Risk analysis chr503



  1. Risk analysis chr503
  Jacky Hartnett 2011

  2. Goal of slides
  • To understand the role of risk analysis in Computer Security
    • An underpinning technique that informs all security decisions
  • To become familiar with various methods of performing Risk Analysis

  3. Context
  • Computer Security techniques employed to protect bottom line from costs associated with:
    • Threats, legislation, duty of care
  • We have looked at threats to ICT in general
  • Which threats should my organisation protect against?
    • The ‘should’ is quantified via risk assessment

  4. Topics
  • An Introduction to Risk
  • Risk Analysis
  • Risk Assessment techniques
    • Qualitative and Dependency Based
    • Qualitative and Threat based
      • Attack Trees
    • Quantitative and Threat Based
      • Australian Standard - in tutorial
    • Quantitative and Dependency Based
      • Characteristics of a Formal Method
      • Annualised Loss Expectancies
  • You can also look at VAM (in Pfleeger)

  5. References
  • Attack Trees
    • Schneier, Secrets and Lies, p318 - 333
  • Risk Analysis
    • Pfleeger & Pfleeger section 8.2 p 524 - 547
    • Schneier Bruce, Beyond Fear, section 1
    • Amoroso E and Sharp R Internet and Intranet Firewall Strategies
  • Risk Management standards - AS/NZS ISO 31000:2009

  6. Introduction to Risk
  • We live in a risky world
  • The outcome of Risk Analysis is an indication of
    • Where an organisation is vulnerable
    • Which vulnerabilities will cause the most harm
    • The $ amount of loss each vulnerability could result in
    • A prioritised list
    • A decision on what level of risk to accept

  7. Introduction to Risk
  • Managing the identified risks
    • What could be done to mitigate each risk
    • Eg get insurance, adopt different behaviour
  • Risk management strategies balance
    • cost of protective measure versus
    • estimated cost of loss versus
    • estimated chance of loss occurring
  • What Residual Risk to accept
    • No management strategy is perfect
    • Amount of residual risk an organisation will accept depends upon their Risk Appetite

  8. Introduction to Risk
  • Strategic Risk
    • Evaluated at CIO level
    • Affecting well-being of whole company
  • Operational Risk
    • Day to day functions and service
  • ICT risk impacts on both strategic and operational risk
    • ICT often drives key services and products of an organisation

  9. Introduction to Risk
  • Risk Analysis:
    • How likely is it that the identified risks will eventuate?
    • What will be the loss to the organisation if this threat materialises?
    • What will be the possible cost of this loss?
  • Then assess value of any protective activities
    • Do they cost more than what could be lost?

  10. Topics
  • An Introduction to Risk
  • Risk Analysis
  • Risk Assessment techniques
    • Qualitative and Dependency Based
    • Qualitative and Threat based
      • Attack Trees
    • Quantitative and Threat Based
      • Australian Standard - in tutorial
    • Quantitative and Dependency Based
      • Characteristics of a Formal Method
      • Annualised Loss Expectancies
  • You can also look at VAM (in Pfleeger)

  11. Introduction to Risk Analysis
  • Not exact science
    • Only one of the Twin Towers was insured
    • Risk of both being destroyed was thought to be around the 0.00nnn
  • Obviously dealing with risk involves
    • Estimates (informed by expertise)
    • Guesses about the basically unknown
    • Informed by statistics from the past
    • Imprecise dollar amounts
  • But can get a ‘ball park’ feel

  12. Introduction to Risk Analysis
  • Now seen as a fundamental basis for all Computer Security activity
  • Alignment of ICT activity to business goals
    • Expenditure needs to be justified as contributing to the business
  • Employing Computer Security techniques is a risk mitigation activity for CIA of company data & systems
    • Risk Analysis justifies the expense

  13. Introduction to Risk Analysis
  • Two classes of methods
    • Qualitative
      • Usual method
    • Quantitative
      • Tries to assign a dollar value
  • Two starting points
    • Possible vulnerabilities and threats
      • Threat based
    • Assets needing protection
      • Dependency analysis

  14. Topics
  • An Introduction to Risk
  • Risk Analysis
  • Risk Assessment techniques
    • Qualitative and Dependency Based
    • Qualitative and Threat based
      • Attack Trees
    • Quantitative and Threat Based
      • Australian Standard - in tutorial
    • Quantitative and Dependency Based
      • Characteristics of a Formal Method
      • Annualised Loss Expectancies
  • You can also look at VAM (in Pfleeger)

  15. Qualitative Methods of Risk Analysis
  • Structured Brain Storming
    • preparation, then structured list of questions
    • Informed by expertise
      • must have right people, prepare and attend
  • Tiger Team
    • experts examine and evaluate system for known vulnerabilities
    • Often consultants

  16. Qualitative & Dependency Based
  • A structured list used in ‘Beyond Fear’ by Bruce Schneier:
    • What assets are you trying to protect?
    • What are the risks to these assets?
    • How well does the security solution mitigate those risks?
    • What other risks does the security solution cause?
    • What costs and trade-offs does the security solution impose?

  17. Qualitative & Dependency Based
  • The approach described in Pfleeger & Pfleeger:
    • Identify assets
    • Determine the vulnerabilities
    • Estimate the likelihood of exploitation
    • Compute expected annual loss
    • Survey applicable countermeasures
    • Project annual savings for proposed measures

  18. Qualitative & Threat Based Method: Attack Trees
  • Use Attack Trees
  • Analyse in different ways
    • Possible / Impossible
    • Skill / Access required
    • Cost
  • Can analyse threats according to each criterion
    • Least / greatest skill, greatest / cheapest cost
  • Still need to guess likely goals and methods in order to produce original threat tree

  19. Qualitative & Threat Based Method: Attack Trees
  • A pictorial method of examining threats is to use Attack Trees
  • Represented as a tree structure with nodes and leaves
  • Implicit OR between leaves, AND specified
  [Figure: attack tree]
    Attack Goal
      - Method 1
      - Method 2
      - Method 3

  20. Qualitative & Threat Based Method: Attack Trees
  • Each method is dissected into nodes representing the component parts until a leaf is reached
  [Figure: attack tree]
    Obtain Password
      - Bribe holder
      - Search diary (AND)
          - Obtain diary
          - Examine

  21. Qualitative & Threat Based Method: Attack Trees
  • Analyse this tree according to possible / impossible, skill required and cost
  [Figure: attack tree]
    Find Password
      - Bribe holder
      - Search diary (AND)
          - Obtain diary
          - Examine
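The analysis the slide asks for (possible / impossible, skill required, cost) can be done mechanically once the tree is written down. The following is an added example, not code from the lecture: it encodes the slide's "Obtain Password" tree with OR and AND nodes and computes, for the defender, which branch is cheapest and least skilled for an attacker and therefore the first one to close. The leaf attributes (possible, skill, cost) are constructed illustrative values; `with_leaf_blocked` is an assumed helper that models a countermeasure removing one leaf so the tree can be re-analysed.

```python
from dataclasses import dataclass
from typing import List, Optional, Union

# Attack-tree analysis as on the lecture's attack tree slides.
# The tree is the lecture's "Obtain Password" tree; the per-leaf attributes
# (possible?, skill level, attacker cost) are constructed illustrative values.

@dataclass
class Leaf:
    name: str
    possible: bool   # can this step be carried out at all?
    skill: int       # constructed scale: 1 = no special skill, 5 = expert
    cost: float      # constructed attacker outlay in dollars

@dataclass
class Node:
    name: str
    op: str                  # "OR": any child suffices (the implicit case); "AND": every child is needed
    children: List["Tree"]

Tree = Union[Leaf, Node]

def is_possible(t: Tree) -> bool:
    """An AND node is possible only if all parts are; an OR node if any alternative is."""
    if isinstance(t, Leaf):
        return t.possible
    parts = [is_possible(c) for c in t.children]
    return all(parts) if t.op == "AND" else any(parts)

def min_cost(t: Tree) -> Optional[float]:
    """Cheapest feasible way to reach the node's goal, or None if it is impossible."""
    if isinstance(t, Leaf):
        return t.cost if t.possible else None
    costs = [min_cost(c) for c in t.children]
    if t.op == "AND":
        return None if any(c is None for c in costs) else sum(costs)
    feasible = [c for c in costs if c is not None]
    return min(feasible) if feasible else None

def min_skill(t: Tree) -> Optional[int]:
    """Lowest skill that suffices: an AND needs its hardest part, an OR its easiest alternative."""
    if isinstance(t, Leaf):
        return t.skill if t.possible else None
    skills = [min_skill(c) for c in t.children]
    if t.op == "AND":
        return None if any(s is None for s in skills) else max(skills)
    feasible = [s for s in skills if s is not None]
    return min(feasible) if feasible else None

def cheapest_path(t: Tree) -> Optional[List[str]]:
    """Leaf steps on the cheapest feasible path; this is the branch to defend first."""
    if isinstance(t, Leaf):
        return [t.name] if t.possible else None
    if t.op == "AND":
        parts = [cheapest_path(c) for c in t.children]
        return None if any(p is None for p in parts) else [s for p in parts for s in p]
    best, best_cost = None, None
    for c in t.children:
        cost = min_cost(c)
        if cost is not None and (best_cost is None or cost < best_cost):
            best, best_cost = cheapest_path(c), cost
    return best

def with_leaf_blocked(t: Tree, leaf_name: str) -> Tree:
    """Assumed helper: copy of the tree with one leaf marked impossible,
    modelling a countermeasure that removes that step."""
    if isinstance(t, Leaf):
        return Leaf(t.name, t.possible and t.name != leaf_name, t.skill, t.cost)
    return Node(t.name, t.op, [with_leaf_blocked(c, leaf_name) for c in t.children])

# The lecture's tree: Obtain Password <- Bribe holder OR (Obtain diary AND Examine)
PASSWORD_TREE = Node("Obtain Password", "OR", [
    Leaf("Bribe holder", possible=True, skill=1, cost=500.0),
    Node("Search diary", "AND", [
        Leaf("Obtain diary", possible=True, skill=2, cost=50.0),
        Leaf("Examine", possible=True, skill=1, cost=0.0),
    ]),
])

if __name__ == "__main__":
    print("possible:", is_possible(PASSWORD_TREE))
    print("cheapest cost:", min_cost(PASSWORD_TREE), "via", cheapest_path(PASSWORD_TREE))
    print("lowest skill:", min_skill(PASSWORD_TREE))
    # Re-analyse after a countermeasure, e.g. passwords are no longer written in a diary
    hardened = with_leaf_blocked(PASSWORD_TREE, "Obtain diary")
    print("after blocking 'Obtain diary':", min_cost(hardened), cheapest_path(hardened))
```

Note that the cheapest path and the least-skilled path need not coincide (here the diary branch is cheapest, while bribery needs the least skill), which is why the slide lists the criteria separately; re-running the analysis after blocking a leaf shows what the next cheapest branch becomes, i.e. the residual risk of that countermeasure.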

  22. Qualitative & Threat Based Method: AS/NZS ISO 31000:2009
  • Method used by all Federal Government agencies
  • For each threat estimate
    • Consequences
    • Likelihood
  • Combine to create a priority matrix
    • ‘Extreme’ consequences plus ‘almost certain’ -> top priority
  • Starting with most important risk, create a table with the following headings:
    • Risk Number, Risk, Risk Likelihood Rating, Risk Impact Rating, Risk Management / Mitigation Strategy, Residual Risk after Implementing Risk Management Strategy
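As an added example (not code from the lecture or from the standard), the block below builds the priority matrix and the risk table with the headings the slide lists. The slide only fixes the top cell (‘Extreme’ consequences plus ‘almost certain’ likelihood); the five-step likelihood and consequence scales, the score bands that map a cell to a priority, and the sample risks (themed on the telehealth example mentioned in the deck) are all constructed for this example.

```python
from dataclasses import dataclass
from typing import Dict, List

# Priority matrix and risk register in the shape the lecture describes.
# Scales and score bands are constructed assumptions; the lecture fixes only
# that "Extreme" consequences plus "almost certain" likelihood is top priority.

LIKELIHOOD = ["Rare", "Unlikely", "Possible", "Likely", "Almost certain"]
CONSEQUENCE = ["Insignificant", "Minor", "Moderate", "Major", "Extreme"]

def score(likelihood: str, consequence: str) -> int:
    """Matrix cell as a number 1..25: (likelihood rank) x (consequence rank), both 1-based."""
    return (LIKELIHOOD.index(likelihood) + 1) * (CONSEQUENCE.index(consequence) + 1)

def priority(likelihood: str, consequence: str) -> str:
    """Map a matrix cell to a priority band (constructed thresholds)."""
    s = score(likelihood, consequence)
    if s >= 15:
        return "Extreme"
    if s >= 8:
        return "High"
    if s >= 4:
        return "Medium"
    return "Low"

def priority_matrix() -> List[List[str]]:
    """Rows are likelihood (Rare .. Almost certain), columns consequence (Insignificant .. Extreme)."""
    return [[priority(l, c) for c in CONSEQUENCE] for l in LIKELIHOOD]

@dataclass
class Risk:
    risk: str
    likelihood: str
    consequence: str
    strategy: str
    residual_likelihood: str    # re-rated assuming the strategy is implemented
    residual_consequence: str

# Headings exactly as listed on the slide
HEADINGS = ["Risk Number", "Risk", "Risk Likelihood Rating", "Risk Impact Rating",
            "Risk Management / Mitigation Strategy",
            "Residual Risk after Implementing Risk Management Strategy"]

def risk_register(risks: List[Risk]) -> List[Dict[str, str]]:
    """Table rows numbered from the most important risk (highest matrix cell) downwards."""
    ordered = sorted(risks, key=lambda r: score(r.likelihood, r.consequence), reverse=True)
    rows = []
    for n, r in enumerate(ordered, start=1):
        rows.append({
            "Risk Number": str(n),
            "Risk": r.risk,
            "Risk Likelihood Rating": r.likelihood,
            "Risk Impact Rating": r.consequence,
            "Risk Management / Mitigation Strategy": r.strategy,
            "Residual Risk after Implementing Risk Management Strategy":
                priority(r.residual_likelihood, r.residual_consequence),
        })
    return rows

def format_register(rows: List[Dict[str, str]]) -> str:
    """Plain-text rendering of the table, one line per risk."""
    lines = [" | ".join(HEADINGS)]
    for row in rows:
        lines.append(" | ".join(row[h] for h in HEADINGS))
    return "\n".join(lines)

# Constructed sample risks (not from the lecture's telehealth application)
SAMPLE_RISKS = [
    Risk("Power outage takes the clinic offline for an hour", "Possible", "Minor",
         "UPS for core equipment", "Rare", "Minor"),
    Risk("Telehealth video session eavesdropped in transit", "Possible", "Major",
         "End-to-end encryption of video sessions", "Rare", "Major"),
    Risk("Ransomware encrypts patient records", "Likely", "Extreme",
         "Offline backups with tested restores", "Unlikely", "Major"),
    Risk("Clinician shares login with a locum", "Almost certain", "Minor",
         "Per-user accounts with audit logging", "Possible", "Minor"),
]

if __name__ == "__main__":
    for l, row in zip(LIKELIHOOD, priority_matrix()):
        print(f"{l:15s}", row)
    print(format_register(risk_register(SAMPLE_RISKS)))
```

The residual column is the same matrix applied to the re-rated likelihood and consequence; comparing it with the organisation's risk appetite (slide 7) tells you whether a strategy is sufficient or whether the risk must be treated further or explicitly accepted.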

  23. An example from our Telehealth Funding Application

  24. Topics
  • An Introduction to Risk
  • Risk Analysis
  • Risk Assessment techniques
    • Qualitative and Dependency Based
    • Qualitative and Threat based
      • Attack Trees
    • Quantitative and Threat Based
      • Australian Standard - in tutorial
    • Quantitative and Dependency Based
      • Characteristics of a Formal Method
      • Annualised Loss Expectancies
  • You can also look at VAM (in Pfleeger)

  25. Quantitative & Dependency Based
  • Formal Assessment
    • system security engineering processes
    • thorough and list driven
    • Examples in text and AS/NZS ISO 31000:2009
  • Identify assets
    • hardware, software, data, people, documentation, supplies
  • Identify vulnerabilities
    • imagination plus tables

  26. Quantitative & Dependency Based
  • [1,2,3] Predict incidence of each vulnerability
    • observe, guess, history, Delphi method
  • [4] Assign a cost to each possible loss
    • legal penalty
    • financial loss
    • loss of reputation, market share, competitive edge
    • guesses known as expert estimates!

  27. Quantitative & Dependency Based
  • [5] Think of and cost new measures which would decrease the likelihood of attack estimates
  • [6] Work out which of these bring savings
  • Write a report identifying the cost benefits of minimising identified risks
    • => security goals for organisation

  28. Quantitative & Dependency Based
  • Steps 1, 2, 3 and 5 are the responsibility of the computer security expert
  • Accountants are needed to help with steps 4 and 6
    • Nowadays work with ‘internal auditors’ who specialise in risk management
  • First need to understand the ICT assets to be protected, how they can be attacked, and the likelihood of such an attack
  • The rest of the unit is about the possibilities for step 5

  29. Quantitative & Dependency Based: ALE
  • Annualised Loss Expectancy
    1. Work out CIA threats to an asset
    2. Work out cost of a single case of loss
      • Single Loss Expectancy (SLE)
    3. Estimate how often loss likely to occur in one year
      • Estimated Annual Occurrence (EAO)
    4. Multiply the results of steps 2 and 3 (SLE × EAO) to get ALE
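The ALE recipe on this slide is what makes steps 5 and 6 of the quantitative method (slides 26 to 28, and the last two steps of the Pfleeger & Pfleeger list on slide 17) computable: cost each proposed measure, re-estimate SLE and EAO with it in place, and see whether the drop in ALE exceeds the measure's annual cost. The block below is an added example, not code from the lecture; every threat, dollar figure, occurrence rate and countermeasure effect in it is constructed for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# ALE = SLE x EAO, then project the annual savings of each countermeasure.
# All threats, dollar figures and countermeasure effects are constructed examples.

@dataclass
class Threat:
    name: str
    sle: float   # Single Loss Expectancy: cost of one incident, in dollars
    eao: float   # Estimated Annual Occurrence: incidents per year (may be fractional)

def ale(t: Threat) -> float:
    """Annualised Loss Expectancy for one threat: SLE x EAO."""
    return t.sle * t.eao

def total_ale(threats: List[Threat]) -> float:
    """Expected annual loss across all threats to the asset."""
    return sum(ale(t) for t in threats)

@dataclass
class Countermeasure:
    name: str
    annual_cost: float
    # threat name -> (SLE after the measure, EAO after the measure);
    # threats not listed are unaffected by the measure
    effect: Dict[str, Tuple[float, float]]

def residual_threats(threats: List[Threat], cm: Countermeasure) -> List[Threat]:
    """Re-estimated threats with the countermeasure in place."""
    out = []
    for t in threats:
        sle, eao = cm.effect.get(t.name, (t.sle, t.eao))
        out.append(Threat(t.name, sle, eao))
    return out

def project_savings(threats: List[Threat], cm: Countermeasure) -> dict:
    """Step 6 of the lecture's method: does the reduction in ALE pay for the measure?"""
    before = total_ale(threats)
    after = total_ale(residual_threats(threats, cm))
    gross = before - after
    net = gross - cm.annual_cost
    return {"countermeasure": cm.name, "ale_before": before, "ale_after": after,
            "gross_saving": gross, "net_saving": net, "worthwhile": net > 0}

def rank_countermeasures(threats: List[Threat], cms: List[Countermeasure]) -> List[dict]:
    """Candidate measures ordered by net annual saving, best first."""
    return sorted((project_savings(threats, c) for c in cms),
                  key=lambda r: r["net_saving"], reverse=True)

# Constructed threats to one asset (a small clinic's file server and laptops)
THREATS = [
    Threat("Ransomware on file server", sle=80_000.0, eao=0.25),   # one incident every 4 years
    Threat("Laptop theft with unencrypted data", sle=30_000.0, eao=0.5),
    Threat("Web site defacement", sle=5_000.0, eao=2.0),
]

# Constructed candidate measures and their estimated effect on (SLE, EAO)
COUNTERMEASURES = [
    Countermeasure("Offline backups with tested restores", annual_cost=6_000.0,
                   effect={"Ransomware on file server": (15_000.0, 0.25)}),   # cheaper recovery, same frequency
    Countermeasure("Full-disk encryption on laptops", annual_cost=4_000.0,
                   effect={"Laptop theft with unencrypted data": (2_000.0, 0.5)}),  # lose only the hardware
    Countermeasure("Premium web application firewall", annual_cost=12_000.0,
                   effect={"Web site defacement": (5_000.0, 0.25)}),          # fewer incidents, same cost each
]

if __name__ == "__main__":
    for t in THREATS:
        print(f"{t.name}: SLE ${t.sle:,.0f} x EAO {t.eao} = ALE ${ale(t):,.0f}")
    print(f"Total ALE: ${total_ale(THREATS):,.0f}")
    for r in rank_countermeasures(THREATS, COUNTERMEASURES):
        verdict = "adopt" if r["worthwhile"] else "not justified"
        print(f"{r['countermeasure']}: net saving ${r['net_saving']:,.0f} ({verdict})")
```

Each measure is evaluated against the untreated baseline on its own; if two measures act on the same threat, their effects are not additive and the combination must be re-estimated as a single `Countermeasure`. The ranking is only as good as the SLE and EAO estimates feeding it (the "guesstimate" problem on slide 32), so the inputs should be recorded with their source and revisited when the business or the threat picture changes.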

  30. Quantitative & Dependency Based: ALE

  31. The Benefits of Risk Analysis
  • Makes people think about value of assets maintained by computer systems
  • Indicates potential loss to business of a loss of CIA in any of its systems
  • Provides guidelines for cost benefit analysis of possible security measures
  • Justifies spending on security

  32. The Disadvantages of Risk Analysis
  • Costly
    • time, money, resources
  • Guesstimate
    • not precise, initial data collection very tedious
  • False sense of security
    • allow for change
    • allow for inaccuracy
  • Problems with both under- and over-estimating risk

  33. Risk Analysis summary
  • How can you tell if you got it right?
    • If no attacks succeed, can you prove it is because of actions stemming from the risk analysis?
  • Must attempt some form of risk analysis and take it seriously
    • Justifies all security spending
    • Aligns ICT security with business goals
