset Value x Exposure Factor; $1,000,000 @ 10% likelihood = $100,000

Annualized Rate of Occurrence (ARO) = Estimated frequency a threat will occur within a year, characterized on an annual basis. A threat occurring once in 10 years has an ARO of 0.1; a threat occurring 50 times in a year has an ARO of 50

Annualized Loss Expectancy (ALE) = Single Loss Expectancy x Annualized Rate of Occurrence

Safeguard cost/benefit analysis = (ALE before implementing safeguard) – (ALE after implementing safeguard) – (annual cost of safeguard) = value of safeguard to the company

Simple Quantitative Example

Risk: Disclosure of company confidential data, computation based on incorrect data

Item                                                                         Amount
Cost to reconstruct correct data: $1,000,000 @ 10% likelihood per year       $100,000
Effectiveness of access control software: 60%                                - $60,000
Cost of access control software                                              + $25,000
Expected annual costs due to loss and controls: $100,000 - $60,000 + $25,000  $65,000
Project Savings: $100,000 - $65,000                                           $35,000

Risk Response: Mitigation – Minimize loss

Quantitative Example

Risk                                                                         Amount
Access to authorized data and programs: $100,000 @ 2% likelihood per year    $2,000
Unauthorized use of computing facilities: $10,000 @ 40% likelihood per year  $4,000
Expected annual loss (2,000 + 4,000)                                         $6,000
Effectiveness of network control: 100%                                       - $6,000

Safeguard Costs
Hardware ($50,000 amortized over 5 years)                                    + $10,000
Software ($20,000 amortized over 5 years)                                    + $4,000
Support personnel (each year)                                                + $40,000
Safeguard Annual Cost (10,000 + 4,000 + 40,000)                              $54,000

Safeguard Cost Benefit annual cost: $6,000 - $6,000 + $54,000                $54,000
Project Savings: $6,000 - $54,000                                            - $48,000

Risk Response: ACCEPT - Passive
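The SLE/ALE arithmetic and the safeguard cost/benefit rule from the Quantitative Risk Analysis slide, carried through both worked examples above. This is an added example, not code from the slides; the Risk, Safeguard and amortized names are this example's own, and the "mitigate when the safeguard value is positive, otherwise accept" decision rule is an assumption that reproduces the two Risk Response outcomes shown.

```python
"""Quantitative risk analysis helpers: SLE, ALE and safeguard cost/benefit.

Added example (not from the original slides). It reproduces the two worked
examples from the deck and the Risk Response each one reaches. The class and
function names are this example's own.
"""
from dataclasses import dataclass, field


@dataclass
class Risk:
    """One threat/asset pair valued the way the deck does it."""
    name: str
    asset_value: float      # dollars
    exposure_factor: float  # fraction of the asset lost per occurrence, 0..1
    aro: float              # annualized rate of occurrence (events per year)

    @property
    def sle(self) -> float:
        """Single Loss Expectancy = Asset Value x Exposure Factor."""
        return self.asset_value * self.exposure_factor

    @property
    def ale(self) -> float:
        """Annualized Loss Expectancy = SLE x ARO."""
        return self.sle * self.aro


@dataclass
class Safeguard:
    """A control with its effectiveness and its annual cost line items."""
    name: str
    effectiveness: float                               # fraction of the ALE it removes, 0..1
    annual_costs: dict = field(default_factory=dict)   # line item -> dollars per year

    @property
    def annual_cost(self) -> float:
        return sum(self.annual_costs.values())


def amortized(capital_cost: float, years: int) -> float:
    """Straight-line amortization as used on the slide ($50,000 over 5 years = $10,000/yr)."""
    return capital_cost / years


def ale_before(risks) -> float:
    """Total ALE with no safeguard in place."""
    return sum(r.ale for r in risks)


def ale_after(risks, safeguard: Safeguard) -> float:
    """ALE that remains once the safeguard removes its share of the loss."""
    return ale_before(risks) * (1.0 - safeguard.effectiveness)


def safeguard_value(risks, safeguard: Safeguard) -> float:
    """Slide formula: (ALE before) - (ALE after) - (annual cost of safeguard)."""
    return ale_before(risks) - ale_after(risks, safeguard) - safeguard.annual_cost


def risk_response(risks, safeguard: Safeguard) -> str:
    """Assumed decision rule: mitigate when the safeguard pays for itself, else accept."""
    return "MITIGATE" if safeguard_value(risks, safeguard) > 0 else "ACCEPT"


def deck_examples() -> dict:
    """The two worked examples from the slides as {label: (safeguard value, response)}.

    A '$X @ p% likelihood per year' line is modelled as EF = 1.0 and ARO = p/100,
    which gives the same dollar figures the slides show.
    """
    # Example 1: $1,000,000 reconstruction cost at 10%/yr; access control
    # software 60% effective and costing $25,000/yr -> $35,000 savings.
    ex1_risks = [Risk("disclosure / incorrect data", 1_000_000, 1.0, 0.10)]
    ex1_sg = Safeguard("access control software", 0.60, {"software": 25_000})
    # Example 2: two risks totalling $6,000/yr; network control 100% effective
    # but costing $54,000/yr once hardware and software are amortized -> -$48,000.
    ex2_risks = [
        Risk("access to data and programs", 100_000, 1.0, 0.02),
        Risk("unauthorized use of computing facilities", 10_000, 1.0, 0.40),
    ]
    ex2_sg = Safeguard("network control", 1.00, {
        "hardware": amortized(50_000, 5),
        "software": amortized(20_000, 5),
        "support personnel": 40_000,
    })
    return {
        "example_1": (safeguard_value(ex1_risks, ex1_sg), risk_response(ex1_risks, ex1_sg)),
        "example_2": (safeguard_value(ex2_risks, ex2_sg), risk_response(ex2_risks, ex2_sg)),
    }


if __name__ == "__main__":
    for label, (value, response) in deck_examples().items():
        print(f"{label}: safeguard value ${value:,.0f} -> {response}")
```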

Quantitative Risk Summary

Pros
• Uses probability concepts – the likelihood that a risk will occur or will not occur
• The value of information is expressed in monetary terms with supporting rationale
• Risk assessment results are derived and expressed in management speak

Cons
• Purely quantitative risk analysis is not possible because quantitative measures must be applied to qualitative elements
• Can be less ambiguous, but using numbers can give the appearance of specificity that does not really exist
• Huge amount of data must be gathered and managed

The Qualitative Method

Qualitative Risk Analysis

Does not assign numbers and monetary value to components and losses.

Walks through different scenarios of risk possibilities and ranks the seriousness of the threats for the sensitivity of the assets.

Qualitative Example:

“The system is weak in this area and we know that our adversary has the capability and motivation to get to the data in the system, so the likelihood of this event occurring is high.”

Identifying Qualitative Risks

Expert Interviews
Wideband Delphi Technique
Brainstorming
Nominal Group Technique
Affinity Diagram
Analogy Techniques

Qualitative Risks Matrix

Example Qualitative Risk Matrix (figure): events are plotted by likelihood (0% to 100%) against consequence and binned into LOW RISK, MEDIUM LOW, MEDIUM HIGH and HIGH RISK. Events shown include: Hostage / Kidnap, Strike / Walkout, Hostile Takeover, Major Explosion, Terrorism, Industrial Espionage, Sabotage, Comm. Disease, Flood, Suicide, Telecomm Failure, Maj. Operator Error, Child Care Incident, Transportation Incident, Minor Explosion, Neighbor Issue, Civil Unrest, Employee Violence, Tornado, Breach IT Security, Organized Crime, Blizzard, Bribery / Extortion, Protesters, Injury / Death, Accusation / Libel / Slander, Fog, Bomb Threat, Equipment Malfunc., Power Failure, Ice Storm, Media Investigation, Chemical Spill / Contamination, Major Fire, Class Action Lawsuit, Management Issues, Security Breach, Loss of IT / Virus, Major Electrical Storm.

Qualitative Risk Summary

Pros
• Is simple and readily understood and executed.
• Provides a general indication of significant areas of risk that should be addressed

Cons
• Is difficult to enforce in uniformity and consistency, but provides some order of measurement
• Is subjective in both process and metrics.
• Cannot provide cost/benefit analysis

Quantitative versus Qualitative

Quant.  Attribute                                   Qual.
+       Independent & Objective Metrics             -
+       Cost / Benefit analysis                     -
+       Monetary based                              -
-       Amount of work, cost, time                  +
-       Amount of information required              +
+       Easily automated                            -
-       Degree of guesswork                         +
+       Value of information understood             -
-       Threat frequency and impact data required   -

Quantitative and Qualitative Merged

Risk Impact Matrix (figure): risks plotted against response strategies, with each cell rated from ++ to --.

Key Elements for Managing RisksKey Elements for Managing Risks

* Source: Modeling Security Risks by Vernon H Guthrie and David Walker

Example Security Risk Assessment Approach

Total Risk versus Residual Risk

Residual Risk – after a countermeasure is installed, there is still some risk, which is the residual risk

(threats x vulnerability x asset value) x control gap = residual risk

Total risk – when a company chooses not to implement any type of safeguard. Reasoning for this would be because of the cost/benefit analysis results.

threats x vulnerability x asset value = total risk

Threat and Vulnerability Revisited

Threat – the capability or intention to exploit, or any circumstance or event with the potential to cause harm, such as a hacker.

Vulnerability – a weakness in a system that can be exploited.

Threat + Vulnerability Assessment

Likelihood vs. Consequence

COUNTERMEASURE
• A countermeasure is an action, device, procedure, or technique used to eliminate or reduce one or more vulnerabilities.

Examples of Countermeasures
• Procedures: security policies and procedures, training, personnel transfer
• Hardware: doors, window bars, fences, paper shredder, alarms, badges
• Manpower: guard force

CONSEQUENCE
• A consequence is that which logically or naturally follows an action or condition.
• “The worse the consequence of a threat harming the system, the greater the risk”

Determination of the Consequence of the Attack

(figure) Attack, Consequence, Success

• determine: the threat, the vulnerability, the likelihood of attack, the consequence of an attack
• apply this formula by: postulating attacks, estimating the likelihood of a successful attack, evaluating the consequences of those successful attacks

Risk Calculation Process

• Developed in the NSA Information Systems Security Organization (ISSO)
• Used for INFOSEC Products and Systems
• Can use during entire life cycle
• Not widely used outside of the ISSO

NSA ISSO Risk Assessment Methodology

• Understanding the system
• Developing attack scenarios
• Understanding the severity of the consequences
• Creating a risk plane
• Generating a report

The NSA ISSO The NSA ISSO Risk Assessment ProcessRisk Assessment Process

The Risk Plane

• X-axis: the likelihood of a successful attack
• Y-axis: the severity of the consequences of that successful attack
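The risk calculation process (postulate attacks, estimate likelihood, evaluate consequences) and the risk plane can be carried out in a few lines of code. The following is an added example written for this page, not a tool from the NSA ISSO methodology or from the slides: the 1..5 ordinal scales for both axes, the likelihood-times-consequence score used to order the list, and the sample scenarios are all assumptions made here for illustration.

```python
"""Risk plane built from postulated attack scenarios.

Added example, not part of the original slides: the scenarios, the 1..5
scales and the priority score are assumptions chosen to illustrate the
risk-plane idea (likelihood of a successful attack on the X axis, severity
of the consequence on the Y axis).
"""
from dataclasses import dataclass

# Assumed ordinal scales for both axes (the slides define none).
SCALE_MIN, SCALE_MAX = 1, 5


@dataclass(frozen=True)
class AttackScenario:
    """One postulated attack: the threat, the vulnerability it exploits, the
    estimated likelihood it succeeds and the severity of the consequence."""
    name: str
    threat: str
    vulnerability: str
    likelihood: int   # X axis: 1 = rare ... 5 = near certain
    consequence: int  # Y axis: 1 = negligible ... 5 = catastrophic

    def __post_init__(self):
        for value in (self.likelihood, self.consequence):
            if not SCALE_MIN <= value <= SCALE_MAX:
                raise ValueError(f"{self.name}: ratings must lie in {SCALE_MIN}..{SCALE_MAX}")

    def risk_score(self) -> int:
        # Assumed scoring: likelihood x consequence.  It ranks "likely and severe"
        # above both "likely but harmless" and "severe but far-fetched".
        return self.likelihood * self.consequence

    def quadrant(self) -> str:
        """Which quarter of the risk plane the scenario falls into."""
        mid = (SCALE_MIN + SCALE_MAX) / 2
        lk = "high" if self.likelihood > mid else "low"
        sv = "high" if self.consequence > mid else "low"
        return f"{lk}-likelihood/{sv}-consequence"


def risk_plane(scenarios):
    """Group scenario names by quadrant of the risk plane."""
    plane = {}
    for s in scenarios:
        plane.setdefault(s.quadrant(), []).append(s.name)
    return plane


def prioritise(scenarios):
    """Priority list: highest score first; ties broken by consequence, then name."""
    ordered = sorted(scenarios, key=lambda s: (-s.risk_score(), -s.consequence, s.name))
    return [s.name for s in ordered]


# Constructed sample scenarios (illustrative only, not from the slides).
SCENARIOS = [
    AttackScenario("phish-admin", "external attacker", "credential reuse, no MFA", 4, 5),
    AttackScenario("dos-website", "hacktivist", "no rate limiting", 4, 2),
    AttackScenario("insider-leak", "disgruntled employee", "over-broad file-share access", 2, 4),
    AttackScenario("lost-laptop", "opportunistic thief", "unencrypted disk", 3, 3),
    AttackScenario("datacentre-fire", "accident", "single site, no DR", 1, 5),
]

if __name__ == "__main__":
    for quad, names in sorted(risk_plane(SCENARIOS).items()):
        print(f"{quad:34s} {', '.join(names)}")
    print("priority:", prioritise(SCENARIOS))
```

The quadrant view is what the slides call the risk plane; the ordered list is what a report would present. The two disagree on purpose for a scenario such as "datacentre-fire": it sits in the high-consequence half of the plane but scores low because it is unlikely, which is exactly the kind of case the plane is meant to keep visible.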

Risk Index

Risk Index, as defined by the "Yellow Book" (CSC-STD-003-85), is the disparity between the minimum clearance or authorization of system users and the maximum sensitivity of data processed by a system.

Risk Index

• Minimum user clearance = Rmin
• Maximum data sensitivity = Rmax
• Risk Index = Rmax - Rmin

Rating Scale for Minimum User Clearance (Rmin)

Minimum User Clearance                                                         Rating (Rmin)
Uncleared (U)                                                                  0
Not Cleared but Authorized Access to Sensitive Unclassified Information (N)    1
Confidential (C)                                                               2
Secret (S)                                                                     3
Top Secret (TS) / Current Background Investigation (BI)                        4
Top Secret (TS) / Current Special Background Investigation (SBI)               5
One Category (1C)                                                              6
Multiple Categories (MC)                                                       7

Rating Scale for Maximum Data Sensitivity (Rmax)

Maximum Data Sensitivity Without Categories        Rating (Rmax)
Unclassified (U)                                   0
Not Classified but Sensitive (N)                   1
Confidential (C)                                   2
Secret (S)                                         3
Top Secret (TS)                                    5

Maximum Data Sensitivity With Categories                                                   Rating (Rmax)
Unclassified (U) with categories                                                           N/A
Unclassified but Sensitive With One or More Categories                                     2
Confidential With One or More Categories                                                   3
Secret With No More Than One Category Containing Secret Data                               4
Secret With Two or More Categories Containing Secret Data                                  5
Top Secret With One or More Categories, With No More Than One Category Containing
  Secret or Top Secret Data                                                                6
Top Secret With Two or More Categories Containing Secret or Top Secret Data                7

Computer Security Requirements

Risk Index   Mode                       Minimum Criteria for Open Environments   Minimum Criteria for Closed Environments
0            Dedicated                  None                                     None
0            System High                C2                                       C2
1            Compartmented/Multilevel   B1                                       B1
2            Compartmented/Multilevel   B2                                       B2
3            Multilevel                 B3                                       B2
4            Multilevel                 A1                                       B3
5            Multilevel                 *                                        A1
6            Multilevel                 *                                        *
7            Multilevel                 *                                        *

* = Security requirements beyond the state of the art
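Putting the three tables and the Risk Index = Rmax - Rmin rule together gives a small, checkable procedure. The block below is an added example for this page, not code from the Yellow Book or the slides. It goes one step beyond the slides in one place: the Yellow Book (CSC-STD-003-85) also specifies the case Rmin >= Rmax, where the index is 0, or 1 if the system holds a category some users are not authorised for, and the example applies that rule too. The function and parameter names are this example's own.

```python
"""Yellow Book risk index and minimum evaluation class.

Added example, not from the slides: it encodes the three tables above (the
Rmin scale, the Rmax scale and the minimum criteria per risk index) and the
Risk Index = Rmax - Rmin rule.  Beyond the slides, it also applies the
Yellow Book (CSC-STD-003-85) rule for Rmin >= Rmax: index 0, or 1 when the
system holds a category that some users are not authorised for.  Function
and parameter names are this example's own.
"""

# Minimum user clearance -> Rmin (slide "Rating Scale for Minimum User Clearance").
RMIN = {
    "U": 0,       # Uncleared
    "N": 1,       # Not cleared but authorised access to sensitive unclassified information
    "C": 2,       # Confidential
    "S": 3,       # Secret
    "TS-BI": 4,   # Top Secret, current Background Investigation
    "TS-SBI": 5,  # Top Secret, current Special Background Investigation
    "1C": 6,      # One category
    "MC": 7,      # Multiple categories
}

# Maximum data sensitivity -> Rmax (slide "Rating Scale for Maximum Data Sensitivity").
RMAX_NO_CATEGORIES = {"U": 0, "N": 1, "C": 2, "S": 3, "TS": 5}
# With categories, keyed by (level, 1) for "no more than one" and (level, 2) for
# "two or more"; N and C rate the same for any number of categories.
RMAX_WITH_CATEGORIES = {
    ("N", 1): 2, ("N", 2): 2,
    ("C", 1): 3, ("C", 2): 3,
    ("S", 1): 4, ("S", 2): 5,
    ("TS", 1): 6, ("TS", 2): 7,
}

# Risk index -> (mode, minimum class in an open environment, in a closed environment).
# "*" is the slide's marker for requirements beyond the state of the art.
REQUIREMENTS = {
    0: ("System High", "C2", "C2"),  # dedicated mode at index 0 needs no evaluated class
    1: ("Compartmented/Multilevel", "B1", "B1"),
    2: ("Compartmented/Multilevel", "B2", "B2"),
    3: ("Multilevel", "B3", "B2"),
    4: ("Multilevel", "A1", "B3"),
    5: ("Multilevel", "*", "A1"),
    6: ("Multilevel", "*", "*"),
    7: ("Multilevel", "*", "*"),
}


def rmax_rating(level: str, categories: int = 0) -> int:
    """Rmax for data at `level` ('U', 'N', 'C', 'S', 'TS') held in `categories` categories."""
    if categories < 0:
        raise ValueError("category count cannot be negative")
    if categories == 0:
        return RMAX_NO_CATEGORIES[level]
    if level == "U":
        raise ValueError("unclassified data with categories is N/A in the Rmax table")
    return RMAX_WITH_CATEGORIES[(level, min(categories, 2))]


def risk_index(rmin: int, rmax: int, unauthorised_category: bool = False) -> int:
    """Risk Index = Rmax - Rmin when Rmin < Rmax; otherwise the Yellow Book's case b."""
    if rmin < rmax:
        return rmax - rmin
    return 1 if unauthorised_category else 0


def minimum_class(index: int, environment: str, dedicated: bool = False) -> str:
    """Minimum TCSEC class for a risk index in an 'open' or 'closed' environment."""
    column = {"open": 1, "closed": 2}[environment]
    if index == 0 and dedicated:
        return "None"
    return REQUIREMENTS[index][column]


def assess(clearance: str, level: str, categories: int = 0, environment: str = "open",
           unauthorised_category: bool = False, dedicated: bool = False) -> dict:
    """End to end: clearance and data description in, index and required class out."""
    rmin, rmax = RMIN[clearance], rmax_rating(level, categories)
    index = risk_index(rmin, rmax, unauthorised_category)
    mode = "Dedicated" if (index == 0 and dedicated) else REQUIREMENTS[index][0]
    return {"Rmin": rmin, "Rmax": rmax, "index": index, "mode": mode,
            "minimum_class": minimum_class(index, environment, dedicated)}


if __name__ == "__main__":
    # Secret-cleared users, Top Secret data in two categories, open environment:
    # Rmin 3, Rmax 7, index 4 -> multilevel mode, A1 required (B3 if closed).
    print(assess("S", "TS", categories=2, environment="open"))
```

Two checks worth keeping in mind when using the tables this way: the "with categories" column for Unclassified is N/A, so the code rejects that combination rather than silently rating it 0, and an index of 5 in an open environment maps to "*", meaning the Yellow Book offers no evaluated class that satisfies it, which is a design signal to reduce Rmax or raise Rmin rather than a configuration to buy.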

Examples of Documented Risk Assessment Systems

• Aggregated Countermeasures Effectiveness (ACE) Model
• Risk Assessment Tool
• Information Security Risk Assessment Model (ISRAM)
• Dollar-based OPSEC Risk Analysis (DORA)
• Analysis of Networked Systems Security Risks (ANSSR)
• Profiles
• National Security Agency (NSA) Information Systems Security Organization (ISSO) INFOSEC Risk Assessment Tool

Conclusion

Why should I bother doing security risk management?
• Risk management and assessment prepares you to decide what to do about a risk
• Allows you to identify assets, vulnerabilities, and controls
• Helps you understand what you do and do not know, improving the basis for decisions
• Assists in justifying expenditures for security

Risk Response

Risk Response Development
• Knowledge / research: acquire; investigate
• Strategies:
  - Reserves
  - Mitigation: minimize probability; minimize loss
  - Avoidance
  - Acceptance: active; passive

* Source: Software Risk Management by ESI International

CRR Tool

Pairwise comparison of risks A, B, C and D; each cell holds the votes cast for that risk in the pair:

Pair      Votes
A vs B    A3  B1
A vs C    A2  C2
B vs C    B3  C1
C vs D    C2  D2
B vs D    B2  D2
A vs D    A3  D1

• Each risk is compared with all other risks
• Team votes on which is more significant
• Scores are tallied for priority list of risks

Risk A = 3+2+3 = 8
Risk B = 1+3+2 = 6
Risk C = 2+1+2 = 5
Risk D = 1+2+2 = 5
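The tally above is easy to get wrong by hand once the list of risks grows, because the number of pairs grows quadratically and a missed or duplicated pair silently skews the scores. The block below is an added example written for this page, not the CRR tool itself: the vote counts are the ones from the slide, while the validation and tallying code and its names are this example's own.

```python
"""Pairwise risk comparison, as on the CRR Tool slide.

Added example, not the CRR tool: the vote counts below are the slide's,
the validation, tallying and ranking code is this example's own.
"""
from itertools import combinations

# Votes from the slide: for each pair, how many team members judged each
# risk the more significant (A vs B: 3 for A, 1 for B, and so on).
SLIDE_VOTES = {
    ("A", "B"): (3, 1),
    ("A", "C"): (2, 2),
    ("B", "C"): (3, 1),
    ("C", "D"): (2, 2),
    ("B", "D"): (2, 2),
    ("A", "D"): (3, 1),
}


def validate_votes(risks, votes, team_size=None):
    """Every unordered pair must be voted on exactly once, and every pair's
    votes must add up to the same team size (given, or inferred)."""
    expected = {frozenset(p) for p in combinations(risks, 2)}
    seen = {frozenset(p) for p in votes}
    if seen != expected:
        missing = sorted(tuple(sorted(p)) for p in expected - seen)
        extra = sorted(tuple(sorted(p)) for p in seen - expected)
        raise ValueError(f"missing pairs {missing}, unexpected pairs {extra}")
    if len(seen) != len(votes):
        raise ValueError("a pair was voted on more than once")
    totals = {left + right for left, right in votes.values()}
    if team_size is not None:
        totals.add(team_size)
    if len(totals) != 1:
        raise ValueError(f"inconsistent vote totals per pair: {sorted(totals)}")


def tally(risks, votes, team_size=None):
    """Sum, per risk, the votes it received across all of its pairings."""
    validate_votes(risks, votes, team_size)
    scores = {r: 0 for r in risks}
    for (left, right), (for_left, for_right) in votes.items():
        scores[left] += for_left
        scores[right] += for_right
    return scores


def priority_list(risks, votes, team_size=None):
    """(rank, risk, score) tuples, highest score first; equal scores share a rank."""
    scores = tally(risks, votes, team_size)
    ordered = sorted(scores, key=lambda r: (-scores[r], r))
    ranked, rank = [], 0
    for position, risk in enumerate(ordered):
        if position == 0 or scores[risk] != scores[ordered[position - 1]]:
            rank = position + 1
        ranked.append((rank, risk, scores[risk]))
    return ranked


if __name__ == "__main__":
    for rank, risk, score in priority_list(list("ABCD"), SLIDE_VOTES, team_size=4):
        print(f"{rank}. Risk {risk} = {score}")
```

Validation is the part that earns its place: with the slide's six pairs and four voters every pair sums to 4, and dropping one pair or counting it twice is reported instead of being folded into the totals. Note that C and D tie at 5 and are given the same rank rather than an arbitrary order.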

The Business Case for Security

• Perfect security is much too expensive, and not worth it
• No security causes breaches that are too expensive, and not worth it
• Adequate security, at a reasonable cost, is worth it:
  - Ability to offer new services
  - Ability to expand into new markets
  - Ability to attract, and retain, customers

Preventive Countermeasures

Computer security is sold as preventive technology:
• Firewalls prevent unauthorized network access
• Encryption prevents eavesdropping
• PKI prevents impersonation

This model doesn't work in the real world:
• No one ever sells a door lock with the slogan "This lock prevents burglaries"
• Safes are rated by the time and tools an attacker needs to open them

Prevention, Detection and Response

Most of the time, prevention is not perfect
• When you install a preventive countermeasure, you are buying two things:
  - A barrier to overcome
  - The time it takes to overcome that barrier

Without detection and response, the preventive countermeasure is only of limited value

Most of the time, detection and response is more effective, and more cost-effective
• Real-time detection acts as a preventive countermeasure in its own right

The Risks Will Always Be With Us

The downside of being in a global, highly connected network: you are attached to the best and worst of society

Security products will not "solve" the problems of Internet security, any more than they "solve" the security problems in the real world

The best we can do is manage the risk:
• Close the window of exposure
• Enable e-business
• Thrive on the Internet

Effective Security Comes From Human Intervention

Automatic security is necessarily flawed:
• Smart attackers bypass the security
• New attacks fool products

Humans can recognize, and respond to, new attacks and new threats

Expert monitoring is the most cost-effective way to provide security

Human minds are the attackers; human minds need to be the defenders

Humans can share information to aid defense:
• Hackers collaborate; victims isolate

References

• Harold F. Tipton and Micki Krause, Information Security Management Handbook, 4th edition
• ESI International, Software Risk Management
• Software Engineering Institute (SEI)
• NIST (National Institute of Standards and Technology), Risk Management Guide for Information Technology Systems, Special Publication 800-30

