Information Security Threat Assessment
Security Threat
              The C-I-A Triad
Confidentiality (sensitivity, secrecy)
Integrity (accuracy, authenticity, etc)
Availability (fault tolerance, recovery, etc)

Basic Overview
   Value of information
   Threats
   Vulnerabilities
   Risk
   Risk Analysis
The Value of Information
   Information has value
   May be defined or perceived
   Value may change
   Business model (way it's used...)
   Different reasons to target information
    – Value
    – Use
    – Destruction
   Activity that represents possible danger
   Can come in different forms
   Can come from different places
   Can’t protect from all threats
   Protect against most likely or most worrisome
    such as:
    – Business mission
    – Data (integrity, confidentiality, availability)
The Concept of Threats and Threat Agents*
 Threat elements
    – Natural threats and accidents
    – Malicious threats
 Malicious threat agents
    – Capability
           Ability to mount and sustain an effective attack
    – Motivation
           Political, secular, personal gain, religious, revenge, power, curiosity, etc.
    – Access
           Physical or logical access to the target
    – Catalyst
           Something that causes the threat agent to select the target
    – Inhibitors
           Events, actions, countermeasures, etc. that prevent the threat agent from
            mounting an attack
    – Amplifiers
        – Events, actions, etc. that encourage a threat agent to mount an attack
Relationships of Malicious Threats
[Diagram: relationships among threat agent, capability, catalysts, motivation, inhibitors and amplifiers]

Threat Agents
   Nation-states
   Terrorists
   Pressure groups
   Commercial organizations
   Criminal groups
   Hacker groups
   Disaffected staff
 A condition, weakness, or absence of security
  procedures, technical controls, physical
  controls, or other controls that could be
  exploited by a threat.
 Often analyzed in terms of missing safeguards
 Contribute to risk because they allow a threat
  to harm a system
Classes of Vulnerabilities
 Hard vulnerabilities -
  – bugs,
  – misconfigurations, etc.
 Soft vulnerabilities -
  – Systems not configured to company policy
  – Lack of underlying policies, procedures or
    configuration/change management
  – Insufficient logging
  – Company policies go against best practices
   Hardware
   Software
   Infrastructure
   Processes
Known Vulnerabilities
   Design Flaws
   Software Development (SDLC)
   Innovative Misuse
   Incorrect Implementation
   Documentation
   Social Engineering
   A potential for loss or harm
   An exposure to a threat
   Risk is Subjective
   Dependent on situation and circumstances
   Impossible to fully measure
Concepts of Risk
 Generalized risk model – components of risk
   –   Assets
   –   Threats
   –   Vulnerabilities
   –   Impacts
   –   Countermeasures
 Many types of risk analysis
   – Qualitative
   – Quantitative
   – Hybrid
 Simple risk analysis model
   – ALE = V × L
        • Annualized Loss Expectancy = Value of the Asset times Likelihood of the Threat
        • Too simplistic for most practical uses
Concepts of Risk - Definitions
   Assets –
     – Things to be protected
              Physical, logical, human
   Threats –
     – Events with the potential to cause unauthorized access, modification, disclosure or destruction of
         an asset
   Vulnerabilities –
     – Weaknesses in an asset or associated countermeasure that can be exploited to realize upon a threat
   Impacts –
     – Outcome of a threat acting upon a vulnerability
     – Usually measured as money losses
   Countermeasure (safeguards) –
     – Protective measures implemented to counter threats and mitigate vulnerabilities
   Risk –
     – The probability that a threat will exploit a particular set of vulnerabilities successfully – Peltier
     – The likelihood that a threat agent will successfully exploit a vulnerability to create an unwanted
         or adverse impact – Jones
   Exposure Factor (EF)
     – Percentage of loss a successful threat event would have on a single specific asset
   Single Loss Expectancy (SLE)
     – Dollar figure assigned to single event: SLE = AV (Asset Value in $) × EF
   Annualized Rate of Occurrence (ARO)
     – Estimated frequency in which a threat is expected to occur
   Annualized Loss Expectancy (ALE)
     – Total computed estimated loss per year (ALE = AV × ARO)
Handling Risk
   Eliminate it
   Minimize It
   Accept it
   Transfer it
Common Risk Analysis Fallacies
 Vulnerabilities = Risks
   – The Truth: vulnerabilities = vulnerabilities
   – Vulnerability assessment or penetration testing does not, by
     itself, identify or quantify risk
 Threats are not an element of risk
   – The Truth: threats are (arguably) the most important element
     of risk
 Tools = Countermeasures
   – The Truth: tools are just tools. Many countermeasures are
     administrative or a combination of tools and administration
   – The best countermeasures are layered (defense in depth)
 All risks must be mitigated
   – The Truth: don’t waste money protecting garbage. There is a
     valid concept of “acceptable risk”.
 Takes a security “snapshot” of a computing
  environment at any given time.
 Evaluates the information security policies and
 Establishes a baseline for operations
 • Can be “Formal” or “Informal”
 Can be “Quantitative” or “Qualitative” in
The Name Game
Risk Assessments go by many names:
  –   Security Baseline Assessment
  –   Penetration Study (“Ethical Hacking”)
  –   Vulnerability Scan
  –   Policy consulting
  –   Audits
Why use a Risk Assessment?
 To gauge the security posture of a given
  resource- Division, Department, or
 Help Justify cost of security controls
 To understand shortcomings in current
  technology environment
 To prepare for doing business on the Internet
Quantitative Characteristics
 Relies on statistical measurement for
 Generally used on mature environments
 Security posture is “rated” based on
  collection of weighted data findings
Qualitative Characteristics
 Subjective in Nature
 Generally used on Immature environments
 Interviews and observation key part of
 Recommendations based on “best practices”
Audit vs. Assessment
 An audit is a formal process used to measure
  the high-level aspects of an infrastructure’s
  security from an organizational point of
 Limited in scope
 No low-level technical details
 Check-list style methodology
Risk Based Audit Approach
 Audit risk can be defined as the risk that the
  information / financial report may contain
  material error or that the IS Auditor may not
  detect an error that has occurred.
  –   Inherent Risk
  –   Control Risk
  –   Detection Risk
  –   Overall Audit Risk
Audit vs. Assessment
 Security Assessments are attempts to measure
  as many technical details of an
  infrastructure’s security posture as possible.
 Less formal
 More detailed / broader in scope
 Considered an “Art form”
Why use Quantitative?
 If your organization has implemented basic
  security countermeasures, and wants to
  improve its posture
 If upper management respond well to
  presentations of findings based on numerical
 If statistically-based facts will help “Sell”
  security to executives
Why use Qualitative?
 If your security policy is brand new
 If your culture works well with “consulting”
  type approaches
 If “best practices” can be used to sell upper
  management on the proper security controls
 If your expectations involve a shorter
  assessment cycle
Do Not use an Assessment…
 If your organization does not have a security
  policy defined
 If your organization is experiencing high
 If upper management does not “sponsor”
  security expenditures
Network Security Assessment

Expected results:
 Identify security vulnerabilities
 Provide corrective action knowledge base
 Recommend corrective action
 Continuous “realtime” monitoring
 Repeatable and measurable
 Used to justify security controls to upper
Basic Formula
        Threat x Vulnerability
Risk = -------------------------------- x Value

Asset Value x exposure factor = Single Loss
Expectancy (SLE)

SLE x annualized rate of occurrence (ARO) =
Annualized Loss Expectancy (ALE)
RA methodology Examples
Qualitative:
 • CRAMM
 • RAM-X
 • IAM
 • OSG
Quantitative:
 • Courtney
 • RAM-X
Representative Risk Analysis Methods
 • Courtney – quantitative
   – L = 10^(i+f-3) / 3
   – L = annualized loss expectancy
   – i = impact rating
   – f = threat frequency
 • CRAMM – qualitative
   – “CCTA Risk Analysis and Management Methodology”
   – Not mathematical – subjective
   – Attempts to take a holistic view
   – Gathers information through structured interviews
   – Stage 1: Establish boundaries of the review (assets)
   – Stage 2: Establish threat context
   – Stage 3: Establish necessary countermeasures
Risk Management Cycle
[Cycle diagram, labels: Assess Risk and Determine Needs; Implement Policies and Controls; Promote Awareness; Monitor and Evaluate; Central; Initial Entry Point]
Basic Risk Analysis Steps
 Estimate potential losses to assets by
  determining their value(s)
 Analyze potential threats to the assets
 Define the Annualized Loss Expectancy
10-Step Qualitative Risk Analysis Approach
 Develop scope
 Assemble team
 Identify threats
 Prioritize threats
 Estimate impact priority
 Calculate total threat impact
 Identify safeguards
 Cost-benefit analysis
 Rank safeguards by priority
 Write the report
The CRAMM Qualitative Method
 CRAMM analysis may be done using a packaged
  software application
         cost is about $4,200 plus about $1,200 per year
         Interview format tool with large databases of
          questions, threats, vulnerabilities and impacts
 A qualitative approach that is useful both for risk
  analysis and risk management
The CRAMM Qualitative Method – Risk Model
   Assets
   Threats
   Vulnerabilities
   Impacts
    –   Information disclosure
    –   Accidental or intentional destruction of data
    –   Data modification
    –   Denial of service
 Countermeasures
    –   Reduction of threat
    –   Reduction of vulnerability
    –   Reduction of impact
    –   Detection
    –   Recovery
 Risks
    – A risk arises when a threat is able to exploit a vulnerability in an
      important asset to cause an unacceptable impact
The CRAMM Qualitative Method - Stages
 Three stages
   – Establish scope – asset based
   – Establish threat context and vulnerabilities for
     assets identified in stage 1
         Identifies security requirements for each relevant group of
   – Establish countermeasures
         Output is a security plan
         Good idea to perform a cost-benefit analysis in this stage
          although this is not part of the formal CRAMM method
 Baseline review approach curtails CRAMM
  activities in unimportant areas
Courtney Quantitative Method
 • Asset based
 • Uses loss expectancy formula: L = 10^(i+f-3) / 3
 • Impact categories
   – Disclosure
   – Modification
   – Destruction
   – Lack of availability
 • Impact $ (i) taken from an impact rating table
 • Threat frequency (f) taken from a threat frequency
Courtney Impact Rating Table (i)

        Impact ($)    Rating

              10       1
             100       2
           1,000       3
          10,000       4
         100,000       5
       1,000,000       6
Courtney Threat Frequency Table (f)

   Frequency           Frequency Rating
   Once in:
    300 years                 1
    30 years                  2
    3 years                   3
    100 days                  4
    10 days                   5
    1 day                     6
   10 times per day           7
   100 times per day          8
Typical Courtney Collection Form
  Asset Under Review:
                           i   f      L
    Disclosure             4   3   $3,333
    Modification
    Modification
   Exposure if unable to
   Process for:
    2 hours
    4 hours
    8 hours
    12 hours
    18 hours

  Worked calculation for the Disclosure row:
    L = 10^(4+3-3) / 3
    L = 10^4 / 3
    L = 10,000 / 3
    L = $3,333
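
Added example (not from the original slides): the Courtney calculation above in Python, next to the SLE x ARO form from the Basic Formula slide, using the page's two rating tables. The function names, the sample rows, the exposure factor of 1.0 and the rule that snaps in-between values to the nearest table row on a log scale are assumptions made for this illustration.

```python
import math

# Rating tables as given on the Courtney slides of this page.
IMPACT_RATING = {10: 1, 100: 2, 1_000: 3, 10_000: 4, 100_000: 5, 1_000_000: 6}
# Frequency rating -> events per year implied by each table row.
ARO_BY_RATING = {1: 1 / 300, 2: 1 / 30, 3: 1 / 3, 4: 365 / 100,
                 5: 365 / 10, 6: 365, 7: 3_650, 8: 36_500}


def impact_rating(dollars):
    """Rating i for a dollar impact; values between rows snap to the nearest
    row on a log scale (an assumption, the table lists only powers of ten)."""
    i = round(math.log10(dollars))
    if i not in IMPACT_RATING.values():
        raise ValueError(f"impact ${dollars:,} is outside the rating table")
    return i


def frequency_rating(events_per_year):
    """Rating f whose table row is closest, on a log scale, to the estimate."""
    return min(ARO_BY_RATING, key=lambda f: abs(
        math.log10(ARO_BY_RATING[f]) - math.log10(events_per_year)))


def courtney_ale(i, f):
    """Courtney loss expectancy: L = 10^(i+f-3) / 3."""
    return 10 ** (i + f - 3) / 3


def sle_aro_ale(asset_value, exposure_factor, aro):
    """ALE = SLE x ARO, with SLE = asset value x exposure factor."""
    return asset_value * exposure_factor * aro


# Constructed sample rows: (impact category, impact in $, events per year).
SAMPLE_ROWS = [("Disclosure", 10_000, 1 / 3),
               ("Modification", 25_000, 1 / 30),
               ("Lack of availability", 1_000, 12)]

if __name__ == "__main__":
    for name, dollars, per_year in SAMPLE_ROWS:
        i, f = impact_rating(dollars), frequency_rating(per_year)
        print(f"{name:22} i={i} f={f} "
              f"Courtney L=${courtney_ale(i, f):>9,.0f}  "
              f"SLE x ARO=${sle_aro_ale(dollars, 1.0, per_year):>9,.0f}")
```

Where an estimate falls exactly on a table row (the Disclosure row) the two results agree; the 12-per-year row shows how far the order-of-magnitude ratings can move the figure.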

Qualitative project management framework

                  Pre-Assessment       On-Site      Post-Assessment

        Pre               Project        Data           Recommendations
     Assessment         Coordination   Collection         Final Report
 Put together by Sandia Labs, along with the
  FBI, Military, Corps of Engineers, and
 Designed to be a quantitative measurement
  of risks associated with Critical
RAM-X Formula
 PA * C * (1-PE) = R
PA= Analyze Threat
C = Critical Assets
PE = System Effectiveness

PE < 1

 Developed a way to utilize Qualitative and
  quantitative methods through its “Thessaly”
 Current State
 Desired State
 Gap Analysis
 Solution recommendations
 Security Maturity Grid
