Risk Analysis using open FAIR and Adoption of right Security Controls

Date post: 07-Jan-2017

Slide 1: Adoption of O-RA for Secure Architecture of an E-commerce Platform

Satish K Sreenivasaiah, Lead Architect, Tata Consultancy Services
February 16, 2015

Copyright © 2015 Tata Consultancy Services Limited

Slide 2: Agenda

1. Introduction to O-RA
2. Security challenges in E-commerce
3. Control considerations
4. Summary

Slide 3: Introduction to O-RA Standard

Slide 4: O-RA (Risk Analysis)

A standard intended to be applied toward the problem of managing the frequency and magnitude of loss that arises from a threat (whether human, animal, or natural event).

Coupled with the Risk Taxonomy (O-RT) Standard, it provides risk analysts the specific processes necessary to perform effective FAIR-based information security risk analysis.

Slide 5: Risk Analysis

Risk Assessment: Identify -> Evaluate -> Report
- Risk-related concerns are the input to Identify; its output is the set of identified risk concerns.
- Risk Analysis is the Evaluate step: it determines the significance of the identified risk concerns.

Managing "how often bad things happen, and how bad they are when they occur".

Slide 6: A Few Key Objectives of O-RA

Used with the companion O-RT standard to:
- Establish a common language for the information security and risk management profession
- Introduce rigor and consistency into analysis for more effective risk modeling
- Educate information security, risk and audit professionals

Slide 7: Introduction to O-RT Standard

Slide 8: O-RT (Risk Taxonomy)

A standard that provides a single logical and rational taxonomical framework to understand and/or analyze information security risk.
- Each factor that drives risk is identified and defined.
- Limited to describing the factors that drive risk and their relationships to one another.

Slide 9: Why do we Need a Taxonomy for Risk?

(Diagram labels: "Risk"; "Software Flaws or Faults")

So, is Risk = (Threat * Vulnerability) / Controls? If not, what are the factors that drive risk?

Slide 10: Risk Taxonomy – High Level

Risk: estimates probable frequency and magnitude of future loss
  Loss Event Frequency (LEF): probable frequency within a given timeframe that a threat agent can inflict harm on an asset
    Threat Event Frequency (TEF)
      Contact Frequency (CF)
      Probability of Action (PoA)
    Vulnerability (Vuln)
      Threat Capability (TCap)
      Resistance Strength (RS)
  Loss Magnitude (LM): probable magnitude of loss resulting from a loss event
    Primary Loss
    Secondary Loss
      Secondary Loss Event Frequency
      Secondary Loss Magnitude

Slide 11: Risk Taxonomy – Loss Event Frequency

Threat Event Frequency: probable frequency within a given timeframe that a threat agent will act against an asset
- Contact Frequency: probable frequency within a given timeframe that a threat agent will come into contact with an asset
- Probability of Action: probability that a threat agent will act against the asset once the contact occurs

Vulnerability: probability that a threat event can become a loss event
- Threat Capability: probable level of force that a threat agent is capable of applying against an asset
- Resistance Strength: strength of a control as compared to a baseline measure of force

Slide 12: Risk Taxonomy – Loss Magnitude

Primary Loss: occurs directly as a result of the threat agent's action on the asset

Secondary Loss: occurs due to secondary stakeholders
- Secondary Loss Event Frequency: allows the analyst to estimate the percentage of time a scenario is expected to have secondary effects
- Secondary Loss Magnitude: losses that are expected when dealing with secondary stakeholders (e.g. fines, loss of market share)

Slide 13: Risk Analysis – Deep Dive

Slide 14: Risk Analysis Stages

01 Scope the Analysis
02 Evaluate Loss Event Frequency
03 Evaluate Loss Magnitude
04 Derive and Articulate Risk

Slide 15: FAIR Basic Risk Analysis Methodology

Scoping
- Identify the asset at risk
- Identify the threat community under consideration
- Define the loss event

Evaluate LEF
- Estimate the Threat Event Frequency
- Estimate the Threat Capability
- Estimate Resistance Strength
- Derive Vulnerability
- Derive Loss Event Frequency

Evaluate LM
- Estimate Primary Loss
- Evaluate Secondary Loss
  - Estimate Secondary Loss Event Frequency
  - Estimate Secondary Loss Magnitude

Derive Risk
- Derive Primary Risk
- Derive Secondary Risk
- Derive Total Risk

So, why apply risk analysis for E-commerce?

Slide 16: Data Breaches in Retail Environment

Slide 17: Categories of Data Breach

(Chart not reproduced in the transcript.)

Year 2013 may be remembered as the "year of the retailer breach".

*Source – Verizon 2014 Data Breach Investigations Report

Slide 18: Breaches Per Asset

(Chart not reproduced in the transcript.)
*Source – Verizon 2014 Data Breach Investigations Report

Slide 19: Incident Classification

(Chart not reproduced in the transcript.)
*Source – Verizon 2014 Data Breach Investigations Report

Slide 20: Mapping of O-RA to E-commerce Domain

Slide 21: The Scenario

An E-commerce portal specialized in selling gift items such as fragrances, books, watches, sunglasses, bags, wallets etc. across the globe. Customer personal information is stored in the portal, whereas credit and debit card details are stored with external payment gateways and not within the portal. The portal is available to all registered and guest users, 24x7.

Slide 22: Mapping of Stage 1 to E-commerce Platform (Scoping)

Identify the asset at risk (What asset is at risk?)
Key assets:
- Customer data: personal details like name, contact details and address
- E-commerce server infrastructure such as Web, Application and Database servers
- Customer credit and debit card details (handled by external payment gateways which are PCI-DSS compliant)

Identify the threat community under consideration (Risk associated with what threat?)
- Hackers, for gain and to cause disruption
- Script kiddies
- Internal employees of the organization

Define the loss event (What does the loss event look like?)
- The malicious access and misuse of sensitive customer data by hackers using the vulnerabilities in the system

Note that the loss event excludes events by script kiddies and internal employees, and stipulates that the intent is malicious and involves data misuse.

Slide 23: Mapping of Stage 2 to E-commerce Platform (Evaluate LEF)

Estimate the Threat Event Frequency

Rating | Description
Very High (VH) | >100 times per year
High (H) | Between 1 and 100 times per year
Medium (M) | Between 1 and 10 times per year
Low (L) | Between 0.1 and 1 times per year
Very Low (VL) | Less than once every ten years

Estimate the Threat Capability (skills, resources)

Rating | Description
Very High (VH) | Top 2% as compared to overall threat population
High (H) | Top 16% as compared to overall threat population
Medium (M) | Average skill and resources (between bottom 16% and top 16%)
Low (L) | Bottom 16% as compared to overall threat population
Very Low (VL) | Bottom 2% as compared to overall threat population

Probable motive factors are the value of the asset and how vulnerable the asset is, versus the risk of being caught.

Slide 24: Mapping of Stage 2 to E-commerce Platform (Evaluate LEF)

Estimate Resistance Strength

Rating | Description
Very High (VH) | Protects against all but the top 2% of an average threat population
High (H) | Protects against all but the top 16% of an average threat population
Medium (M) | Protects against the average threat agent
Low (L) | Only protects against the bottom 16% of an average threat population
Very Low (VL) | Only protects against the bottom 2% of an average threat population

Slide 25: Deriving Vulnerability and LEF using Monte Carlo Simulation

Vulnerability is the difference between the force a threat agent is likely to apply and the asset's ability to resist that force.

Loss Event Frequency comes out Medium, meaning a loss event can happen between 1 and 10 times per year.

Sanity checks: LEF can never exceed TEF, and Vulnerability can never exceed 100%, as it is a percentage.

Slide 26: Stage 3 – Loss Magnitude (Primary)

Possible set of ranges to characterize Loss Magnitude for customer data misuse.

Primary Loss Magnitude by loss form:
Productivity | L
Response | M
Replacement | L
Fines/Judgments | -
Competitive Advantage | -
Reputation | -

Productivity loss is considered Low as the E-commerce portal remains operational, and Replacement loss is Low as well. The primary loss magnitude cost here would be due to Response.

Slide 27: Estimating Secondary Loss Probability

Estimating SLEF

Rating | Description
Very High (VH) | 90% to 100%
High (H) | 70% to 90%
Medium (M) | 30% to 70%
Low (L) | 10% to 30%
Very Low (VL) | 0% to 10%

Secondary loss probability is Very High: primary LEF was rated M and SLEF is rated VH.

Slide 28: Stage 3 – Loss Magnitude (Secondary)

Possible set of ranges to characterize Loss Magnitude for customer data misuse.

Secondary Loss Magnitude by loss form: Productivity, Response, Replacement, Fines/Judgments, Competitive Advantage, Reputation (ratings shown on the slide: H and M).

Response is the time spent by executives in meetings, notifications, and expenses for inside/outside legal counsel.

Response Activities | Approx. cost
Executive time | 40 hours * $200/hr = $8,000
Notification costs ($5 per customer for ~50,000 customers) | $250,000 USD
Legal expenses | $200,000 USD
Total (approx.) | $450,000 USD

Slide 29: Stage 4: Deriving Primary and Secondary Risk

Primary Risk is derived from the probable loss event frequency (Medium) and the probable future loss magnitude (Medium).

Secondary Risk is very high as compared to primary risk, due to the involvement of E-commerce customers' data.

Slide 30: Stage 4: Deriving Overall Risk

Overall risk is Very High based on the combination of Primary and Secondary risk.

Qualitatively, risk is derived to be Very High; quantitatively, the magnitude of loss is Significant.
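Worked example of stages 2 to 4 (slides 25 to 30), added here and not part of the presentation: a Monte Carlo pass in Python that draws Threat Capability and Resistance Strength to derive Vulnerability, multiplies by Threat Event Frequency to obtain LEF, and then annualises primary plus secondary loss. The rating bands are the deck's own (TEF and TCap from slide 23, RS from slide 24, SLEF from slide 27); the dollar ranges, the 15-point spread that lets neighbouring TCap and RS ratings overlap, the missing band bounds, and the scenario ratings are assumptions made for the example.

```python
"""Monte Carlo derivation of Vulnerability, LEF and annualised loss exposure.

Added example, not code from the presentation. Rating bands come from the
deck's tables (TEF and TCap on slide 23, RS on slide 24, SLEF on slide 27);
every other number below is a constructed assumption.
"""
import random
import statistics

# Threat Event Frequency bands, events per year (slide 23). Where the slide
# gives a single bound, the missing bound is an assumption.
TEF_BANDS = {
    "VH": (100.0, 1000.0),  # slide: ">100 per year"; 1000 assumed as the cap
    "H": (10.0, 100.0),     # slide: "between 1 and 100"; 10 assumed so H sits above M
    "M": (1.0, 10.0),
    "L": (0.1, 1.0),
    "VL": (0.01, 0.1),      # slide: "less than once every ten years"; 0.01 assumed floor
}

# Threat Capability (slide 23) and Resistance Strength (slide 24) as percentile
# bands of the overall threat population.
PERCENTILE_BANDS = {
    "VH": (98.0, 100.0),  # top 2%
    "H": (84.0, 98.0),    # top 16%
    "M": (16.0, 84.0),    # between bottom 16% and top 16%
    "L": (2.0, 16.0),     # bottom 16%
    "VL": (0.0, 2.0),     # bottom 2%
}

# Secondary Loss Event Frequency: probability that a loss event has secondary
# effects (slide 27).
SLEF_BANDS = {"VH": (0.90, 1.00), "H": (0.70, 0.90), "M": (0.30, 0.70),
              "L": (0.10, 0.30), "VL": (0.00, 0.10)}

# Modelling assumption: a percentile rating is the most-likely value of a normal
# distribution with a 15-point spread, so neighbouring TCap and RS ratings
# overlap and Vulnerability is a genuine probability rather than 0 or 1.
PERCENTILE_SPREAD = 15.0


def _percentile_draw(rng, rating):
    lo, hi = PERCENTILE_BANDS[rating]
    return rng.gauss((lo + hi) / 2.0, PERCENTILE_SPREAD)


def derive_vulnerability(tcap, rs, trials=20_000, seed=1):
    """Vulnerability = P(Threat Capability > Resistance Strength), estimated as the
    fraction of trials in which the sampled threat agent out-muscles the control."""
    rng = random.Random(seed)
    hits = sum(_percentile_draw(rng, tcap) > _percentile_draw(rng, rs) for _ in range(trials))
    return hits / trials


def simulate_risk(tef, tcap, rs, plm_range, slef, slm_range, trials=20_000, seed=1):
    """Stages 2-4 of the deck in one pass.

    LEF = TEF * Vulnerability (so LEF can never exceed TEF); loss per event is the
    primary loss plus, with probability SLEF, a secondary loss; annualised loss is
    LEF * loss per event. Returns summary statistics over all trials.
    """
    vuln = derive_vulnerability(tcap, rs, trials, seed)
    rng = random.Random(seed + 1)
    tef_lo, tef_hi = TEF_BANDS[tef]
    slef_lo, slef_hi = SLEF_BANDS[slef]
    tef_draws, annual = [], []
    for _ in range(trials):
        t = rng.uniform(tef_lo, tef_hi)
        primary = rng.uniform(*plm_range)
        # Secondary stakeholders (fines, market share, notification) are hit only
        # in the share of loss events given by SLEF.
        secondary = rng.uniform(*slm_range) if rng.random() < rng.uniform(slef_lo, slef_hi) else 0.0
        tef_draws.append(t)
        annual.append(t * vuln * (primary + secondary))
    annual.sort()
    mean_tef = statistics.fmean(tef_draws)
    return {
        "vulnerability": vuln,
        "mean_tef": mean_tef,
        "mean_lef": mean_tef * vuln,
        "mean_annual_loss": statistics.fmean(annual),
        "p90_annual_loss": annual[int(0.9 * trials)],
    }


if __name__ == "__main__":
    # Constructed scenario inputs for the gift-portal case: TEF Medium, a High-capability
    # hacker community against Medium resistance, Very High SLEF as on slide 27, and
    # dollar ranges that bracket the ~$450,000 response estimate on slide 28.
    result = simulate_risk("M", "H", "M", (25_000, 100_000), "VH", (300_000, 600_000))
    for key, value in result.items():
        print(f"{key:>17}: {value:,.3f}")
```

The two checks the slide states fall out of the arithmetic: Vulnerability is a fraction of trials, so it stays within 0 and 1, and LEF is TEF multiplied by that fraction, so it can never exceed TEF. Swapping the RS rating from M to H while holding everything else fixed is the quickest way to see what a stronger control buys in annualised terms.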

Slide 31: Basic Control Considerations in FAIR Analysis

Slide 32: Risk Controls

The four control types map onto the risk taxonomy as follows:

Risk
  Loss Event Frequency
    Threat Event Frequency
      Contact Frequency <- Avoidance controls: affect the frequency and/or likelihood of encountering threats
      Probability of Action <- Deterrent controls: affect the likelihood of a threat acting in a manner that can result in harm
    Vulnerability (Threat Capability vs Resistance Strength) <- Vulnerability controls: affect the probability that a threat's action will result in a loss
  Loss Magnitude (Primary Loss; Secondary Loss: Secondary Loss Event Frequency, Secondary Loss Magnitude) <- Response controls: affect the amount of loss that results from a threat's action

Slide 33: Information Security Controls Mapping to E-commerce Platform

Avoidance Controls
- Firewall filters – datacenter as well as cloud
- Enable VPN for communication in a hybrid cloud
- Virtual Private Clouds (preferable from a security standpoint)
- Physical barriers
- Reducing the threat population – by implementing fraud management systems (example: EBS)

Deterrent Controls
- Policies – IT security compliance aligning to organizational policy
- Logging and monitoring – use infrastructure and application monitoring (example: Amazon CloudWatch and Pingdom)
- Asset hardening – ensure infrastructure vulnerability is assessed and any issues are addressed

Slide 34: Information Security Controls Mapping to E-commerce Platform (Contd.)

Vulnerability Controls
- Confidentiality, Integrity, Availability (CIA)
- Industry bodies like OWASP, CWE and WebAppSec publish known vulnerabilities and their resolutions, to be applied at code and configuration levels
- Penetration Testing – VAPT for application and infrastructure. Plan for iterative SAST and DAST throughout the development and testing life cycle

Response Controls
- Backup and media restore process – have a real-time sync between master and slave DB, plus archival strategies
- Forensic capabilities
- Incident response process
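To make the control mapping on slides 32 to 34 concrete, here is an added Python example (not from the presentation) that attaches each control category to the taxonomy node it acts on and shows how point-estimate LEF and annualised loss change when the listed controls are applied. The baseline figures and every reduction factor are constructed assumptions; the control names are the ones on slides 33 and 34, and the category-to-node mapping follows slide 32.

```python
"""Mapping Open FAIR control categories onto the taxonomy nodes they act on.

Added example, not code from the presentation. The four control categories and
the nodes they affect follow slide 32; the specific controls are the ones listed
on slides 33 and 34; the numeric baseline and every reduction factor is a
constructed assumption used only to show the mechanics.
"""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class RiskFactors:
    """Point estimates for the leaf nodes the controls act on."""
    contact_frequency: float       # CF, contacts per year
    probability_of_action: float   # PoA, 0..1
    vulnerability: float           # Vuln, 0..1 (TCap vs RS)
    loss_magnitude: float          # LM, expected loss per loss event, USD

    def threat_event_frequency(self) -> float:
        return self.contact_frequency * self.probability_of_action

    def loss_event_frequency(self) -> float:
        return self.threat_event_frequency() * self.vulnerability

    def annualised_loss(self) -> float:
        return self.loss_event_frequency() * self.loss_magnitude


@dataclass(frozen=True)
class Control:
    name: str
    category: str   # avoidance | deterrent | vulnerability | response
    factor: float   # multiplier applied to the node the category affects (assumed)


# Slide 32: which taxonomy node each category of control affects.
NODE_FOR_CATEGORY = {
    "avoidance": "contact_frequency",       # frequency/likelihood of encountering threats
    "deterrent": "probability_of_action",   # likelihood of a threat acting harmfully
    "vulnerability": "vulnerability",       # probability that an action becomes a loss
    "response": "loss_magnitude",           # amount of loss that results
}


def apply_controls(base: RiskFactors, controls) -> RiskFactors:
    """Apply each control as a multiplicative reduction on its taxonomy node."""
    current = base
    for control in controls:
        if not 0.0 < control.factor <= 1.0:
            raise ValueError(f"{control.name}: factor must be in (0, 1]")
        node = NODE_FOR_CATEGORY[control.category]
        current = replace(current, **{node: getattr(current, node) * control.factor})
    return current


def risk_reduction_report(base: RiskFactors, controls) -> dict:
    """Baseline vs residual figures, plus the residual ALE if only one category were applied."""
    residual = apply_controls(base, controls)
    per_category = {
        cat: apply_controls(base, [c for c in controls if c.category == cat]).annualised_loss()
        for cat in NODE_FOR_CATEGORY
    }
    return {
        "baseline_ale": base.annualised_loss(),
        "residual_ale": residual.annualised_loss(),
        "baseline_lef": base.loss_event_frequency(),
        "residual_lef": residual.loss_event_frequency(),
        "ale_if_only_category": per_category,
    }


# Controls named on slides 33-34, with constructed reduction factors.
ECOMMERCE_CONTROLS = [
    Control("Firewall filters (datacenter and cloud)", "avoidance", 0.6),
    Control("VPN for hybrid-cloud communication", "avoidance", 0.9),
    Control("Fraud management system", "avoidance", 0.8),
    Control("Logging and monitoring", "deterrent", 0.8),
    Control("Asset hardening", "deterrent", 0.9),
    Control("VAPT with iterative SAST/DAST", "vulnerability", 0.5),
    Control("OWASP/CWE fixes at code and config level", "vulnerability", 0.7),
    Control("Master/slave DB sync and archival", "response", 0.7),
    Control("Incident response and forensics", "response", 0.8),
]

# Constructed baseline: 50 contacts/yr, 40% act, half succeed, $100k per loss event.
BASELINE = RiskFactors(50.0, 0.4, 0.5, 100_000.0)

if __name__ == "__main__":
    report = risk_reduction_report(BASELINE, ECOMMERCE_CONTROLS)
    print(f"baseline ALE: ${report['baseline_ale']:,.0f}  residual ALE: ${report['residual_ale']:,.0f}")
    for category, ale in report["ale_if_only_category"].items():
        print(f"  only {category:<13} controls -> ALE ${ale:,.0f}")
```

The per-category view is the useful part for control selection: it shows which class of control buys the most reduction for this scenario, and it makes the slide 32 point visible in numbers, since response controls change the loss magnitude but leave the loss event frequency exactly where the baseline had it.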

Slide 35: References

- Risk Taxonomy (O-RT), Version 2.0, Open Group Standard, C13K, published by The Open Group, October 2013; refer to: www.opengroup.org/bookstore/catalog/c13k.htm
- Risk Analysis (O-RA), Open Group Standard, C13G, published by The Open Group, October 2013; refer to: www.opengroup.org/bookstore/catalog/c13g.htm
- How to Measure Anything: Finding the Value of Intangibles in Business, Douglas W. Hubbard, John Wiley & Sons, 2010

Slide 36: Thank You

IT Services | Business Solutions | Consulting

