Security Risk Analysis & Management




Security Risk Analysis & Requirements Engineering
Security in System Development

• Risk analysis & management needs to be a part of
  system development, not tacked on afterwards
• Baskerville's three generations of methods
  – 1st generation: checklists
    Example: BS 7799 Part 1
  – 2nd generation: mechanistic engineering methods
    Example: this risk analysis method
  – 3rd generation: integrated design
    Not yet achieved

[Baskerville, R. (1993). Information Systems Security Design Methods:
   Implications for Information Systems Development. ACM Computing
   Surveys 25(4): 375-414.]

Security Risk Analysis & Management
Introduction

Risk Analysis and Management Framework (diagram): Assets, Threats and
Vulnerabilities are combined to identify Risks (the Analysis stage); the
Risks in turn determine the Security Measures to adopt (the Management stage).
Definitions 1

The meanings of terms in this area are not universally
  agreed. We will use the following:
• Threat: harm that can happen to an asset
• Impact: a measure of the seriousness of a threat
• Attack: a threatening event
• Attacker: the agent causing an attack (not necessarily
  human)
• Vulnerability: a weakness in the system that makes an
  attack more likely to succeed
• Risk: a quantified measure of the likelihood of a threat
  being realised, weighted by its impact (as the formula on the
  Risk Assessment slide makes explicit)
Definitions 2

• Risk Analysis involves the identification and
  assessment of the levels of risk, calculated from the
  – values of assets
  – threats to the assets
  – their vulnerabilities and likelihood of exploitation
• Risk Management involves the identification, selection
  and adoption of security measures justified by
  – the identified risks to assets
  – the reduction of these risks to acceptable levels
Goals of Risk Analysis

• All assets have been identified
• All threats have been identified
  – Their impact on assets has been valued
• All vulnerabilities have been identified and assessed
Problems of Measuring Risk

Businesses normally wish to measure in money, but
• many of the quantities involved cannot be measured that way
  – Valuation of assets
    · Value of data and in-house software: no market value
    · Value of goodwill and customer confidence
  – Likelihood of threats
    · How relevant is past data to the calculation of future probabilities?
      The nature of future attacks is unpredictable, and so are
      the actions of future attackers
  – Measurement of benefit from security measures
    · Problems with the difference of two approximate quantities:
      how does an extra security measure affect a ~10^-5 probability
      of attack?
Risk Levels

• Precise monetary values give a false precision
• Better to use levels, e.g.
  – High, Medium, Low
    · High: major impact on the organisation
    · Medium: noticeable impact (“material” in auditing terms)
    · Low: can be absorbed without difficulty
  – 1 - 10
• Express money values in levels, e.g.
  – For a large University Department a possibility is
    · High      £1,000,000+
    · Medium    £1,000+
    · Low       < £1,000
Risk Analysis Steps

• Decide on scope of analysis
  – Set the system boundary
• Identification of assets & business processes
• Identification of threats and valuation of their impact on
  assets (impact valuation)
• Identification and assessment of vulnerabilities to
  threats
• Risk assessment
Risk Analysis – Defining the Scope

• Draw a context diagram
• Decide on the boundary
  – It will rarely be the computer!
• Make explicit assumptions about the security of
  neighbouring domains
  – Verify them!
Risk Analysis – Identification of Assets

• Types of asset
  – Hardware
  – Software: purchased or developed programs
  – Data
  – People: who run the system
  – Documentation: manuals, administrative procedures, etc.
  – Supplies: paper forms, magnetic media, printer ink and toner, etc.
  – Money
  – Intangibles
    · Goodwill
    · Organisation confidence
    · Organisation image
Risk Analysis – Impact Valuation

Identification and valuation of threats, for each group
  of assets
• Identify threats, e.g. for stored data
  – Loss of confidentiality
  – Loss of integrity
  – Loss of completeness
  – Loss of availability (denial of service)
• For many asset types the only threat is loss of
  availability
• Assess impact of threat
  – Assess in levels, e.g. H-M-L or 1 - 10
  – This gives the valuation of the asset in the face of the threat
Risk Analysis – Process Analysis

• Every company or organisation has some processes
  that are critical to its operation
• The criticality of a process may increase the impact
  valuation of one or more of the assets identified
So
• Identify critical processes
• Review assets needed for critical processes
• Revise impact valuation of these assets
Risk Analysis – Vulnerabilities 1

• Identify vulnerabilities against a baseline system
  – For risk analysis of an existing system
    · The existing system with its known security measures and weaknesses
  – For development of a new system
    · The security facilities of the envisaged software, e.g. Windows NT
    · Standard good practice, e.g. the BS 7799 recommendations of good
      practice
Risk Analysis – Vulnerabilities 2

For each threat
• Identify vulnerabilities
  – the ways in which the threat could be realised successfully
• Assess levels of likelihood (High, Medium, Low) of
  – an attempt
    · Expensive attacks are less likely (e.g. brute-force attacks on encryption
      keys)
  – successful exploitation of the vulnerability
• Combine them into a vulnerability level:

  Vulnerability level           Likelihood of attempt
                                Low     Med     High
  Likelihood of   Low           Low     Low     Med
  success         Med           Low     Med     High
                  High          Low     Med     High
Risk Assessment

Assess risk
• If we had accurate probabilities and values, risk would
  be
  – impact valuation × probability of threat × probability of exploitation
  – plus a correction factor for risk aversion
• Since we do not, we construct matrices such as

  Risk level                    Impact valuation
                                Low     Med     High
  Vulnerability   Low           Low     Low     Med
                  Med           Low     Med     High
                  High          Low     Med     High
Responses to Risk

Responses to risk
• Avoid it completely by withdrawing from an activity
• Accept it and do nothing
• Reduce it with security measures
Security Measures

Possible security measures
• Transfer the risk, e.g. insurance
• Reduce vulnerability
  – Reduce likelihood of attempt
    · e.g. publicise security measures in order to deter attackers
    · e.g. competitive approach, the lion-hunter's approach to security
      (you need not outrun the lion, only the other hunters: be a harder
      target than your neighbours)
  – Reduce likelihood of success by preventive measures
    · e.g. access control, encryption, firewall
• Reduce impact, e.g. fire extinguisher / fire wall (the physical kind,
  which contains a fire rather than preventing it)
• Recovery measures, e.g. restoration from backup
Risk Management

• Identify possible security measures
• Decide which to choose
  – Ensure complete coverage, with confidence that:
    · the selected security measures address all threats
    · the results are consistent
    · the expenditure and its benefits are commensurate with the risks
      (consider doing less than the BS 7799 recommendations?)
Iterate

• Adding security measures changes the system
  – Vulnerabilities may have been introduced
• After deciding on security measures, revisit the risk
  analysis and management processes
  – e.g. introduction of encryption of stored files may remove the threat to
    confidentiality but introduce a threat to availability
    · What happens if the secret key is lost?
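The two matrices on the Vulnerabilities 2 and Risk Assessment slides, and the re-analysis step on this Iterate slide, as a worked example in Python. This is added example code, not part of the original slides: the asset and threat register, the level ratings, the asset names and the assumed effect of file encryption (lower likelihood of a successful confidentiality attack, plus a new availability threat from key loss) are all constructed for illustration.

```python
"""Level-based risk analysis as in the slides, applied to a constructed
register of assets and threats, then iterated after adding a security
measure.  Added example: all entries and ratings below are assumptions."""

from dataclasses import dataclass, replace

LEVELS = ("Low", "Med", "High")

# Vulnerability matrix from the Vulnerabilities 2 slide:
# VULNERABILITY[likelihood of success][likelihood of attempt]
VULNERABILITY = {
    "Low":  {"Low": "Low", "Med": "Low", "High": "Med"},
    "Med":  {"Low": "Low", "Med": "Med", "High": "High"},
    "High": {"Low": "Low", "Med": "Med", "High": "High"},
}

# Risk matrix from the Risk Assessment slide:
# RISK[vulnerability level][impact valuation]
RISK = {
    "Low":  {"Low": "Low", "Med": "Low", "High": "Med"},
    "Med":  {"Low": "Low", "Med": "Med", "High": "High"},
    "High": {"Low": "Low", "Med": "Med", "High": "High"},
}


def vulnerability_level(attempt: str, success: str) -> str:
    """Combine likelihood of attempt and of success (both in LEVELS)."""
    return VULNERABILITY[success][attempt]


def risk_level(impact: str, attempt: str, success: str) -> str:
    """Risk = impact valuation combined with the vulnerability level."""
    return RISK[vulnerability_level(attempt, success)][impact]


@dataclass(frozen=True)
class ThreatEntry:
    asset: str
    threat: str     # loss of confidentiality, integrity, availability, ...
    impact: str     # impact valuation of the threat on the asset
    attempt: str    # likelihood that the threat is attempted (or occurs)
    success: str    # likelihood that an attempt succeeds

    @property
    def risk(self) -> str:
        return risk_level(self.impact, self.attempt, self.success)


# Constructed register for a hypothetical university department.
BASE_REGISTER = [
    ThreatEntry("Student records", "Confidentiality", "High", "Med", "High"),
    ThreatEntry("Student records", "Availability", "Med", "Med", "Med"),
    ThreatEntry("Departmental web server", "Availability (DoS)", "Low", "High", "High"),
    ThreatEntry("Lecture notes", "Integrity", "Low", "Low", "High"),
]


def assess(register):
    """Risk register as (asset, threat, risk level), highest risk first."""
    rank = {level: i for i, level in enumerate(LEVELS)}
    rows = [(e.asset, e.threat, e.risk) for e in register]
    return sorted(rows, key=lambda row: -rank[row[2]])


def encrypt_stored_files(register):
    """Iteration step from the Iterate slide.  Encrypting stored student
    records lowers the likelihood that a confidentiality attack succeeds,
    but adds a new availability threat: loss of the secret key.  The new
    ratings are assumptions."""
    updated = []
    for entry in register:
        if entry.asset == "Student records" and entry.threat == "Confidentiality":
            entry = replace(entry, success="Low")
        updated.append(entry)
    updated.append(ThreatEntry("Student records", "Availability (key loss)",
                               impact="High", attempt="Med", success="High"))
    return updated


def compare_iterations():
    """Return the ranked register before and after the encryption measure."""
    return assess(BASE_REGISTER), assess(encrypt_stored_files(BASE_REGISTER))


if __name__ == "__main__":
    before, after = compare_iterations()
    for label, rows in (("Before", before), ("After encryption", after)):
        print(label)
        for asset, threat, risk in rows:
            print(f"  {risk:<4} {asset}: {threat}")
```

With these assumed ratings the confidentiality risk drops from High to Med once the files are encrypted, but the new key-loss entry is rated High and becomes the top of the register, which is exactly why the slide says to revisit the analysis after choosing measures rather than stopping once the original threat is addressed.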
Conclusion: Problems of Risk Analysis and Management

• Lack of precision
• Volume of work and volume of output
• Integrating them into a "normal" development process
Current Risk Management Techniques
Risk Management Techniques 1

Commercial tools
• Mostly rely on checklists
• CRAMM (CCTA Risk Analysis and Management Method):
  – UK Government approach
  – Supported by software
• PROTEUS (BSI) software:
  – Gap analysis to identify necessary actions and existing strengths
  – Comprehensive practical guidance and the text of BS 7799
  – Reporting, for easy monitoring and maintenance
  – Evidence to customers and auditors
Risk Management Techniques 2

Generic processes
• Threat trees (see below):
  – Threat analysis
  – Based on fault trees
  – Only addresses the threat identification stage
• Attack trees (see below):
  – Vulnerability analysis
Threat Trees 1

AT&T Bell Laboratories
• Categorisation of threats
  – Disclosure / Integrity / Denial of service
• Categorisation of vulnerabilities by view
  – Personnel view
  – Physical view
  – Operational view
  – Communications view
  – Network view
  – Computing view
  – Information view

[Amoroso, E., W.E. Kleppinger, and D. Majette, An Engineering
  Approach to Secure System Analysis, Design and Integration.
  AT&T Technical Journal, 1994. 73(5): p. 40-51.]
Threat Trees 2

• Model of system
• Calculate risks from
  – Impact
  – Vulnerability

(Diagram: the system model of an Electronic Mail System has the components
Originator (O), Message Handling (M), Recipient (R), Other Subscribers (S)
and External (E). The threat tree "Threats to Electronic Mail" has three
branches, Disclosure, Integrity and Denial of Service, and each branch is
subdivided by component: O, R, M, S, E.)
Attack Trees

• Tree structure
  – Goal is the root node
  – Ways of achieving the goal are its child nodes, combined by AND or OR;
    the leaf nodes are the concrete attacks
  – Costs can be associated with nodes

[Schneier, B, Secrets and Lies. 2000: John Wiley and Sons.]
Attack Tree Example

Goal: Read a specific message …
1. Convince sender to reveal message (OR)
    1.1. Bribe user
    1.2. Blackmail user
    1.3. Threaten user
    1.4. Fool user
2. Read message when it is being entered into the computer (OR)
    2.1. Monitor electromagnetic emanations from computer screen (Countermeasure:
        use a TEMPEST computer)
    2.2. Visually monitor computer screen
    2.3. Monitor video memory
    2.4. Monitor video cables
3. Read message when it is being stored on sender's disk
   (Countermeasure: use SFS to encrypt hard drive) (AND)
    3.1. Get access to hard drive (Countermeasure: put physical locks on all doors and
        windows)
    3.2. Read a file protected with SFS.
4. …..
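The tree above with costs attached to its leaves, as an added Python example (not from the slides or from Schneier's book): OR nodes take their cheapest child, AND nodes sum their children, and a countermeasure is modelled by raising a leaf's cost until the attacker prefers another branch. The pound figures, the extra cost assumed for reading an SFS-encrypted file, and the treatment of physical locks as making leaf 3.1 infeasible are all assumptions for illustration.

```python
"""Attack tree with AND/OR nodes and leaf costs, after the attack-tree
slides.  Added example: the structure follows the 'read a specific
message' tree on the slide; every cost is an assumed figure."""

from __future__ import annotations
import copy
from dataclasses import dataclass, field

INFEASIBLE = float("inf")   # cost of a leaf that a countermeasure rules out


@dataclass
class Node:
    name: str
    kind: str = "LEAF"                  # "OR", "AND" or "LEAF"
    cost: float = 0.0                   # assumed attacker cost for a LEAF
    children: list[Node] = field(default_factory=list)

    def cheapest_path(self) -> tuple[float, list[str]]:
        """Cheapest way to achieve this node: (total cost, leaves used).
        OR: the cheapest child suffices.  AND: every child is needed."""
        if self.kind == "LEAF":
            return self.cost, [self.name]
        paths = [child.cheapest_path() for child in self.children]
        if self.kind == "OR":
            return min(paths, key=lambda p: p[0])
        if self.kind == "AND":
            return sum(p[0] for p in paths), [leaf for p in paths for leaf in p[1]]
        raise ValueError(f"unknown node kind {self.kind!r}")

    def find(self, name: str) -> Node | None:
        """Depth-first lookup of a node by name."""
        if self.name == name:
            return self
        for child in self.children:
            hit = child.find(name)
            if hit is not None:
                return hit
        return None


def build_tree() -> Node:
    """The slide's tree with assumed leaf costs in pounds."""
    return Node("Read a specific message", "OR", children=[
        Node("Convince sender to reveal message", "OR", children=[
            Node("Bribe user", cost=10_000),
            Node("Blackmail user", cost=20_000),
            Node("Threaten user", cost=15_000),
            Node("Fool user", cost=5_000),
        ]),
        Node("Read message while it is entered", "OR", children=[
            Node("Monitor electromagnetic emanations", cost=50_000),
            Node("Visually monitor computer screen", cost=2_000),
            Node("Monitor video memory", cost=30_000),
            Node("Monitor video cables", cost=20_000),
        ]),
        Node("Read message stored on sender's disk", "AND", children=[
            Node("Get access to hard drive", cost=1_000),
            Node("Read the file from disk", cost=100),     # unencrypted disk
        ]),
    ])


def apply_countermeasure(tree: Node, leaf: str, new_cost: float) -> Node:
    """Return a copy of the tree in which the countermeasure has raised the
    attacker's cost for one leaf (INFEASIBLE removes the leaf entirely)."""
    updated = copy.deepcopy(tree)
    node = updated.find(leaf)
    if node is None or node.kind != "LEAF":
        raise KeyError(leaf)
    node.cost = new_cost
    return updated


def walk_countermeasures() -> dict:
    """Cheapest attack before and after the slide's countermeasures."""
    base = build_tree()
    # SFS encryption: assumed to raise the cost of reading the file to £100,000.
    with_sfs = apply_countermeasure(base, "Read the file from disk", 100_000)
    # Physical locks: assumed to rule out access to the hard drive altogether.
    with_locks = apply_countermeasure(with_sfs, "Get access to hard drive", INFEASIBLE)
    disk = with_locks.find("Read message stored on sender's disk")
    return {
        "no countermeasures": base.cheapest_path(),
        "SFS": with_sfs.cheapest_path(),
        "SFS + locks": with_locks.cheapest_path(),
        "disk branch after locks": disk.cheapest_path(),
    }


if __name__ == "__main__":
    for label, (cost, leaves) in walk_countermeasures().items():
        print(f"{label}: £{cost:,} via {leaves}")
```

Note that the AND under node 3 is what makes a single countermeasure effective there: raising either leaf's cost raises the whole branch, whereas under an OR node the attacker simply moves to the next-cheapest sibling, so after SFS the cheapest attack becomes visually monitoring the screen and the locks on the door no longer change the root cost at all.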

				