Posted: 07-Jan-2017 (Technology)
Copyright © 2015 Tata Consultancy Services Limited
Adoption of O-RA for Secure Architecture of an E-commerce Platform
Satish K Sreenivasaiah, Lead Architect, Tata Consultancy Services
February 16, 2015
O-RA (Risk Analysis)
A standard intended to be applied to the problem of managing the frequency and magnitude of loss that arises from a threat (whether human, animal, or natural event).
Coupled with the Risk Taxonomy (O-RT) Standard, it gives risk analysts the specific processes necessary to perform effective FAIR-based information security risk analysis.
Risk Analysis
Risk assessment proceeds in three steps: Identify (risk-related concerns), Evaluate (the identified risk concerns) and Report. Risk analysis is the Evaluate step: it determines the significance of the identified risk concerns.
In short, risk analysis is about managing "how often bad things happen, and how bad they are when they occur".
A Few Key Objectives of O-RA
Used with the companion O-RT standard to:
Establish a common language for the information security and risk management profession
Introduce rigor and consistency into analysis for more effective risk modeling
Educate information security, risk and audit professionals
O-RT (Risk Taxonomy)
A standard that provides a single logical and rational taxonomical framework for understanding and/or analyzing information security risk.
Each factor that drives risk is identified and defined. The standard is limited to describing the factors that drive risk and their relationships to one another.
Why do we Need a Taxonomy for Risk?
(Figure: "Risk" contrasted with "Software Flaws or Faults")
So, is Risk = (Threat * Vulnerability) / Controls? If not, what are the factors that drive risk?
Risk Taxonomy – High Level
Risk estimates the probable frequency and magnitude of future loss, and is factored as follows:
Risk
  Loss Event Frequency (LEF): probable frequency, within a given timeframe, that a threat agent will inflict harm on an asset
    Threat Event Frequency (TEF)
      Contact Frequency (CF)
      Probability of Action (PoA)
    Vulnerability (Vuln)
      Threat Capability (TCap)
      Resistance Strength (RS)
  Loss Magnitude (LM): probable magnitude of loss resulting from a loss event
    Primary Loss
    Secondary Loss
      Secondary Loss Event Frequency (SLEF)
      Secondary Loss Magnitude (SLM)
Risk Taxonomy – Loss Event Frequency
Threat Event Frequency (TEF): probable frequency, within a given timeframe, that a threat agent will act against an asset
  Contact Frequency: probable frequency, within a given timeframe, that a threat agent will come into contact with an asset
  Probability of Action: probability that a threat agent will act against the asset once contact occurs
Vulnerability: probability that a threat event becomes a loss event
  Threat Capability: probable level of force that a threat agent is capable of applying against an asset
  Resistance Strength: strength of a control as compared to a baseline measure of force
Risk Taxonomy – Loss Magnitude
Primary Loss: occurs directly as a result of the threat agent's action on the asset
Secondary Loss: occurs due to secondary stakeholders
  Secondary Loss Event Frequency: lets the analyst estimate the percentage of time a scenario is expected to have secondary effects
  Secondary Loss Magnitude: losses expected from dealing with secondary stakeholders (e.g. fines, loss of market share)
Risk Analysis Stages
01 Scope the Analysis
02 Evaluate Loss Event Frequency
03 Evaluate Loss Magnitude
04 Derive and Articulate Risk
FAIR Basic Risk Analysis Methodology
Scoping: identify the asset at risk; identify the threat community under consideration; define the loss event.
Evaluate LEF: estimate the Threat Event Frequency; estimate the Threat Capability; estimate Resistance Strength; derive Vulnerability; derive Loss Event Frequency.
Evaluate LM: estimate Primary Loss; evaluate Secondary Loss (estimate Secondary Loss Event Frequency, estimate Secondary Loss Magnitude).
Derive Risk: derive Primary Risk; derive Secondary Risk; derive Total Risk.
So, why apply risk analysis for E-commerce?
Categories of Data Breach
(Figure: breach categories by industry; the year 2013 may be remembered as the "year of the retailer breach")
*Source – Verizon 2014 Data Breach Investigations Report
The Scenario
An e-commerce portal specializing in selling gift items such as fragrances, books, watches, sunglasses, bags and wallets across the globe. Customer personal information is stored in the portal, whereas credit and debit card details are held by external payment gateways and never stored within the portal. The portal is available to registered and guest users 24x7.
Mapping of Stage 1 to E-commerce Platform (Scoping)
Identify the asset at risk (what asset is at risk?)
Key assets: customer data (personal details such as name, contact details and address); e-commerce server infrastructure (web, application and database servers); customer credit and debit card details (handled by external payment gateways that are PCI DSS compliant, so outside the portal)
Identify the threat community under consideration (risk associated with what threat?)
Hackers acting for gain or to cause disruption; script kiddies; internal employees of the organization
Define the loss event (what does the loss event look like?)
The malicious access and misuse of sensitive customer data by hackers exploiting vulnerabilities in the system
Note that this definition excludes events caused by script kiddies and internal employees, stipulates malicious intent, and requires data misuse.
Mapping of Stage 2 to E-commerce Platform (Evaluate LEF)
Estimate the Threat Event Frequency
  Very High (VH): more than 100 times per year
  High (H): between 10 and 100 times per year
  Medium (M): between 1 and 10 times per year
  Low (L): between 0.1 and 1 times per year (once in ten years to once a year)
  Very Low (VL): less than once every ten years
Estimate the Threat Capability (skills, resources)
  Very High (VH): top 2% as compared to the overall threat population
  High (H): top 16% as compared to the overall threat population
  Medium (M): average skill and resources (between bottom 16% and top 16%)
  Low (L): bottom 16% as compared to the overall threat population
  Very Low (VL): bottom 2% as compared to the overall threat population
Probable motive factors (driving Probability of Action) are the value of the asset and how vulnerable it is, weighed against the risk of being caught.
Mapping of Stage 2 to E-commerce Platform (Evaluate LEF, continued)
Estimate Resistance Strength
  Very High (VH): protects against all but the top 2% of an average threat population
  High (H): protects against all but the top 16% of an average threat population
  Medium (M): protects against the average threat agent
  Low (L): only protects against the bottom 16% of an average threat population
  Very Low (VL): only protects against the bottom 2% of an average threat population
Deriving Vulnerability and LEF using Monte Carlo Simulation
Vulnerability is the difference between the force a threat agent is likely to apply (Threat Capability) and the asset's ability to resist that force (Resistance Strength): the probability that the threat's force exceeds the control's resistance.
LEF can never exceed TEF, because Vulnerability is a percentage (at most 100%) applied to TEF.
For this scenario the Loss Event Frequency comes out Medium, meaning a loss event can happen between 1 and 10 times per year.
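To make the Monte Carlo step concrete, here is an added example (not from the slides or from TCS) that samples Threat Capability and Resistance Strength as percentiles of the threat population using the rating scales above, derives Vulnerability as the fraction of trials in which the threat's force exceeds the control's resistance, and multiplies it into a sampled TEF to get LEF. The +/-20 percentile uncertainty band, the triangular distributions, the 1000/yr ceiling for a Very High TEF, and the TCap High / RS Medium inputs for the scenario are assumptions of the example.

```python
import random

# Rating scales from the slides. Threat Capability (TCap) and Resistance
# Strength (RS) are expressed as percentiles of the overall threat population;
# Threat Event Frequency (TEF) is in events per year.
PERCENTILE = {"VL": 2.0, "L": 16.0, "M": 50.0, "H": 84.0, "VH": 98.0}
FREQ_RANGES = {  # events/yr; the VL floor of 0 and VH ceiling of 1000 are assumptions
    "VL": (0.0, 0.1),
    "L": (0.1, 1.0),
    "M": (1.0, 10.0),
    "H": (10.0, 100.0),
    "VH": (100.0, 1000.0),
}


def sample_force(rating, rng, spread=20.0):
    """One draw of 'force' as a percentile: the rating is the most likely
    value, +/- spread is an assumed uncertainty band (triangular)."""
    mode = PERCENTILE[rating]
    low, high = max(0.0, mode - spread), min(100.0, mode + spread)
    return rng.triangular(low, high, mode)


def derive_vulnerability(tcap, rs, trials=10_000, seed=0):
    """Vulnerability = P(threat capability > resistance strength),
    estimated as the fraction of Monte Carlo trials the threat wins."""
    rng = random.Random(seed)
    hits = sum(
        1 for _ in range(trials)
        if sample_force(tcap, rng) > sample_force(rs, rng)
    )
    return hits / trials


def rate_frequency(per_year):
    """Map an events-per-year value back onto the qualitative scale."""
    for rating, (_, high) in FREQ_RANGES.items():
        if per_year < high:
            return rating
    return "VH"


def derive_lef(tef_rating, vulnerability, trials=10_000, seed=0):
    """LEF = TEF x Vulnerability. TEF is sampled across its rating's range,
    so LEF can never exceed TEF (vulnerability is at most 100%)."""
    rng = random.Random(seed)
    low, high = FREQ_RANGES[tef_rating]
    samples = sorted(
        rng.triangular(low, high, (low + high) / 2) * vulnerability
        for _ in range(trials)
    )
    mean = sum(samples) / trials
    return {
        "min": samples[0],
        "p90": samples[int(0.9 * trials)],
        "max": samples[-1],
        "mean": mean,
        "rating": rate_frequency(mean),
    }


if __name__ == "__main__":
    # Assumed inputs for the slides' scenario: skilled hackers (TCap High)
    # against an average control set (RS Medium), TEF Medium (1 to 10/yr).
    vuln = derive_vulnerability("H", "M")
    lef = derive_lef("M", vuln)
    print(f"Vulnerability: {vuln:.1%}")
    print(f"LEF: mean {lef['mean']:.2f}/yr, p90 {lef['p90']:.2f}/yr -> rating {lef['rating']}")
```

Two properties worth checking in any implementation of this step: a threat rated far below the control (TCap VL vs RS VH) must yield a vulnerability of 0, and equal ratings must yield about 50%; and every LEF sample must stay within the TEF range it was drawn from.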
Stage 3 – Loss Magnitude (Primary)
Possible set of ranges to characterize loss magnitude for customer data misuse
Primary loss magnitude by loss form:
  Productivity: L
  Response: M
  Replacement: L
  Fines/Judgments: -
  Competitive Advantage: -
  Reputation: -
Productivity loss is considered Low because the e-commerce portal stays operational, and replacement loss is Low as well. The primary loss magnitude here is driven by response cost.
Estimating Secondary Loss Probability
Estimating SLEF (the probability that a loss event also produces secondary losses):
  Very High (VH): 90% to 100%
  High (H): 70% to 90%
  Medium (M): 30% to 70%
  Low (L): 10% to 30%
  Very Low (VL): 0% to 10%
For this scenario the secondary loss probability is rated Very High: the primary LEF is Medium, and SLEF is VH, so almost every loss event is expected to bring secondary effects.
Stage 3 – Loss Magnitude (Secondary)
Possible set of ranges to characterize loss magnitude for customer data misuse
Secondary loss magnitude by loss form (Productivity, Response, Replacement, Fines/Judgments, Competitive Advantage, Reputation): rated H and M
Response cost is the time spent by executives in meetings and on notifications, plus the expenses of inside/outside legal counsel:
  Executive time: 40 hours * $200/hr = $8,000 USD
  Notification costs ($5 per customer for ~50,000 customers): $250,000 USD
  Legal expenses: ~$200,000 USD
  Total (approx.): $450,000 USD
Stage 4: Deriving Primary and Secondary Risk
Primary risk is derived from the probable loss event frequency (Medium) and the probable primary loss magnitude (Medium).
Secondary risk is very high compared to primary risk because the loss event involves e-commerce customers' data, which draws in secondary stakeholders.
Stage 4: Deriving Overall Risk
Overall risk is Very High, based on the combination of primary and secondary risk.
Qualitatively, risk is derived to be Very High; quantitatively, the magnitude of loss is Significant.
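Carrying the derivation through in code: an added example, not from the slides, that turns the Stage 2 and Stage 3 inputs into an annualised loss exposure. It takes LEF as Medium (1 to 10 loss events per year), the primary loss per event from the response cost table, and a Very High SLEF (90% to 100%). The secondary loss range of $100,000 to $1,000,000 per event, the Poisson count of events per year, and the dollar bands of the loss magnitude scale (O-RA's standard bands; the slides only name the "Significant" one) are assumptions of the example.

```python
import math
import random

# Qualitative scales from the slides: LEF in loss events per year, SLEF as the
# probability that a loss event also produces secondary loss.
LEF_RANGES = {"VL": (0.0, 0.1), "L": (0.1, 1.0), "M": (1.0, 10.0), "H": (10.0, 100.0)}
SLEF_RANGES = {"VL": (0.0, 0.1), "L": (0.1, 0.3), "M": (0.3, 0.7), "H": (0.7, 0.9), "VH": (0.9, 1.0)}

# Loss magnitude bands in USD (upper bound, exclusive). Assumed: O-RA's
# standard bands; the slides only name the "Significant" one.
LM_BANDS = [("VL", 1_000), ("L", 10_000), ("M", 100_000),
            ("Sg", 1_000_000), ("H", 10_000_000), ("SV", math.inf)]

# Primary loss per event: the response costs tabulated on the slide.
RESPONSE_COSTS = {
    "executive time (40 h x $200/h)": 40 * 200,
    "notification ($5 x ~50,000 customers)": 5 * 50_000,
    "legal expenses (approx.)": 200_000,
}


def primary_loss_per_event():
    """Primary loss magnitude of one loss event (response form only)."""
    return sum(RESPONSE_COSTS.values())


def rate_magnitude(usd):
    """Map a dollar loss onto the loss magnitude scale."""
    for rating, upper in LM_BANDS:
        if usd < upper:
            return rating
    return "SV"


def poisson(rng, lam):
    """Knuth's method: number of loss events in a year with expected rate lam."""
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate_annual_loss(lef_rating, primary_loss, slef_rating,
                         secondary_range, years=5_000, seed=0):
    """Annualised loss exposure. Each simulated year draws an LEF from its
    rating range and a Poisson count of loss events; each event adds the
    primary loss plus, with probability SLEF, a secondary loss drawn from
    secondary_range (triangular, mode at the midpoint)."""
    rng = random.Random(seed)
    lo, hi = LEF_RANGES[lef_rating]
    slo, shi = SLEF_RANGES[slef_rating]
    s_min, s_max = secondary_range
    totals = []
    for _ in range(years):
        lef = rng.triangular(lo, hi, (lo + hi) / 2)
        slef = rng.uniform(slo, shi)
        year_loss = 0.0
        for _ in range(poisson(rng, lef)):
            year_loss += primary_loss
            if rng.random() < slef:
                year_loss += rng.triangular(s_min, s_max, (s_min + s_max) / 2)
        totals.append(year_loss)
    totals.sort()
    return {
        "mean": sum(totals) / years,
        "p10": totals[int(0.1 * years)],
        "p90": totals[int(0.9 * years)],
        "max": totals[-1],
    }


if __name__ == "__main__":
    primary = primary_loss_per_event()
    print(f"Primary loss per event: ${primary:,.0f} -> {rate_magnitude(primary)}")
    # Assumed secondary loss per event (fines, lost customers): $100k to $1M.
    result = simulate_annual_loss("M", primary, "VH", (100_000, 1_000_000))
    for key in ("p10", "mean", "p90", "max"):
        print(f"Annual loss {key}: ${result[key]:,.0f} -> {rate_magnitude(result[key])}")
```

The per-event primary loss ($458,000) lands in the Significant band, matching the slide's quantitative conclusion; the annualised figures are higher because a Medium LEF means several such events per year, each usually followed by secondary loss. Reporting p10/p90 alongside the mean is what lets a decision maker see the spread rather than a single number.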
Risk Controls
Each class of control acts on a specific node of the risk taxonomy (Risk; Loss Event Frequency: Threat Event Frequency (Contact Frequency, Probability of Action) and Vulnerability (Threat Capability, Resistance Strength); Loss Magnitude: Primary Loss and Secondary Loss (Secondary Loss Event Frequency, Secondary Loss Magnitude)):
Avoidance controls: affect the frequency and/or likelihood of encountering threats (Contact Frequency)
Deterrent controls: affect the likelihood of a threat acting in a manner that can result in harm (Probability of Action)
Vulnerability controls: affect the probability that a threat's action will result in a loss (Resistance Strength against Threat Capability)
Response controls: affect the amount of loss that results from a threat's action (Loss Magnitude)
Information Security Controls Mapping to E-commerce Platform
Avoidance Controls
Firewall filters – in the datacenter as well as in the cloud
Enable VPN for communication in a hybrid cloud
Virtual Private Clouds (preferable from a security standpoint)
Physical barriers
Reducing the threat population – by implementing fraud management systems (example: EBS)
Deterrent Controls
Policies – IT security compliance aligned to organizational policy
Logging and monitoring – use infrastructure and application monitoring (for example, Amazon CloudWatch and Pingdom)
Asset hardening – ensure infrastructure vulnerability is assessed and any issues found are addressed
Information Security Controls Mapping to E-commerce Platform (Contd..)
Vulnerability Controls
Protect Confidentiality, Integrity and Availability (CIA) of the platform and its data
Industry resources such as OWASP, MITRE's CWE and WASC (WebAppSec) catalogue known vulnerabilities and their resolutions, to be applied at the code and configuration levels
Penetration testing – VAPT for application and infrastructure. Plan for iterative SAST and DAST throughout the development and testing life cycle
Response Controls
Backup and media restore process – maintain real-time replication between master and slave databases, plus an archival strategy
Forensic capabilities
Incident response process
References
Risk Taxonomy (O-RT), Version 2.0, Open Group Standard C13K, published by The Open Group, October 2013; refer to: www.opengroup.org/bookstore/catalog/c13k.htm
Risk Analysis (O-RA), Open Group Standard C13G, published by The Open Group, October 2013; refer to: www.opengroup.org/bookstore/catalog/c13g.htm
How to Measure Anything: Finding the Value of Intangibles in Business, Douglas W. Hubbard, John Wiley & Sons, 2010